I'm having an odd issue with one user getting multiple matching accounts on ISE. This started happening only after a recent upgrade from ISE 2.1 to 2.6 Patch 5. The 4-node ISE deployment is joined to a single AD forest. It's a single domain with no external trust relationships.

The username is unique in AD. Doing a test authentication with the Test User tool confirms it. Yet authentications happening as part of any of the defined policies (VPN, Wireless 802.1x or TACACS) all fail.

Here's an example below. As you can see, ISE initially says it finds a single matching account and then later in the process says there are multiple.

11001 	Received RADIUS Access-Request
  	11017 	RADIUS created a new session
  	15049 	Evaluating Policy Group
  	15008 	Evaluating Service Selection Policy
  	15048 	Queried PIP - Airespace.Airespace-Wlan-Id
  	15048 	Queried PIP - Radius.Called-Station-ID
  	15048 	Queried PIP - DEVICE.Device Type
  	11507 	Extracted EAP-Response/Identity
  	12500 	Prepared EAP-Request proposing EAP-TLS with challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request ( [step latency=5039 ms] Step latency=5039 ms)
  	11018 	RADIUS is re-using an existing session
  	11042 	Received duplicate RADIUS request; retransmitting previous response
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12301 	Extracted EAP-Response/NAK requesting to use PEAP instead
  	12300 	Prepared EAP-Request proposing PEAP with challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12302 	Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  	12318 	Successfully negotiated PEAP version 0
  	12800 	Extracted first TLS record; TLS handshake started
  	12805 	Extracted TLS ClientHello message
  	12806 	Prepared TLS ServerHello message
  	12807 	Prepared TLS Certificate message
  	12808 	Prepared TLS ServerKeyExchange message
  	12810 	Prepared TLS ServerDone message
  	12811 	Extracted TLS Certificate message containing client certificate
  	12305 	Prepared EAP-Request with another PEAP challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12304 	Extracted EAP-Response containing PEAP challenge-response
  	12305 	Prepared EAP-Request with another PEAP challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12304 	Extracted EAP-Response containing PEAP challenge-response
  	12305 	Prepared EAP-Request with another PEAP challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12304 	Extracted EAP-Response containing PEAP challenge-response
  	12305 	Prepared EAP-Request with another PEAP challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12304 	Extracted EAP-Response containing PEAP challenge-response
  	12305 	Prepared EAP-Request with another PEAP challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12304 	Extracted EAP-Response containing PEAP challenge-response
  	12305 	Prepared EAP-Request with another PEAP challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12304 	Extracted EAP-Response containing PEAP challenge-response
  	12318 	Successfully negotiated PEAP version 0
  	12812 	Extracted TLS ClientKeyExchange message
  	12813 	Extracted TLS CertificateVerify message
  	12804 	Extracted TLS Finished message
  	12801 	Prepared TLS ChangeCipherSpec message
  	12802 	Prepared TLS Finished message
  	12816 	TLS handshake succeeded
  	12310 	PEAP full handshake finished successfully
  	12305 	Prepared EAP-Request with another PEAP challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12304 	Extracted EAP-Response containing PEAP challenge-response
  	12313 	PEAP inner method started
  	11521 	Prepared EAP-Request/Identity for inner EAP method
  	12305 	Prepared EAP-Request with another PEAP challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12304 	Extracted EAP-Response containing PEAP challenge-response
  	11522 	Extracted EAP-Response/Identity for inner EAP method
  	11806 	Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  	12305 	Prepared EAP-Request with another PEAP challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12304 	Extracted EAP-Response containing PEAP challenge-response
  	11808 	Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  	15041 	Evaluating Identity Policy
  	15048 	Queried PIP - Normalised Radius.RadiusFlowType
  	15048 	Queried PIP - Network Access.EapTunnel
  	15013 	Selected Identity Source - <redacted>
  	24430 	Authenticating user against Active Directory - <redacted>
  	24325 	Resolving identity - <redacted>
  	24313 	Search for matching accounts at join point - <redacted>
  	24315 	Single matching account found in domain - <redacted>
  	24323 	Identity resolution detected single matching account
  	24343 	RPC Logon request succeeded - <redacted>
  	24402 	User authentication against Active Directory succeeded - <redacted>
  	22037 	Authentication Passed
  	11824 	EAP-MSCHAP authentication attempt passed
  	12305 	Prepared EAP-Request with another PEAP challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12304 	Extracted EAP-Response containing PEAP challenge-response
  	11810 	Extracted EAP-Response for inner method containing MSCHAP challenge-response
  	11814 	Inner EAP-MSCHAP authentication succeeded
  	11519 	Prepared EAP-Success for inner EAP method
  	12314 	PEAP inner method finished successfully
  	12305 	Prepared EAP-Request with another PEAP challenge
  	11006 	Returned RADIUS Access-Challenge
  	11001 	Received RADIUS Access-Request
  	11018 	RADIUS is re-using an existing session
  	12304 	Extracted EAP-Response containing PEAP challenge-response
  	24715 	ISE has not confirmed locally previous successful machine authentication for user in Active Directory
  	15036 	Evaluating Authorization Policy
  	24209 	Looking up Endpoint in Internal Endpoints IDStore - <redacted>
  	24211 	Found Endpoint in Internal Endpoints IDStore
  	24432 	Looking up user in Active Directory - <redacted>
  	24325 	Resolving identity - <redacted>
  	24313 	Search for matching accounts at join point - <redacted>
  	24320 	Multiple matching accounts in forest - <redacted>
  	24324 	Identity resolution detected multiple matching accounts
  	24417 	User's Groups retrieval from Active Directory failed - <redacted>
  	15048 	Queried PIP - <redacted>.ExternalGroups (4 times)
  	15016 	Selected Authorization Profile - DenyAccess
  	15039 	Rejected per authorization profile
  	12306 	PEAP authentication succeeded
  	11503 	Prepared EAP-Success
  	11003 	Returned RADIUS Access-Reject