ISE problem "Joined to domain but disconnected"

jiyoung Kim · ‎02-13-2013

Hi all experts.

I recently have experienced this issue.

I have been using ISE1.1.2.145 and joined to AD since the ISE was released, but never seen this error before.

I did not touch any configuration and I was trying to test CWA with multiple WLCs.

I finished all configuration about CWA, and I was verifing if it is working.

while I was trying to login as user on AD, I could not. so I looked up on External Identity Source and it apears.

does anyone know why it is giving me that error ?

the ISE and AD both see the same NTP and time difference between them is only 1 minute, timezone is same.

even though they are looking at the same NTP, it's outside of private network and it is isolated.

also, I am able to ping each other. DNS is working. I don't see why it is not working......

can anyone help me with this problem ?

nspasov · ‎02-14-2013

NTP and timezones are very important for ISE. If both the AD and ISE are using the same NTP server then they should not be any variance between the two clocks. Can you:

1. Run "show ntp" from CLI and see if the association with the NTP server is correct

2. What happens when you try to connect to AD? (Make sure that the AD account has the proper permissions)

Thank you for rating!

harvisin · ‎07-09-2013

Hello,

I went through your query and I guess there Can be several things for the issue to persist.

Just want to know if you had run a detailed test connection from the GUI to see if any issues come up?

Without any other data, first guess would be the DNS name server setting on the Cli. IF AD is used, the CLI should be containing only Dns that know about AD.

For example, having a mix of DNS name servers, some of which don't include AD info can cause this.

Next steps would be:

run Detailed test connection, send the output
Set ad diagnositc debug to full, perfrom a leave, wait 5 mins to ensure replication or removal of machie account from AD, perform a join, and download the ad_agent.log for investigation.

Jatin Katyal · ‎07-10-2013

If you perform a Leave, wait for few minutes and Join to the domain, does it correct the issue? To identify the cause of this issue, you would really need to capture the ad_agent logs and try to pinpoint what failed with the AD communication. That's the only way to get to the bottom of this.

~BR
Jatin Katyal

**Do rate helpful posts**

If you perform a Leave/Join of the domain, does it correct the issue?

~Jatin

xxkozxx · ‎11-15-2013

I had this issue as well but my NTP settings were correct and the time was not slipped at all.

I logged into the cli and ran this: #sh logging application ad_agent.log tail

which led me to this error:

2013-11-15T07:55:57.177566-06:00 host-psn1 adclient[10469]: INFO base.bind.healing Lost connection to DVN.COM(GC). Running in disconnected mode: KDC refused skey: Preauthentication failed

2013-11-15T07:55:57.282448-06:00 host-psn1 adclient[10469]: ERROR base.adagent Can't use default machine password. Please reset computer account in Active Directory.

Go into Active Directory Users and Computers and right click on the computer account object and click reset account.

Which resulted in these log entries:

2013-11-15T07:57:57.473370-06:00 host-psn1 adclient[10469]: INFO samba.interop Attempting interoperability with untested Samba version .

2013-11-15T07:57:58.266485-06:00 host-psn1 adclient[10469]: INFO base.bind.healing Reconnected to odcmsadrw002p.dvn.com(GC). Running in connected

mode.

2013-11-15T07:58:25.006230-06:00 host-psn1 adclient[10469]: INFO daemon.main Start trusted domain discovery

2013-11-15T07:58:25.058151-06:00 host-psn1 adclient[10469]: INFO daemon.main Trusted domain discovery complete : 4 domains found

2013-11-15T07:58:25.058189-06:00 host-psn1 adclient[10469]: INFO daemon.main Have new domain info map: flushing all negative objects

2013-11-15T07:58:25.100676-06:00 host-psn1 adclient[10469]: INFO base.kerberos.krb5conf Wrote /etc/krb5.conf

That fixed me up. Hope this helps someone else out there.