Solved: Re: Kerberos check SASL connectivity to AD

andrewsigna · ‎02-03-2016

Hi!

DNS, AD service, and NTP server all all synced between ISE and the AD instance we are trying to sync here.

The one remaining test that fails is Kerberos, here is the error message:

Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos configuration and network settings

Does anyone know how to remedy this situation?

Thanks!

Jason Kunst · ‎07-18-2019

Please see the requirements under https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html#reference_EA017E71F25145C9A1374373ABFA102E

View solution in original post

Jatin Katyal · ‎02-03-2016

Please ensure you have the below listed network Ports open between the ISE and AD for communication. The error message you have listed suggest that Port 445 (MSRPC) and 88 (kerberos) are blocked in between.

Protocol	Port (remote-local)	Target	Authenticated	Notes
DNS (TCP/UDP)	Random number greater than or equal to 49152	DNS Servers/AD Domain Controllers	No	—
MSRPC	445	Domain Controllers	Yes	—
Kerberos (TCP/UDP)	88	Domain Controllers	Yes (Kerberos)	MS AD/KDC
LDAP (TCP/UDP)	389	Domain Controllers	Yes	—
LDAP (GC)	3268	Global Catalog Servers	Yes	—
NTP	123	NTP Servers/Domain Controllers	No	—
IPC	80	Other ISE Nodes in the Deployment	Yes (Using RBAC credentials)	—

~ Jatin

~Jatin

Willieh13 · ‎12-05-2017

I have the same error, and no firewall is installed on the DC.

mprstacic · ‎04-20-2018

Coming late to this party, but had the same problem recently.

Adding A record of your AD server to your DNS server resolved this problem for me. These two tests were failing with the exact same error you mentioned.

Kerberos check SASL connectivity to AD

Kerberos test obtaining join point TGT

Something like this was added to DNS

win2008.homelab.local. IN A 192.168.0.100

gagandeeps1 · ‎07-16-2019

Can you add more details. I have exactly same problem. I have single node ISE deployment reunning admin, PSN and MnT personas on it.

I am joining ISE node to abc.com domain and on doing nslookup to abc.com i am getting 10.10.10.10 (DC IP). Same DC is running DNS Server too. My ISE server ip is 10.10.10.20.

Could you advise what DNS record i need. Appreciate your help.

Jason Kunst · ‎07-18-2019

Please see the requirements under https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html#reference_EA017E71F25145C9A1374373ABFA102E

torkis.halomoan · ‎06-19-2020

Bro, what do you do to solve this issue ? I have same issue with you

Willieh13 · ‎06-19-2020

Check time between NAC and AD controller. Needs to be within 5 minutes or so or Kerberos will fail.

torkis.halomoan · ‎06-23-2020

Solved : Troubleshoot with rejoin AD to cisco ISE, Thank you for answer (y).

benjamin.gillies · ‎11-29-2020

The same thing happened to me and I resolved it by adding a host entry into my forward lookup zone.

Go to your Windows Server DNS manager > forward lookup zones > the zone you have created that your ISE/AD server uses. In my case it is 'mylab.local'
Create a new host entry under that zone.

The name field will be the hostname of ISE. If you are unsure of what it is, check the report under the test details in your diagnostic tool menu. It will mention at the top, 'Diagnostic Report for ISE node: my-ise-server.mylab.local'
Go back to your windows server and enter as your name and then under the IP address field, enter the IP of your ISE node.

Save changes and restart your DNS server service. Then try to re-join your AD in ISE from scratch again.

Thanks all for the pointers!

JanusBarinan60286 · ‎01-04-2021

I have this same error on one node.

DNS -> check

FW ports -> check

Delegated permission to join for the user account -> check

Able to resolve domain -> check

time sync with Domain Controller -> check

Last option I am looking at is patching ISE.

Does anyone here have a different solution?