Kerberos check SASL connectivity to AD

andrewsigna
Beginner

Hi!

DNS, AD service, and NTP server are all synced between ISE and the AD instance we are trying to sync here.

The one remaining test that fails is Kerberos, here is the error message:

Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos configuration and network settings

Does anyone know how to remedy this situation?

Thanks!

1 ACCEPTED SOLUTION
10 REPLIES

Jatin Katyal
Cisco Employee

Please ensure you have the below listed network ports open between the ISE and AD for communication. The error message you have listed suggests that port 445 (MSRPC) and 88 (Kerberos) are blocked in between.

Protocol           | Port (remote-local)                          | Target                             | Authenticated                | Notes
DNS (TCP/UDP)      | Random number greater than or equal to 49152 | DNS Servers/AD Domain Controllers  | No                           |
MSRPC              | 445                                          | Domain Controllers                 | Yes                          |
Kerberos (TCP/UDP) | 88                                           | Domain Controllers                 | Yes (Kerberos)               | MS AD/KDC
LDAP (TCP/UDP)     | 389                                          | Domain Controllers                 | Yes                          |
LDAP (GC)          | 3268                                         | Global Catalog Servers             | Yes                          |
NTP                | 123                                          | NTP Servers/Domain Controllers     | No                           |
IPC                | 80                                           | Other ISE Nodes in the Deployment  | Yes (Using RBAC credentials) |


~ Jatin

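A quick way to confirm the TCP side of the port list above from a host that sits in the same network position as the ISE node (the ISE CLI itself offers no general-purpose scripting). This is an added example, not code from the original post or from Cisco: DC_HOST is a placeholder, DNS is probed on its standard port 53 (the table lists only the local ephemeral range for it), IPC/80 is left out because it is ISE-to-ISE rather than ISE-to-AD, and the UDP side of DNS, Kerberos and NTP cannot be confirmed with a plain connect, so it is not probed. A "refused" result means the DC answered with a reset (reachable, nothing listening), while "filtered" means the SYN was silently dropped, which is what a firewall in the path usually looks like.

```python
"""Added example (not from the original post): probe the TCP ports an ISE
node needs to reach on a domain controller before joining the domain."""
import socket

# (service, TCP port) pairs taken from the port list in the post above.
# DNS/53 is an assumption (the standard port); IPC/80 is ISE-to-ISE only.
REQUIRED_TCP_PORTS = [
    ("DNS", 53),
    ("MSRPC/SMB", 445),
    ("Kerberos", 88),
    ("LDAP", 389),
    ("LDAP Global Catalog", 3268),
]


def probe_tcp(host, port, timeout=3.0):
    """Classify reachability of host:port over TCP.

    Returns "open", "refused" (RST: host up, nothing listening),
    "filtered" (no answer within timeout: typically a firewall drop),
    "unresolved" (DNS failure) or "error" for anything else.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"


def probe_dc(host, ports=REQUIRED_TCP_PORTS, timeout=3.0):
    """Probe every required TCP port on host; return {port: status}."""
    return {port: probe_tcp(host, port, timeout) for _, port in ports}


def blocked_ports(results):
    """Ports whose status is anything other than open, sorted."""
    return sorted(port for port, status in results.items() if status != "open")


def local_listener():
    """Bind a listening socket on an ephemeral loopback port so probe_tcp can
    be exercised offline; the caller must close the returned socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    DC_HOST = "dc01.abc.com"  # placeholder, replace with your DC's FQDN
    results = probe_dc(DC_HOST)
    for name, port in REQUIRED_TCP_PORTS:
        print(f"{name:20s} {port:5d}  {results[port]}")
    missing = blocked_ports(results)
    print("all required TCP ports open" if not missing else f"not open: {missing}")
```

Run it once from the ISE node's subnet and once from a host next to the DC: if a port is "open" from the DC side but "filtered" from the ISE side, the block is in the path between them rather than on the DC.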

I have the same error, and no firewall is installed on the DC.

Coming late to this party, but had the same problem recently.

Adding A record of your AD server to your DNS server resolved this problem for me. These two tests were failing with the exact same error you mentioned.

Kerberos check SASL connectivity to AD

Kerberos test obtaining join point TGT  

Something like this was added to DNS

win2008.homelab.local. IN A 192.168.0.100

Can you add more details? I have exactly the same problem. I have a single node ISE deployment running admin, PSN and MnT personas on it.

I am joining the ISE node to the abc.com domain, and on doing an nslookup of abc.com I am getting 10.10.10.10 (DC IP). The same DC is running the DNS server too. My ISE server IP is 10.10.10.20.

Could you advise what DNS record I need? Appreciate your help.

torkis.halomoan
Beginner

Bro, what did you do to solve this issue? I have the same issue as you.

Check time between NAC and AD controller. Needs to be within 5 minutes or so or Kerberos will fail.
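The skew the reply above refers to can be measured directly rather than eyeballed. This is an added example, not code from the thread or from Cisco: a minimal SNTP client (RFC 4330 packet layout) that asks the domain controller (or any NTP server; NTP_SERVER is a placeholder) for its time, computes the offset from the four timestamps, and compares it with the 300-second tolerance Kerberos uses by default. The reply parser is kept separate from the network call, and build_ntp_reply constructs a fake server reply, so the arithmetic can be checked offline.

```python
"""Added example (not from the original thread): measure clock offset to an
NTP server over UDP/123 and compare it with the Kerberos skew tolerance."""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
MAX_SKEW_SECONDS = 300         # Kerberos default clock-skew tolerance
# Header: LI/VN/Mode, stratum, poll, precision, then 11 32-bit words:
# root delay, root dispersion, ref id, and four 64-bit timestamps.
NTP_FORMAT = "!B B B b 11I"


def ntp_to_unix(seconds, fraction):
    """Convert an NTP timestamp (seconds, 2^-32 fraction) to Unix time."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def parse_ntp_reply(packet):
    """Return (t2, t3): server receive and transmit time as Unix time."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    fields = struct.unpack(NTP_FORMAT, packet[:48])
    rx_s, rx_f, tx_s, tx_f = fields[11], fields[12], fields[13], fields[14]
    return ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)


def clock_offset(packet, t1, t4):
    """RFC 4330 offset ((t2 - t1) + (t3 - t4)) / 2; positive means the server
    is ahead of this host. t1/t4 are the client's send/receive times."""
    t2, t3 = parse_ntp_reply(packet)
    return ((t2 - t1) + (t3 - t4)) / 2


def skew_ok(offset, limit=MAX_SKEW_SECONDS):
    """True when the absolute offset is within the Kerberos tolerance."""
    return abs(offset) <= limit


def build_ntp_request():
    """Client request: LI=0, VN=3, Mode=3 -> first byte 0x1b, rest zero."""
    return b"\x1b" + b"\x00" * 47


def query_offset(server, timeout=3.0):
    """Send one SNTP request and return the offset in seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_ntp_request(), (server, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return clock_offset(data, t1, t4)


def build_ntp_reply(t2_unix, t3_unix):
    """Construct a server-mode reply for offline testing (not a real server)."""
    def split(unix):
        secs = int(unix) + NTP_EPOCH_OFFSET
        frac = int((unix - int(unix)) * 2**32)
        return secs, frac
    rx_s, rx_f = split(t2_unix)
    tx_s, tx_f = split(t3_unix)
    # 0x1c: LI=0, VN=3, Mode=4 (server); stratum 2; poll 6; precision -20
    return struct.pack(NTP_FORMAT, 0x1c, 2, 6, -20,
                       0, 0, 0, 0, 0, 0, 0, rx_s, rx_f, tx_s, tx_f)


if __name__ == "__main__":
    NTP_SERVER = "dc01.abc.com"  # placeholder, replace with your DC or NTP source
    off = query_offset(NTP_SERVER)
    verdict = "OK" if skew_ok(off) else "TOO LARGE for Kerberos"
    print(f"offset vs {NTP_SERVER}: {off:+.3f} s -> {verdict}")
```

Run it from the ISE node's subnet against the same NTP source ISE is configured with, and then against the DC itself: if the two disagree by minutes, the DC and ISE are synced to different sources and the "both say NTP is fine" symptom in the original question is explained.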


Solved: troubleshot by rejoining AD on Cisco ISE. Thank you for the answer (y).

The same thing happened to me and I resolved it by adding a host entry into my forward lookup zone.

Go to your Windows Server DNS manager > forward lookup zones > the zone you have created that your ISE/AD server uses. In my case it is 'mylab.local'
Create a new host entry under that zone.

The name field will be the hostname of ISE. If you are unsure of what it is, check the report under the test details in your diagnostic tool menu. It will mention at the top, 'Diagnostic Report for ISE node: my-ise-server.mylab.local'
Go back to your Windows Server and enter that hostname as the name, then under the IP address field enter the IP of your ISE node.

Save changes and restart your DNS server service. Then try to re-join your AD in ISE from scratch again.
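Both the A-record reply earlier in the thread and the forward-lookup-zone procedure above come down to the same check: the ISE node and the DC must each resolve to the expected address, and ideally the PTR for that address must name the same host. This added example (not code from the thread or from Cisco) classifies the DNS state of each host using only the standard library resolver of the machine it runs on, so run it on a host that uses the same DNS servers as the ISE node. The HOSTS map is a placeholder built from the addresses quoted in the thread; the resolve/reverse parameters exist so the logic can be exercised offline with stub resolvers.

```python
"""Added example (not from the original thread): verify forward (A) and
reverse (PTR) records for the ISE node and the domain controller."""
import socket


def check_record(fqdn, expected_ip,
                 resolve=socket.gethostbyname_ex, reverse=socket.gethostbyaddr):
    """Classify one host's DNS state.

    Returns one of:
      "missing"      - no A record (resolver failure / NXDOMAIN)
      "mismatch"     - A record exists but does not include expected_ip
      "no-ptr"       - A record correct but no PTR for expected_ip
      "ptr-mismatch" - PTR exists but names a different host
      "ok"           - forward and reverse agree with expected_ip
    """
    try:
        _, _, addrs = resolve(fqdn)
    except socket.gaierror:
        return "missing"
    if expected_ip not in addrs:
        return "mismatch"
    try:
        ptr_name, _, _ = reverse(expected_ip)
    except (socket.herror, socket.gaierror):
        return "no-ptr"
    if ptr_name.rstrip(".").lower() != fqdn.rstrip(".").lower():
        return "ptr-mismatch"
    return "ok"


def check_all(hosts, **resolvers):
    """Run check_record over a {fqdn: expected_ip} map; return {fqdn: status}."""
    return {fqdn: check_record(fqdn, ip, **resolvers) for fqdn, ip in hosts.items()}


def stub_resolvers(a_records, ptr_records):
    """Build resolve/reverse callables from dicts that mimic the exceptions the
    socket functions raise. For offline checks only; not a DNS client."""
    def resolve(name):
        key = name.rstrip(".").lower()
        if key not in a_records:
            raise socket.gaierror(-2, "Name or service not known")
        return name, [], [a_records[key]]

    def reverse(ip):
        if ip not in ptr_records:
            raise socket.herror(1, "Unknown host")
        return ptr_records[ip], [], [ip]

    return resolve, reverse


if __name__ == "__main__":
    HOSTS = {  # placeholders built from the addresses quoted in the thread
        "ise01.abc.com": "10.10.10.20",
        "dc01.abc.com": "10.10.10.10",
    }
    for fqdn, status in check_all(HOSTS).items():
        print(f"{fqdn:30s} {status}")
```

"missing" for the ISE node is the case the two replies above fixed by adding the A record; "no-ptr" is worth fixing at the same time, since the DC's reverse zone is the other place a join can trip over a hostname it cannot map back to an address.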

 

Thanks all for the pointers!

I have this same error on one node.

DNS -> check

FW ports -> check

Delegated permission to join for the user account -> check

Able to resolve domain -> check

time sync with Domain Controller -> check

Last option I am looking at is patching ISE.

Does anyone here have a different solution?
