11-30-2024 09:35 AM
I am trying to do some lab testing, and have deployed ISE and Windows AD. They are Proxmox guest VMs, configured on the same subnet and on the same host. Server is 2025 version, ISE is 3.4.0.608. The user I am authenticating with is a domain and enterprise admin in AD. ISE is using the DC for NTP, which is using a NIST server for NTP.
Relevant logs I know of and have captured (identifying info obfuscated with "x"):
"show ntp" -
Configured NTP Servers:
dc1.xxx.xxx
Reference ID : 0A0A0A0A (DC1.xxx.xxx)
Stratum : 3
Ref time (UTC) : Sat Nov 30 17:30:33 2024
System time : 0.000000462 seconds slow of NTP time
Last offset : +0.000491446 seconds
RMS offset : 0.007088298 seconds
Frequency : 41.210 ppm fast
Residual freq : +0.756 ppm
Skew : 9.433 ppm
Root delay : 0.107027695 seconds
Root dispersion : 0.077161357 seconds
Update interval : 65.0 seconds
Leap status : Normal
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* DC1.xxxx.xxx 2 6 377 32 +286us[ +777us] +/- 142ms
"show clock" matches the clock on the DC to the second.
From the GUI upon failing to join AD
Error Description: ASN.1 failed call to system time library
Support Details...
Error Name: LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT
Error Code: 41701
From ISE ad_agent.log:
2024-11-30 09:13:13,532 ERROR ,140372674062080,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:226
2024-11-30 09:13:13,560 WARNING,140372674062080,DCPriorityList::isBestDC: dc=[DC1.xxxx.xxx], address=[10.10.10.10] was not found in score map,,lwadvapi/threaded/dc_pri_list.cpp:449
2024-11-30 09:13:13,560 WARNING,140372674062080,DCPriorityList::getDCScoreByAddress: dc=[DC1.xxxx.xxx], address=[10.10.10.10] not found,,lwadvapi/threaded/dc_pri_list.cpp:467
2024-11-30 09:13:13,570 WARNING,140372674062080,[LwKrb5GetTgtImpl ../../lwadvapi/threaded/krbtgt.c:329] KRB5 Error code: 1859794432 (Message: ASN.1 failed call to system time library),,lwadvapi/threaded/lwkrb5.c:892
2024-11-30 09:13:14,660 ERROR ,140372644554496,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:369
2024-11-30 09:13:14,726 ERROR ,140372674062080,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:226
Wireshark packet capture notable entries
290 09:23:33.103832 10.10.10.10 10.10.10.6 KRB5 299 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
292 09:23:33.107427 10.10.10.10 10.10.10.6 KRB5 130 KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG
Other packets in the conversation look normal - query responses contain required records, etc.
Security Event Logs on the domain controller show two events for Kerberos Authentication Service that appear normal/successful - the "Response ticket hash" is shown.
Really not sure where to go here. This is a lab, and while I have licensed ISE at work, this is a trial install, so no TAC option, I don't believe.
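The KRB5 error code in the ad_agent.log excerpt, 1859794432, is MIT krb5's ASN1_BAD_TIMEFORMAT, the value returned when a KerberosTime (RFC 4120 GeneralizedTime, YYYYMMDDHHMMSSZ) received in a KDC reply cannot be converted into a system time value. As an added example, not code from the poster or from Cisco, here is a strict KerberosTime checker of that shape plus a triage pass over constructed ad_agent.log lines like the ones above; the checks are an approximation of what the krb5 decoder does, not a copy of it.

```python
import re
from datetime import datetime, timezone

# MIT krb5 asn1_err.h: ASN1_BAD_TIMEFORMAT, "ASN.1 failed call to system time library"
ASN1_BAD_TIMEFORMAT = 1859794432

# RFC 4120 5.2.3: KerberosTime is GeneralizedTime restricted to
# YYYYMMDDHHMMSSZ, no fractional seconds, no local-time offset.
KERBEROS_TIME = re.compile(r"^\d{14}Z$")

def parse_kerberos_time(value: str) -> datetime:
    """Strict KerberosTime decode. ValueError for fractional seconds, a
    numeric offset, a missing 'Z', or fields that are not a real instant
    (the 'system time library' conversion step)."""
    if not KERBEROS_TIME.match(value):
        raise ValueError(f"not of the form YYYYMMDDHHMMSSZ: {value!r}")
    # strptime rejects impossible fields such as month 13 or hour 99.
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def is_valid_kerberos_time(value: str) -> bool:
    try:
        parse_kerberos_time(value)
        return True
    except ValueError:
        return False

# ad_agent.log shape seen above: "<date> <time>,<ms> <LEVEL>,<thread>,<message>,,<file:line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+)\s*,(?P<tid>\d+),(?P<msg>.*?),,(?P<src>\S+)$")
KRB5_CODE = re.compile(r"KRB5 Error code: (\d+) \(Message: ([^)]*)\)")

def triage_ad_agent_log(lines):
    """Pull the KRB5 error codes out of ad_agent.log lines so the real cause
    stands out from the generic LW_ERROR_NOT_JOINED_TO_AD noise."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        code = KRB5_CODE.search(m["msg"]) if m else None
        if not code:
            continue
        num = int(code.group(1))
        findings.append({"ts": m["ts"], "code": num, "source": m["src"],
                         "name": "ASN1_BAD_TIMEFORMAT" if num == ASN1_BAD_TIMEFORMAT else "other",
                         "message": code.group(2)})
    return findings

# Constructed sample lines in the shape of the excerpt above (not real capture data).
SAMPLE_LOG = [
    "2024-11-30 09:13:13,532 ERROR ,140372674062080,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:226",
    "2024-11-30 09:13:13,570 WARNING,140372674062080,[LwKrb5GetTgtImpl ../../lwadvapi/threaded/krbtgt.c:329] KRB5 Error code: 1859794432 (Message: ASN.1 failed call to system time library),,lwadvapi/threaded/lwkrb5.c:892",
]
```

Running `triage_ad_agent_log` over a real ad_agent.log separates the one line that names the Kerberos decode failure from the repeated not-joined status errors that follow from it.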
02-23-2025 02:11 AM - edited 02-23-2025 04:00 AM
We ran into the same issue. We're running ISE 3.1.0.518 patch 9 and our Windows team just upgraded the Windows domain controller to 2025. Bug CSCwn62873 says to downgrade to Windows 2022.
Also affected is Firewall Management Center Version 7.4.2.1 (build 30)
Is there an ETA for a bugfix?
03-17-2025 08:26 AM
Upgrading to Windows 2025 Active Directory has caused issues for our ISE environment as well. Have a TAC case opened.
04-23-2025 05:42 AM
Reply from TAC:
Currently, the only workaround for the bug CSCwn62873 is to install a hot patch on the deployment. However, this is only available for ISE version 3.3 patch 4 and 3.2 patch 7.
It is expected that this bug will be fixed in the following versions of ISE: 3.4 patch 2, 3.3 patch 6 and 3.2 patch 8. Unfortunately, I don't have any information regarding an estimated date for a fix for this bug for ISE 3.1.
That being said, you can integrate ISE with Active Directory 2022, which is the latest version of AD that is compatible with ISE 3.1, or upgrade ISE to a newer version that already has a hot patch that can be applied.
You can check more detailed information regarding ISE compatibility with AD in this link: https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/compatibility_doc/b_ise_sdt_31.html