LDAP Return String change after Upgrading from 1.4 to 2.1

Charlie Moreton
Cisco Employee

Customer has a pending TAC case for the issue detailed below (opened on 12/28/2016).  So far, there has been no traction.  Has anyone seen this and come up with a workaround?

tl;dr = LDAP attributes have changed between ISE 1.4 and 2.1: an additional CN is returned, causing errors when Machine Names are the same as Account Names.

The issue we are encountering is clearly due to a change that Cisco made to their LDAP search in version 2.1 where they added a CN attribute to the search filter as captured on the AD_Agent logs below:

In ISE 2.1 the LDAP search for a user on this case "woofter" is returning 2 results as shown below:

---------------------------------------------------------------------------------------------------------------------

05/01/2017 18:23:13,DEBUG ,139624622061312,AdIdentityResolver::search: do (&(|(objectCategory=person)(objectCategory=computer))(|(cn=woofter)(sAMAccountName=woofter)))search in forest dsrsd.com,searchIdentity(),lsass/server/auth-providers/ad-open-provider/ad_identity_resolver_impl.cpp:633

05/01/2017 18:23:13,DEBUG ,139624622061312,LsaDmpLdapOpen: gc=1, domain=dsrsd.com,LsaDmpLdapOpen(),lsass/server/auth-providers/ad-open-provider/lsadm.c:4014

05/01/2017 18:23:13,DEBUG ,139624622061312,LsaDmpLdapOpen: search for connection in pool,LsaDmpLdapOpen(),lsass/server/auth-providers/ad-open-provider/lsadm.c:4040

05/01/2017 18:23:13,DEBUG ,139624622061312,AdLdapConnPool::retrieve(0x7efd00004420): JP=dsrsd.com, forest=dsrsd.com, size=0,retrieve(),lsass/server/auth-providers/ad-open-provider/ad_ldap_conn_pool.cpp:99

05/01/2017 18:23:13,VERBOSE,139624622061312,AdIdentitySearcher::performSearch: forest=[dsrsd.com], base=[dc=dsrsd,dc=com], filter=[(&(|(objectCategory=person)(objectCategory=computer))(|(cn=woofter)(sAMAccountName=woofter)))],performSearch(),lsass/server/auth-providers/ad-open-provider/ad_identity_searcher.cpp:254

05/01/2017 18:23:13,VERBOSE,139624622061312,LsaDmLdapDirectorySearch: forest=dsrsd.com, scope=2, query=(&(|(objectCategory=person)(objectCategory=computer))(|(cn=woofter)(sAMAccountName=woofter))),LsaDmLdapDirectorySearch(),lsass/server/auth-providers/ad-open-provider/lsadm.c:4264

18:23:13,VERBOSE,139624622061312,AdIdentitySearcher::performSearch: number of matching entries is 2,performSearch(),lsass/server/auth-providers/ad-open-provider/ad_identity_searcher.cpp:275

As you can see, because of the change introduced in 2.1 the search result is returning two results (user and computer), causing ISE to reject the authentication request.

The log from ISE 1.4 shown below didn't have the AD attribute CN on it, and it only returns one result for the same search.

--------------------------------------------------------------------------------------------------------------------------------------------------

05/01/2017 18:59:52,VERBOSE,140201613584128,AdIdentitySearcher::performSearch: forest=[dsrsd.com], base=[dc=dsrsd,dc=com], filter=[(&(|(objectCategory=person)(objectCategory=computer))(sAMAccountName=woofter))],lsass/server/auth-providers/ad-open-provider/ad_identity_searcher.cpp:253

05/01/2017 18:59:52,VERBOSE,140201613584128,LsaDmLdapDirectorySearch: forest=dsrsd.com, scope=2, query=(&(|(objectCategory=person)(objectCategory=computer))(sAMAccountName=woofter)),lsass/server/auth-providers/ad-open-provider/lsadm.c:4227

05/01/2017 18:59:52,VERBOSE,140201613584128,AdIdentitySearcher::performSearch: number of matching entries is 1,lsass/server/auth-providers/ad-open-provider/ad_identity_searcher.cpp:274

I even ran both LDAP queries on our Active Directory and both were matching what ISE was returning:

[Screenshots LDAP3.PNG and LDAP4.PNG: the two LDAP queries run against Active Directory, returning 2 and 1 results respectively]

Charles Moreton
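As an added example (not from the post or from Cisco), the following small offline model of the two AD_Agent filters quoted above runs them over constructed directory entries, showing why the 2.1 filter matches both the user and the computer object when a computer's CN equals a user's sAMAccountName, and gives a pre-upgrade check that lists such collisions. The entry data, names and the `objectCategory` short-form matching are constructed assumptions for the model.

```python
from typing import Callable, Dict, List

# Constructed sample directory (assumption: objectCategory stored as the short
# form "person"/"computer"). Computer accounts carry a trailing "$" in
# sAMAccountName, so the 1.4 filter (sAMAccountName only) never collides with a
# same-named user; the 2.1 filter adds cn= and does.
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "CN=woofter,OU=Users,DC=example,DC=com",
     "objectCategory": "person", "cn": "woofter", "sAMAccountName": "woofter"},
    {"dn": "CN=woofter,OU=Computers,DC=example,DC=com",
     "objectCategory": "computer", "cn": "woofter", "sAMAccountName": "woofter$"},
    {"dn": "CN=alice,OU=Users,DC=example,DC=com",
     "objectCategory": "person", "cn": "alice", "sAMAccountName": "alice"},
    {"dn": "CN=alice-pc,OU=Computers,DC=example,DC=com",
     "objectCategory": "computer", "cn": "alice-pc", "sAMAccountName": "alice-pc$"},
]

def _eq(entry: Dict[str, str], attr: str, value: str) -> bool:
    # AD string attribute matching is case-insensitive
    return entry.get(attr, "").lower() == value.lower()

def _is_principal(entry: Dict[str, str]) -> bool:
    # (|(objectCategory=person)(objectCategory=computer))
    return _eq(entry, "objectCategory", "person") or _eq(entry, "objectCategory", "computer")

def ise14_filter(entry: Dict[str, str], identity: str) -> bool:
    # ISE 1.4: (&(|(objectCategory=person)(objectCategory=computer))(sAMAccountName=<id>))
    return _is_principal(entry) and _eq(entry, "sAMAccountName", identity)

def ise21_filter(entry: Dict[str, str], identity: str) -> bool:
    # ISE 2.1: (&(|(objectCategory=person)(objectCategory=computer))
    #            (|(cn=<id>)(sAMAccountName=<id>)))
    return _is_principal(entry) and (_eq(entry, "cn", identity) or _eq(entry, "sAMAccountName", identity))

def search(directory: List[Dict[str, str]], predicate: Callable, identity: str) -> List[str]:
    """Return the DNs an identity lookup would match under the given filter."""
    return [e["dn"] for e in directory if predicate(e, identity)]

def find_collisions(directory: List[Dict[str, str]]) -> List[str]:
    """Pre-upgrade check: user sAMAccountNames that also appear as a computer CN,
    i.e. the identities that will return 2 entries under the 2.1 filter."""
    computer_cns = {e["cn"].lower() for e in directory if _eq(e, "objectCategory", "computer")}
    return sorted(e["sAMAccountName"] for e in directory
                  if _eq(e, "objectCategory", "person")
                  and e["sAMAccountName"].lower() in computer_cns)

if __name__ == "__main__":
    print("1.4 matches:", search(DIRECTORY, ise14_filter, "woofter"))  # 1 entry
    print("2.1 matches:", search(DIRECTORY, ise21_filter, "woofter"))  # 2 entries
    print("collisions:", find_collisions(DIRECTORY))
```

Against a real domain the same collision check can be run with any LDAP client by comparing the set of computer CNs to the set of user sAMAccountNames before upgrading.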

Accepted Solution

hslai
Cisco Employee

If not already done, I would recommend applying ISE 2.1 Patch 2, which includes fixes for

CSCva75869 ISE : T+ Authorization fail due to same user and computer name in AD

CSCva86683 ISE 2.1 EAP-Chaining fails to retrieve AD user attributes

caused by an earlier bug fix for CSCuy78320
