Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1422
Views
7
Helpful
6
Replies

Referential Integrity error - the most useless error message of all times

Arne Bier
VIP
VIP

‎08-10-2017 03:40 PM

I have spent over an hour and I still cannot find out why I cannot delete an AD join point.  Yes I know, *somewhere* in that forest of menu options is some little thing that is preventing me.  But the application knows there is a problem but it tortures the user unnecessarily.

Can someone please give me an SQL command or something to find out what dependencies my AD Join Point has, to put me out of my misery?

1 person had this problem
6 Replies 6

hslai
Cisco Employee
Cisco Employee

‎08-10-2017 03:49 PM

If prior to 2.2, you might be hitting CSCva73322. Please engage Cisco TAC on this.

0 Helpful

Arne Bier
VIP
VIP
In response to hslai

‎08-10-2017 04:16 PM

this is 2.2 patch 2

I had the TAC engaged yesterday for another issue and we poked around in Oracle a bit.  If I knew my way around the schema I'd be running an SQL query to find the dependencies.

In the longer term, having more expressive error messages would be a great thing.

0 Helpful

paul
Level 10
Level 10
In response to Arne Bier

‎08-10-2017 04:19 PM

I am assuming you checked all the usual spots:

  1. Is it reference in an External Identity Source Sequences?
  2. Is it referenced directly in any RADIUS or Device Administration Policy Sets?
  3. Is it referenced in the Admin Access configuration (i.e. you pointed the ISE GUI at it for AD auth)?

Those are the only spots off the top of my head where it could be referenced.  I am sure I am missing some more. 

0 Helpful

Arne Bier
VIP
VIP
In response to paul

‎08-10-2017 04:55 PM

Thanks - I have checked those at least three times over - I even clicked into settings I have never touched before, just in case I missed something.  The back story is that I had a Join Point called CORP, and then later I added a second join point called RES.  RES has AD trust relationship to many other domains (including CORP).  So I changed all my config to use RES instead - and this works like a charm.  I deleted all the CORP Groups that I had added, and I also managed to Leave CORP domain.  I just cannot delete the Join Point.

So far we use AD only for Admin GUI, Sponsor Portal admin groups and TACACS Policy Sets.

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to Arne Bier

‎08-10-2017 04:22 PM

CSCuc55997 is one such enhancement.

AD can be used also in the sponsor group policy, client provisioning and posture policies.

DontNeedThoseStupidPackets
Level 1
Level 1

‎04-28-2020 04:31 PM

Necro an ancient post! I had the same issue and for anybody else consulting the interwebs for the same problem, I finally find the last vestiges of the old AD join point.

 

1) Administration --> System --> Admin Access --> Authentication

2) Select the "Authentication Method" tab if not already selected

3) Select the "Password Based" radio button if not already selected

4) Select your identity source and ensure it's not the AD join point you're trying to delete

5) Try again

 

I also tried the policy export and poured through the XML to no avail. Again, sorry for pulling a necrotic post but want to document this for anybody else in the same boat.

Customers Also Viewed These Support Documents