09-08-2017 07:55 AM - edited 02-21-2020 10:33 AM
Hello,
I am trying to configure an ISE-PIC. I already have the DC configured, joined, and WMI configured successfully according to the message shown on the ISE-PIC, but I don't see any live session at all. I configured an FMC as a Provider and I verified that is not sharing information. Any idea what is happening?
Thank you in advance for the help!
Regards,
Jaime
Solved! Go to Solution.
09-21-2017 10:45 AM
Hello,
Finally I solved the issue with the help of a Microsoft Consultant. The issue was due some Kerberos audit logs that were disabled, and therefore, the information was not sent via WMI. In summary:
Hope it helps!
09-11-2017 10:11 AM
Jamie,
An easy way to test is to log into the domain controller using a domain account. That should populate the logon event in the session directory of PIC. Alternately, you could use RDP. You should also check the status of the DC on the dashboard. It should be green.
Regards,
-Tim
09-11-2017 10:30 AM
Thanks Timothy! I found out that even when the WMI configuration showed a success the first time, when I repeat the process, an error appears:
Successfully configured 0/1 DC
Unable to run executable on AD.domain.com, The IseExec remote copy failed to set credentials
I followed the procedure showed on this doc Configure ISE-PIC to monitor AD using WMI, and the pre-requisites stated on the installation guide, but without success.
I am struggling with the WMI logs and messages because there is almost no information about it. May be, if you have info about the logs and the interpretation of them, I'd appreciate it very much.
PS: the domain admin account works without issues.
Regards,
James
09-11-2017 12:48 PM
Hi,
Two things to try:
Thanks,
Shay
09-21-2017 10:45 AM
Hello,
Finally I solved the issue with the help of a Microsoft Consultant. The issue was due some Kerberos audit logs that were disabled, and therefore, the information was not sent via WMI. In summary:
Hope it helps!
05-07-2018 06:44 AM
Hi,
I doubt it's really necessary to enable Kerberos audit logs as MS support says:
"Kerberos event logging is intended only for troubleshooting purpose when you expect additional information for the Kerberos client-side at a defined action timeframe. Restated, kerberos logging should be disabled when not actively troublehshooting."
https://support.microsoft.com/en-us/help/262177/how-to-enable-kerberos-event-logginghttps://support.microsoft.com/en-us/help/262177
I have same problem (no live sessions, even the wmi connection is green), but would not like to enable kerberos audit logs
Any other ideas?
-mikko
05-07-2018 07:47 AM
See Set the Windows Audit Policy under Active Directory Requirements to Support Easy Connect and Passive Identity services
The logging might have initially intended for troubleshooting only but it is used as the source to derive ISE Passive Identities.
If you are not using Easy Connect, then you may try other providers.
05-07-2018 11:02 AM
Hi,
According to the MS Consultant, ISE audits 4768 (Kerberos Ticket Granting) and 4770 (Kerberos Ticket Renewal). If these events are not being logged, it may not be possible to see the events on ISE PIC/ISE.
Hope it helps,
James
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: