01-02-2024 09:11 PM
Hello everyone, I want to configure an identity policy on FMC with Active Directory Kerberos. The guide says: "The Realm you select must be configured with an AD Join Username and AD Join Password to perform Kerberos captive portal active authentication." But when I test AD Join there is an error: "AD Join test failed." The credentials are the same as the LDAP realm's; group and user sync works.
01-02-2024 10:33 PM - edited 01-02-2024 10:51 PM
System -> Integration, then add the realm and directory.
MHM
01-03-2024 01:25 AM
The realm is already added; the screenshots above are the settings of the existing realm.
01-03-2024 01:37 AM
Can you ping the FMC mgmt IP from AD?
I think it is a reachability issue.
MHM
01-03-2024 01:47 AM
No problem with the access rule; I can load groups and users.
01-03-2024 01:52 AM
The first step of the AD join test is resolving the AD FQDN to an IP.
So check this step.
MHM
01-03-2024 10:39 PM - edited 01-03-2024 10:40 PM
If I ping the AD FQDN from the FMC CLI, the hostname resolves and the ping succeeds.
01-03-2024 03:07 AM
Keep in mind that the username on the Realm Configuration page is not LDAP, it is Kerberos. Be sure that tcp/udp 88 and 464 are permitted.
Other things to consider are from the following output of the 7.2.x administration guide:
AD Join Username and AD Join Password
(Available on the Realm Configuration tab page when you edit a realm.)
For Microsoft Active Directory realms intended for Kerberos captive portal active authentication, the distinguished username and password of any Active Directory user with appropriate rights to create a Domain Computer account in the Active Directory domain.
Keep the following in mind:
DNS must be able to resolve the domain name to an Active Directory domain controller's IP address.
The user you specify must be able to join computers to the Active Directory domain.
The user name must be fully qualified (for example, administrator@mydomain.com, not administrator).
If you choose Kerberos (or HTTP Negotiate, if you want Kerberos as an option) as the Authentication Protocol in an identity rule, the Realm you select must be configured with an AD Join Username and AD Join Password to perform Kerberos captive portal active authentication.
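The three requirements quoted from the administration guide above (DNS resolves the domain to a domain controller, Kerberos ports reachable, join username fully qualified) can be checked from a shell before retrying the AD Join test. The script below is a constructed example added to this thread, not Cisco tooling; the domain and username it uses are placeholders, it relies on `dig` and `nc` being present, and it only checks the TCP side of 88/464 (a UDP probe with `nc -u` cannot confirm reachability reliably).

```shell
# Constructed pre-flight check for an FMC AD Join failure (hypothetical
# script, not Cisco's). Run from the FMC CLI shell or any host on the same
# management network: sh adjoin_preflight.sh mydomain.com joinuser@mydomain.com

# Requirement: the join user must be user@domain, not a bare sAMAccountName.
check_join_username() {
  case "$1" in
    *@*.*) return 0 ;;   # e.g. administrator@mydomain.com
    *)     return 1 ;;   # e.g. administrator (rejected)
  esac
}

# Requirement: DNS must resolve the domain to a domain controller. Look up
# the Kerberos SRV record first (the standard way to locate a KDC), then
# fall back to the domain's A record.
resolve_kdc() {
  domain="$1"
  srv=$(dig +short SRV "_kerberos._tcp.${domain}" 2>/dev/null \
        | awk '{print $4}' | sed 's/\.$//' | head -n1)
  if [ -n "$srv" ]; then
    dig +short A "$srv" 2>/dev/null | head -n1
  else
    dig +short A "$domain" 2>/dev/null | head -n1
  fi
}

# Requirement: tcp 88 (Kerberos) and tcp 464 (kpasswd, used by the join)
# must be open between FMC and the DC. TCP only; UDP is not probed here.
check_tcp_port() {
  nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Run all checks and report what a failing AD Join test would need fixed.
adjoin_preflight() {
  domain="$1"; user="$2"; status=0
  if check_join_username "$user"; then
    echo "OK   join username is fully qualified: $user"
  else
    echo "FAIL join username must be user@${domain}, got: $user"; status=1
  fi
  kdc=$(resolve_kdc "$domain")
  if [ -n "$kdc" ]; then
    echo "OK   $domain resolves to a domain controller at $kdc"
    for p in 88 464; do
      if check_tcp_port "$kdc" "$p"; then
        echo "OK   tcp/$p reachable on $kdc"
      else
        echo "FAIL tcp/$p blocked to $kdc (check access rules between FMC and AD)"
        status=1
      fi
    done
  else
    echo "FAIL DNS cannot resolve $domain (no _kerberos._tcp SRV or A record)"
    status=1
  fi
  return $status
}

# Live checks only run when a domain is passed on the command line.
if [ -n "$1" ]; then
  adjoin_preflight "$1" "${2:-}"
fi
```

A non-zero exit from `adjoin_preflight` points at which of the guide's prerequisites is missing; if all three pass and the join still fails, the remaining suspects are the join account's rights to create computer objects and the Kerberos settings on the DC itself.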
01-03-2024 10:36 PM
1. DNS resolves the domain name; pinging the domain name from the FMC CLI works.
2. The user has the super-administrator role.
3. The username is fully qualified.
01-03-2024 01:31 AM
Are the AD server and FMC on the same subnet? If not, make sure that the access rule allows the connection between FMC and AD.
01-03-2024 01:46 AM
No problem with the access rule; I can load groups and users.
05-02-2024 06:59 AM
Were you able to resolve this issue? I have the same problem. I think the last change I made that broke this was to disable some older cipher suites (3DES) on our Windows DC. Not sure it is related, but authentication via Kerberos for Remote Storage doesn't work either. I opened a TAC case on that one and they said the feature doesn't exist in 7.2.
06-01-2024 02:16 AM
Haven't resolved it yet.
06-25-2024 07:21 AM
Still not resolved?
07-11-2024 03:59 AM
Still not resolved?