FMC AD Join test failed

Hello everyone, I want to configure an identity policy on FMC with Active Directory Kerberos. The guide says: "The Realm you select must be configured with an AD Join Username and AD Join Password to perform Kerberos captive portal active authentication." But when I test AD Join there is an error: AD Join test failed. The credentials are the same as for the LDAP realm, and Group and User sync works.


14 Replies

System -> Integration, then add realm and directory.


MHM


Realm already added; the screenshots above are the settings of the existing realm.

Can you ping the FMC mgmt IP from AD?

I think it is a reachability issue.

MHM

No problem with the access rule; I can load groups and users.

The first step of the AD join test is resolving the AD FQDN to an IP.

So check this step

MHM

If I ping the AD FQDN from the FMC CLI, the hostname resolves and the ping succeeds.

Keep in mind that the username on the Realm Configuration page is not LDAP, it is Kerberos. Be sure that tcp/udp 88 and 464 are permitted.

Other things to consider are from the following output of the 7.2.x administration guide:

AD Join Username and AD Join Password
(Available on the Realm Configuration tab page when you edit a realm.)
For Microsoft Active Directory realms intended for Kerberos captive portal active authentication, the distinguished username and password of any Active Directory user with appropriate rights to create a Domain Computer account in the Active Directory domain.

Keep the following in mind:

DNS must be able to resolve the domain name to an Active Directory domain controller's IP address.

The user you specify must be able to join computers to the Active Directory domain.

The user name must be fully qualified (for example, administrator@mydomain.com, not administrator).

If you choose Kerberos (or HTTP Negotiate, if you want Kerberos as an option) as the Authentication Protocol in an identity rule, the Realm you select must be configured with an AD Join Username and AD Join Password to perform Kerberos captive portal active authentication.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/identity-realms.html#task_F9ED2AF84F604438ACDC2124237DC518

--
Please remember to select a correct answer and rate helpful posts
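As an added example (not from the original thread and not Cisco's own tooling), a small POSIX shell pre-flight script that checks the three prerequisites quoted above from a Linux host positioned like the FMC management interface: that DNS advertises a domain controller for the domain (Kerberos SRV record), that tcp/88 and tcp/464 are reachable on each advertised DC, and that the AD Join Username is fully qualified (user@domain). The script name, function names and the need for `dig` and `nc` on the host are assumptions; UDP reachability is not tested.

```shell
#!/bin/sh
# adjoin-check.sh: pre-flight checks for the FMC "AD Join" prerequisites.
# Assumes dig (bind-utils) and nc (netcat) are installed; tests TCP only.

# Fully qualified means user@domain with no spaces; returns 0 if acceptable.
check_join_username() {
    case "$1" in
        *' '*|'') return 1 ;;
        *@*.*)    return 0 ;;   # e.g. administrator@mydomain.com
        *)        return 1 ;;   # bare "administrator" will not join
    esac
}

# Realm part of user@domain, upper-cased, for comparison with the AD domain.
username_realm() {
    printf '%s\n' "${1#*@}" | tr '[:lower:]' '[:upper:]'
}

# Domain controllers the domain advertises for Kerberos (SRV target field).
resolve_kdcs() {
    dig +short SRV "_kerberos._tcp.$1" | awk '{print $4}' | sed 's/\.$//'
}

# TCP reachability of one port on one host; nc -z returns 0 on success.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

run_checks() {
    domain="$1"; user="$2"; rc=0
    check_join_username "$user" || { echo "FAIL: join user must look like user@$domain"; rc=1; }
    [ "$(username_realm "$user")" = "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')" ] \
        || echo "WARN: realm of $user does not match $domain"
    kdcs=$(resolve_kdcs "$domain")
    [ -n "$kdcs" ] || { echo "FAIL: no _kerberos._tcp SRV record for $domain"; return 1; }
    for kdc in $kdcs; do
        for p in 88 464; do
            if port_open "$kdc" "$p"; then echo "OK   $kdc tcp/$p"
            else echo "FAIL $kdc tcp/$p"; rc=1; fi
        done
    done
    return $rc
}

# Usage: sh adjoin-check.sh mydomain.com administrator@mydomain.com
if [ "$#" -eq 2 ]; then
    run_checks "$1" "$2"
fi
```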

1. DNS resolving the domain name. Pinging the domain name from the FMC CLI:


2. The user has the super-administrator role:


3. The username is fully qualified:


Are the AD server and FMC on the same subnet? If not, make sure that the access rule allows the connection between FMC and AD.

--
Please remember to select a correct answer and rate helpful posts


No problem with the access rule; I can load groups and users.

dotran
Level 1

Were you able to resolve this issue? I have the same problem. I think the last change I made that broke this was to disable some older cipher suites (3DES) on our Windows DC. Not sure it is related, but authentication via Kerberos for Remote Storage doesn't work either. I opened a TAC case on that one and they said the feature doesn't exist in 7.2.

Haven't resolved it yet.

Yordan1
Level 1

Still not resolved?

Still not resolved?
