05-16-2018 01:43 AM - edited 02-21-2020 10:56 AM
Good day dears,
This case was raised with the vendors' support teams twice, with no adequate outcome (no MS- or ISE-related issue). The last hope is the community.
I am investigating the following event from a domain controller (##### data has been obfuscated #####):
Security_4776_Microsoft-Windows-Security-Auditing: Security,rn=xxxxx cid=xxxxx eid=648,#####Event Date#####,4776,Microsoft-Windows-Security-Auditing,,Audit Failure,#####domain name#####,Credential Validation,,The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: #####username@domain.name##### Source Workstation: \\#####ISE Server Name##### Error Code: 0xC0000064
The user does exist in the domain.
There are no failures according to ms event on ISE Server.
Is it possible to track the source of authentication? If yes, how can I do that?
Thank you in advance!
05-16-2018 09:50 PM
Any thoughts? Suggestions?
06-15-2018 01:31 PM
Let me know if you find something on this. We're seeing similar issues/events from one of our customers.
We're exploring this at this time:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtz15107
10-19-2018 03:19 PM
This bug doesn't appear to be the same issue.
We are getting two 4776 events on the DC per ISE user authentication, every time - one success, one failure with error code 0xC0000064 (username does not exist).
We are using MS-RPC (as recommended), vs. Kerberos.
I've seen another thread on TechNet that identifies that MS-RPC may be the issue, but our network admins are hesitant to change as the Cisco build docs recommend MS-RPC.
Here's that TechNet thread:
10-21-2018 04:21 AM
CSCvf45991 is an enhancement filed for ISE for a potential workaround fix. However, this is how a DC works: it first tries the local DB before reaching out to the real AD. We would suggest ignoring the false failures.
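Added example, not part of any post in this thread: one way to separate the paired 4776 failures described above (a 0xC0000064 failure next to a success for the same account and source workstation) from 0xC0000064 failures that have no matching success and still deserve review. The record fields, the 5-second window and the account-name normalization are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

NO_SUCH_USER = 0xC0000064  # error code quoted in the thread
SUCCESS = 0x0              # 4776 audit success

def norm_account(name):
    """Reduce 'user@domain', 'DOMAIN\\user' or 'user' to a lowercase bare name (assumed rule)."""
    name = name.split("@", 1)[0]
    return name.rsplit("\\", 1)[-1].lower()

def split_failures(events, window=timedelta(seconds=5)):
    """Return (paired, unpaired) lists of 0xC0000064 failures.

    A failure is 'paired' when a successful 4776 for the same account and
    source workstation lies within `window` of it (window is an assumption).
    """
    successes = {}
    for e in events:
        if e["status"] == SUCCESS:
            key = (norm_account(e["account"]), e["workstation"].lower())
            successes.setdefault(key, []).append(e["time"])
    paired, unpaired = [], []
    for e in events:
        if e["status"] != NO_SUCH_USER:
            continue  # other failure codes are out of scope here
        key = (norm_account(e["account"]), e["workstation"].lower())
        near = any(abs(e["time"] - t) <= window for t in successes.get(key, []))
        (paired if near else unpaired).append(e)
    return paired, unpaired

# Constructed sample records, already parsed from 4776 events.
T0 = datetime(2018, 10, 19, 15, 0, 0)
SAMPLE = [
    {"time": T0, "account": "alice@example.test",
     "workstation": "\\\\ISE01", "status": NO_SUCH_USER},
    {"time": T0 + timedelta(seconds=1), "account": "alice",
     "workstation": "\\\\ISE01", "status": SUCCESS},
    {"time": T0 + timedelta(minutes=3), "account": "ghost",
     "workstation": "\\\\ISE01", "status": NO_SUCH_USER},
    {"time": T0 + timedelta(minutes=4), "account": "bob",
     "workstation": "\\\\WS17", "status": 0xC000006A},  # wrong password, ignored
]

if __name__ == "__main__":
    paired, unpaired = split_failures(SAMPLE)
    print("paired with a success:", [e["account"] for e in paired])
    print("needs review:", [e["account"] for e in unpaired])
```

Only the paired list matches the pattern reported in the thread; an unpaired 0xC0000064 from the same source is a lookup for a name the DC could not resolve at all.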