cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10008
Views
0
Helpful
4
Replies

CISCO ISE and MS ad event id 4776 troubleshooting

anuclear
Level 1
Level 1

Good day dears,

 

This case was asked from vendors' support teams twice, with no adequate outcomes (no ms or ise related issue;). The last hope is for community.

 

I perform an investigation of the following event from domain controller(##### data has been obfuscated ####):

 

Security_4776_Microsoft-Windows-Security-Auditing: Security,rn=xxxxx cid=xxxxx eid=648,#####Event Date#####,4776,Microsoft-Windows-Security-Auditing,,Audit Failure,#####domain name#####,Credential Validation,,The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: #####username@domain.name##### Source Workstation: \\#####ISE Server Name##### Error Code: 0xC0000064

 

The user does exist in a domain.

There are no failures according to ms event on ISE Server.

 

Is it possible to track the source of authentication? If yes, how can I do that?

 

Thank you in advance!

 

1 Accepted Solution

Accepted Solutions

CSCvf45991 is an enhancement filed for ISE for some potential workaround fix. But, this is how DC works by first trying the local DB before reaching out to the real AD. We would suggest to ignore the false failures.

View solution in original post

4 Replies 4

anuclear
Level 1
Level 1

Any thoughts? Suggestions?

Let me know if you find something on this.  We're seeing similar issues/events from one of our customers.

 

We're exploring this at this time:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtz15107

 

 

This bug doesn't appear to be the same issue. 

 

We are getting two 4776 events on the DC per ISE user authentication, every time - one success, one failure with error code

0xC0000064 (username does not exist).

 

We are using MS-RPC (as recommended), vs. Kerberos.

 

I've seen another thread on technet that identifies that MS-RPC may be the issue, but our network admins are hesitant to change as the CISCO build docs recommend MS-RPC.

 

Here's that TechNet thread:

 

https://social.technet.microsoft.com/Forums/en-US/d2869c14-a0e8-4084-b555-6172cd9c703a/cisco-ise-and-ad-authentication?forum=winserverDS

CSCvf45991 is an enhancement filed for ISE for some potential workaround fix. But, this is how DC works by first trying the local DB before reaching out to the real AD. We would suggest to ignore the false failures.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: