ISE 1.1.1 and AD connect failure

jaray.jasper
Level 1

Hello,

I'm trying to join ISE to my AD. I have a Linux VM as my time source for both the AD/DC (a VM) and ISE (actual appliance); both have synced and the time is the same on ISE and AD. I've opened all the ports and took off NAT between the two.

I get a successful join message, then it says "joined to domain but not connected".

I've turned off the Windows firewall just in case.

In ISE I see:

base.bind.cache can't resolve LDAP service provider for test.com, check DNS

base.bind.healing disconnect reconnect failed

osutil module=LDAP SASL bind to ldap/ad.test.com@test.com GSSAP mechanism with LDAP error invalid credentials

network.state favorite DC marked as dead

But I see other information that is being pulled from the domain correctly.

Everything is in DNS.

Any clues?

Thanks

5 Replies

Tarik Admani
VIP Alumni

Jaray,

From ISE can you issue "nslookup test.com" and see if the DNS records that are returned are accurate. Also, do you have PTR records in DNS? Issue "nslookup x.x.x.x" and see if the hostname is correct for the domain controller.

Also, what are you using for the binding account? Is it a domain admin account? If it is a new account, is the flag to change password at next login disabled?

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik

nslookup test.com

status noerror query:1 answer:3 authority:0

test.com in A      192.168.3.3

                 NS     ad.test.com

                 SOA     ad.test.com, hostmaster.test.com

nslookup 192.168.3.3

status noerror query:1 answer:1

3.3.168.192.in-add.arpa in PTR     ad.test.com

I'm using my original domain admin account to do the join; the flag is disabled.

In Wireshark I see a "bindrequest sasl" and the response "invalid credentials".

hariholla
Cisco Employee

I recently ran into this issue and here is what I did:

Did a "netstat -a -p tcp" on the Windows domain controller. Saw that port 389 (LDAP) wasn't enabled (not sure why this happened, however). Got into the Windows services console (services.msc), "Stopped" and "Started" the "Active Directory Service". Checked with netstat to see if the port was open now; it was. I did a test from ISE and later "Joined" the AD, and it turned out successful!

Other options to look for:

It's evident that this error crops up when ISE has a problem with the LDAP service. So to resolve this, here are some things to look at/do:

(1) Check connectivity between the ISE and the DC.

(2) Check if ISE can resolve the DC name (from the CLI mode)

(3) Check if the NTP is set properly on ISE (Administration -> Settings -> System Time)

(4) Check if port 389 (LDAP) is open on the domain controller.

(5) See if a router/Firewall is blocking the LDAP port

The "Detailed" test under "Test Connection" from ISE gives verbose information about the failure cause.

-Hari
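The checks Tarik asked for (forward and PTR lookup of the DC) and items (1) to (4) of Hari's list can be scripted so they are run the same way every time before a join is attempted. The following is an added example written for this thread, not code from Cisco or from any of the posters. It assumes only the Python standard library; the DC name and address in the demo (ad.test.com, 192.168.3.3) are the constructed values from the thread, and the 5-minute skew limit is the default Kerberos clock tolerance.

```python
"""Pre-join sanity checks for an ISE -> Active Directory join (added example).

Automates the troubleshooting steps from the thread: forward lookup of the DC,
PTR lookup of the returned address, TCP reachability of the LDAP port, and a
clock-skew comparison. Lookups and connections are injectable so the checks
can be exercised without a live domain.
"""
import socket
import time
from typing import Callable, Dict, Tuple

LDAP_PORT = 389
# Kerberos (MIT and Active Directory) rejects tickets when clocks differ by
# more than five minutes by default; an AD join relies on Kerberos.
MAX_CLOCK_SKEW_SECONDS = 300

Resolver = Callable[[str], str]
Reverser = Callable[[str], Tuple[str, list, list]]


def check_dns(dc_fqdn: str,
              resolve: Resolver = socket.gethostbyname,
              reverse: Reverser = socket.gethostbyaddr) -> Dict[str, object]:
    """Forward-resolve the DC and confirm the PTR record points back at it.

    'ok' is True only when both lookups succeed and the PTR name equals the
    DC name (case-insensitive, trailing dot ignored). 'reason' explains a
    failure in the terms the thread uses (missing PTR, mismatched name).
    """
    result: Dict[str, object] = {"forward": None, "ptr": None, "ok": False, "reason": None}
    try:
        ip = resolve(dc_fqdn)
    except OSError as exc:
        result["reason"] = f"forward lookup of {dc_fqdn} failed: {exc}"
        return result
    result["forward"] = ip
    try:
        ptr_name, _aliases, _addrs = reverse(ip)
    except OSError as exc:
        result["reason"] = f"no PTR record for {ip}: {exc}"
        return result
    result["ptr"] = ptr_name
    if ptr_name.rstrip(".").lower() != dc_fqdn.rstrip(".").lower():
        result["reason"] = f"PTR {ptr_name} does not match {dc_fqdn}"
        return result
    result["ok"] = True
    return result


def check_tcp_port(host: str, port: int = LDAP_PORT, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A False here matches Hari's case: the DC is reachable but nothing is
    listening on 389, or a firewall between ISE and the DC drops the port.
    """
    try:
        with socket.create_connection((host, port), timeout):
            return True
    except OSError:
        return False


def check_clock_skew(local_epoch: float, dc_epoch: float,
                     max_skew: float = MAX_CLOCK_SKEW_SECONDS) -> Dict[str, object]:
    """Compare two epoch timestamps (seconds) against the Kerberos tolerance."""
    skew = abs(local_epoch - dc_epoch)
    return {"skew_seconds": skew, "ok": skew <= max_skew}


def run_all(dc_fqdn: str, dc_epoch: float) -> Dict[str, object]:
    """Run every check against a live DC and return one summary dict."""
    dns = check_dns(dc_fqdn)
    ip = dns["forward"]
    ldap = check_tcp_port(str(ip)) if ip else False
    skew = check_clock_skew(time.time(), dc_epoch)
    return {"dns": dns, "ldap_port_open": ldap, "clock": skew,
            "ready_to_join": bool(dns["ok"] and ldap and skew["ok"])}


if __name__ == "__main__":
    # Constructed demo values from the thread; in practice take dc_epoch from
    # the DC itself (e.g. w32tm output) rather than from the local clock.
    summary = run_all("ad.test.com", dc_epoch=time.time())
    for name, value in summary.items():
        print(f"{name}: {value}")
```

The injectable `resolve`/`reverse` callables let the DNS logic be tested with fixed answers, so a mismatch between the A record and the PTR record (a common cause of the "check DNS" bind-cache message) is caught before any join is attempted.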

manjeets
Level 3

Kindly go through the video below:

http://www.youtube.com/watch?v=FKXvhBdWA1E

Ravi Singh
Level 7

Please also check that your AD is not running in 2000 mixed mode. It should be in 2003 or 2008 native mode, because some parameters of AD 2000 are not supported by ISE.