Kerberos check SASL connectivity to AD

Hi!

DNS, AD service, and NTP server are all synced between ISE and the AD instance we are trying to sync here.

The one remaining test that fails is Kerberos, here is the error message:

Could not get Machine account info : Machine is not joined to AD. PBIS error code: NERR_SetupNotJoined. Check Kerberos configuration and network settings

Does anyone know how to remedy this situation?

Thanks!

Cisco Employee

Please ensure you have the

Please ensure you have the network ports listed below open between the ISE and AD for communication. The error message you have listed suggests that port 445 (MSRPC) and 88 (Kerberos) are blocked in between.

Protocol             Port (remote-local)                            Target                               Authenticated                  Notes
DNS (TCP/UDP)        Random number greater than or equal to 49152   DNS Servers/AD Domain Controllers    No
MSRPC                445                                            Domain Controllers                   Yes
Kerberos (TCP/UDP)   88                                             Domain Controllers                   Yes (Kerberos)                 MS AD/KDC
LDAP (TCP/UDP)       389                                            Domain Controllers                   Yes
LDAP (GC)            3268                                           Global Catalog Servers               Yes
NTP                  123                                            NTP Servers/Domain Controllers       No
IPC                  80                                             Other ISE Nodes in the Deployment    Yes (Using RBAC credentials)

~ Jatin Katyal
Beginner

Re: Please ensure you have the

I have the same error, and no firewall is installed on the DC.

Beginner

Re: Please ensure you have the

Coming late to this party, but had the same problem recently.

Adding an A record of your AD server to your DNS server resolved this problem for me. These two tests were failing with the exact same error you mentioned.

Kerberos check SASL connectivity to AD

Kerberos test obtaining join point TGT

Something like this was added to DNS

win2008.homelab.local. IN A 192.168.0.100
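The two replies above point at the same set of join prerequisites: the ports the ISE node needs toward the domain controller, and the DNS records (the DC's A record, plus the SRV records a Kerberos client uses to find the KDC) that the "Kerberos check SASL connectivity" and "obtaining join point TGT" tests depend on. The script below is an added example, not part of this thread and not Cisco's or ISE's code: run it from any Linux or Windows host on the same network segment as the ISE node (ISE itself gives you no Python shell) to check those records, the ports from the table above, and clock skew against the DC (Active Directory's Kerberos rejects requests once the skew exceeds 5 minutes by default). The DC name dc01.abc.com is an assumed example; the thread only gives the domain abc.com and the DC IP 10.10.10.10. SRV lookups use the third-party dnspython package if it is installed and are skipped otherwise; the built-in demo uses constructed lookup functions so it runs offline.

```python
"""Pre-join checks for an ISE node failing "Kerberos check SASL connectivity to AD".
Added example for this thread, not Cisco/ISE code.  Every lookup is a plain
callable so the checks can be run against real resolvers or, as in the demo at
the bottom, against constructed data that mirrors the thread."""
import socket
from datetime import datetime, timedelta, timezone

# TCP ports from the port table in the reply above (ISE -> domain controller).
AD_TCP_PORTS = {"MSRPC/SMB": 445, "Kerberos": 88, "LDAP": 389, "LDAP GC": 3268}


def srv_names(domain):
    """SRV names an AD/Kerberos client queries to locate the KDC and the DCs."""
    return [
        "_kerberos._tcp.%s" % domain,
        "_kerberos._udp.%s" % domain,
        "_kpasswd._tcp.%s" % domain,
        "_ldap._tcp.dc._msdcs.%s" % domain,
    ]


def default_a_lookup(name):
    """Forward (A) lookup via the stdlib resolver; [] when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def default_ptr_lookup(ip):
    """Reverse (PTR) lookup; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def default_srv_lookup(name):
    """SRV lookup needs dnspython (assumption: installed); None means 'not checked'."""
    try:
        import dns.resolver
    except ImportError:
        return None
    try:
        return [str(r.target).rstrip(".") for r in dns.resolver.resolve(name, "SRV")]
    except Exception:
        return []


def default_tcp_probe(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes (no application data sent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dns(domain, dc_fqdn, dc_ip, a_lookup=default_a_lookup,
              ptr_lookup=default_ptr_lookup, srv_lookup=default_srv_lookup):
    """Return {check: bool}.  A missing A record for the DC is the failure in this thread."""
    results = {"A " + dc_fqdn: dc_ip in a_lookup(dc_fqdn),
               "PTR " + dc_ip: (ptr_lookup(dc_ip) or "").lower() == dc_fqdn.lower()}
    for name in srv_names(domain):
        targets = srv_lookup(name)
        if targets is None:
            continue  # dnspython absent: skip rather than report a false failure
        results["SRV " + name] = any(t.lower() == dc_fqdn.lower() for t in targets)
    return results


def check_ports(dc_host, probe=default_tcp_probe):
    """Probe every TCP port from the table toward the DC."""
    return {"%s/tcp %d" % (svc, port): probe(dc_host, port) for svc, port in AD_TCP_PORTS.items()}


def clock_ok(local, dc, max_skew=timedelta(minutes=5)):
    """Kerberos default: clocks must agree within 5 minutes."""
    return abs(local - dc) <= max_skew


def join_prereqs_ok(report):
    return all(report.values())


def constructed_demo(a_record_added, skew_seconds=60):
    """Constructed scenario mirroring the thread: domain abc.com, DC at 10.10.10.10.
    The DC hostname dc01.abc.com is assumed.  a_record_added=False reproduces the
    missing-A-record situation; ports are assumed open and skew is a parameter."""
    domain, dc_fqdn, dc_ip = "abc.com", "dc01.abc.com", "10.10.10.10"
    zone_a = {dc_fqdn: [dc_ip]} if a_record_added else {}
    zone_srv = {n: [dc_fqdn] for n in srv_names(domain)}
    report = check_dns(domain, dc_fqdn, dc_ip,
                       a_lookup=lambda n: zone_a.get(n, []),
                       ptr_lookup=lambda ip: dc_fqdn if ip == dc_ip else None,
                       srv_lookup=lambda n: zone_srv.get(n, []))
    report.update(check_ports(dc_fqdn, probe=lambda h, p: True))
    now = datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    report["clock skew <= 5 min"] = clock_ok(now, now + timedelta(seconds=skew_seconds))
    return report


if __name__ == "__main__":
    for added in (False, True):
        print("\nA record present: %s" % added)
        for check, ok in constructed_demo(added).items():
            print("  %-40s %s" % (check, "OK" if ok else "FAIL"))
```

To run it against a real domain, call check_dns("abc.com", "<dc fqdn>", "10.10.10.10") and check_ports("<dc fqdn>") with the default lookups from a host that uses the same DNS server the ISE node is configured with; a FAIL on the A or PTR line is exactly the situation the reply above fixed by adding the record. Port 445 and 88 are checked with a bare TCP connect, so a FAIL there means a firewall or ACL in the path, not an authentication problem.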

Beginner

Re: Please ensure you have the

Can you add more details? I have exactly the same problem. I have a single node ISE deployment running Admin, PSN and MnT personas on it.

I am joining the ISE node to the abc.com domain, and on doing an nslookup of abc.com I am getting 10.10.10.10 (DC IP). The same DC is running a DNS server too. My ISE server IP is 10.10.10.20.

Could you advise what DNS record I need? Appreciate your help.

Cisco Employee

Re: Please ensure you have the