Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
378
Views
1
Helpful
2
Replies

ISE 3.2 AD Join issues

Go to solution
klnnnnng
Level 1
Level 1

‎03-11-2024 05:11 AM

Hello guys,

I am trying to join Active Directory with pre-created Machine Account, but facing some issues. In previous community cases with similar symptoms it was mentioned that hostnames longer than 15 characters are causing problems (randomizing hostname). In my case I have exactly 15 characters or some ISE nodes with even less, but ISE is still trying to randomize the hostname and create new Machine Account, although a matching one was found. Do you have any idea what might be cause?

 

=====================================================================

AD Join Results

=====================================================================

Error Description: Access Is Denied

Support Details...
Error Name: ERROR_ACCESS_DENIED
Error Code: 5

Detailed Log:

Error Description :
Cannot Create Machine Account (empty) : Access Denied.

Error Resolution :
Please Check For Sufficient Permissions To Create Machine Account Object

Join Steps :

*

11:36:13 Searching For An Existing Machine Account
11:36:13 Searching Object By Filter : (&(objectClass=computer)(sAMAccountName=XXXXXX-TACACS-X$))
11:36:13 Account: XXXXXX-TACACS-X$ Was Found

11:36:13 Searching For An Existing Machine Account
11:36:13 Searching Object By Filter : (&(objectClass=computer)(sAMAccountName=XXXXXX--N2W7J6B$))
11:36:13 Account: XXXXXX--N2W7J6B$ Was Found

11:36:13 ISE Machine Account Name Is : XXXXXX--N2W7J6B$

*

=====================================================================

Any help or suggesting will be highly appreciated. Thank you!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
klnnnnng
Level 1
Level 1

‎03-13-2024 01:49 AM

Hello Arne,

thank you for information. There was a problem with missing machine account attribute in AD. We use AD account that has only read permission and is not allowed to create/change new machine accounts. 

Regards. 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Arne Bier
VIP
VIP

‎03-12-2024 01:58 PM

Why do you use a pre-created machine account?  Are you re-joining an ISE node that was previously successfully joined?  

Have you tried deleting the AD machine account and then performing the ISE join?  

I have found that the permissions you need to join ISE (when the machine account does not exist) to the Domain is "Domain User" - this is a very low priv account.  I never store the creds and I don't specify an OU. You can always move the machine account into a different OU later if you want to.

Go to solution
klnnnnng
Level 1
Level 1

‎03-13-2024 01:49 AM

Hello Arne,

thank you for information. There was a problem with missing machine account attribute in AD. We use AD account that has only read permission and is not allowed to create/change new machine accounts. 

Regards. 

0 Helpful
Customers Also Viewed These Support Documents