
Lab deployment - Can't join ISE to Windows AD

dpgator1975
Level 1

I am trying to do some lab testing, and have deployed ISE and Windows AD.  They are Proxmox guest VMs, configured on the same subnet and on the same host. Server is 2025 version, ISE is 3.4.0.608. The user I am authenticating with is a domain and enterprise admin in AD. ISE is using the DC for NTP, which is using a NIST server for NTP.  

Relevant logs I know of and have captured. (identifying info obfuscated with "x")

"show ntp" - 

Configured NTP Servers:
dc1.xxx.xxx
Reference ID : 0A0A0A0A (DC1.xxx.xxx)
Stratum : 3
Ref time (UTC) : Sat Nov 30 17:30:33 2024
System time : 0.000000462 seconds slow of NTP time
Last offset : +0.000491446 seconds
RMS offset : 0.007088298 seconds
Frequency : 41.210 ppm fast
Residual freq : +0.756 ppm
Skew : 9.433 ppm
Root delay : 0.107027695 seconds
Root dispersion : 0.077161357 seconds
Update interval : 65.0 seconds
Leap status : Normal

MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* DC1.xxxx.xxx 2 6 377 32 +286us[ +777us] +/- 142ms

"show clock" matches the clock on the DC to the second. 


From the GUI upon failing to join AD

Error Description: ASN.1 failed call to system time library

Support Details...
Error Name: LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT
Error Code: 41701

From ISE ad_agent.log:

2024-11-30 09:13:13,532 ERROR ,140372674062080,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:226
2024-11-30 09:13:13,560 WARNING,140372674062080,DCPriorityList::isBestDC: dc=[DC1.xxxx.xxx], address=[10.10.10.10] was not found in score map,,lwadvapi/threaded/dc_pri_list.cpp:449
2024-11-30 09:13:13,560 WARNING,140372674062080,DCPriorityList::getDCScoreByAddress: dc=[DC1.xxxx.xxx], address=[10.10.10.10] not found,,lwadvapi/threaded/dc_pri_list.cpp:467
2024-11-30 09:13:13,570 WARNING,140372674062080,[LwKrb5GetTgtImpl ../../lwadvapi/threaded/krbtgt.c:329] KRB5 Error code: 1859794432 (Message: ASN.1 failed call to system time library),,lwadvapi/threaded/lwkrb5.c:892
2024-11-30 09:13:14,660 ERROR ,140372644554496,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:369
2024-11-30 09:13:14,726 ERROR ,140372674062080,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:226


Wireshark packet capture notable entries

290 09:23:33.103832 10.10.10.10 10.10.10.6 KRB5 299 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

292 09:23:33.107427 10.10.10.10 10.10.10.6 KRB5 130 KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG

Other packets in the conversation look normal - query responses contain required records, etc. 


Security Event Logs on the domain controller show two events for Kerberos Authentication Service that appear normal/successful - the "Response ticket hash" is shown.

Really not sure where to go here.  This is a lab and while I have licensed ISE at work this is a trial install so no TAC option I don't believe.

7 Replies

marce1000
Hall of Fame


 - Check out the Accepted Answer from https://learn.microsoft.com/en-us/answers/questions/1339208/how-to-solve-krb-err-response-too-big-error-at-ser
   Related: https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/group-policy-add-maxtokensize-registry-entry

 M>



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

I tried this before.  No luck.

FireflyNemo
Level 1

Hi,

I think the problem is this

Server’s Kerberos authentication fails with Windows 2025 Canary beta public release as KRB_KDC_REP KerberosTime date over year 2038:
      21000914024805Z  <<< September 14th 2100

I think we need to wait for a patch.

I'm not using a beta, but I have considered just wiping and starting over with Server 2022 or even 2019 just to rule out the bleeding edge factor

FireflyNemo
Level 1

I have the same trouble on final release version Windows 2025.

Windows 2025 Domain Controller - the same error - Error Name: LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT

Windows 2022 Domain Controller - work

This is trouble with ticket lifetime shift in Kerberos.
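The two posts above point at the same thing: a KerberosTime value in the KDC reply (the example given is 21000914024805Z, 14 September 2100) that lies past 19 January 2038, the largest date a signed 32-bit time_t can hold, which is what an "ASN.1 failed call to system time library" error from an older ASN.1/time library suggests. The check below is an added example written for this thread; it is not code from Cisco ISE, from the Likewise agent, or from Microsoft. It parses the ASN.1 GeneralizedTime form Kerberos uses (YYYYMMDDHHMMSSZ, always UTC), converts it to Unix epoch seconds, and reports which ticket time fields would overflow a 32-bit time_t. The assumption that the 32-bit limit is the trigger is taken from the posts; the field names and the sample ticket values are constructed for illustration.

```python
"""Check whether KerberosTime values from a KDC reply fit in a 32-bit time_t.

Added example for the ISE / Windows Server 2025 join failure discussed in the
thread; not code from ISE, the Likewise agent or Windows. The 32-bit time_t
cause is an assumption drawn from the posts above.
"""
import re
from datetime import datetime, timezone

# KerberosTime is an ASN.1 GeneralizedTime restricted to "YYYYMMDDHHMMSSZ" (UTC).
KERBEROS_TIME_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")

INT32_MIN = -(2**31)
INT32_MAX = 2**31 - 1          # 2038-01-19T03:14:07Z as Unix seconds


def parse_kerberos_time(value: str) -> datetime:
    """Parse a KerberosTime string into a timezone-aware UTC datetime."""
    m = KERBEROS_TIME_RE.match(value)
    if not m:
        raise ValueError(f"not a KerberosTime value: {value!r}")
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def epoch_seconds(value: str) -> int:
    """Unix epoch seconds for a KerberosTime value (aware datetime, so no OS dependency)."""
    return int(parse_kerberos_time(value).timestamp())


def fits_time_t32(value: str) -> bool:
    """True if a signed 32-bit time_t can represent this KerberosTime value."""
    return INT32_MIN <= epoch_seconds(value) <= INT32_MAX


def overflowing_fields(ticket_times: dict) -> list:
    """Return the names of the KerberosTime fields a 32-bit time_t cannot hold.

    ticket_times maps field names (e.g. authtime, starttime, endtime,
    renew_till, as seen in a decoded KDC_REP) to KerberosTime strings.
    """
    return [name for name, value in ticket_times.items() if not fits_time_t32(value)]


# Constructed sample: a reply whose renew-till lands in the year 2100, as in the
# value quoted in the thread. The other three fields are made-up but plausible.
SAMPLE_TICKET_TIMES = {
    "authtime": "20241130171313Z",
    "starttime": "20241130171313Z",
    "endtime": "20241201031313Z",
    "renew_till": "21000914024805Z",
}

if __name__ == "__main__":
    for name, value in SAMPLE_TICKET_TIMES.items():
        verdict = "ok" if fits_time_t32(value) else "OVERFLOWS 32-bit time_t"
        print(f"{name:10} {value}  {parse_kerberos_time(value).isoformat()}  {verdict}")
    print("fields that would break a 32-bit time library:", overflowing_fields(SAMPLE_TICKET_TIMES))
```

To use it against a real capture, decode the KDC_REP in Wireshark, copy the KerberosTime strings from the EncKDCRepPart fields into the dictionary, and run the script; any field it reports is a candidate for the bad-time-format error, and a DC whose ticket lifetimes or renewal windows stay short of 2038 would not produce one.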

twadolow
Cisco Employee

Hello, @FireflyNemo thank you for attaching the bug to the discussion.
I am a TAC AAA Engineer who submitted the defect, as I was researching and doing lab repro regarding this.
Also I wanted to mention very good log analysis done by @dpgator1975.