11-30-2024 09:35 AM
I am trying to do some lab testing, and have deployed ISE and Windows AD. They are Proxmox guest VMs, configured on the same subnet and on the same host. Server is 2025 version, ISE is 3.4.0.608. The user I am authenticating with is a domain and enterprise admin in AD. ISE is using the DC for NTP, which is using a NIST server for NTP.
Relevant logs I know of and have captured (identifying info obfuscated with "x"):
"show ntp" -
Configured NTP Servers:
dc1.xxx.xxx
Reference ID : 0A0A0A0A (DC1.xxx.xxx)
Stratum : 3
Ref time (UTC) : Sat Nov 30 17:30:33 2024
System time : 0.000000462 seconds slow of NTP time
Last offset : +0.000491446 seconds
RMS offset : 0.007088298 seconds
Frequency : 41.210 ppm fast
Residual freq : +0.756 ppm
Skew : 9.433 ppm
Root delay : 0.107027695 seconds
Root dispersion : 0.077161357 seconds
Update interval : 65.0 seconds
Leap status : Normal
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* DC1.xxxx.xxx 2 6 377 32 +286us[ +777us] +/- 142ms
"show clock" matches the clock on the DC to the second.
From the GUI upon failing to join AD:
Error Description: ASN.1 failed call to system time library
Support Details...
Error Name: LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT
Error Code: 41701
From ISE ad_agent.log:
2024-11-30 09:13:13,532 ERROR ,140372674062080,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:226
2024-11-30 09:13:13,560 WARNING,140372674062080,DCPriorityList::isBestDC: dc=[DC1.xxxx.xxx], address=[10.10.10.10] was not found in score map,,lwadvapi/threaded/dc_pri_list.cpp:449
2024-11-30 09:13:13,560 WARNING,140372674062080,DCPriorityList::getDCScoreByAddress: dc=[DC1.xxxx.xxx], address=[10.10.10.10] not found,,lwadvapi/threaded/dc_pri_list.cpp:467
2024-11-30 09:13:13,570 WARNING,140372674062080,[LwKrb5GetTgtImpl ../../lwadvapi/threaded/krbtgt.c:329] KRB5 Error code: 1859794432 (Message: ASN.1 failed call to system time library),,lwadvapi/threaded/lwkrb5.c:892
2024-11-30 09:13:14,660 ERROR ,140372644554496,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:369
2024-11-30 09:13:14,726 ERROR ,140372674062080,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:226
Wireshark packet capture, notable entries:
290 09:23:33.103832 10.10.10.10 10.10.10.6 KRB5 299 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
292 09:23:33.107427 10.10.10.10 10.10.10.6 KRB5 130 KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG
Other packets in the conversation look normal - query responses contain required records, etc.
Security Event Logs on the domain controller show two events for Kerberos Authentication Service that appear normal/successful - the "Response ticket hash" is shown.
Really not sure where to go here. This is a lab and while I have licensed ISE at work this is a trial install so no TAC option I don't believe.
12-01-2024 03:13 AM
- Check out the Accepted Answer from https://learn.microsoft.com/en-us/answers/questions/1339208/how-to-solve-krb-err-response-too-big-error-at-ser
Related: https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/group-policy-add-maxtokensize-registry-entry
M>
12-09-2024 11:35 AM
I tried this before. No luck.
12-08-2024 09:12 AM - edited 12-08-2024 09:24 AM
Hi,
I think the problem is this
Server's Kerberos authentication fails with the Windows 2025 Canary beta public release, as the KRB_KDC_REP KerberosTime date is past year 2038:
21000914024805Z <<< September 14th 2100
I think we need to wait for a patch.
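The post above pins the failure on a KRB_KDC_REP KerberosTime value past 2038 (the 21000914024805Z example, i.e. September 14th 2100), which is the point where a 32-bit time_t overflows. The following is an added example, not code from the thread or from Cisco ISE: it parses a KerberosTime string the way RFC 4120 defines it (GeneralizedTime restricted to YYYYMMDDHHMMSSZ) and reports whether each value fits a 32-bit time_t, so an engineer can check ticket times from a capture against that limit. The field names in the sample dictionary and the sample values other than the one quoted above are constructed for illustration.

```python
import calendar
from datetime import datetime, timezone

# Largest value a signed 32-bit time_t can hold: 2038-01-19T03:14:07Z.
INT32_MAX_EPOCH = 2**31 - 1


def parse_kerberos_time(value: str) -> datetime:
    """Parse a KerberosTime (RFC 4120 5.2.3): exactly YYYYMMDDHHMMSSZ, UTC only.

    Fractional seconds and local-time offsets are not allowed in KerberosTime,
    so anything other than 14 digits followed by 'Z' is rejected.
    """
    if len(value) != 15 or not value.endswith("Z") or not value[:14].isdigit():
        raise ValueError(f"not a KerberosTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def fits_32bit_time_t(dt: datetime) -> bool:
    """True if the instant is representable as a signed 32-bit Unix time."""
    epoch = calendar.timegm(dt.utctimetuple())
    return 0 <= epoch <= INT32_MAX_EPOCH


def check_kdc_rep_times(times: dict) -> dict:
    """Map each KDC-REP time field to whether a 32-bit time library could hold it.

    A False entry marks a value that a client converting KerberosTime through a
    32-bit system time call would fail on, which is the failure mode the thread
    attributes to the Windows Server 2025 KDC.
    """
    return {name: fits_32bit_time_t(parse_kerberos_time(v)) for name, v in times.items()}


# Constructed sample: the first two values are made up, the renew_till value is
# the one quoted in the thread. Field names follow the EncKDCRepPart layout.
SAMPLE_KDC_REP = {
    "authtime": "20241130171313Z",
    "endtime": "20241201031313Z",
    "renew_till": "21000914024805Z",
}

if __name__ == "__main__":
    for field, ok in check_kdc_rep_times(SAMPLE_KDC_REP).items():
        print(f"{field:<11} {SAMPLE_KDC_REP[field]}  fits 32-bit time_t: {ok}")
```

Against the constructed sample, authtime and endtime pass and renew_till is flagged, which matches the symptom described in the thread: a KDC that hands out a time past 2038 breaks clients that still go through a 32-bit time conversion, regardless of how well the clocks are synchronised.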
12-09-2024 11:35 AM
I'm not using a beta, but I have considered just wiping and starting over with Server 2022 or even 2019 just to rule out the bleeding edge factor.
12-10-2024 01:45 AM - edited 12-10-2024 01:46 AM
I have the same trouble on the final release version of Windows 2025.
Windows 2025 Domain Controller - the same error - Error Name: LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT
Windows 2022 Domain Controller - works
This is trouble with the ticket lifetime shift in Kerberos.
01-09-2025 01:07 AM
01-10-2025 02:34 PM
Hello @FireflyNemo, thank you for attaching the bug to the discussion.
I am a TAC AAA Engineer who submitted the defect, as I was researching and doing lab repro regarding this.
Also, I wanted to mention the very good log analysis done by @dpgator1975.