11-30-2024 09:35 AM
I am trying to do some lab testing and have deployed ISE and Windows AD. They are Proxmox guest VMs, configured on the same subnet and on the same host. The server is the 2025 version, and ISE is 3.4.0.608. The user I am authenticating with is a domain and enterprise admin in AD. ISE is using the DC for NTP, which in turn is using a NIST server for NTP.
Relevant logs I know of and have captured (identifying info obfuscated with "x"):
"show ntp":
Configured NTP Servers:
dc1.xxx.xxx
Reference ID : 0A0A0A0A (DC1.xxx.xxx)
Stratum : 3
Ref time (UTC) : Sat Nov 30 17:30:33 2024
System time : 0.000000462 seconds slow of NTP time
Last offset : +0.000491446 seconds
RMS offset : 0.007088298 seconds
Frequency : 41.210 ppm fast
Residual freq : +0.756 ppm
Skew : 9.433 ppm
Root delay : 0.107027695 seconds
Root dispersion : 0.077161357 seconds
Update interval : 65.0 seconds
Leap status : Normal
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* DC1.xxxx.xxx 2 6 377 32 +286us[ +777us] +/- 142ms
"show clock" matches the clock on the DC to the second.
From the GUI upon failing to join AD:
Error Description: ASN.1 failed call to system time library
Support Details...
Error Name: LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT
Error Code: 41701
From ISE ad_agent.log:
2024-11-30 09:13:13,532 ERROR ,140372674062080,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:226
2024-11-30 09:13:13,560 WARNING,140372674062080,DCPriorityList::isBestDC: dc=[DC1.xxxx.xxx], address=[10.10.10.10] was not found in score map,,lwadvapi/threaded/dc_pri_list.cpp:449
2024-11-30 09:13:13,560 WARNING,140372674062080,DCPriorityList::getDCScoreByAddress: dc=[DC1.xxxx.xxx], address=[10.10.10.10] not found,,lwadvapi/threaded/dc_pri_list.cpp:467
2024-11-30 09:13:13,570 WARNING,140372674062080,[LwKrb5GetTgtImpl ../../lwadvapi/threaded/krbtgt.c:329] KRB5 Error code: 1859794432 (Message: ASN.1 failed call to system time library),,lwadvapi/threaded/lwkrb5.c:892
2024-11-30 09:13:14,660 ERROR ,140372644554496,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:369
2024-11-30 09:13:14,726 ERROR ,140372674062080,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:226
Notable entries from the Wireshark packet capture:
290 09:23:33.103832 10.10.10.10 10.10.10.6 KRB5 299 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
292 09:23:33.107427 10.10.10.10 10.10.10.6 KRB5 130 KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG
Other packets in the conversation look normal - query responses contain required records, etc.
Security event logs on the domain controller show two events for Kerberos Authentication Service that appear normal/successful; the "Response ticket hash" is shown.
Really not sure where to go from here. This is a lab, and while I have licensed ISE at work, this is a trial install, so I don't believe there is a TAC option.
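As an added example (not part of the original post or of any Cisco/Likewise code), here is a small Python parser for ad_agent.log lines in the shape quoted above: it extracts each "KRB5 Error code" and splits the number into the MIT com_err table name and offset it encodes, using the 6-bits-per-character packing rule from MIT krb5's compile_et. The two log lines are constructed copies of lines from the post; the decoded result for 1859794432 is table "asn1", entry 0, which is why the message text comes from krb5's ASN.1 error table rather than the KDC.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample lines, in the same shape as the ad_agent.log excerpt in the post.
SAMPLE_LOG = """\
2024-11-30 09:13:13,532 ERROR ,140372674062080,Failed to get lsass status -> error = 40074, symbol = LW_ERROR_NOT_JOINED_TO_AD, client pid = 8781,,lsass/server/api/status.c:226
2024-11-30 09:13:13,570 WARNING,140372674062080,[LwKrb5GetTgtImpl ../../lwadvapi/threaded/krbtgt.c:329] KRB5 Error code: 1859794432 (Message: ASN.1 failed call to system time library),,lwadvapi/threaded/lwkrb5.c:892
"""

# ad_agent.log line shape (assumed from the excerpt): "<date> <time> <LEVEL>,<thread>,<message>,,<file:line>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+)\s*,(?P<thread>\d+),(?P<msg>.*),,(?P<src>\S+)$")
KRB5_RE = re.compile(r"KRB5 Error code: (?P<code>\d+) \(Message: (?P<text>[^)]*)\)")

# MIT com_err packs the error table's name (up to 4 chars, 6 bits each, 'A'=1 ... '_'=63)
# above an 8-bit offset into that table; this is the character set compile_et uses.
_COMERR_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

def decode_com_err(code: int) -> tuple[str, int]:
    """Split a com_err code into (table name, offset within that table)."""
    table, offset = code >> 8, code & 0xFF
    name = ""
    while table:
        name = _COMERR_CHARS[(table & 0x3F) - 1] + name  # peel one 6-bit char at a time
        table >>= 6
    return name, offset

@dataclass
class Krb5Event:
    timestamp: str
    level: str
    source: str   # lwadvapi file:line that logged the error
    code: int
    table: str    # com_err table name, e.g. "asn1" or "krb5"
    offset: int   # index of the message within that table
    text: str

def krb5_errors(log_text: str) -> list[Krb5Event]:
    """Return every KRB5 error reported in ad_agent.log text, with its code decoded."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        k = KRB5_RE.search(m["msg"]) if m else None
        if not k:
            continue  # not a parseable line, or not a KRB5 error
        code = int(k["code"])
        table, offset = decode_com_err(code)
        events.append(Krb5Event(m["ts"], m["level"], m["src"], code, table, offset, k["text"]))
    return events
```

Run `krb5_errors(SAMPLE_LOG)` against a real ad_agent.log to see which error table each code belongs to; an "asn1" table code points at local time handling before any KDC reply is involved, whereas a "krb5" table code reflects the KDC's answer.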