ISE 1.3 AD Authentications Fail with "Insufficient Privilege to Fetch Token Groups" Error

Available Languages

Updated:May 2, 2018
Document ID:200349

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the solution to Identity Services Engine (ISE) authentications failure against Active Directory (AD) due to error code "24371" caused by insufficient ISE machine account privileges.

    Prerequisites

    Requirements

    Cisco recommends that you have basic knowledge of these topics:

    • Configure and Troubleshoot ISE
    • Microsoft AD

    Components used

    The information in this document is based on these software and hardware versions:

    • ISE version 1.3.0.876
    • Microsoft AD version 2008 R2

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

    AD Authentications Fail Due to Error "24371"

    In ISE 1.3 and above, authentications can fail against the AD with error "24371". The detailed authentication report for the failure has steps similar to those shown here:

    15036     Evaluating Authorization Policy
    24432     Looking up user in Active Directory - CISCO_LAB
    24371     The ISE machine account does not have the required privileges to fetch groups. - ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS
    24371     The ISE machine account does not have the required privileges to fetch groups. - CISCO_LAB
15048     Queried PIP - CISCO_LAB.ExternalGroups

    The AD status shows joined and connected and the required AD groups have been added correctly in the ISE configuration.

    Solution

    Modify permissions for ISE machine account on AD

    The error in the detailed authentication report implies that the machine account of ISE on the active directory, does not have sufficient privileges to fetch token groups.

    Note: The fix is done on the AD side as it is not able to give the correct privilege to the ISE machine account. You might need to disconnect/reconnect ISE to AD after this.

    The current privileges of the machine account can be checked with the dsacls command as shown in this example:

    Open a command prompt on your AD with administrator privilege.
    
The dsquery command can be used to find the Fully Qualified Domain Name (FQDN) of the ISE.
    
C:\Users\admin> dsquery computer -name lab-ise1  //here lab-ise1 is the hostname of the ISE
"CN=lab-ise1,CN=Computers,DC=ciscolab,DC=local"

The dsacls command can now be used to find the privileges assigned to the machine account
C:\Windows\system32> dsacls "CN=lab-ise1,CN=Computers,DC=ciscolab,DC=local" >> C:\dsacl_output.txt

    The output is long and therefore redirected into a text file dsacl_output.txt that can then be opened and viewed properly in a text editor, such as notepad.

    If the account has permissions to read token groups, then it will have these entries in the dsacl_output.txt file:

    Inherited to user
    Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                          SPECIAL ACCESS for tokenGroups   <Inherited from parent>
                                          READ PROPERTY
Inherited to group
    Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                          SPECIAL ACCESS for tokenGroups   <Inherited from parent>
                                          READ PROPERTY

    If the permissions are not present, then it can be added with this command:

    C:\Windows\system32>dsacls "CN=Computers,DC=ciscolab,DC=local" /I:T /G "lab-ise1$":rp;tokenGroups

    If the FQDN or exact group is not known, this command can be quickly run for the domain or Organizational Unit (OU) as per these commands:

    C:\Windows\system32>dsacls "DC=ciscolab,DC=local" /I:T /G "lab-ise1$":rp;tokenGroups
    C:\Windows\system32>dsacls "OU=ExampleOU,DC=ciscolab,DC=local" /I:T /G "lab-ise1$":rp;tokenGroups

    The commands look for the host lab-ise1 in the entire domain or OU respectively.

    Remember to replace the group and host name details in the commands with the corresponding group and ISE name from your deployment. This command grants the ISE machine account the privilege to read the token groups. It needs to be run on one domain controller only and must replicate to other controllers automatically.

    The issue can be resolved immediately. Run the command on the domain controller currently connected on ISE.

    In order to view the current domain controller, navigate to Administration > Identity Management > External Identity Sources > Active Directory > Select AD join point.

    Related Information

    TAC Authored

    Contributed by Cisco Engineers

    • Aishwarya Srivastava
      Cisco TAC Engineer
    • Shrikant Sundaresh
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products