This document describes the solution to Identity Services Engine (ISE) authentications failure against Active Directory (AD) due to error code "24371" caused by insufficient ISE machine account privileges.
Cisco recommends that you have basic knowledge of these topics:
Configure and Troubleshoot ISE
The information in this document is based on these software and hardware versions:
ISE version 220.127.116.116
Microsoft AD version 2008 R2
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
AD Authentications Fail Due to Error "24371"
In ISE 1.3 and above, authentications can fail against the AD with error "24371". The detailed authentication report for the failure has steps similar to those shown here:
15036 Evaluating Authorization Policy 24432 Looking up user in Active Directory - CISCO_LAB 24371 The ISE machine account does not have the required privileges to fetch groups. - ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS 24371 The ISE machine account does not have the required privileges to fetch groups. - CISCO_LAB
15048 Queried PIP - CISCO_LAB.ExternalGroups
The AD status shows joined and connected and the required AD groups have been added correctly in the ISE configuration.
Modify permissions for ISE machine account on AD
The error in the detailed authentication report implies that the machine account of ISE on the active directory, does not have sufficient privileges to fetch token groups.
Note: The fix is done on the AD side as it is not able to give the correct privilege to the ISE machine account. You might need to disconnect/reconnect ISE to AD after this.
The current privileges of the machine account can be checked with the dsacls command as shown in this example:
Open a command prompt on your AD with administrator privilege.
The dsquery command can be used to find the Fully Qualified Domain Name (FQDN) of the ISE.
C:\Users\admin> dsquery computer -name lab-ise1 //here lab-ise1 is the hostname of the ISE
The dsacls command can now be used to find the privileges assigned to the machine account
C:\Windows\system32> dsacls "CN=lab-ise1,CN=Computers,DC=ciscolab,DC=local" >> C:\dsacl_output.txt
The output is long and therefore redirected into a text file dsacl_output.txt that can then be opened and viewed properly in a text editor, such as notepad.
If the account has permissions to read token groups, then it will have these entries in the dsacl_output.txt file:
Inherited to user Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups <Inherited from parent> READ PROPERTY
Inherited to group Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups <Inherited from parent> READ PROPERTY
If the permissions are not present, then it can be added with this command:
The commands look for the host lab-ise1 in the entire domain or OU respectively.
Remember to replace the group and host name details in the commands with the corresponding group and ISE name from your deployment. This command grants the ISE machine account the privilege to read the token groups. It needs to be run on one domain controller only and must replicate to other controllers automatically.
The issue can be resolved immediately. Run the command on the domain controller currently connected on ISE.
In order to view the current domain controller, navigate to Administration > Identity Management > External Identity Sources > Active Directory > Select AD join point.