Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

Similar Messages

• Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

  Hi,
  Since we implemented Cisco ISE we receive the following failure on several Notebooks:
  Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
  This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
  The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
  Why is this happening?
  Thanks,
  Marc

  The possible causes of this error message are:
  1.] If the end user entered an incorrect username.
  2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
  3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
  In your cases, the 3rd option seems to be the most closest one.
  Jatin Katyal
  - Do rate helpful posts -

• PowerShell Script Get the User's Active Directory Fully Qualified Login Name for Specific Locked Out Accounts

  I have a script which displays locked out accounts. It works great.
  I'd like to display the fully qualified Active Directory Login Name instead of the LastName, First Name:
  Example: Davis, Susan
  Want instead: Domain\Susan.Davis
  I'd also like to include an additional filter to look for only Domain\Susan.Davis OR Domain\Robin.Givens
  Here is my script:
  $objDomain = New-Object System.DirectoryServices.DirectoryEntry
  $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
  $objSearcher.SearchRoot = $objDomain
  $objSearcher.PageSize = 1000
  $objSearcher.Filter = "(&(objectClass=User)(lockoutTime>=1))"
  $colProplist = "name","samaccountname"
  foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i) | out-null}
  $colResults = $objSearcher.FindAll()
  foreach ($objResult in $colResults) {
  $domainname = $objDomain.name
  $samaccountname = $objResult.Properties.samaccountname
  $user = [ADSI]"WinNT://$domainname/$samaccountname"
  $ADS_UF_LOCKOUT = 0x00000010
  if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
  $objResult.Properties.name
  John
  John

  Sorry, I should have mentioned that the cmdlets I'm using are part of the Active Directory module. You'll need to install the RSAT (Win7+) to use them.
  If you'd rather stick with your DirectorySearcher methods instead of moving to the AD module, you can adjust your output by using something like this instead:
  if(($user.UserFlags.Value -band $ADS_UF_LOCKOUT) -eq $ADS_UF_LOCKOUT) {
  "$domainname\$($objResult.Properties.samaccountname)"
  $domainname might not be what you're expecting, just FYI.
  As for filtering, you can add to the if statement and check for your known usernames only.
  Don't retire TechNet! -
  (Don't give up yet - 12,700+ strong and growing)

• Cisco ISE AD (Windows Server 2013) Authentication Problem

  Background:
  Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
  Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
  Problem:
  Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
  Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
  xxdc01.xx.com (10.21.3.1)
  Pinged:0 Mins Ago
  State:down
  xxdc02.xx.com (10.21.3.2)
  Pinged:0 Mins Ago
  State:down
  xxdc01.xx.com
  Last Success:Thu Jan  1 10:00:00 1970
  Last Failure:Mon Mar 11 11:18:04 2013
  Successes:0
  Failures:11006
  xxdc02.xx.com
  Last Success:Mon Mar 11 09:43:31 2013
  Last Failure:Mon Mar 11 11:18:04 2013
  Successes:25
  Failures:11006
  Domain Controller: xxdc02.xx.com:389
      Domain Controller Type: Unknown DC Functional Level: 5
      Domain Name:            xx.COM
      IsGlobalCatalogReady:   TRUE
      DomainFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
      ForestFunctionality:           2 = (DS_BEHAVIOR_WIN2003)
  Action Taken:
  Log on to Cisco ISE and WLC using AD credentials. This rules out AD connection, clock and AAA shared secret as the problem.
  2)     Tested wireless authentication using EAP-FAST but same problem occurs.
  3)     Detailed error message shows the below. This rules out any authentication and authorization polices. Before even hitting the authentication policy, the AD lookup fails.     
  12304  Extracted EAP-Response containing PEAP challenge-response
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - AD1
  24430  Authenticating user against Active Directory
  24444  Active Directory operation has failed because of an unspecified error in the ISE
  4)     Enabled AD debugging logging and had a look at the logging. Nothing significant and no clues to the problem.
  5)     Tested wireless on different laptos and mobile phones with same error
  6)     Delete and add again AAA Client/Devices on both Cisco ISE and WLC
  7)     Restarted ISE services
  8)     Rejoin domain on Cisco ISE
  9)     Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
  10)    There are two ISE and two WLC deployed. Tested different combination of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out hardware issue of WLC.
  Other possibilities/action:
  1)     Test it out on a different WLC version. Will have to wait outage approval to upgrade WLC software.
  2)     Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012
  Anyone out there experienced something similar of have any ideas on why this is happening?
  Thanks.
  Update:
  1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
  2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
  This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.

  Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, if not which patch is required ot version?
  Worryingly when ISE joins a 2012 DC it states it's connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it's connected to the 2012 DC. We ended up mapping 8 PSN IP’s to another datacentre which has one Win2003 servers whilst the old 2003 DC is being promoted back, the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre - I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre

• Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

  Hi!!
  We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory....but the client wants the mapping to be through a RADIUS SERVER, for avoiding ISE querying directly the Active Directory.
  I know it is possible to use a RADIUS SERVER as an external identity source for ISE.....but, is it possible to use this RADIUS SERVER for this sponsor group handling?
  Thanks and regards!!

  Yes It is possible to map Sponser group to user group in AD and if you want to know how to do please open the below link and go to Mapping Active Directory Groups to Sponsor Groups heading.
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

• 801.x WLANs authenticated via Radius and Active Directory permit any user access any WLAN

  Hi,
  I have configured several WLANs with WPA2 and 8021.x which authenticate users through Radius server (Windows Internet authentication service) that conects with an Active Directory, into the AD exists one user group for each WLAN but the problem is that any user that was added to some group can get access to any WLAN, does anyboby know if I need some configuraion on the WLC to restric that?
  thanks for your help.

  Hi Scott,
  I have done some test modifying the Radius Policy to look at called station ID and test too looking at the NAS-ID, In the first case, I change the Call Station ID Type into WLC RADIUS Authentication Servers configuration to AP MAC Address:SSID and AP Name:SSID and into the Radius Server using .*:SSID-NAME$ and SSID-NAME$ ,but it blocks access for any user. In the second case, I change the NAS-ID into WLC WLAN and interface confguration and into the radius server Policy to match all, but it doesn´t have any impact, what other test could I try?
  thanks for your help. 

• "24427 Access to Active Directory failed" error in ACS 5.1

  Hello,
  I'm working on implementing a RADIUS authentication for wireless access with the following :
  - PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),
  - AP 1252  configured to use a RADIUS server to authenticate (it's working good with an ACS server 4.2),
  - ACS Server 5.1.0.44.5 running as VM connected to an AD domain and working good with VPN connections,
  - AD domain running on Windows 2003 Server.
  My ACS VM is working good since a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now, I'd like to use it to authenticate people connecting to a 1252 Cisco access point but I'm getting this error "24427 Access to Active Directory failed". I switched from PEAP to LEAP but this is the same.
  All I can get running the expert troubleshoot
  Investigating failure code: 24427 Access to Active Directory failed
  Checking if Active Directory is configured
  Active Directory is configured
  Attempting connection to Active Directory
  Connection to Active Directory was successful.
  Troubleshooting completed.
  Click on Show Results Summary to view results.
  I followed this guide, at least for the ACS certificate section :
  http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
  Anyone has an idea where the problem may come from?
  Thanks in advance,
  Vincent

  hey there, I ran into the same issue with 5.3 and it turned out being this bug. i came across your post looking for instructions on retrieving the logs. thanks mate.
  link
  Problem: Error "24495 Active Directory servers are not available"
  Authentication starts failing with this error: 24495 Active Directory servers are not available. in the ACS 5.3 logs.
  Solution
  Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch. If you see the Running in disconnected mode: unlatch error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to 5.2 version. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information.

• Is it possible to switch from Office 365 online user management to Active Directory after Exchange online migration?

  If we utilize the Cutover method to migrate from on-premise Exchange (2007) to Office 365, which to my understanding will hand over user management/authentication to Office 365 online during the process, is possible to later switch from Office 365 user management
  to Active Directory (synced to a future local domain, or even possibly via AD federation single sign-on)? If so, how difficult is this process and is there any documentation available?
  Asking this because the organization  I'm working for plans to upgrade (re-do actually) its entire infrastructure. There will be a completely brand new domain/AD set up that's totally unrelated to the old one. At the same time, we also plan to migrate
  all emails (previously hosted locally on Exchange 2007) to Office 365 and get rid of local exchange. Now because we will set up new domain, we do not want to carry over the older AD to the cloud, hence we will not use the "Staged Migration". 
  So the plan is to to use "Cutover" migration first, which means all authentications will become Office 365 managed. That's fine for now. But later, after we set up our new domain and AD controller etc, we'd like to have Exchange Online switch back
  to syncing with our new on-premise AD. We'd also like to consider the AD Federation Services if it's not too complicated to set up.
  Your advice on this would be greatly appreciated!

  In principle, you cannot sync back from the cloud AD to the on-prem, yet. But you can take advantage of the soft-matching mechanism once you have the new AD in place:
  http://support.microsoft.com/kb/2641663
  Be careful though, as the moment you turn on Dirsync, all the matching users in the cloud will have their attributes overwritten. A very good idea is to do an 'export' of the cloud AD first, using the WAAD module for PowerShell and the Get-MsolUser cmdlets,
  which you can then use to compare or import data in the new on-prem AD. Some links:
  http://technet.microsoft.com/en-us/library/hh974317.aspx
  http://msdn.microsoft.com/en-us/library/azure/dn194133.aspx

• Impact on roaming profile accounts if we Change User logon Name to Employee Number format in Active Directory for all User accounts

  I want to understand if we change User logon Name to Employee Number format in Active Directory for all User accounts, then what would be the impact on existing profile. Whether we need to change it manualy or it will connect to same profiles in terminal
  session.
  As i observed it create new profile after logon name changed to employee number where existing users profile settings get fails to load and prompt for new settings (such as outlook reconfiguration, share drive mapping etc.).
  Kindly let me know the proper process to overcome with this, how to connect same existing roaming profile with employee number format change.

  Hi,
  What if we change the user name of user account, will it have impact on roaming profiles.
  Yes, it will affect roaming profiles. Please rename the roaming profile folder as the new user account name, in addition, change the profile path in ADUC.
  Here is an related article below for you:
  How to Rename a Windows 7 User Account and Related Profile Folder
  http://social.technet.microsoft.com/wiki/contents/articles/19834.how-to-rename-a-windows-7-user-account-and-related-profile-folder.aspx
  Best Regards,
  Amy

• Unable to save Unified Messaging PIN: Access to Active Directory Failed

  I'm trying to enable all of our users for Unified Messaging and I've created a powershell script for each of users I want to enable but I am getting an error message everytime I try and run it.
  Unable to save Unified Messaging PIN for mailbox 'smtp address': Access to Active Directory Failed
  Our setup is forest root domain and 2 child domains.  Most of the users are in the child domains and the Exchange server is in the forest root domain.
  I'm using -domaincontroller but this doesn't make a difference.  Here is the script I am using:
  Enable-UMMailbox -Identity [email protected] -UMMailboxPolicy "DefaultUM Default Policy" -Extensions 303 -PIN 1234 -SIPResourceIdentifier "[email protected]" -PINExpired $false -domaincontroller "rc-curdc-01.curriculum.riddlesdown.local"
  Can someone point out why this isn't working?

  I had the same experience as Gueetar. Couldn't enable a UM mailbox, or change the PIN. Got a generic "Access to Active Directory Failed" message instead of anything useful. Even went so far as enabled a ton of diagnostic logging, which didn't report anything
  useful.
  Of course, all the accounts I was enabling had the HiddenFromAddressListsEnabled property set to $true (these were old deactivated accounts I was using to test with). I found that setting it back to $false corrected the issue.
  Of course I didn't know it was that exact problem at the time. I only found a difference after disabling/re-connecting mailboxes (and of course newly created mailboxes exhibited no issues). Assuming this was going to be the case for all mailboxes this would
  be fine for testing and proof of concept, bad for production/implementation. Instead I ran a bunch of scenarios over two days, culminating in a crap load of LDIFDEs and DSACL dumps to enumerate the object properties and compare the values that were different.
  This property (HideFromALEnabled) and a few others stood out. Luckily it wasn't ACL-related - that would've been a complete head wreck!
  Dear Microsoft: More descriptive errors next time, please :)

• User SAP* is active. No other users can log on.  Now What?

  After the last time I restarted the portal, I get the following message when I try to logon:
  User SAP* is active. No other users can log on
  Before the reboot, I was trying to configure LDAP. I changed the Data source from "Database Only" to "Read-Only Microsoft ADS (Deep Hierarchy) + Database". I also, tried to create a Superuser/Password.  You can logon using SAP* and see the users from LDAP.
  Any thoughts?  Also, can anyone clarify the configuration option:
  SAP* User Configuration
  Enable SAP* user (If you disable the SAP* user, enter a superuser ID and password below)
  Superuser Name   
  Superuser Password
  EP6.0

  Bill,
  You have to assign a user the super admin role.  Once the user has this role, go to the UM Configuration (System Admin--> System Config --> UM Configuration) and uncheck the Enable SAP* User option and enter in the superuser name and superuser password.  Restart the portal and users should be able to login.
  FYI.  No users can login to the portal if sap* is active.
  Regards,
  Marty

• User profiles from Active directory when loggedin then userdisplay, useredit shows blank white screen in SharePoint 2013

  User profiles from Active directory when loggedin then userdisplay, useredit shows blank white screen in SharePoint 2013 
  I can login with the these AD users and AD direct import is working just fine. We are not using UPS.
  With admin user when I click on the user it shows up proper data. But when I login with the same user it does not show me userdisplay/useredit and shows blank data. Also another strange thing is when I add new item in list with these AD users created by
  modified by is blank and its really strange. I checked user information list, tried to rerun user sync with direct AD import option but no success.
  MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

  Hi Amit,
  According to your description, my understanding is that the page is blank when the use accessed /_layouts/15/userdisp.aspx and the created by field was blank when the user created a new list item in SharePoint 2013.
  I tested the same scenario per your post, however I cannot reproduce your issue.
  For troubleshooting this issue, I recommend to verify the things below:
  Check the permission of the user in the corresponding site collection to see if he can access /_layouts/15/userdisp.aspx.
  Delete the user from AD and SharePoint, then re-add the user to AD and grant proper permission to the user in SharePoint to see if the issue still occurs.
  Did this issue occur with all the users? Add a new user in AD and test the same scenario.
  Best regards.
  Thanks
  Victoria Xia
  TechNet Community Support

• Credential Roaming failed to write to the Active Directory. Error code 5 (Access is denied.)

  Hi All,
  I could see following error event in all client computers , Could you please some one help me on this ?
  Log Name:      Application
  Source:
  Microsoft-Windows-CertificateServicesClient-CredentialRoaming
  Event ID:      1005
  Level:         Error
  Description: Certificate Services Client: Credential Roaming failed to  write to the Active Directory. Error code 5 (Access is denied.)
  Regards, Srinivasu.Muchcherla

  If you are not using certificates and Credential Roaming for clients then simply ignore the error message.
  If you are using certificates then you are getting access denied message when Credential Roaming is trying to write to your AD. More details about Credential Roaming here: http://blogs.technet.com/b/askds/archive/2009/01/06/certs-on-wheels-understanding-credential-roaming.aspx
  http://blogs.technet.com/b/instan/archive/2009/05/26/considerations-for-implementing-credential-roaming.aspx
  This is probably related to the fact that your schema version not 44 or higher: https://social.technet.microsoft.com/Forums/windowsserver/en-US/5b3a6e61-68c4-47d3-ae79-8296cb3be315/certificateservicesclientcredentialroaming-errors?forum=winserverGP 
  Active Directory
  ObjectVersion
  Windows 2000
  13
  Windows 2003
  30
  Windows 2003 R2
  31
  Windows 2008
  44
  Windows 2008 R2
  47
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• Sending an User an email using SCORCH based on a SCOM alert that his/her account was locked out.

  Hi,
  I am interested in finding a solution for the following topic.
  We would like to send an email to an End-User who's Windows Account has been locked-out. Besides the fact there are measures in place to deal with the situation in general (Monitoring by SCOM 2012 R2, looking for eventid:4740) we would like to notify the
  End-User about this event too.
  So, we have SCOM 2012 R2 in place to collect all the necessary information at a central location, if you will. The tricky part is to take the information and create an email containing the email address of the User who's account was locked-out. That information
  resides within the Description of the Event.
  Having asked around basically everyone is pointing to Orchestrator to do the job. Being new to that topic I wonder if someone else has that type of requirement and maybe already found a solution.
  So key is, SCOM collects the information from all DCs, has a rule to identify EventID4740, than Orchestrator comes into play to take that Alert and send out an email to the user, who's name is part of the Event Description.
  Any ideas are greatly appreciated.

  Hello,
  first you need to setup System Center Orchestrator:
  http://technet.microsoft.com/en-us/library/hh420387.aspx . The current version is System Center 2012 R2 Orchestrator.
  You also need to register, deploy and configure the System Center Integration Pack for System Center 2012 Operations Manager (download of the current version:
  http://www.microsoft.com/en-us/download/details.aspx?id=39622&WT.mc). You need to install The OpsMgr Operantion Console on the Orchestrator Runbook Server that it works, or
  http://blog.coretech.dk/jgs/sco-2012-use-operations-manager-integration-pack-without-installing-opsmgr-console-on-runbook-servers/.
  In the event description of 4740 there's the account name not the email address. If the email addresses for the users are maintained in Active Directory register and deploy the Active Directory Integration Pack for System Center 2012 - Orchestrator (also
  located in the download above).
  With that all you can build a Runbook like that:
  Or do you have or want to write a PowerShell-Workflow for that you can use this with Service Management Automation (SMA), contained in the setup of System Center 2012 R2 Orchestrator.
  Regards,
  Stefan
  www.sc-orchestrator.eu ,
  Blog sc-orchestrator.eu

• How can I authenticate a User In Windows Active Directory?

  I need to authenticate a user in Windows Active Directory, but I found use the code below will return true if the user name and password are both correct and false if one of them is wrong. But when I input a user name which is not exist in Active Driectory with a blank password, it will also return true. What shall I do? Ask every user must input a password withnot blank?
  Please give me some help to solve this problem. Thanks a lot.
  Code:
  private Context ctx = null;
  Hashtable env = new Hashtable ();
  boolean isValid = false;
  try {
  this.setEnvironmentProperties();
  String domainName = AuthenticateResources.getString("mydomain.com");
  //set the name of domain with the user name
  String fullName = name + "@" + domainName;
  env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  env.put(Context.PROVIDER_URL,"ldap://mydomain:389");
  env.put(Context.SECURITY_AUTHENTICATION,"simple");
  //set user related information
  env.put(Context.SECURITY_PRINCIPAL, fullName);
  //set user password
  env.put(Context.SECURITY_CREDENTIALS, password);
  //validate user
  ctx = new InitialDirContext(env);
  isValid = true;
  }catch (AuthenticationException ex){
  isValid = false;
  catch (NamingException ex) {
  throw ex;
  }finally{
  this.freeContext();
  return isValid;

  This is usually a problem if Anonymous Binding is enabled. I have faced this in other Directory Servers, but I am not familiar with Active Directory.
  I think by default Active Directory disables Anonymous Binding, but you may want to check.