Symptom
When the "TROUBLESHOOTING.EncryptionOffPeriod" Advanced Tuning parameter is configured with any non-zero number of minutes (which turns off encryption of ISE's communication with Active Directory for troubleshooting), RPC netlogon fails for all Active Directory authentications on this ISE node.
The failed RADIUS/TACACS+ authentication report on ISE includes the following details:
---
//"Authentication Details" section includes:
Message Text -> Failed-Attempt: Authentication failed
Failure Reason -> 24403 User authentication against Active Directory failed
Resolution -> Check whether the user account is enabled in Active Directory. Also check for valid credentials and whether Active Directory is reachable.
Root Cause -> User authentication against Active Directory failed
---
//"Steps" section includes:
RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,>
Communication with domain controller failed - >,ERROR_RPC_NETLOGON_FAILED
Failover threshold has been exceeded
Conditions
The "TROUBLESHOOTING.EncryptionOffPeriod" Advanced Tuning option is configured on ISE with any number of minutes other than 0
Recent Microsoft security updates are installed on the Domain Controller
Further Problem Description
Recent Microsoft security updates do not allow this clear-text communication, and "netlogon.log" on the Domain Controller (if netlogon logging is enabled) shows the following entries during authentication attempts from ISE while encryption is disabled:
!
>: SamLogon: Network logon of \>@> from \\> failed RPC Security checks
!
>: SamLogon: Network logon of \>@> from \\> (via >) Returns 0xC0000022
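The following Python helper is an added example for operators triaging this symptom; it is not part of the bug note and not Cisco's own tooling. It scans the "Steps" text of a failed ISE authentication report and the Domain Controller's netlogon.log for the markers quoted above (ERROR_RPC_NETLOGON_FAILED, STATUS_ACCESS_DENIED, "failed RPC Security checks", return code 0xC0000022, which is the NTSTATUS value STATUS_ACCESS_DENIED), then correlates the hits with the configured EncryptionOffPeriod value to tell the two cases apart: encryption turned off (set the parameter back to 0) versus an ordinary netlogon failure with encryption still on. The sample report and log lines are constructed, with placeholder domain, user and host names, and the function names are the example's own.

```python
"""Triage helper for the ISE <-> Active Directory RPC netlogon failure described above."""
import re
from dataclasses import dataclass

# Markers quoted in the bug note's "Steps" section of the failed ISE authentication report.
ISE_STEP_MARKERS = (
    "ERROR_RPC_NETLOGON_FAILED",
    "STATUS_ACCESS_DENIED",
    "Failover threshold has been exceeded",
)

# Patterns from the netlogon.log excerpt in the bug note.
# 0xC0000022 is the NTSTATUS value STATUS_ACCESS_DENIED.
STATUS_ACCESS_DENIED = 0xC0000022
RPC_SECURITY_CHECK_RE = re.compile(r"failed RPC Security checks")
RETURN_CODE_RE = re.compile(r"Returns\s+0x([0-9A-Fa-f]{8})")


@dataclass(frozen=True)
class Finding:
    source: str    # "ise-report" or "netlogon.log"
    line_no: int   # 1-based line number within the scanned text
    reason: str    # which marker matched
    text: str      # the offending line, stripped


def scan_ise_steps(report_steps: str) -> list:
    """Return one Finding per report step that carries a netlogon RPC failure marker."""
    findings = []
    for n, line in enumerate(report_steps.splitlines(), start=1):
        hits = [m for m in ISE_STEP_MARKERS if m in line]
        if hits:
            findings.append(Finding("ise-report", n, ", ".join(hits), line.strip()))
    return findings


def scan_netlogon_log(log_text: str) -> list:
    """Return one Finding per SamLogon line rejected by RPC security checks or access denied."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if "SamLogon" not in line:
            continue
        if RPC_SECURITY_CHECK_RE.search(line):
            findings.append(Finding("netlogon.log", n, "failed RPC Security checks", line.strip()))
            continue
        m = RETURN_CODE_RE.search(line)
        if m and int(m.group(1), 16) == STATUS_ACCESS_DENIED:
            findings.append(Finding("netlogon.log", n, "Returns 0xC0000022 (STATUS_ACCESS_DENIED)", line.strip()))
    return findings


def assess(report_steps: str, log_text: str, encryption_off_period_minutes: int) -> dict:
    """Correlate the ISE report, the DC log and the Advanced Tuning value into a verdict."""
    ise = scan_ise_steps(report_steps)
    dc = scan_netlogon_log(log_text)
    rpc_failure_seen = bool(ise) or bool(dc)
    matches_bug = rpc_failure_seen and encryption_off_period_minutes > 0
    if matches_bug:
        action = ("Set TROUBLESHOOTING.EncryptionOffPeriod back to 0 so netlogon traffic to the "
                  "domain controller is encrypted again, then re-test the authentication.")
    elif rpc_failure_seen:
        action = ("RPC netlogon failure with encryption still on: check that the account is enabled, "
                  "the credentials are valid and the domain controller is reachable.")
    else:
        action = "No netlogon RPC failure signature found."
    return {
        "ise_findings": ise,
        "dc_findings": dc,
        "encryption_off_period_minutes": encryption_off_period_minutes,
        "matches_bug_signature": matches_bug,
        "recommended_action": action,
    }


# Constructed sample input (not captured from a real deployment); the bracketed values and
# EXAMPLE / ISE-NODE-1 / DC1 are placeholders for the redacted domain, user and host names.
SAMPLE_ISE_STEPS = "\n".join([
    "Sending authentication request to domain controller",
    "RPC Logon request failed - STATUS_ACCESS_DENIED,ERROR_RPC_NETLOGON_FAILED,<DC-PLACEHOLDER>",
    "Communication with domain controller failed - <DC-PLACEHOLDER>,ERROR_RPC_NETLOGON_FAILED",
    "Failover threshold has been exceeded",
])

SAMPLE_NETLOGON_LOG = "\n".join([
    r"01/01 10:00:00 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\alice from \\ISE-NODE-1 (via DC1) Returns 0x0",
    r"01/01 10:00:01 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\bob from \\ISE-NODE-1 failed RPC Security checks",
    r"01/01 10:00:01 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\bob from \\ISE-NODE-1 (via DC1) Returns 0xC0000022",
])


if __name__ == "__main__":
    verdict = assess(SAMPLE_ISE_STEPS, SAMPLE_NETLOGON_LOG, encryption_off_period_minutes=30)
    for f in verdict["ise_findings"] + verdict["dc_findings"]:
        print(f"{f.source}:{f.line_no}: {f.reason}")
    print("matches bug signature:", verdict["matches_bug_signature"])
    print(verdict["recommended_action"])
```

Feed `assess()` the pasted "Steps" text, the relevant netlogon.log window and the value currently set in Advanced Tuning; the verdict points at the parameter only when it is non-zero and the RPC failure markers are present, so a netlogon failure with encryption still enabled is routed to the usual account, credential and reachability checks instead.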