After attempting to join Cisco ISE to a Microsoft Active Directory hosted on Windows Server 2025, we encountered the following detailed message:
• Integration Failure Message: "Join Operation Failed: ASN.1 failed call to system time library"
• Error Code: 41701
• Error Name: LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT
• Occurs when using Windows Server 2025.
• Tested and applies to ISE versions 3.1, 3.2, 3.3, and 3.4.
• The error is specific to Windows Server 2025 Domain Controllers; integration works correctly with previous versions of Windows Server Domain Controllers.
The workaround is:
1. Make sure that the fix on the ISE side is applied (available from versions 3.4P2, 3.3P8 and 3.2P8, and as a hot patch for versions 3.1P10, 3.4P1, 3.3P4, 3.3P5, 3.3P6, 3.3P7 and 3.2P7).
2. Apply the workaround on the DC:
- Open a PowerShell as administrator, type gpedit.msc and press Enter.
- Go to Computer Configuration > Administrative Templates > System > Security Account Manager > Configure SAM change password RPC methods policy
- Change the policy to "Allow all change password RPC methods"
Note: gpedit.msc opens the Local Group Policy Editor, which affects only the local machine and can be overridden by domain-level GPOs. If a domain GPO change is needed, it can be done using gpmc.msc with the same steps.
Microsoft Windows Server 2025 makes several changes to Active Directory Domain Services. Among them is the legacy Security Account Manager (SAM) remote procedure call (RPC) password change behavior: secure protocols such as Kerberos are the preferred way to change domain user passwords. On DCs, the latest SAM RPC password change method, SamrUnicodeChangePasswordUser4 using Advanced Encryption Standard (AES), is accepted by default when it's called remotely. The following legacy SAM RPC methods are blocked by default when they're called remotely:
* SamrChangePasswordUser
* SamrOemChangePasswordUser2
* SamrUnicodeChangePasswordUser2
For domain users that are members of the Protected Users group and for local accounts on domain member computers, all remote password changes through the legacy SAM RPC interface are blocked by default, including SamrUnicodeChangePasswordUser4. To control this behavior, use the following GPO setting: Computer Configuration > Administrative Templates > System > Security Account Manager > Configure SAM change password RPC methods policy
Customer Impact: To ensure Cisco ISE can join an Active Directory using a domain controller on Windows Server 2025, after applying a patch or upgrading to a newer Cisco ISE version that resolves the time format issue, it is necessary to configure the SAM change password RPC methods policy on the domain controllers. Follow these steps:
1. Open the "Run" dialog by selecting it from the Start menu or pressing the 'Windows Key + R' shortcut.
2. Enter "gpedit.msc" and click "OK". Note: This opens the Local Group Policy Editor. Alternatively, you can use the Group Policy Management Console (gpmc.msc) to configure the GPO if preferred.
3. Navigate to: Computer Configuration > Administrative Templates > System > Security Account Manager.
4. Double-click on "Configure SAM change password RPC methods policy."
5. Select the "Enable" option.
6. Under the "Options" section, choose "Allow all change password RPC methods."
7. Click "Apply" and then "OK" to save the changes.