After attempting to join Cisco ISE to a Microsoft Active Directory hosted on Windows Server 2025, we encountered the following detailed message:

• Integration Failure Message: "Join Operation Failed: ASN.1 failed call to system time library"
• Error Code: 41701
• Error Name: LW_ERROR_KRB5_ASN1_BAD_TIMEFORMAT

• Occurs when using Windows Server 2025.
• Tested and applies to ISE versions 3.1, 3.2, 3.3, and 3.4.
• The error is specific to Windows Server 2025 Domain Controllers; integration works correctly with Domain Controllers on previous versions of Windows Server.

No workaround. We MUST upgrade to a fixed Cisco ISE Release and Patch Level or apply the hot patch for versions 3.1P10, 3.4P1, 3.3P4, 3.3P5, 3.3P6, 3.3P7, and 3.2P7. After that, we MUST configure the SAM change password RPC methods policy as detailed in the Customer Impact section.
Microsoft Windows Server 2025 makes several changes to Active Directory Domain Services. Among them is the legacy Security Account Manager (SAM) remote procedure call (RPC) password change behavior: secure protocols such as Kerberos are the preferred way to change domain user passwords. On DCs, the latest SAM RPC password change method, SamrUnicodeChangePasswordUser4 using Advanced Encryption Standard (AES), is accepted by default when it is called remotely. The following legacy SAM RPC methods are blocked by default when they are called remotely:

* SamrChangePasswordUser
* SamrOemChangePasswordUser2
* SamrUnicodeChangePasswordUser2

For domain users that are members of the Protected Users group and for local accounts on domain member computers, all remote password changes through the legacy SAM RPC interface are blocked by default, including SamrUnicodeChangePasswordUser4. To control this behavior, use the following GPO setting: Computer Configuration > Administrative Templates > System > Security Account Manager > Configure SAM change password RPC methods policy

Customer Impact: To ensure Cisco ISE can join an Active Directory using a domain controller on Windows Server 2025, after applying a patch or upgrading to a newer Cisco ISE version that resolves the time format issue, it is necessary to configure the SAM change password RPC methods policy on the domain controllers. Follow these steps:

1. Open the Run dialog by selecting it from the Start menu or pressing the 'Windows Key + R' shortcut.
2. Enter gpedit.msc and click OK. Note: This opens the Local Group Policy Editor. Alternatively, you can use the Group Policy Management Console (gpmc.msc) to configure the GPO if preferred.
3. Navigate to: Computer Configuration > Administrative Templates > System > Security Account Manager.
4. Double-click Configure SAM change password RPC methods policy.
5. Select the Enabled option.
6. Under the Options section, choose Allow all change password RPC methods.
7. Click Apply and then OK to save the changes.
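Because the "Allow all change password RPC methods" option re-enables the legacy SAM RPC methods that Windows Server 2025 blocks by default, an administrator will want to confirm exactly where the setting is in effect after the steps above, and to remember that Protected Users members are blocked by default even for SamrUnicodeChangePasswordUser4. The following PowerShell script is an added example, not part of the Cisco bug text, that reads the resultant set of policy on a domain controller and reports the state of the policy, then checks whether a given account is in Protected Users. It assumes the GroupPolicy and ActiveDirectory RSAT modules, an elevated session on the DC, that the RSoP XML uses the Policy/Name/State/DropDownList element names of the gpresult report schema, and a placeholder account name `svc-ise-join` for the ISE join account.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example (not from the bug page). Verifies the GPO setting from the
# Customer Impact section on this DC and flags Protected Users membership.

$PolicyName  = 'Configure SAM change password RPC methods policy'
$ExpectedOpt = 'Allow all change password RPC methods'

function Get-SamRpcPolicyState {
    param([string]$ReportPath = (Join-Path $env:TEMP 'rsop-sam.xml'))

    # Generate the resultant set of policy for this computer as an XML report.
    Get-GPResultantSetOfPolicy -ReportType Xml -Path $ReportPath | Out-Null
    [xml]$rsop = Get-Content -Path $ReportPath -Raw

    # Namespace-agnostic XPath: administrative-template settings live in a
    # prefixed namespace, so match on local-name() instead. (Assumed schema.)
    $xpath  = "//*[local-name()='Policy'][*[local-name()='Name']='$PolicyName']"
    $policy = $rsop.SelectSingleNode($xpath)

    if (-not $policy) {
        return [pscustomobject]@{
            Configured = $false; State = 'Not configured'; Option = $null; Compliant = $false
        }
    }

    $state  = $policy.SelectSingleNode("*[local-name()='State']").InnerText
    $option = $policy.SelectSingleNode(
        "*[local-name()='DropDownList']/*[local-name()='Value']/*[local-name()='Name']").InnerText

    [pscustomobject]@{
        Configured = $true
        State      = $state
        Option     = $option
        Compliant  = ($state -eq 'Enabled' -and $option -eq $ExpectedOpt)
    }
}

function Test-ProtectedUsersMember {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Recursive lookup so nested group membership is caught as well.
    $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
               Select-Object -ExpandProperty SamAccountName
    return ($members -contains $SamAccountName)
}

$result = Get-SamRpcPolicyState
$result | Format-List

if (-not $result.Compliant) {
    Write-Warning ("Policy '{0}' is '{1}' with option '{2}'; expected Enabled / '{3}'." -f
        $PolicyName, $result.State, $result.Option, $ExpectedOpt)
}

# 'svc-ise-join' is a placeholder for the account ISE uses to join the domain.
if (Test-ProtectedUsersMember -SamAccountName 'svc-ise-join') {
    Write-Warning ("Join account is in Protected Users: remote SAM RPC password changes " +
                   "are blocked by default for it, including SamrUnicodeChangePasswordUser4.")
}
```

Run the script on each Windows Server 2025 domain controller that ISE joins through; a `Not configured` result on any of them means the policy was set only locally on another DC via gpedit.msc rather than through a domain GPO linked to the Domain Controllers OU.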
CSCws27786