Cisco Identity Services Engine Software Information Guide
Contents
Introduction
Prerequisites
Requirements
Components Used
Problem
Solution
Introduction
This document describes how to work around a problem with Active Directory (AD) group
retrieval during authentication when this error is seen in the live logs:
ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
● Cisco Identity Services Engine
● Microsoft Active Directory
Components Used
This document is not restricted to specific software versions of Identity Services Engine (ISE).
Problem
The user account used to join ISE to AD does not have the privileges required to read the
tokenGroups attribute, so ISE cannot retrieve the group membership of the authenticating user.
This does not happen when a Domain Admin account is used to join ISE to AD.
Solution
To fix this issue, add the ISE node(s) to the security permissions of the user account and grant
the ISE node(s) these permissions:
● List contents
● Read all properties
● Read permissions
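The permission change described above, scripted in PowerShell as an added example (this is not from the Cisco document). The ISE computer account names, the target user DN and the domain are assumptions; the mapping of the three permissions to ActiveDirectoryRights values is the one the AD PowerShell provider uses for "List contents", "Read all properties" and "Read permissions".

```powershell
# Added example, not part of the Cisco document.
# Grants the ISE node computer accounts the three read permissions on an AD
# user object, then shows the resulting ACEs. All names are assumptions.
Import-Module ActiveDirectory

$IseNodes = @('ISE-PAN-1', 'ISE-PSN-1')               # assumed: computer accounts created by the ISE join
$TargetDn = 'CN=jdoe,OU=Users,DC=example,DC=com'      # assumed: user object ISE must read groups for

# ActiveDirectoryRights equivalents of the permissions listed in the document:
#   List contents       -> ListChildren
#   Read all properties -> ReadProperty
#   Read permissions    -> ReadControl
$Rights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadControl

$acl = Get-Acl -Path "AD:\$TargetDn"

foreach ($node in $IseNodes) {
    # Resolve the computer account to its SID so the ACE survives renames.
    $sid = (Get-ADComputer -Identity $node).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None   # single user object
    )
    $acl.AddAccessRule($ace)
}

Set-Acl -Path "AD:\$TargetDn" -AclObject $acl

# Verify: list the ACEs now granted to the ISE computer accounts on the object.
(Get-Acl -Path "AD:\$TargetDn").Access |
    Where-Object { $_.IdentityReference -match 'ISE-' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize
```

To cover every user under an OU instead of one object, point $TargetDn at the OU and change the inheritance argument from None to Descendents (or All). Granting only these read rights keeps the ISE machine accounts at the minimum needed to read tokenGroups, which is preferable to re-joining with a Domain Admin account.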
). Those debugs are seen in ad-agent.log:
28/08/2016 17:23:35,VERBOSE,140693934700288,Error code: 60173 (symbol: LW_ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS),lsass/server/auth-providers/ad-open-provider/provider-main.c:7409
28/08/2016 17:23:35,VERBOSE,140693934700288,Error code: 60173 (symbol: LW_ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS),lsass/server/api/api2.c:2572
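A scan of ad-agent.log for this error, added here as an example and not part of the Cisco document. The log lines embedded in the script are constructed from the record format shown above, and Find-TokenGroupsErrors is a function name chosen for this example.

```powershell
# Added example, not part of the Cisco document.
# Parses ad-agent.log records of the form
#   date time,LEVEL,thread,Error code: N (symbol: NAME),source-file:line
# and reports every occurrence of the tokenGroups permission error.

# Constructed sample lines (two real-format hits plus one unrelated record).
$SampleLog = @'
28/08/2016 17:23:35,VERBOSE,140693934700288,Error code: 60173 (symbol: LW_ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS),lsass/server/auth-providers/ad-open-provider/provider-main.c:7409
28/08/2016 17:23:35,VERBOSE,140693934700288,Error code: 60173 (symbol: LW_ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS),lsass/server/api/api2.c:2572
28/08/2016 17:23:36,INFO,140693934700288,Some unrelated record
'@

$Pattern = '^(?<ts>\S+ \S+),(?<level>[A-Z]+),(?<thread>\d+),Error code: (?<code>\d+) \(symbol: (?<symbol>\w+)\),(?<src>.+):(?<line>\d+)$'

function Find-TokenGroupsErrors {
    param([string[]]$Lines)
    foreach ($l in $Lines) {
        if ($l -match $Pattern -and $Matches.symbol -eq 'LW_ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS') {
            [pscustomobject]@{
                Timestamp = $Matches.ts
                Thread    = $Matches.thread
                Code      = [int]$Matches.code
                Symbol    = $Matches.symbol
                Source    = "$($Matches.src):$($Matches.line)"
            }
        }
    }
}

# Run over the constructed sample. For a real support bundle use:
#   Find-TokenGroupsErrors -Lines (Get-Content .\ad-agent.log)
$hits = @(Find-TokenGroupsErrors -Lines ($SampleLog -split "`r?`n"))
$hits | Format-Table -AutoSize
"$($hits.Count) record(s) with error code 60173 found"
```

Any hit confirms that the ISE machine account lacks read access to tokenGroups for the user in question; the Source column shows which lsass code path raised it, which is useful when correlating with the live-log failure reason.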