Host query issue with multi-AD domains

csco11552159
Level 5

Hi Folks,

I recently ran into another issue that I really couldn't figure out.

My ISE is joined to 3 AD domains. When I try to query username information, everything seems right: I get all the groups and attributes back.

But when I try to query host information, 2 work but 1 doesn't. I tried to capture the traffic sent to AD, and it is very odd that no traffic was sent to AD at all.

Any thoughts on this?

Test Username           : host/d19c4q

ISE NODE                : ISEPSN2.LABDEV.DEV.LAB.CA

Scope                   : Initial_Scope,LAB_PROD_AND_DEV

Instance                : LAB-PROD-AD

Authentication Result   : FAILED

Error                   : Identity not found; some of the  domains were not available

Processing Steps:

Resolving identity - host/d19c4q

Search for matching accounts at join point - lab.corp.lab.ca

Incoming identity was not rewritten - host/d19c4q

Skipping unavailable forest - corp.lab.ca

Skipping unusable domain -

Skipping unusable domain -

Identity resolution detected no matching account

Identity resolution failed - ERROR_NO_SUCH_USER_SOME_DOMAINS_NOT_AVAILABLE

Thanks.

2 Replies

csco11552159
Level 5

Found out more: actually, when I use SAM$ to search, it works. Don't know why it doesn't work with the "host/" format.

sAMAccountName$ works. The other names that would work are those set in servicePrincipalName.

Below shows an example servicePrincipalName from my test setup:

First, enable View -> Advanced Features


Then look at the properties of an AD domain computer and open the [ Attribute Editor ] tab. My sample computer has a multi-valued servicePrincipalName: HOST/tt-corp; HOST/tt-corp.demo.local


Then, the lookup test results:

Test Username           : host/tt-corp

ISE NODE                : ise-210.demo.local

Scope                   : Default_Scope

Instance                : demoAD

Authentication Result   : SUCCESS

Authentication Domain   : demo.local

User Principal Name     : TT-CORP$@demo.local

User Distinguished Name : CN=TT-CORP,CN=Computers,DC=demo,DC=local

Groups                  : 1 found.

Attributes              : 41 found.

Processing Steps:

Resolving identity - host/tt-corp

Search for matching accounts at join point - demo.local

Single matching account found in forest - demo.local

Identity resolution detected single matching account
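As an added illustration (not code from this thread, from Cisco or from ISE itself), here is a small Python model of the matching rule the replies describe: a host/<name> lookup is satisfied only by a servicePrincipalName of HOST/<name>, while <name>$ is matched on sAMAccountName. The sample computer objects are constructed after the two setups in the thread, and the LDAP filter built here is an assumption about the equivalent directory search, not ISE's actual query.

```python
import re

# Constructed sample computer objects modelled on the two setups in the thread
# (not exported from a real directory); servicePrincipalName is multi-valued.
COMPUTERS = [
    {"sAMAccountName": "TT-CORP$",
     "dn": "CN=TT-CORP,CN=Computers,DC=demo,DC=local",
     "servicePrincipalName": ["HOST/tt-corp", "HOST/tt-corp.demo.local"]},
    {"sAMAccountName": "D19C4Q$",
     "dn": "CN=D19C4Q,CN=Computers,DC=lab,DC=corp,DC=lab,DC=ca",
     "servicePrincipalName": []},  # no HOST/ SPN, like the failing lookup
]

def escape(value):
    """Escape the characters RFC 4515 reserves inside an LDAP filter value."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29"))

def match_rule(identity):
    """Which attribute an identity form is matched on. Assumption taken from the
    replies: 'host/<name>' is matched against servicePrincipalName HOST/<name>,
    '<name>$' against sAMAccountName; anything else is rejected."""
    if re.fullmatch(r"host/[^@\s]+", identity, re.IGNORECASE):
        return "servicePrincipalName", "HOST/" + identity.split("/", 1)[1]
    if re.fullmatch(r"[^@\s/]+\$", identity):
        return "sAMAccountName", identity
    raise ValueError("unsupported identity form: %r" % identity)

def ldap_filter(identity):
    """Equivalent directory search for the rule (an assumption, not ISE's query)."""
    attr, value = match_rule(identity)
    return "(&(objectClass=computer)(%s=%s))" % (attr, escape(value))

def resolve(identity, computers):
    """Apply the rule case-insensitively (like AD); DN of the single match, else None."""
    attr, value = match_rule(identity)
    hits = []
    for c in computers:
        values = c[attr] if attr == "servicePrincipalName" else [c[attr]]
        if value.upper() in (v.upper() for v in values):
            hits.append(c)
    return hits[0]["dn"] if len(hits) == 1 else None

def missing_spns(computers):
    """Audit: machine accounts with no HOST/<short name> SPN, so host/<name> fails."""
    return [c["sAMAccountName"] for c in computers
            if not any(s.upper() == "HOST/" + c["sAMAccountName"].rstrip("$").upper()
                       for s in c["servicePrincipalName"])]
```

Running missing_spns over an export of your computer objects lists the machines for which a host/ lookup will come back empty even though the sAMAccountName$ form resolves.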