Service Account Password Change.

mshapour
Cisco Employee

Currently working on a case where we are trying to use the API to change the "service account" within ISE for domain services. This would be the account ISE uses to join nodes to the domain and then query the domain for user/machine authentications. They are planning to use CyberArk to automate the process of renewing the password for the service account. They would like to know whether they are required to rejoin all the nodes with the same account and new password once the password renewal is enforced.

I would appreciate any hints regarding these changes and the expected behavior.

Kind Regards.

Mahdi Shapouri.

Accepted Solutions

hslai
Cisco Employee

Assuming you meant the credentials used to join ISE nodes to Active Directory domains, then it depends on whether they are also used for PassiveID.

If not used for PassiveID, then they are only used during the AD join/leave, so ISE nodes do not need them besides those operations. If also used for PassiveID, then we need to update the credentials used to monitor the domain controllers after the passwords are renewed.
