ISE 2.4 Password Update for AD

kewhigha
Cisco Employee

I have a customer who just upgraded from ISE 2.0 to 2.4 and they noticed from their log collector the ISE machine object is updating the password every 30 minutes.  So each ISE node is updating the password which is generating a log message and is flooding their log collector.  Previously when running 2.0 they said this happened once every 24 hours.

Was there an intentional change made in the code?  Is there anything that can be done about this?  Or is this expected behavior that can be ignored?

Accepted Solution

hslai
Cisco Employee

This is addressed in ISE 2.4 Patch 1 -- CSCvi50979


7 Replies

Is there any information on how this was resolved? Unfortunately I could not find anything in the bug nor in the Release Notes of 2.4.

What are the new values?

Are those values editable via AD advanced tuning?

After the bug fix, ISE will attempt to change its AD password every 15 days by default.

Yes, it can be tuned between 15 minutes and 30 days.

CSCvb73178 is an enhancement request I opened a while ago, asking to allow disabling the password change. This has not been fulfilled yet.

Thank you for the info!

Are you also able to tell me how I can modify this timer? AD Advanced Tools registry value maybe?

The AD advanced tuning is usually not required until we encounter an issue. When that happens, it's best to engage Cisco TAC support; our TAC team will help validate the problem and guide you through how to set these registries, if required.

I also reached out to our engineering team for more info on this.

Did you hear anything back on the default timer yet?
Thanks!

Apply ISE 2.4 patch 1 or higher.

  1. Go to Administration > Identity Management > External Identity Sources > Active Directory.
  2. Click Advanced Tools > Advanced Tuning.
  3. Select the ISE node you want to change.
     The 'Name' field gets the specific REGISTRY string given below:
     REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\MachinePasswordLifespan
     The 'Value' field is where you specify the option.
  4. Specify the value in seconds. Valid range is 30 minutes ~ 60 days; default is 30 days (2592000).
     Type any description. Required before the next step.
  5. Click the 'Update Value' button.
  6. Click 'Restart Active Directory Connector'.

Note: the ISE machine password change should trigger every (configured-time) / 2 seconds. The ISE machine Kerberos TGT refreshes every 30 minutes regardless, to keep the TGT fresh and not expired.
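As an added example (not code from the thread or from Cisco), the script below shows how an operator on the log-collector side could check the two numbers this reply gives: that a candidate MachinePasswordLifespan value sits inside the documented 30-minute to 60-day range, and that the observed interval between password-change events per ISE node is roughly (configured-time) / 2. The log lines and their format are constructed for the example; ISE's real log syntax is not shown on this page, so the parser would need to be adapted to the collector's actual events.

```python
from collections import defaultdict
from datetime import datetime

# Range and default from the reply above, expressed in seconds.
MIN_LIFESPAN = 30 * 60          # 30 minutes
MAX_LIFESPAN = 60 * 86400       # 60 days
DEFAULT_LIFESPAN = 2592000      # 30 days

# Constructed sample events: "<ISO timestamp> <node> <event>".
# The format is hypothetical, not ISE's own log syntax.
SAMPLE_EVENTS = """\
2024-05-01T00:00:00Z ise-node-1 machine-password-changed
2024-05-01T00:30:00Z ise-node-1 machine-password-changed
2024-05-01T01:00:00Z ise-node-1 machine-password-changed
2024-05-01T00:00:00Z ise-node-2 machine-password-changed
2024-05-16T00:00:00Z ise-node-2 machine-password-changed
"""


def validate_lifespan(seconds):
    """True if the value is inside the documented tuning range."""
    return MIN_LIFESPAN <= seconds <= MAX_LIFESPAN


def expected_change_interval(lifespan):
    """Per the note above, the change triggers every lifespan / 2 seconds."""
    return lifespan // 2


def parse_events(text):
    """Parse constructed log lines into (timestamp, node, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, node, event = line.split(maxsplit=2)
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), node, event))
    return events


def change_intervals(events):
    """Seconds between consecutive password changes, per node."""
    by_node = defaultdict(list)
    for stamp, node, event in events:
        if event == "machine-password-changed":
            by_node[node].append(stamp)
    intervals = {}
    for node, stamps in by_node.items():
        stamps.sort()
        intervals[node] = [
            int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])
        ]
    return intervals


def flag_chatty_nodes(events, lifespan=DEFAULT_LIFESPAN, tolerance=0.9):
    """Nodes changing their password faster than lifespan / 2 (with slack)."""
    threshold = expected_change_interval(lifespan) * tolerance
    flagged = [
        node for node, gaps in change_intervals(events).items()
        if any(gap < threshold for gap in gaps)
    ]
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("intervals:", change_intervals(evs))
    print("faster than expected:", flag_chatty_nodes(evs))
```

With the constructed input, ise-node-1 (changing every 30 minutes, the pre-patch behaviour the original poster saw) is flagged, while ise-node-2 (15-day gaps, which matches the 30-day default halved) is not.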