Fix Active Directory group retrieval issue ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS on Identity Services Engine

Available Languages

Updated:October 24, 2016
Document ID:200780

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to workaround the problem with Active Directory (AD) group retrieval during authentication, while this error is seen in live logs:

ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco Identity Services Engine
  • Microsoft Active Directory

Components Used

This document is not restricted to specific software versions of Identity Services Engine (ISE).

Problem

The problem is that user account used to join ISE to AD does not have correct privileges to get tokenGroups. This would not happen if Domain Admin account was used to join ISE to AD. To fix this issue, you have to add ISE node(s) to the user account and provide those permissions to ISE node(s):

  • List contents
  • Read all properties
  • Read permissions

This issue is seen, even though permissions for user seems to be correct (check against ISE 1.3 AD Authentications Fail with Error: "Insufficient Privilege to Fetch Token Groups"). Those debugs are seen in ad-agent.log:

28/08/2016 17:23:35,VERBOSE,140693934700288,Error code: 60173 (symbol: LW_ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS),lsass/server/auth-providers/ad-open-provider/provider-main.c:7409
28/08/2016 17:23:35,VERBOSE,140693934700288,Error code: 60173 (symbol: LW_ERROR_TOKEN_GROUPS_INSUFFICIENT_PERMISSIONS),lsass/server/api/api2.c:2572

Solution

To provide required permissions to user account, perform those steps:

1. on AD navigate to Properties for AD user account:

200780-Fix-Active-Directory-group-retrieval-iss-00.png

2. Choose Security tab and click Add:

200780-Fix-Active-Directory-group-retrieval-iss-01.png

3. Select Object Types:

200780-Fix-Active-Directory-group-retrieval-iss-02.png

4. Select Computers and click OK:

200780-Fix-Active-Directory-group-retrieval-iss-03.png

5. Insert ISE hostname (VCHRENEK-ISE4 in this example) and click OK:

200780-Fix-Active-Directory-group-retrieval-iss-04.png

6. Select ISE node and click Advanced:

200780-Fix-Active-Directory-group-retrieval-iss-05.png

7. From Advanced Security Settings select ISE machine account and click Edit:

200780-Fix-Active-Directory-group-retrieval-iss-06.png

8. Provide those permissions to ISE machine account and click OK:

200780-Fix-Active-Directory-group-retrieval-iss-07.png

After these changes, AD groups should be retrieved without any issues:

200780-Fix-Active-Directory-group-retrieval-iss-08.png

This has to be performed for all users and changes should be replicated to all Domain Controllers in the domain.

Revision History

Revision Publish Date Comments
1.0
24-Oct-2016
Initial Release
TAC Authored

Contributed by Cisco Engineers

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products