Active Directory False Failure - Error Code: 0xc0000064

Available Languages

Download Options

  • PDF     (51.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (121.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (111.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 21, 2020
Document ID:215798

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the solution of the issue when Microsoft Active Directory Domain Controller starts to respond to the false failure notification with "error code: 0xc0000064" for authentication requests from the Cisco Identity Services Engine (ISE).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics: 

    • Cisco Identity Services Engine (ISE).
    • Microsoft Active Directory (MS-AD).

    Components Used

     The information in this document is based on these software and hardware versions:

    • Identity Services Engine (ISE) 2.4 & 2.6 on VM (Small).
    • Microsoft Active Directory (MS-AD) 2012.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any step.

    Problem

    Two log entries observed (failure & successful) in Event viewer Audit logs of Domain Controller (DC) for each authentication request from ISE.

    The failure is with reason "NO_SUCH_USER” and error code: 0xc0000064

    Solution

    Behaviour is related to defect CSCvf45991 and the following steps should resolve the issue.

    Step 1. Upgrade ISE to version or patch in which CSCvf45991 is fixed.

    Step 2. Join ISE to desire AD Domain.

    Step 3. In order to configure Registry Settings, navigate to Advance Tool > Advance Tuning.

    Name: REGISTRY.Services\lsass\Parameters\Providers\ActiveDirectory\WorkaroundForFalseFailedLoginEvent

    Step 4. Value: YES.

    Step 5. Click Update Value button.

    Step 6. Click Restart Active Directory Connector

    Note: Step 6 restarts the Active Directory connector service.

    Step 7. Perform authentication test ( MSCHAPV2 ) once again after Active Directory connector service is up and the issue is resolved.

    Step 8. Audit success log under Event Viewer in AD should confirm the same.

    TAC Authored

    Contributed by Cisco Engineers

    • Manjunath Sheregar
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products