ISE binary certificate comparison mystery

Hello

I’m wondering if anyone has encountered the same problem with binary certificate comparison. The scenario is as follows:

  • The client hires a new employee.
  • An AD account is created for that employee.
  • Meanwhile, a PC is prepared for that employee and an IT person logs on to that PC for the first time. The CA shares a copy of the certificate with AD.
  • The employee receives the PC but can’t log into the network.
  • ISE says that no valid account has been found in AD for this certificate IF binary certificate comparison is used. If it is not used, ISE accepts the certificate as valid.

If the certificates are refreshed on the PC, all is well again.

My theory is that this is due to the fact that there are multiple domain controllers. I think there might be a problem if a domain controller receives the certificate from the CA before the object is replicated to that branch domain controller, so that the mapping of the machine account to the machine certificate fails on that controller. My theory is further corroborated by the following bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr51940

and the following forum entry:

https://www.jamf.com/jamf-nation/discussions/22807/race-condition-when-requesting-an-ad-certificate
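One way to check this theory on an affected PC is to ask every domain controller, one by one, whether the computer object already carries the certificate that ISE will compare byte for byte. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read the computer object. Since a thumbprint is the SHA-1 over the exact DER bytes, equal thumbprints mean the DC holds the identical binary certificate that binary comparison needs. The function name `Test-AdCertSync` is made up for this example.

```powershell
# Added diagnostic (not from the original post): for each domain controller,
# fetch the computer object's userCertificate attribute and check whether the
# certificate in the local machine store is already present there. A DC that
# returns no object, or a set of certificates that does not include the local
# one, is a DC on which ISE binary certificate comparison fails until AD
# replication catches up.
# Assumes: RSAT ActiveDirectory module, read access to the computer object.
function Test-AdCertSync {
    param(
        # Computer whose machine certificate is being checked (default: this host)
        [string]$ComputerName = $env:COMPUTERNAME,
        # Local store that holds the CA-issued machine certificate
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Thumbprint = SHA-1 over the DER encoding, so an equal thumbprint means the
    # DC holds the identical binary certificate ISE would compare against.
    $localThumbs = Get-ChildItem $StorePath |
        Where-Object { $_.HasPrivateKey } |
        Select-Object -ExpandProperty Thumbprint

    foreach ($dc in Get-ADDomainController -Filter *) {
        $result = [ordered]@{
            DomainController    = $dc.HostName
            Status              = ''
            MatchingThumbprints = @()
        }
        try {
            # Query this specific DC so replication lag becomes visible per DC
            $obj = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
                -Server $dc.HostName -Properties userCertificate -ErrorAction Stop
            if (-not $obj) {
                # The computer object has not yet replicated to this DC
                $result.Status = 'ObjectMissing'
            } else {
                # userCertificate holds one DER blob per published certificate
                $adThumbs = foreach ($der in $obj.userCertificate) {
                    ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)).Thumbprint
                }
                $common = @($localThumbs | Where-Object { $adThumbs -contains $_ })
                $result.MatchingThumbprints = $common
                $result.Status = if ($common.Count -gt 0) { 'InSync' }
                                 elseif ($adThumbs)        { 'StaleCertificate' }
                                 else                      { 'NoCertificatePublished' }
            }
        } catch {
            $result.Status = "QueryFailed: $($_.Exception.Message)"
        }
        [pscustomobject]$result
    }
}

# Usage: run on the affected PC; any DC not reporting InSync is a DC where
# the ISE lookup with binary comparison would fail at that moment.
Test-AdCertSync | Format-Table DomainController, Status
```

If a DC reports `ObjectMissing` or `StaleCertificate` while the others report `InSync`, the race between CA publication and AD replication is confirmed; re-running the script after the replication interval, or after refreshing the certificate on the PC as described above, should then show `InSync` everywhere.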
