I’m wondering if anyone has encountered the same problem with binary certicate comparison. The scenario is as follows:
- the client hires a new employee
- an AD account is created for that employee.
- Meanwhile, a PC is prepared for that employee and an IT person logs to that PC for the first time. CA shares a copy of the certificate with AD.
- The employee receives the PC but can’t log into the network
- ISE says that no valid account has been found in AD for this certificate IF binary certificate comparison is used. If it is not used, ISE accepts the certificate as valid.
If the certificates are refreshed on the PC, all is well again.
My theory is that this is due to the fact that there are multiple domain controllers and I think that there might be problems if the domain controller receives the certificate from CA before the object is replicated on that branch domain controller and mapping of machine account to machine certificate fails on that controller. My theory is further corroborated by the following bug:
and the following forum entry: