Sorin_Gogean
Advisor

Identity Awareness - Unsuccessful User Directory Queries

Hello everyone,

 

As I was stating in other topics, we're close to getting the IA into production.

We've deployed ICs in pairs to ensure redundancy, we collect log-ins from AD, and we also have ISE pxGrid integrated.

 

What still bothers me is the HIGH number of "Unsuccessful User Directory Queries" we're seeing in reports (screenshot below).

[Screenshot: Capture.JPG]

 

What I can tell is that our AD Domain (xyz.int) has 4 main sub-domains (ALV, EU, NA and AP) and our ICs are set to grab log-ins from ALV.xyz.int.

All good here as we properly see log-ins on each region, and we properly identify the users and machines against AD (groups and everything). 

 

My guess is that the cross-region log-ins are going to the "Unsuccessful User Directory Queries" figures, because user1@eu.xyz.int is properly found in the EU Cluster, but user2@na.xyz.int or user3@ap.xyz.int are not (actually they all show up like user1@xyz.com, user2@xyz.com or user3@xyz.com). Still, in the settings we have LDAP/User Catalog defined for all 4 sub-domains.

 

As a next step, since we just read about it, we're going to address the AD Global Catalog in our LDAP/User Catalog settings (see sk134292).

Has anyone else faced a similar problem, or are the "Unsuccessful User Directory Queries" caused by something else?


Any ideas or hints are welcome.

 

Thank you, 

0 Kudos
3 Replies
PhoneBoy
Admin

TAC would have to take some debugs to find the root cause for your specific case.
In one of the SRs I reviewed, the issue was that ISE was sending usernames to the gateway that aren't in Active Directory.
That would cause the LDAP query to fail, thus that counter to increase.

0 Kudos
Sorin_Gogean
Advisor

Hey @PhoneBoy,

 

I will also open a TAC to look into this, as most likely it's like you said, usernames are sent by ISE.

We were thinking of using the Global Catalog for getting User/Machine groups; could this GC address this user search in AD?

 

Ty,

0 Kudos
PhoneBoy
Admin

Remember that however users are acquired, the gateways do the lookup (via LDAP) for the groups.
Not sure this will help.

0 Kudos
