
Can't join S390 to domain (kerberos configuration file error)

Group IT
Level 1

Hello,

We have very recently purchased two Cisco Ironport S390 WSAs, to replace two existing S170s.

The S170s have done us a good job (albeit very slowly) for 3 years (and S160s three years before that).

With these new S390s we are configuring them in the same fashion as always, by using Active Directory to authenticate our users. But this is where we are having problems.

When we add the new 'Realm' (under Network...Authentication), put in the correct details for our Active Directory environment and click 'Join Domain', we get an error:

"
Computer Account creation failed.

Error: Internal error while updating the Kerberos configuration file.
"

Both of our existing S170s work fine with this setup.

What we have tried:

  • Using different domain admin accounts when joining the WSA to the domain.
  • Specifying different domain controllers (we have four).
  • Trying a different computer account location (default is 'Computers', which works fine for our other WSAs).
  • Manually creating the AD computer object (and ensuring all the attributes are in line with one of the working WSAs' computer objects).
  • Triple-checked routing tables and DNS settings.
  • Double-checked that the WSAs' times are in sync with the AD servers.
  • Creating the computer object via the CLI, using 'createcomputerobject'. This errors out with:
    "
    Attempting to create computer object on server "dc4.mydomain.local" ...
    Error: Internal error while updating the Samba configuration file.
    "
  • AsyncOS 9.1.1-074 and 10.1.1-235.
  • Suggestions on https://supportforums.cisco.com/discussion/11351371/ironport-s370-authentication-realm-problem#comment-12168571


We are really struggling to get this to work. At the moment, we are still waiting for our Cisco software support contract to come through, but as we are eager to get these new WSAs rolled out, we were hoping someone may have already encountered this issue, or have any suggestions?

Thank you.

Best Regards,

Elliot

3 Replies

Group IT
Level 1

Update:

Tried flattening the network config, so the WSA only uses one NIC (the M1 port) for all services, which also means only 1 routing table/gateway.

Still fails with the same error.

Early days, but for those who may encounter the same issue in the future...

It appears we have resolved the issue by downgrading to AsyncOS 9 first, joining to the Windows domain, then upgrading to 10.x.

When you enter authentication settings on the WSA, the domain appears to be 'unjoined' (even though the computer object still appears in AD), but re-joining goes through fine.

Did you turn off SMB1 after the WannaCry mess? If so, try turning it back on.