Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4757
Views
0
Helpful
8
Replies

error in joining in active directory

Go to solution
John
Level 1
Level 1

‎02-01-2016 07:36 PM

Failure: Error while fetching Kerberos Tickets from server 'x.x.x.x' :
kinit: krb5_get_init_creds: Client (wsa-dcb$@XXX.COM) unknown

Failure: Queries to server 'x.x.x.x' on port 389 failed :
Server doesn't accept anonymous queries

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tao Yang
Cisco Employee
Cisco Employee

‎02-02-2016 03:09 PM

Please ensure your WSA can reach  your configured DC's 389 port and also ensure your WSA hostname has a valid DNS A record in your internal DNS server.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Tao Yang
Cisco Employee
Cisco Employee

‎02-02-2016 03:09 PM

Please ensure your WSA can reach  your configured DC's 389 port and also ensure your WSA hostname has a valid DNS A record in your internal DNS server.

0 Helpful

Go to solution
kermia amar
Level 1
Level 1

‎06-03-2018 01:02 AM

please how i can ensure that my  WSA can reach  configured DC's 389 port 

 

 

best regards 

 

 
0 Helpful

Go to solution
Handy Putra
Cisco Employee
Cisco Employee
In response to kermia amar

‎06-04-2018 05:02 PM

Hi,

 

You can use 'telnet' test from WSA CLI by issuing 'telnet' command and select M1 interface and enter your DC address and port 389 and make sure it can connect.

 

You can also do packet capture from WSA to the DC and do test authentication (where you get the error message from) and from the capture filter on port 389 to see the packets communication

 

Regards

Handy Putra

0 Helpful

Go to solution
kermia amar
Level 1
Level 1
In response to Handy Putra

‎06-05-2018 05:21 AM

Hi Handy 

I have already test the Telnet  from WSA to AD but unfortinutly not works, I can not Telnet AD from WSA on 389 port or any other port 

please see the below error 

 

ALGWSAPXYMGT01> telnet

Please select which interface you want to telnet from.
1. Auto
2. Failover Group 1 (10.111.66.19/24: ALGWSAPXY)
3. Failover Group 2 (10.111.66.20/24: ALGWSAPXY.)
4. Management (10.111.48.62/24: ALGWSAPXYMGT01.)
5. P1 (10.111.66.21/24: ALGWSAPXYINT01.)
6. P2 (10.111.67.21/24: ALGWSAPXY01.)
[1]> 4

Enter the remote hostname or IP address.
[]> 10.111.106.12

Enter the remote port.
[23]> 389

Trying 10.111.106.12...
Connected to 10.111.106.12.
Escape character is '^]'.
Connection closed by foreign host.

0 Helpful

Go to solution
kermia amar
Level 1
Level 1
In response to Handy Putra

‎06-05-2018 05:34 AM

hi handy 

also see please the error message at my WSA when I do a test 

.

Version:1.0 StartHTML:000000235 EndHTML:000004254 StartFragment:000003762 EndFragment:000004095 StartSelection:000003762 EndSelection:000004095 SourceURL:https://10.115.48.63:8443/network/identity_services/proxy_authenticationCisco Web Security Appliance S390 (10.115.48.63) - Network > Identification Services > Authentication       Attempting to fetch AD group information...Failure: Exception on query to server '10.115.106.11', port 389 failed :Exception('Inquiry timed out: auth failed: invalid credentials',)Test completed: Errors occurred, see details above.

 

Attempting to get TGT...
Failure: Error while fetching Kerberos Tickets from server '10.115.106.11' :
kinit: krb5_get_init_creds: Client (SKDWSAPXYMGT02$@CORP.ATELAT.DZ) unknown
0 Helpful

Go to solution
Handy Putra
Cisco Employee
Cisco Employee
In response to kermia amar

‎06-05-2018 07:20 PM

Hi,

 

From your telnet output, the connection to your DC on port 389 is actually connected:

Enter the remote port.
[23]> 389

Trying 10.111.106.12...
Connected to 10.111.106.12.

 

However from your error message, it is having issues in getting the kerberos ticket from your 10.115.106.11 server (the telnet test that you performed is to 10.111.106.12)

And it is complaining that the credential is not correct:

kinit: krb5_get_init_creds: Client (SKDWSAPXYMGT02$@CORP.ATELAT.DZ) unknown

 

Please check the AD account that you are using when joining WSA to the domain, make sure you are using administrator account or an account that has privilege to create objects in the AD server.

 

Would recommend to open a TAC case if you need further in depth assistance

 

Regards

Handy Putra

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to Handy Putra

‎06-05-2018 07:54 PM

If you're not on 10.5.2, make sure you haven't turned off SMB1. Up until that version, the WSA still required SMB1
0 Helpful

Go to solution
kermia amar
Level 1
Level 1
In response to Ken Stieers

‎06-06-2018 03:04 AM

yes I'm not in 10.5.2 and i can not check if SMB1 is tuned off or not, let me do system upgrade and back to you 

 

thanks 

 

Best Regards 

A.kermia 

 
 
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents