
Ironport S170 / NTLM Auth Realm Problem

exedraoldenburg
Level 1

Hello,

I'm having problems setting up the AD Authentication via NTLM.

 

"Join Domain" gives "Status: Computer account ironport$ has been created."

But when I run "Start Test" the Status changes to "Status: Computer account ironport$ not yet created." and I'm getting the error

kinit: krb5_get_init_creds: KDC has no support for encryption type

 

- I deleted the Machine Account and tried again

- The User used to join the Domain is a member of the Domain Administration Group

 

I also enabled "Enable Transparent User Identification using Active Directory agent" and that is working (via two Context Directory Agent installations).

 

Ironport S170 with AsyncOS 7.7.0

Configured Active Directory Controllers: 2 Win2008 R2 Servers

There is also a Win2003 AD Controller within the Domain.

 

Any help appreciated. Thank you.

Lucas

 

2 Replies

kushsriva
Level 1

Hi,

 

Is your domain running on a "Windows 2003 Functional level"? If yes, you can try the workarounds given in the following links:

 

http://social.technet.microsoft.com/Forums/windowsserver/en-US/f31ab749-064f-400f-901a-4a255ad0fb4f/kdc-has-no-support-for-encryption-type-14?forum=winserversecurity

https://community.oracle.com/thread/1527572?start=0&tstart=0

 

Regards,

Kush

 

Hi Kush,

Thank you for your reply.

Yes, the domain is running on a "Windows 2003 Functional Level". I've tried the workarounds (check "Use DES encryption" and then reset password) but that didn't help: now the "Join Domain" step already gives the error.

As a next step we will try to remove the old Windows 2003 AD Server and raise the Functional Level of our AD infrastructure to 2008. If this solves our problem, that's fine. I'll report next Monday.

Regards,

Lucas