ironport s370 can not join domain

newsubscribe · ‎05-08-2014

Hello

For some reason ironport s370 can not join domain.

Checking DNS resolution of WSA hostname(s)...
Success: Resolved 'ironport----' address: ironport p1 address
Success: Resolved 'ironport----' address: ironport p1 address
Success: Resolved 'ironport----' address: ironport p1 address
Success: Resolved 'ironport----' address: ironport p1 address

Checking DNS resolution of Active Directory Server(s)...
Success: Resolved 'dns-srv1' address: dns-srv1
Success: Resolved 'dns-srv2' address: dns-srv2
Success: Resolved 'dns-srv1' address: dns-srv1
Success: Resolved 'dns-srv2' address: dns-srv2

Checking DNS resolution of AD Server(s)' full computer name(s)...
Success: Resolved 'DC1.---' address: dns-srv1
Success: Resolved 'DC2.---' address: dns-srv2
Success: Resolved 'DC1.---' address: dns-srv1
Success: Resolved 'DC2.---' address: dns-srv2

Validating configured Active Directory Domain...
Success: Active Directory Domain Name for 'dns-srv1' : ---
Success: Active Directory Domain Name for 'dns-srv2' : ---
Success: Active Directory Domain Name for 'dns-srv1' : ---
Success: Active Directory Domain Name for 'dns-srv2' : ---

Attempting to get TGT...

Attempting to get TGT...
Failure: Error while fetching Kerberos Tickets from server 'dns-srv1' :
kinit: krb5_get_init_creds: Preauthentication failed
Failure: Error while fetching Kerberos Tickets from server 'dns-srv2' :
kinit: krb5_get_init_creds: Preauthentication failed
Failure: Error while fetching Kerberos Tickets from server 'dns-srv1' :
kinit: krb5_get_init_creds: Preauthentication failed
Failure: Error while fetching Kerberos Tickets from server 'dns-srv2' :
kinit: krb5_get_init_creds: Preauthentication failed

Checking local WSA time and server time difference...

Checking local WSA time and server time difference...
Success: AD Server time and WSA time difference within tolerance limit
Success: AD Server time and WSA time difference within tolerance limit

Attempting to fetch group information...

Attempting to fetch group information...
Failure: Queries to server 'dns-srv1' on port 389 failed :
Server doesn't accept anonymous queries
Failure: Queries to server 'dns-srv2' on port 389 failed :
Server doesn't accept anonymous queries
Failure: Queries to server 'dns-srv1' on port 389 failed :
Server doesn't accept anonymous queries
Failure: Queries to server 'dns-srv2' on port 389 failed :
Server doesn't accept anonymous queries

Any advice would be greatly appreciated.
Thanks!

kushsriva · ‎05-11-2014

Hi,

Could you please check the following:

1). Go to the AD, go to User properties of this user and make sure "Do not require kerberos preauthentication" option is checked.

2). If possible make sure the user is part of the domain admins groups so that it has proper rights to join the WSA to the AD.

Regards,

Kush