
Common ClearPass domain joining errors

by on ‎08-06-2014 01:30 PM - edited on ‎08-31-2015 10:57 PM by Moderator

Environment: This article covers troubleshooting of some common errors seen when joining ClearPass to an Active Directory domain.

ClearPass Version: 6.0.x to 6.3.x.

Clock skew too great:

 
Adding host to AD domain...
INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN 'clearpass.aruba.com'
INFO - Fetched the NETBIOS name 'CLEARPASS'
INFO - Creating domain directories for 'CLEARPASS'
INFO - Using Administrator as the CLEARPASS's username
Enter Administrator's password:
[2014/04/01 18:46:17, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure.
Minor code may provide more information : Clock skew too great
Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor 
code may provide more information : Clock skew too great

 
Not a Domain Admin user (i.e. insufficient privileges to add/modify computers in AD):
 
Adding host to AD domain...
INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN
'ad1.clearpass.aruba.com'

INFO - Fetched the NETBIOS name 'CLEARPASS'
INFO - Creating domain directories for 'CLEARPASS'
Enter test's password:
Failed to join domain: Failed to set account flags for machine
account (NT_STATUS_ACCESS_DENIED)
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'CLEARPASS'
ERROR -Clearpass.aruba.com failed to join the domain
CLEARPASS.ARUBA.COM with domain controller as ad1.clearpass.aruba.com

Join domain failed
 
Incorrect FQDN (i.e. using the domain name only instead of the full FQDN of the domain controller):
 
Adding host to AD domain...
INFO - Fetched REALM 'CLEARPASS.ARUBA.COM' from domain FQDN
'clearpass.aruba.com'

INFO - Fetched the NETBIOS name 'CLEARPASS'
INFO - Creating domain directories for 'CLEARPASS'
INFO - Using Administrator as the CLEARPASS's username
Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
failure. Minor code may provide more information : Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Unspecified GSS
failure. Minor code may provide more information : Server not found in Kerberos database
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'CLEARPASS'
ERROR - Clearpass.aruba.com failed to join the domain
CLEARPASS.ARUBA.COM with domain controller as clearpass.aruba.com     <<<

Join domain failed

Constraint violation

Adding host to AD domain...
INFO - Fetched REALM 'Aruba-Test.com' from domain FQDN 'ad.Aruba-Test.com'
INFO - Fetched the NETBIOS name 'My-Service'
INFO - Creating domain directories for 'My-Service'
Enter MY-USER's password:

Failed to join domain: failed to set machine spn: Constraint violation
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'My-Service'

ERROR - MY-CPPM failed to join the domain Aruba-Test.com with domain controller as ad.Aruba-Test.com
Join domain failed
 

Clock skew too great:

The maximum allowed clock difference is 5 minutes. Verify that the ClearPass and AD system times do not differ by more than 5 minutes. Please verify the time, time zone and daylight saving settings.

Privilege issue:

The username provided to join Active Directory should be a member of the domain admin group. When we join ClearPass to the domain, a host entry is added under 'Computers' by default.

Invalid domain controller FQDN:

The domain controller name provided when joining ClearPass to the domain should be a valid FQDN of the domain controller. To verify this, perform an nslookup from ClearPass (from the CLI, using 'network nslookup <domain controller>'); it should return the IP address of a domain controller (Note: we should receive the interface IP address of the DC).

Make sure that the ClearPass FQDN is resolvable from the DC. If it is not, add an entry to the DNS server.

Constraint violation:

This error normally points to a privilege issue (i.e. the bind user does not have sufficient privileges to add/modify computer accounts in AD) or a DNS issue.

Errors Caused by Unsynchronized Clocks: http://technet.microsoft.com/en-us/library/cc780011(v=ws.10).aspx
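
A triage helper for the join output shown above, added here as an example (not Aruba's code and not part of the original article): it matches the four error strings from this page after collapsing the console's line wraps, and flags the case where the supplied domain controller name equals the realm. The function name, result keys and sample text are assumptions made for illustration.

```python
import re

# Error string in the join output -> (cause, fix as stated in this article).
SIGNATURES = [
    ("Clock skew too great", "clock_skew",
     "Bring ClearPass and AD time within 5 minutes; check time zone and DST."),
    ("NT_STATUS_ACCESS_DENIED", "insufficient_privilege",
     "Join with a user that is a member of the domain admin group."),
    ("Server not found in Kerberos database", "invalid_dc_fqdn",
     "Use the full FQDN of a domain controller; verify with 'network nslookup'."),
    ("Constraint violation", "constraint_violation",
     "Check the bind user's rights on computer accounts, then check DNS."),
]

REALM_RE = re.compile(r"Fetched REALM '([^']+)' from domain FQDN '([^']+)'")


def triage(join_output):
    """Classify a failed domain join from its console output.

    Returns a dict with cause, fix, realm, dc and dc_is_bare_domain.
    """
    # The console wraps long messages mid-sentence, so collapse whitespace
    # before matching; otherwise a wrapped error string is missed.
    text = " ".join(join_output.split())
    result = {"cause": "unknown", "fix": None, "realm": None, "dc": None,
              "dc_is_bare_domain": False}
    m = REALM_RE.search(text)
    if m:
        result["realm"], result["dc"] = m.group(1), m.group(2)
        # Heuristic: if only the domain name was supplied, the "domain
        # controller" name and the realm are the same string.
        result["dc_is_bare_domain"] = m.group(1).lower() == m.group(2).lower()
    for needle, cause, fix in SIGNATURES:
        if needle in text:
            result["cause"], result["fix"] = cause, fix
            break
    return result


# Constructed sample, modelled on the wrapped console output in this article.
SAMPLE = """INFO - Fetched REALM 'EXAMPLE.TEST' from domain FQDN
'example.test'
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
failure. Minor code may provide more information : Server not found in
Kerberos database
Join domain failed"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```
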
Comments
Wicharn

You can use Full name server

Aruba Aruba

I have seen issues in the past when the AD admin account being used is 14 characters or more.  That may (hopefully) have been fixed.

 

[edit]  This limitation still exists.  Have to use an account with 13 characters or less.

MVP MVP

We're getting a notice that the Domain admin password contains invalid characters.

It's a valid AD password on the Windows side, but ClearPass appears unhappy with it.

The admin didn't tell me his password, but did say that it contains upper and lower, a space and a zero - sounds like a good password to me.

What are the limitations?

 

Aruba Aruba

What version of CPPM? There was a limitation on older versions.

MVP MVP

Latest minus 1 patch: 6.6.0.81015

Aruba Aruba

There shouldn't be any issues. Please open a TAC case so engineering can look into it.
