Chief Airhead
Posts: 1,119
Registered: ‎07-13-2010

Clearpass Add to Domain error

Anyone know the reason for this ClearPass error message and the fix?

Adding host to AD domain...
INFO - Fetched REALM 'XXXX.LOCAL' from domain FQDN 'XXXX.local'
INFO - Fetched the NETBIOS name 'XXXX'
INFO - Creating domain directories for 'XXXX'
Enter srynearson's password:
[2013/09/20 07:21:22, 0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password srynearson@XXXX.LOCAL failed: KDC has no support for encryption type
Failed to join domain: failed to connect to AD: KDC has no support for encryption type
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'XXXX'
ERROR - ClearPass1 failed to join the domain XXXX.LOCAL with domain controller as XXXX.local
Join domain failed

Sean Rynearson | Chief Airhead
Aruba, a Hewlett Packard Enterprise Company
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Clearpass Add to Domain error

Are your clocks in sync? (AD DC + CPPM)

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Chief Airhead
Posts: 1,119
Registered: ‎07-13-2010

Re: Clearpass Add to Domain error

The time on ClearPass is correct with current time. I will give you Kudos if customer comes back with incorrect time on domain controller lol

Sean Rynearson | Chief Airhead
Aruba, a Hewlett Packard Enterprise Company
Chief Airhead
Posts: 1,119
Registered: ‎07-13-2010

Re: Clearpass Add to Domain error

Domain controller time is also correct.

I believe it has something to do with:

KDC has no support for encryption type

Sean Rynearson | Chief Airhead
Aruba, a Hewlett Packard Enterprise Company
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Clearpass Add to Domain error

Is the user account that is being used to join the domain set to use DES encryption?

[Attached image: des-ad.png]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Chief Airhead
Posts: 1,119
Registered: ‎07-13-2010

Re: Clearpass Add to Domain error

No. Should it?

Sean Rynearson | Chief Airhead
Aruba, a Hewlett Packard Enterprise Company
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Clearpass Add to Domain error

No, it shouldn't. That error is usually tied to an encryption failure between the client and AD. What is the forest functional level?

You might have to open a TAC case.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Chief Airhead
Posts: 1,119
Registered: ‎07-13-2010

Re: Clearpass Add to Domain error

I changed the password so it no longer has the "$" character and now it gives me this error message:

Adding host to AD domain...
INFO - Fetched REALM 'xxxx.LOCAL' from domain FQDN 'xxxx.local'
INFO - Fetched the NETBIOS name 'xxxx_NT'
INFO - Creating domain directories for 'xxxx_NT'
Enter srynearson's password:
[2013/09/20 10:22:52, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure. Minor code may provide more information : Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor code may provide more information : Server not found in Kerberos database
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'xxxx_NT'
ERROR - ClearPass1 failed to join the domain xxxx.LOCAL with domain controller as xxxx.local
Join domain failed

Sean Rynearson | Chief Airhead
Aruba, a Hewlett Packard Enterprise Company
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Clearpass Add to Domain error


"Server not found in Kerberos database" usually points to a DNS issue.


Does OCDE.local resolve in DNS?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Chief Airhead
Posts: 1,119
Registered: ‎07-13-2010

Re: Clearpass Add to Domain error

Yes.

Sean Rynearson | Chief Airhead
Aruba, a Hewlett Packard Enterprise Company