Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Problem when joining CPPM to AD domain

  • 1.  Problem when joining CPPM to AD domain

    Posted Jul 06, 2017 06:55 PM

    Hi experts,

    I am trying to join CPPM to an AD domain in my lab. I am using this guide:

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Add-Clear-Pass-to-Domain/ta-p/187614

    I get the following error:

    (screenshot: joinaddomain.PNG)

    The entire text is as shown below:


    Join domain failed
    Adding host to AD domain...
    INFO - Fetched REALM 'SUPRA.NET' from domain FQDN 'supra.net'
    INFO - Fetched the NETBIOS name 'SUPRA'
    INFO - Creating domain directories for 'SUPRA'
    Enter Administrador's password:
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
    failure. Minor code may provide more information : Server not found in Kerberos database
    Failed to join domain: failed to connect to AD: Unspecified GSS
    failure. Minor code may provide more information : Server not found in Kerberos database
    INFO - Restoring smb configuration
    INFO - Restoring krb5 configuration file
    INFO - Deleting domain directories for 'SUPRA'
    ERROR - CPPM-VM failed to join the domain SUPRA.NET with domain
    controller as supra.net
    Join domain failed

    Do you understand this error? Could anyone shed some light on this? Please help.

    Regards,
    Julián


  • 2.  RE: Problem when joining CPPM to AD domain

    EMPLOYEE
    Posted Jul 06, 2017 07:06 PM

    Check to ensure the clocks are in sync.



  • 3.  RE: Problem when joining CPPM to AD domain

    EMPLOYEE
    Posted Jul 07, 2017 04:57 AM

    Hi Julian,

    It looks like the issue is due to an invalid domain controller FQDN.

    The domain controller name is provided when attempting to join ClearPass to the domain. This should point to a valid FQDN of the domain controller. To verify this, perform an nslookup from ClearPass (from the CLI using 'network nslookup <domain controller>'); this should return the IP address of a domain controller (Note: we should receive the interface IP address of the DC).

    Make sure that the ClearPass FQDN is resolvable from the DC. If not, we need to add an entry to the DNS server.


    Regards,

    Pavan

    If my post addresses your query give kudos :)



  • 4.  RE: Problem when joining CPPM to AD domain

    EMPLOYEE
    Posted Jul 07, 2017 06:07 AM

    Check this video on a working AD join: http://community.arubanetworks.com/t5/Video/Aruba-ClearPass-Workshop-Getting-Started-2-Initial-ClearPass-VM/ta-p/292202

     

    I think 3 things are common issues for domain joins:

    1) Not entering the name of a Domain Controller, but the domain name as the FQDN (must be the FQDN of a domain-controller); mentioned by PAVAN

    2) Split DNS issues, make sure that ClearPass is configured to query the DNS server on the domain controller (when properly setup with full DNS forwarding, a DNS server that forwards to the domain controller will work as long as all domain DNS records are resolvable)

    3) Make sure time is synced (cappalli); to be safe use your domain-controller as NTP timeserver for your ClearPass.



  • 5.  RE: Problem when joining CPPM to AD domain

    Posted Jul 07, 2017 01:46 PM

    Hi Tim, Pavan and Herman,

    First of all, thank you for your help. I have tried all of your recommendations and also seen the video, but it still doesn't work and I get the same error. In order to discard errors I have built my own AD server. I explain the things I have checked:

    • ClearPass points to a valid FQDN of the domain controller, as said by Pavan. This is the output of the command "network nslookup <domain controller>": (screenshot: errorjoinAD.PNG)
    • For his recommendation "Make sure that Clearpass FQDN is resolvable from the DC. If not, we need to add an entry to the DNS server.": My ClearPass didn't have a configured FQDN, only its IP address and hostname, so I think that wasn't the problem. Anyway, and because I didn't know if a ClearPass FQDN was mandatory to join the AD domain, I configured one and added an entry to the DNS server. Then I have confirmed the ClearPass FQDN is resolvable from the DC. In CPPM: (screenshot: errorjoinAD2.PNG) In DC: (screenshot: errorjoinAD3.PNG)
    • For Herman's recommendation "Split DNS issues, make sure that ClearPass is configured to query the DNS server on the domain controller (when properly setup with full DNS forwarding, a DNS server that forwards to the domain controller will work as long as all domain DNS records are resolvable)": I have only the Primary DNS configured in ClearPass, which is the DC IP address.
    • I am sure both CPPM and DC are time synced. To be sure, I have configured the DC as NTP server for CPPM, as said by Tim/Herman.

    With all of that, the error is still the same:

    (screenshot: errorjoinAD4.PNG)

    What can I do guys? Thanks again.

    Regards,

    Julián



  • 6.  RE: Problem when joining CPPM to AD domain

    EMPLOYEE
    Posted Jul 07, 2017 01:57 PM

    Make sure File and Printer Sharing for Microsoft Networks is enabled on the NIC on the domain controller(s).



  • 7.  RE: Problem when joining CPPM to AD domain

    Posted Jul 07, 2017 03:21 PM

    Hi Tim,

    Yes, it is :(

    Regards,

    Julián



  • 8.  RE: Problem when joining CPPM to AD domain

    Posted Jul 07, 2017 06:53 PM

    Hi guys,

    I have seen some posts regarding the same issue and even installed a new AD in another lab server, but I still get the same error. Any ideas?

    Regards,

    Julián



  • 9.  RE: Problem when joining CPPM to AD domain

    EMPLOYEE
    Posted Jul 07, 2017 10:32 PM

    Please open a TAC case.



  • 10.  RE: Problem when joining CPPM to AD domain
    Best Answer

    Posted Jul 13, 2017 09:54 AM

    Hi all,

    After opening a TAC case my issue was solved. The solution was very simple and the cause was that I didn't enter the full domain controller name in the Domain Controller field but only the domain name. In my case I just entered supra.tro, where the full DC is ws2012.supra.tro. After entering this, ClearPass was successfully joined to the AD domain. Thank you very much for your help.

    Regards,

    Julián



  • 11.  RE: Problem when joining CPPM to AD domain

    EMPLOYEE
    Posted Jul 13, 2017 09:58 AM

    Julian,

    Good to know it got fixed. In my post I mentioned to provide the FQDN to resolve this issue; it looks like you missed it.

    Regards,

    Pavan



  • 12.  RE: Problem when joining CPPM to AD domain

    Posted Jul 13, 2017 10:37 AM

    Hi Pavan,

    Yes, and I did it using 'network nslookup <domain controller>', but the command didn't provide the full FQDN:

    (screenshot: nslookup1.PNG)

    However, I got the full FQDN using 'network nslookup -q srv <domain controller>':

    (screenshot: nslookup2.PNG)

    https://community.arubanetworks.com/t5/tkb/articleprintpage/tkb-id/AAANACGuestAccessBYOD/article-id/607

    And with that command I got the full domain controller name :)

    Regards,

    Julián
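A pre-join check that follows from this thread, added here as an example and not ClearPass code or anything the posters wrote: it parses the kind of text a BIND-style `nslookup -q=srv _ldap._tcp.dc._msdcs.<domain>` query prints and rejects a Domain Controller value that is the bare domain (the mistake in post 10) rather than an advertised DC host FQDN. The sample output and the hostnames ws2012.supra.tro / ws2016.supra.tro are constructed for the example.

```python
"""Sanity-check the Domain Controller field before a CPPM AD join.

Added example (not ClearPass code). The join binds to LDAP with
SASL/GSSAPI, which asks the KDC for a ticket for ldap/<dc-field>@REALM.
If the field holds the domain name, no such SPN exists and the KDC
answers 'Server not found in Kerberos database', as seen in this thread.
"""
import re

# Constructed sample of BIND-style nslookup SRV output; hosts are made up.
SAMPLE_NSLOOKUP = """\
Server:\t\t10.0.0.1
Address:\t10.0.0.1#53

_ldap._tcp.dc._msdcs.supra.tro\tservice = 0 100 389 ws2012.supra.tro.
_ldap._tcp.dc._msdcs.supra.tro\tservice = 0 100 389 ws2016.supra.tro.
"""

# "service = <priority> <weight> <port> <target>" as printed by nslookup.
SRV_RE = re.compile(r"service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_srv(text):
    """Return [(priority, weight, port, target_fqdn)] from nslookup output."""
    records = []
    for m in SRV_RE.finditer(text):
        pri, weight, port, target = m.groups()
        # DNS prints targets with a trailing dot; normalise for comparison.
        records.append((int(pri), int(weight), int(port),
                        target.rstrip(".").lower()))
    return records


def check_dc_field(dc_field, domain, srv_text):
    """Return (ok, message) for the value typed in the Domain Controller field."""
    dc = dc_field.strip().rstrip(".").lower()
    realm = domain.strip().rstrip(".").lower()
    dcs = [target for _, _, _, target in parse_srv(srv_text)]
    if dc == realm:
        return False, (f"'{dc}' is the domain, not a DC: the join would request "
                       f"ldap/{dc}@{realm.upper()} and fail with 'Server not "
                       f"found in Kerberos database'. Use one of: {', '.join(dcs)}")
    if dc not in dcs:
        return False, f"'{dc}' is not advertised as a DC in the SRV records"
    return True, f"ok: ldap/{dc}@{realm.upper()} is a registered DC SPN"


if __name__ == "__main__":
    for value in ("supra.tro", "ws2012.supra.tro"):
        print(check_dc_field(value, "supra.tro", SAMPLE_NSLOOKUP))
```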