Regular Contributor I
Posts: 357
Registered: ‎03-02-2017

Problem when joining CPPM to AD domain

Hi experts,

I am trying to join CPPM to an AD domain in my lab. I am using this guide:

 

https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Add-Clear-Pass-to-Domain/ta-p/187614

I get the following error:

(screenshot: joinaddomain.PNG)

The entire text is as shown below:

 

Join domain failed
Adding host to AD domain...
INFO - Fetched REALM 'SUPRA.NET' from domain FQDN 'supra.net'
INFO - Fetched the NETBIOS name 'SUPRA'
INFO - Creating domain directories for 'SUPRA'
Enter Administrador's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure. Minor code may provide more information : Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor code may provide more information : Server not found in Kerberos database
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'SUPRA'
ERROR - CPPM-VM failed to join the domain SUPRA.NET with domain controller as supra.net
Join domain failed

Do you understand this error? Could anyone shed some light on this? Please help.

Regards,
Julián
Guru Elite
Posts: 8,754
Registered: ‎09-08-2010

Re: Problem when joining CPPM to AD domain

Check to ensure the clocks are in sync.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba Employee
Posts: 508
Registered: ‎02-19-2015

Re: Problem when joining CPPM to AD domain

Hi Julian,

It looks like the issue is due to an invalid domain controller FQDN.

The domain controller name provided when attempting to join ClearPass to the domain should point to a valid FQDN of the domain controller. To verify this, perform an nslookup from ClearPass (from the CLI using 'network nslookup <domain controller>'); this should return the IP address of a domain controller (note: we should receive the interface IP address of the DC).

Make sure that the ClearPass FQDN is resolvable from the DC. If not, we need to add an entry to the DNS server.

Regards,

Pavan

If my post addresses your query give kudos:)

MVP
Posts: 554
Registered: ‎11-04-2011

Re: Problem when joining CPPM to AD domain

Check this video on a working AD join: http://community.arubanetworks.com/t5/Video/Aruba-ClearPass-Workshop-Getting-Started-2-Initial-ClearPass-VM/ta-p/292202

I think 3 things are common issues for domain joins:

1) Not entering the name of a Domain Controller, but the domain name as the FQDN (must be the FQDN of a domain-controller); mentioned by PAVAN

2) Split DNS issues, make sure that ClearPass is configured to query the DNS server on the domain controller (when properly setup with full DNS forwarding, a DNS server that forwards to the domain controller will work as long as all domain DNS records are resolvable)

3) Make sure time is synced (cappalli); to be safe use your domain-controller as NTP timeserver for your ClearPass.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
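A pre-flight check for the three causes listed in the post above, run before attempting the join. This is an added example, not ClearPass or Aruba code: the resolver, host names and addresses are a constructed lab, and the time offset to the DC is passed in rather than measured.

```python
from dataclasses import dataclass

MAX_SKEW_S = 300  # Kerberos default maximum clock skew (5 minutes)


@dataclass
class StaticResolver:
    """Constructed stand-in for DNS (hypothetical): A records by name, plus the
    DC host names a real AD DNS advertises in _ldap._tcp.dc._msdcs.<domain>."""
    a_records: dict
    dc_srv_targets: dict

    def a(self, name):
        return self.a_records.get(name.lower().rstrip("."), [])

    def dcs_for(self, domain):
        return [d.lower() for d in self.dc_srv_targets.get(domain.lower(), [])]


def preflight_ad_join(domain, dc_field, resolver, clock_offset_s=0.0):
    """Return (code, message) findings; an empty list means all checks passed.
    dc_field is what was typed into the 'Domain Controller' field and
    clock_offset_s is the measured CPPM-minus-DC time difference in seconds."""
    findings = []
    domain, dc = domain.lower().rstrip("."), dc_field.lower().rstrip(".")
    realm = domain.upper()
    if dc == domain:
        # The join binds LDAP on this name and asks the KDC for a ticket to
        # ldap/<name>@REALM. No DC owns an SPN for the bare domain name, so the
        # KDC answers "Server not found in Kerberos database" (the OP's error).
        findings.append(("DC_IS_DOMAIN_NAME", f"'{dc_field}' is the domain name, "
                         f"not a DC FQDN; expected SPN ldap/<dc-fqdn>@{realm}"))
    elif dc not in resolver.dcs_for(domain):
        findings.append(("NOT_A_DC", f"'{dc}' is not advertised as a DC for {domain}"))
    if not resolver.a(dc):
        findings.append(("DNS_UNRESOLVABLE", f"no A record for '{dc}' via configured DNS"))
    if abs(clock_offset_s) > MAX_SKEW_S:
        findings.append(("CLOCK_SKEW", f"clock is {clock_offset_s:.0f}s off the DC (> {MAX_SKEW_S}s)"))
    return findings


# Constructed lab DNS: the domain apex and its single DC share one address,
# which is why the wrong (domain-name) entry still resolves and kinit succeeds.
LAB_DNS = StaticResolver(
    a_records={"supra.net": ["10.0.0.10"], "ws2012.supra.net": ["10.0.0.10"]},
    dc_srv_targets={"supra.net": ["ws2012.supra.net"]},
)

if __name__ == "__main__":
    for entry in ("supra.net", "ws2012.supra.net"):
        print(entry, "->", preflight_ad_join("supra.net", entry, LAB_DNS) or "OK")
```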
Regular Contributor I
Posts: 357
Registered: ‎03-02-2017

Re: Problem when joining CPPM to AD domain

Hi Tim, Pavan and Herman,

First of all, thank you for your help. I have tried all of your recommendations and also seen the video, but it still doesn't work and I get the same error. In order to rule out errors I have built my own AD server. These are the things I have checked:

  • ClearPass points to a valid FQDN of the domain controller, as said by Pavan. This is the output of the command "network nslookup <domain controller>": (screenshot: errorjoinAD.PNG)
  • For his recommendation "Make sure that Clearpass FQDN is resolvable from the DC. If not, we need to add an entry to the DNS server.": my ClearPass didn't have a configured FQDN, only its IP address and hostname, so I think that wasn't the problem. Anyway, because I didn't know if a ClearPass FQDN was mandatory to join the AD domain, I configured one and added an entry to the DNS server. Then I confirmed the ClearPass FQDN is resolvable from the DC. In CPPM: (screenshot: errorjoinAD2.PNG). In the DC: (screenshot: errorjoinAD3.PNG)
  • For Herman's recommendation "Split DNS issues, make sure that ClearPass is configured to query the DNS server on the domain controller (when properly setup with full DNS forwarding, a DNS server that forwards to the domain controller will work as long as all domain DNS records are resolvable)": I have only a Primary DNS configured in ClearPass, which is the DC IP address.
  • I am sure both CPPM and the DC are time synced. To be sure, I have configured the DC as NTP server for CPPM, as said by Tim/Herman.

With all of that, the error still is the same:

(screenshot: errorjoinAD4.PNG)

What can I do, guys? Thanks again.

Regards,

Julián

Guru Elite
Posts: 8,754
Registered: ‎09-08-2010

Re: Problem when joining CPPM to AD domain

Make sure File and Printer Sharing for Microsoft Networks is enabled on the NIC on the domain controller(s).


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 357
Registered: ‎03-02-2017

Re: Problem when joining CPPM to AD domain

Hi Tim,

Yes, it is :(

Regards,

Julián

Regular Contributor I
Posts: 357
Registered: ‎03-02-2017

Re: Problem when joining CPPM to AD domain

Hi guys,

I have seen some posts regarding the same issue and even installed a new AD in another lab server, but I still get the same error. Any ideas?

Regards,

Julián

Guru Elite
Posts: 8,754
Registered: ‎09-08-2010

Re: Problem when joining CPPM to AD domain

Please open a TAC case.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I
Posts: 357
Registered: ‎03-02-2017

Re: Problem when joining CPPM to AD domain

Hi all,

After opening a TAC case my issue was solved. The solution was very simple, and the cause was that I didn't enter the full domain controller name in the Domain Controller field but only the domain name. In my case I just entered supra.tro, whereas the full DC name is ws2012.supra.tro. After entering this, ClearPass was successfully joined to the AD domain. Thank you very much for your help.

Regards,

Julián
