Security

Reply
New Contributor
Posts: 3
Registered: ‎06-01-2016

clearpass join ad error "ticket expired"

Hi,

 

Trying to join a ClearPass server to an AD.

 

All seems to go well, but in the end I get an error with message:

INFO - Using Administrator as the AD01's username
Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
failure. Minor code may provide more information : Ticket expired
Failed to join domain: failed to connect to AD: Unspecified GSS
failure. Minor code may provide more information : Ticket expired
INFO - Restoring smb configuration
INFO - Restoring krb5 configuration file
INFO - Deleting domain directories for 'CP'
ERROR - CPPM failed to join the domain CP.INT with domain controller
as ad01.cp.int
Join domain failed

 

I see the computername back in AD, in eventviewer I see the Kerberos authentication go well.

 

TRied it several times to join, even installed ClearPass again.  But can't find any message related on the website.

 

time is ok on both servers, not exceeding the 5 minutes. FQDN of domain controller is ok

Does anyone have an idea?

 

Thanks in advance

 

kind regards Andre

MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: clearpass join ad error "ticket expired"

https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Common-Clearpass-domain-Joining-errors/ta-p/192591
Get Outlook for iOS
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor
Posts: 3
Registered: ‎06-01-2016

Re: clearpass join ad error "ticket expired"

Hi Victor,

 

Thanks for your reply.

 

I read the URL you posted. However, the error message I have is not in there. This URL is talking about time difference, FQDN, privilege level and constraint.

all of these are correct.

 

The message I get is talking about a ticket expired. Seems to be related to Kerberos. But on the AD I see that the machine is registering itselfs, administrator user is granted.

 

The specific message I receive is:

Enter Administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
failure. Minor code may provide more information : Ticket expired

 

So if someone has a suggestion, it would be welcome.

 

Thanks again.

 

 

MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: clearpass join ad error "ticket expired"

Did you setup an NTP server in ClearPass?

 

Is your ClearPass server and domain confgirued with the same timezone?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor
Posts: 3
Registered: ‎06-01-2016

Re: clearpass join ad error "ticket expired"

Hi Victor,

 

It was indeed the timezone difference on both servers. Time was exactly the same. So that was a bit confusing.

 

Thanks for your help.

 

Kind regards André

Search Airheads
Showing results for 
Search instead for 
Did you mean: