
Domain Join failing with error "KDC has no support for encryption type"

By esupport Unpublished

  
Problem:

The ClearPass AD domain join operation fails with the error "Failed to join domain: failed to connect to AD: KDC has no support for encryption type".



Diagnostics:

The ClearPass AD domain join operation fails with the following error:

Adding host to AD domain...
INFO - Fetched REALM 'xxxxxxxxxxxxx' from domain FQDN 'bcsd-dc01.xxxxxxxxxxxxx'
INFO - Fetched the NETBIOS name 'xxxxxxxxxxxxx'
INFO - Creating domain directories for 'xxxxxxxxxxxxx'
INFO - Using Administrator as the xxx-DC01's username
Enter Administrator's password:
kerberos_kinit_password Administrator@xxxxxxxxxxxxx failed: KDC has no support for encryption type
Failed to join domain: failed to connect to AD: KDC has no support for encryption type

INFO - Restoring smb configuration
INFO - Deleting domain directories for 'xxxxxxxxxxxxx'
ERROR - xxxxx.org failed to join the domain 'xxxxxxxxxxxxx' with domain controller as xxx-dc01.'xxxxxxxxxxxxx'
Join domain failed

 

--> Collect packet captures and check whether there is a proper response from the AD domain for the Kerberos "TGS-Request" and "AS-REQUEST" messages.

In this case there was no response to the AS-REQUEST sent from the CPPM.



Solution

** Check whether the user account being used to join the domain is set to use DES encryption. If the account has "Use Kerberos DES Encryption types for this account" enabled, retry the domain join operation with a different account that is not set to use DES encryption.

 

 

General Suggestions:

** Confirm that the time on the AD DC and the CPPM is in sync.

** Check that the user account being used to join the domain has admin privileges in the AD domain.
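
The account and clock checks above can be scripted. The following is an added example, not part of the original article or of ClearPass: it decodes the userAccountControl value from an LDAP export to find accounts with the DES-only flag set and compares two clock readings. The LDIF sample, the example.test domain, the account names and the 5-minute tolerance are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bits relevant to the join account.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x200000: "USE_DES_KEY_ONLY",  # "Use Kerberos DES encryption types for this account"
}
BLOCKERS = {"ACCOUNTDISABLE", "USE_DES_KEY_ONLY"}
MAX_SKEW = timedelta(minutes=5)  # assumption: default AD Kerberos clock tolerance

# Constructed LDIF export (hypothetical domain example.test and account names).
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=example,DC=test
sAMAccountName: Administrator
userAccountControl: 2097664

dn: CN=svc-cppm-join,CN=Users,DC=example,DC=test
userAccountControl: 512
sAMAccountName: svc-cppm-join
"""


def parse_ldif(text):
    """Map sAMAccountName -> userAccountControl for each blank-line separated entry."""
    accounts = {}
    for entry in text.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in entry.splitlines() if ": " in l)
        if {"sAMAccountName", "userAccountControl"} <= attrs.keys():
            accounts[attrs["sAMAccountName"]] = int(attrs["userAccountControl"])
    return accounts


def join_blockers(uac):
    """Return the flags set on the account that rule it out for the domain join."""
    return [name for bit, name in UAC_FLAGS.items() if uac & bit and name in BLOCKERS]


def clock_skew_ok(dc_time, cppm_time, tolerance=MAX_SKEW):
    """True when the DC and ClearPass clocks differ by no more than the tolerance."""
    return abs(dc_time - cppm_time) <= tolerance


if __name__ == "__main__":
    for name, uac in parse_ldif(SAMPLE_LDIF).items():
        print(f"{name}: uac={uac:#x} blockers={join_blockers(uac) or 'none'}")
    now = datetime.now(timezone.utc)
    print("clock skew ok:", clock_skew_ok(now, now - timedelta(minutes=7)))
```

An account reported with USE_DES_KEY_ONLY is the one to replace for the join, as the solution describes.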

 

For more information about Kerberos errors, please refer to the links below:

https://social.technet.microsoft.com/Forums/office/en-US/34203037-649a-40f3-abd0-129b6afd75a6/kerberos-encryption-failing?forum=winserverDS

https://ldapwiki.com/wiki/Kerberos%20Error%20Codes

 
