Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Add to Domain error

  • 1.  Clearpass Add to Domain error

    EMPLOYEE
    Posted Sep 20, 2013 10:51 AM

    Anyone know the reason for this clearpass error message and the fix?

     

    Adding host to AD domain...
    INFO - Fetched REALM 'XXXX.LOCAL' from domain FQDN 'XXXX.local'
    INFO - Fetched the NETBIOS name 'XXXX'
    INFO - Creating domain directories for 'XXXX'
    Enter srynearson's password:
    [2013/09/20 07:21:22, 0] libads/kerberos.c:333(ads_kinit_password)
    kerberos_kinit_password srynearson@XXXX.LOCAL failed: KDC has no support for encryption type
    Failed to join domain: failed to connect to AD: KDC has no support for encryption type
    INFO - Restoring smb configuration
    INFO - Restoring krb5 configuration file
    INFO - Deleting domain directories for 'XXXX'
    ERROR - ClearPass1 failed to join the domain XXXX.LOCAL with domain controller as XXXX.local
    Join domain failed



  • 2.  RE: Clearpass Add to Domain error

    EMPLOYEE
    Posted Sep 20, 2013 10:54 AM
    Are your clocks in sync? (AD DC + CPPM)


  • 3.  RE: Clearpass Add to Domain error

    EMPLOYEE
    Posted Sep 20, 2013 11:13 AM

    The time on ClearPass is correct with the current time. I will give you Kudos if the customer comes back with incorrect time on the domain controller lol



  • 4.  RE: Clearpass Add to Domain error

    EMPLOYEE
    Posted Sep 20, 2013 11:19 AM

    Domain controller time is also correct. 

     

     

    I believe it has something to do with: 

    KDC has no support for encryption type



  • 5.  RE: Clearpass Add to Domain error

    EMPLOYEE
    Posted Sep 20, 2013 11:26 AM

    Is the user account that is being used to join the domain set to use DES encryption?

     

    des-ad.png



  • 6.  RE: Clearpass Add to Domain error

    EMPLOYEE
    Posted Sep 20, 2013 01:20 PM

    No. Should it?



  • 7.  RE: Clearpass Add to Domain error

    EMPLOYEE
    Posted Sep 20, 2013 01:26 PM

    No, it shouldn't. That error is usually tied to an encryption failure between the client and AD. What is the forest functional level?

     

    You might have to open a TAC case.



  • 8.  RE: Clearpass Add to Domain error

    EMPLOYEE
    Posted Sep 20, 2013 01:32 PM

    I changed the password so it no longer has the "$" character and now it gives me this error message:

     

     

    Adding host to AD domain...
    INFO - Fetched REALM 'xxxx.LOCAL' from domain FQDN 'xxxx.local'
    INFO - Fetched the NETBIOS name 'xxxx_NT'
    INFO - Creating domain directories for 'xxxx_NT'
    Enter srynearson's password:
    [2013/09/20 10:22:52, 0] libads/sasl.c:819(ads_sasl_spnego_bind)
    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure.
    Minor code may provide more information : Server not found in Kerberos database
    Failed to join domain: failed to connect to AD: Unspecified GSS failure. Minor
    code may provide more information : Server not found in Kerberos database
    INFO - Restoring smb configuration
    INFO - Restoring krb5 configuration file
    INFO - Deleting domain directories for 'xxxx_NT'
    ERROR - ClearPass1 failed to join the domain xxxx.LOCAL with domain controller as xxxx.local
    Join domain failed



  • 9.  RE: Clearpass Add to Domain error

    EMPLOYEE
    Posted Sep 20, 2013 01:35 PM

    "Server not found in Kerberos database" usually points to a DNS issue.


    Does OCDE.local resolve in DNS?



  • 10.  RE: Clearpass Add to Domain error

    EMPLOYEE
    Posted Sep 20, 2013 01:37 PM

    Yes.



  • 11.  RE: Clearpass Add to Domain error

    Posted May 08, 2014 03:32 PM

    Did this ever get resolved? I'm having the same issue.



  • 12.  RE: Clearpass Add to Domain error

    Posted Sep 09, 2014 10:12 AM

    Running into the same issue and wondering if there were any updates?

     

    J



  • 13.  RE: Clearpass Add to Domain error

    EMPLOYEE
    Posted Sep 09, 2014 10:14 AM
    Try using a fully qualified username for the join (ex: domainadmin@airheads.int)


  • 14.  RE: Clearpass Add to Domain error

    Posted Sep 09, 2014 10:19 AM

    We're still receiving the same error.

     

    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS
    failure. Minor code may provide more information : Server not found in Kerberos database

     

    J



  • 15.  RE: Clearpass Add to Domain error

    EMPLOYEE
    Posted Sep 09, 2014 11:18 PM


  • 16.  RE: Clearpass Add to Domain error

    Posted Sep 10, 2014 07:29 AM

    We solved this issue by using a single domain server, instead of using the domain FQDN, when joining the domain.  The reverse lookup was changing when using the domain FQDN, causing the failure.  After joining the domain it seems that ClearPass then uses the domain FQDN, instead of the single domain server, so domain failover is still in place.

     

    Thanks again for all the help with this issue,

    J
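
The check this fix implies, as an added example that is not part of the original thread or of ClearPass: resolve the join target, reverse-resolve every address, and flag a target whose reverse lookup can land on more than one host. The zone data, host names and addresses below are constructed, and the function names are hypothetical.

```python
import socket

def forward_lookup(name):
    """All IPv4 addresses a name resolves to (system resolver); [] if none."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except OSError:
        return []

def reverse_lookup(ip):
    """PTR hostname for an address, or None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_join_target(name, forward=forward_lookup, reverse=reverse_lookup):
    """Walk name -> addresses -> PTR names and report whether it is stable."""
    addresses = forward(name)
    ptr = {ip: reverse(ip) for ip in addresses}
    problems = []
    if not addresses:
        problems.append(f"{name} does not resolve")
    for ip, host in ptr.items():
        if host is None:
            problems.append(f"{ip} has no PTR record")
        elif ip not in forward(host):
            problems.append(f"PTR {host} does not resolve back to {ip}")
    names = {h.lower().rstrip(".") for h in ptr.values() if h}
    if len(names) > 1:
        problems.append(f"{name} reverse-resolves to {len(names)} different hosts")
    return {"ptr": ptr, "stable": not problems, "problems": problems}

# Constructed sample zone (hypothetical names and addresses, not from the thread).
SAMPLE_A = {
    "example.local": ["10.0.0.11", "10.0.0.12"],
    "dc1.example.local": ["10.0.0.11"],
    "dc2.example.local": ["10.0.0.12"],
}
SAMPLE_PTR = {"10.0.0.11": "dc1.example.local", "10.0.0.12": "dc2.example.local"}

def sample_forward(name):
    return SAMPLE_A.get(name, [])

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)

if __name__ == "__main__":
    for target in ("example.local", "dc1.example.local"):
        print(target, check_join_target(target, sample_forward, sample_reverse))
```

Called with only a name, `check_join_target` uses the system resolver, so it can be run from any host that shares the DNS servers configured on the appliance.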



  • 17.  RE: Clearpass Add to Domain error

    Posted Aug 27, 2015 04:07 AM

    On entering the domain details and receiving the Kerberos error as previous users have, I pointed the join to a specific DC, not using the @ but with domainname.domain.co.uk, used a specific admin account with no odd characters, and hey presto: no errors, DNS resolved and domain added.


    @jemerson7 wrote:

    We solved this issue by using a single domain server, instead of using the domain FQDN, when joining the domain.  The reverse lookup was changing when using the domain FQDN, causing the failure.  After joining the domain it seems that ClearPass then uses the domain FQDN, instead of the single domain server, so domain failover is still in place.

     

    Thanks again for all the help with this issue,

    J