Joining ACS express to AD

Answered Question
Sep 6th, 2010

Hi all,


I'm trying to join an ACS express (5.0) to AD. Communication between ACS and AD DCs is correct, but when trying to join the domain I get the following warning:


1.  Saved settings, but error in joining domain. Error: Domain Controller not reachable by name. DNS is setup correctly, however the domain controller is not reachable via the name that is in DNS. This can be caused by the domain controller being unavailable. It may also be caused by the DNS domain name not matching between the AD domain controller and ACS Express appliance.


I have verified that the domain controller is reachable by name, and actually in the logs I can see that at some point the ACS tries to create the computer name in the location specified:


Sep 6 16:28:59 IRMXACSE adjoin[14632]: DEBUG base.bind.ldap xxxxxx.mx.hdi.com:389 fetch dn="<WKGUID=aa312825768811d1aded00c04fd8d5cd,DC=mx,DC=hdi,DC=com>" filter="(objectclass=*)"     (erased name)
ACS tries to create a zone, but at some point the following error message appears:

Sep 6 16:28:59 IRMXACSE adjoin[14632]: DEBUG base.osutil GSSKerberos::initSecurityContext - gss_init_sec_context failed (reference ../smb/utils/gsskerberos.cpp:177 rc: -1765328377)


At that point, the binding fails and ACS fails to join the domain.


Any help is highly appreciated,


Thanks!!!

Correct Answer
Lauren Sullivan Tue, 09/07/2010 - 13:00
That error resolves to KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN   (-1765328377L). Usually, this is due to either
a missing Service Principal name for AD account or the SPN not being recognized by KDC.  Can you double-check
that it's in a host/domain.name format?

Also, what OS is on the DC you're using?  We've seen this error with 2008 DCs and Express 5.0, which was
resolved by upgrading to 5.0.1.
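As an added example (not part of the original thread or of ACS Express), the following Python decodes the `rc:` value from the adjoin log line quoted in the question into its MIT krb5 symbolic name, and checks that an SPN has the host/fully.qualified.name form the answer asks about; the sample log line and hostnames are constructed, and the error-code subset is taken from RFC 4120 section 7.5.9.

```python
import re

# com_err base of the MIT krb5 error table (ERROR_TABLE_BASE_krb5);
# each entry is base + the RFC 4120 error code.
KRB5_ERROR_TABLE_BASE = -1765328384

# Subset of RFC 4120 section 7.5.9 codes most often seen during an AD join.
RFC4120_ERRORS = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client principal unknown to KDC
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",   # server principal (SPN) unknown to KDC
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",         # no common encryption type
    24: "KRB5KDC_ERR_PREAUTH_FAILED",       # wrong password or key
    37: "KRB5KRB_AP_ERR_SKEW",              # clock skew too great
}

# Constructed sample of the adjoin line quoted in the question.
SAMPLE_LOG = (
    "Sep 6 16:28:59 IRMXACSE adjoin[14632]: DEBUG base.osutil "
    "GSSKerberos::initSecurityContext - gss_init_sec_context failed "
    "(reference ../smb/utils/gsskerberos.cpp:177 rc: -1765328377)"
)

def krb5_error_name(rc):
    """Map a com_err style krb5 return code to its symbolic name, or None."""
    offset = rc - KRB5_ERROR_TABLE_BASE
    if 0 <= offset <= 255:
        return RFC4120_ERRORS.get(offset, "KRB5 error code %d" % offset)
    return None  # not from the krb5 table (e.g. a GSS major status)

def rc_from_log(line):
    """Extract the signed 'rc:' value from an adjoin debug line."""
    m = re.search(r"\brc:\s*(-?\d+)", line)
    return int(m.group(1)) if m else None

# host/<fqdn> with an optional @REALM suffix
SPN_RE = re.compile(r"^host/([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?:@([A-Z0-9.-]+))?$")

def check_spn(spn, ad_domain):
    """Return the problems found with an SPN expected as host/fqdn[@REALM]."""
    m = SPN_RE.match(spn)
    if not m:
        return ["SPN is not in host/fully.qualified.name format"]
    fqdn, realm = m.groups()
    problems = []
    if not fqdn.lower().endswith("." + ad_domain.lower()):
        problems.append("DNS domain of %s does not match AD domain %s" % (fqdn, ad_domain))
    if realm and realm != ad_domain.upper():
        problems.append("realm %s does not match %s" % (realm, ad_domain.upper()))
    return problems
```

The WKGUID in the bind line quoted in the question is the well-known GUID of the domain's Computers container, which is where adjoin creates the machine account before the Kerberos exchange that then fails.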
fermendo Tue, 09/14/2010 - 11:15

Hello Lauren,


Thanks a lot for your answer. The format was correct, but the OS was 2008. So we were able to upgrade to version 5.0.1 this past weekend, and today it is working fine.


Thanks again!
