Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
952
Views
0
Helpful
2
Replies

Joining ACS express to AD

Go to solution
fermendo
Level 1
Level 1

‎09-06-2010 03:41 PM - edited ‎03-10-2019 05:23 PM

Hi all,

I'm trying to join an ACS express (5.0) to AD. Communication between ACS and AD DCs is correct, but when trying to join the domain I get the following warning:

1.  Saved settings, but error in joining domain. Error: Domain Controller not reachable by name. DNS is setup correctly, however the domain controller is not reachable via the name that is in DNS. This can be caused by the domain controller being unavailable. It may also be caused by the DNS domain name not matching between the AD domain controller and ACS Express appliance.

I have verified that the domain controller is reachable by name, and actually in the logs I can see that at some point the ACS tries to create the computer name in the location specified:

Sep 6 16:28:59 IRMXACSE adjoin[14632]: DEBUG base.bind.ldap xxxxxx.mx.hdi.com:389 fetch dn="<WKGUID=aa312825768811d1aded00c04fd8d5cd,DC=mx,DC=hdi,DC=com>" filter="(objectclass=*)"     (erased name)

ACS tries to create a zone, but at some point the following error message appears:

Sep 6 16:28:59 IRMXACSE adjoin[14632]: DEBUG base.osutil GSSKerberos::initSecurityContext - gss_init_sec_context failed (reference ../smb/utils/gsskerberos.cpp:177 rc: -1765328377)

At that point, the binding fails and ACS fails to join the domain.

Any help is highly appreciated,

Thanks!!!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Lauren Sullivan
Level 1
Level 1

‎09-07-2010 01:00 PM 

That error resolves to KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN   (-1765328377L). Usually, this is due to either
a missing Service Principal name for AD account or the SPN not being recognized by KDC.  Can you double-check
that it's in a host/domain.name format?

Also, what OS is on the DC you're using?  We've seen this error with 2008 DCs and Express 5.0, which was
resolved by upgrading to 5.0.1.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Lauren Sullivan
Level 1
Level 1

‎09-07-2010 01:00 PM 

That error resolves to KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN   (-1765328377L). Usually, this is due to either
a missing Service Principal name for AD account or the SPN not being recognized by KDC.  Can you double-check
that it's in a host/domain.name format?

Also, what OS is on the DC you're using?  We've seen this error with 2008 DCs and Express 5.0, which was
resolved by upgrading to 5.0.1.
0 Helpful

Go to solution
fermendo
Level 1
Level 1
In response to Lauren Sullivan

‎09-14-2010 11:15 AM

Hello Lauren,

Thanks a lot for your answer, the format was correct, but the OS was 2008. So we were able to upgrade to version 5.0.1 this past weekend and today is working fine.

Thanks again!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents