Cisco Support Community

New Member

Joining ACS express to AD

Hi all,

I'm trying to join an ACS express (5.0) to AD. Communication between ACS and AD DCs is correct, but when trying to join the domain I get the following warning:

1.  Saved settings, but error in joining domain. Error: Domain Controller not reachable by name. DNS is setup correctly, however the domain controller is not reachable via the name that is in DNS. This can be caused by the domain controller being unavailable. It may also be caused by the DNS domain name not matching between the AD domain controller and ACS Express appliance.

I have verified that the domain controller is reachable by name, and actually in the logs I can see that at some point the ACS tries to create the computer name in the location specified:

Sep 6 16:28:59 IRMXACSE adjoin[14632]: DEBUG base.bind.ldap xxxxxx.mx.hdi.com:389 fetch dn="<WKGUID=aa312825768811d1aded00c04fd8d5cd,DC=mx,DC=hdi,DC=com>" filter="(objectclass=*)"     (erased name)

ACS tries to create a zone, but at some point the following error message appears:

Sep 6 16:28:59 IRMXACSE adjoin[14632]: DEBUG base.osutil GSSKerberos::initSecurityContext - gss_init_sec_context failed (reference ../smb/utils/gsskerberos.cpp:177 rc: -1765328377)

At that point, the binding fails and ACS fails to join the domain.

Any help is highly appreciated,

Thanks!!!

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Joining ACS express to AD

That error resolves to KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L). Usually, this is due to either a missing Service Principal Name for the AD account or the SPN not being recognized by the KDC. Can you double-check that it's in a host/domain.name format?

Also, what OS is on the DC you're using? We've seen this error with 2008 DCs and Express 5.0, which was resolved by upgrading to 5.0.1.
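The reply above resolves the raw return code from the adjoin log into its Kerberos symbolic name and then asks about SPN format. The following script, added here as an example and not part of the original thread or of any Cisco tool, shows how that lookup works and how to apply it to a log line: MIT Kerberos error codes are com_err values built from a fixed table base (ERROR_TABLE_BASE_krb5 = -1765328384, i.e. 0x96C73A00 as a signed 32-bit integer) plus the protocol error code from RFC 4120, so -1765328377 is base + 7 = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. The sample log line is copied from the post, the table of names is the RFC 4120 KDC/AP error list, and the SPN check implements the host/fully.qualified.name format the reply asks about; the function names and the "expected_service" parameter are this example's own.

```python
import re

# Base of the MIT Kerberos "krb5" com_err error table (0x96C73A00 as a signed 32-bit int).
# A negative rc in a GSS/Kerberos log is usually this base plus the RFC 4120 error code.
ERROR_TABLE_BASE_KRB5 = -1765328384

# KDC error codes 0..29 from RFC 4120 section 7.5.9, in protocol order (index == code).
_KDC_SUFFIXES = [
    "NONE", "NAME_EXP", "SERVICE_EXP", "BAD_PVNO", "C_OLD_MAST_KVNO", "S_OLD_MAST_KVNO",
    "C_PRINCIPAL_UNKNOWN", "S_PRINCIPAL_UNKNOWN", "PRINCIPAL_NOT_UNIQUE", "NULL_KEY",
    "CANNOT_POSTDATE", "NEVER_VALID", "POLICY", "BADOPTION", "ETYPE_NOSUPP", "SUMTYPE_NOSUPP",
    "PADATA_TYPE_NOSUPP", "TRTYPE_NOSUPP", "CLIENT_REVOKED", "SERVICE_REVOKED", "TGT_REVOKED",
    "CLIENT_NOTYET", "SERVICE_NOTYET", "KEY_EXP", "PREAUTH_FAILED", "PREAUTH_REQUIRED",
    "SERVER_NOMATCH", "MUST_USE_USER2USER", "PATH_NOT_ACCEPTED", "SVC_UNAVAILABLE",
]
# AP (application) error codes 31..41; code 30 is reserved and deliberately absent.
_AP_SUFFIXES = [
    "BAD_INTEGRITY", "TKT_EXPIRED", "TKT_NYV", "REPEAT", "NOT_US", "BADMATCH",
    "SKEW", "BADADDR", "BADVERSION", "MSG_TYPE", "MODIFIED",
]
KRB5_ERROR_NAMES = {i: "KRB5KDC_ERR_" + s for i, s in enumerate(_KDC_SUFFIXES)}
KRB5_ERROR_NAMES.update({31 + i: "KRB5KRB_AP_ERR_" + s for i, s in enumerate(_AP_SUFFIXES)})


def decode_krb5_code(rc):
    """Map a com_err return code to its krb5 symbolic name.

    Returns None when rc does not belong to the krb5 table (com_err tables hold
    at most 256 entries), and a generic string for offsets not listed above.
    """
    offset = rc - ERROR_TABLE_BASE_KRB5
    if 0 <= offset < 256:
        return KRB5_ERROR_NAMES.get(offset, "krb5 error offset %d (not in this table)" % offset)
    return None


# Pulls the "rc: <signed int>" field out of a gss_init_sec_context failure line.
_RC_PATTERN = re.compile(r"\brc:\s*(-?\d+)")


def rc_from_log_line(line):
    """Return the integer rc recorded in a log line, or None if the line has none."""
    m = _RC_PATTERN.search(line)
    return int(m.group(1)) if m else None


def triage_log_line(line):
    """Return the krb5 error name for a log line, or a short reason when it cannot be decoded."""
    rc = rc_from_log_line(line)
    if rc is None:
        return "no rc field in line"
    return decode_krb5_code(rc) or "rc %d is not a krb5 error code" % rc


# service/fully.qualified.host[@REALM]; the host part must contain at least one dot.
_SPN_PATTERN = re.compile(
    r"^(?P<service>[A-Za-z][A-Za-z0-9_-]*)/"
    r"(?P<host>(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+)"
    r"(?:@(?P<realm>[A-Za-z0-9.-]+))?$"
)


def check_spn(spn, expected_service="host"):
    """Check that an SPN has the host/domain.name shape the reply asks about.

    Returns (ok, reason). expected_service is this example's own parameter.
    """
    m = _SPN_PATTERN.match(spn)
    if not m:
        return False, "expected service/fully.qualified.host[@REALM], got %r" % spn
    if m.group("service").lower() != expected_service.lower():
        return False, "service class is %r, expected %r" % (m.group("service"), expected_service)
    return True, "ok"


# Log line copied from the post above (hostname and rc as they appear there).
SAMPLE_LOG_LINE = (
    "Sep 6 16:28:59 IRMXACSE adjoin[14632]: DEBUG base.osutil "
    "GSSKerberos::initSecurityContext - gss_init_sec_context failed "
    "(reference ../smb/utils/gsskerberos.cpp:177 rc: -1765328377)"
)

if __name__ == "__main__":
    print(triage_log_line(SAMPLE_LOG_LINE))          # KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
    print(check_spn("host/acs01.example.com"))      # (True, 'ok')  -- constructed SPN
    print(check_spn("host/acs01"))                  # (False, ...)  -- not fully qualified
```

Running the script against the posted log line yields KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, which matches the reply; a service-principal-unknown result from the KDC is a reason to look at the SPN registered on the AD computer account (and, per the reply, at the appliance and DC versions), rather than at network reachability, which the original poster had already confirmed.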
2 REPLIES
New Member

Re: Joining ACS express to AD

Hello Lauren,

Thanks a lot for your answer. The format was correct, but the OS was 2008. So we were able to upgrade to version 5.0.1 this past weekend, and today it is working fine.

Thanks again!
