Applies to: All versions of Centrify DirectControl
Question:
When using adjoin with the self-serve flag (-S), the operation fails with the following messages in the debug log:
13:00:32 wdc-ctfapp02tst adjoin[1962]: DEBUG base.kerberos.keytab GetSaltFromKDC returns: TEST.domain.com fileserver.domain.com
Jan 25 13:00:32 wdc-ctfapp02tst adjoin[1962]: DIAG base.aduser Calculated salt was correct, bad password
Jan 25 13:00:32 wdc-ctfapp02tst adjoin[1962]: DIAG base.aduser Error: get creds: Preauthentication failed for user wdc-ctfapp02tst$@TEST.domain.com (enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC)
Jan 25 13:00:32 wdc-ctfapp02tst adjoin[1962]: DEBUG base.osutil Module=Kerberos : get creds: Preauthentication failed (reference base/adbind.cpp:393 rc: -1765328360)
Jan 25 13:00:32 wdc-ctfapp02tst adjoin[1962]: DEBUG base.osutil Module=Base : bad password (reference base/adbind.cpp:641 rc: 1030)
Jan 25 13:00:33 wdc-ctfapp02tst adjoin[1962]: DEBUG cli.adjoin Error: Invalid user or password
Syntax of adjoin:
/usr/share/centrifydc/libexec/adjoin -S -V test.domain.com
The environment uses disjoint DNS, so the -n flag was also attempted, with the same results.
Replication was ruled out by using the -s flag. Pre-creation of the computer object was successful using DirectManage Access Manager.
What could be the reason for the error messages?
Answer:
In the event of a pre-authentication failure, follow the steps below.
1) After pre-creating the computer object in ADUC (dsa.msc), right-click the computer entry and reset it.
See the following link which shows the steps: http://technet.microsoft.com/en-us/library/ee198778.aspx
2) Wait for the replication to complete.
3) Attempt a self-serve join again using -S; it should now work.
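To confirm that a failed join matches the case these steps address, the debug log can be checked for the same signature as in the question: a verified salt, a machine principal (name ending in `$`) and Kerberos return code -1765328360, which is KDC_ERR_PREAUTH_FAILED (24) in the MIT krb5 error table. The script below is an added example, not Centrify code; the function name `triage`, the sample host and the realm are assumptions made for illustration.

```python
import re

# Constructed sample in the debug-log format shown in the question (host and realm are made up).
SAMPLE_LOG = """\
13:00:32 host01 adjoin[1962]: DIAG base.aduser Calculated salt was correct, bad password
Jan 25 13:00:32 host01 adjoin[1962]: DIAG base.aduser Error: get creds: Preauthentication failed for user host01$@EXAMPLE.TEST (enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC)
Jan 25 13:00:32 host01 adjoin[1962]: DEBUG base.osutil Module=Kerberos : get creds: Preauthentication failed (reference base/adbind.cpp:393 rc: -1765328360)
Jan 25 13:00:32 host01 adjoin[1962]: DEBUG base.osutil Module=Base : bad password (reference base/adbind.cpp:641 rc: 1030)
Jan 25 13:00:33 host01 adjoin[1962]: DEBUG cli.adjoin Error: Invalid user or password
"""

KRB5_ERROR_TABLE_BASE = -1765328384  # MIT krb5 error table base; rc minus base = protocol code
KDC_ERR_PREAUTH_FAILED = 24          # RFC 4120

ENTRY = re.compile(r"adjoin\[\d+\]: (\w+) (\S+) (.*)$")  # level, module, message
PREAUTH = re.compile(r"Preauthentication failed for user (\S+) \(enctype: ([^)]+)\)")
KRB_RC = re.compile(r"Module=Kerberos .*rc: (-?\d+)\)")


def triage(log_text):
    """Summarise a pre-authentication failure found in adjoin debug output, or return None."""
    salt_ok, principal, enctype, code = False, None, None, None
    for line in log_text.splitlines():
        entry = ENTRY.search(line)  # search, not match: some lines lack the date prefix
        if not entry:
            continue
        msg = entry.group(3)
        if "Calculated salt was correct" in msg:
            salt_ok = True
        if (m := PREAUTH.search(msg)):
            principal, enctype = m.group(1), m.group(2)
        if (m := KRB_RC.search(msg)):  # ignores the Module=Base rc (1030)
            code = int(m.group(1)) - KRB5_ERROR_TABLE_BASE
    if code != KDC_ERR_PREAUTH_FAILED or principal is None:
        return None
    machine = principal.split("@", 1)[0].endswith("$")
    return {
        "principal": principal,
        "enctype": enctype,
        "krb_code": code,
        "machine_account": machine,
        # Salt verified + machine principal: the log itself blames the password,
        # which is the case the reset / replicate / retry steps address.
        "reset_computer_object": salt_ok and machine,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
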