Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2921: adjoining with the self-serve flag fails with "Preauth" error messages in logs

Authentication Service ,  

12 April,16 at 11:38 AM

Applies to: All versions of Centrify DirectControl 
 
Question:
 
When using adjoin with the self-serve flag (-S), the operation fails with the following messages in the debug log:
 
13:00:32 wdc-ctfapp02tst adjoin[1962]: DEBUG base.kerberos.keytab GetSaltFromKDC returns: TEST.domain.com fileserver.domain.com
Jan 25 13:00:32 wdc-ctfapp02tst adjoin[1962]: DIAG  base.aduser Calculated salt was correct, bad password
Jan 25 13:00:32 wdc-ctfapp02tst adjoin[1962]: DIAG  base.aduser Error: get creds: Preauthentication failed for user wdc-ctfapp02tst$@TEST.domain.com (enctype: AES-256 CTS mode with 96-bit SHA-1 HMAC)
Jan 25 13:00:32 wdc-ctfapp02tst adjoin[1962]: DEBUG base.osutil Module=Kerberos : get creds: Preauthentication failed (reference base/adbind.cpp:393 rc: -1765328360)
Jan 25 13:00:32 wdc-ctfapp02tst adjoin[1962]: DEBUG base.osutil Module=Base : bad password (reference base/adbind.cpp:641 rc: 1030)
 
Jan 25 13:00:33 wdc-ctfapp02tst adjoin[1962]: DEBUG cli.adjoin Error: Invalid user or password
 
 
Syntax of adjoin:
 
  /usr/share/centrifydc/libexec/adjoin -S -V test.domain.com
 
The environment uses dis-jointed DNS and so the -n flag was also attempted with the same results. 
 
Replication was ruled out when using the -s flag. Pre-creation of computer object was successful using DirectManage Access Manager. 
 
What could be the reason for the error messages?
 
Answer:
 
In the event of pre-authentication failure, please follow the below steps.
 
1) After pre-creation of the computer object on ADUC (dsa.msc), right-click on the computer entry and do a reset.
 
See the following link which shows the steps: http://technet.microsoft.com/en-us/library/ee198778.aspx
 
2) Wait for the replication to complete.
 
3) Attempt a self serve join again using -S and it should now work.
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-3925: How to add Centrify parameter to a group policy articleKB-2962: adjoin self-serve fails for pre-created computer with hostname > 15 chars with error:get creds: Client not found in Kerberos database articleKB-2346: adjoin self-serve fails for precreated computer with hostname > 15 chars, in disjointed DNS with error:Constraint violation : 0000200B:.., Att 9026b (dNSHostName) articleKB-3308: adjoin fails with "KRB5 error code 68 for user xyz@US.yourdomain.local (enctype: ArcFour with HMAC/md5)"