Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-9542: Unable to join domain with Error: (Kerberos) : Message stream modified

Authentication Service ,  

11 December,17 at 09:57 PM

Problem: 

When attempting to join a machine to the domain, adjoin fails with the error:

Error: (Kerberos) : Message stream modified
due to unexpected configuration or network error.
Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.
Join to domain '<domain>', zone '<zone>' failed.

 

In the logs you might see the following errors:

GSSAPI Mechanism with Kerberos error ": Message stream modified" (reference base/adbind.cpp:577 rc: -1765328343)
GSSAPI Mechanism with Kerberos error ": Message stream modified"

Cause: This can be caused by a bad domain controller or a DNS issue.

Resolution: 

  1. Resolve any DNS errors or warnings displayed after running the command: adcheck <domain>
  2. Check Active Directory for any leftover Service Connection Point objects and cleanup AD if any are found.
  3. Run an adjoin command with the -s option to specify a good domain controller.

            Syntax Example:
       # adjoin <domain> -z <zone_name> -u <domain_admin> -s <domain_controller>

                where 

                -s <domain_controller> specifies the preferred DC. 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6041: How to show current license type in use by adclient articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-3925: How to add Centrify parameter to a group policy articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal? articleKB-7441: List of error codes Adclient and DAD daemons generated for Solaris and Linux clients