Cannot authenticate NAC via Active Directory

2017-02-11 14:16:04,522 ERROR [SambaInstallationManager] Failed to join domain: "ERUTIP.LOCAL" for user: "administrator" with error code: 1 kinit succeeded but ads_sasl_spnego_krb5_bind failed: Unspecified GSS failure.  Minor code may provide more information : Clock skew too great
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain ERUTIP
Unable to find a suitable server for domain ERUTIP
Failed to join domain: failed to connect to AD: Unspecified GSS failure.  Minor code may provide more information : Clock skew too great

2017-02-11 14:16:04,523 ERROR [SambaInstallationManager] Looked up IP "ERUTIP.LOCAL" => ERUTIP.LOCAL/10.120.120.121 and was able to ping it.
2017-02-11 14:16:04,527 ERROR [SambaInstallationManager] The user: "erutip\administrator" and password were verified via LDAP and we verified the user is a domain admin.
ECOMMERCE\hbudus

Posted 1 year ago

Steve Ballantyne

Hello hbudus,

The devil is in the details! Here is what is wrong: "Clock skew too great". The time and date need to match what is on your AD controllers. It is probably an incorrect time zone somewhere.

Are you using NTP to keep your clocks in sync? Ideally you want everything on your network using the same time source.
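
One way to measure the skew discussed above, as an added example that is not part of the original thread: it computes the UTC offset between the local clock and an NTP server (AD domain controllers normally answer NTP) and compares it with the Kerberos clock-skew tolerance. The 300-second limit is an assumed default (domain policy may differ), and `constructed_reply` is a constructed sample packet for offline use.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
KRB5_DEFAULT_MAX_SKEW = 300   # assumption: default 5-minute Kerberos tolerance


def _ntp_to_unix(packet: bytes, pos: int) -> float:
    """Decode the 64-bit NTP timestamp (32.32 fixed point) at byte `pos`."""
    seconds, fraction = struct.unpack_from("!II", packet, pos)
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def offset_from_reply(reply: bytes, t1: float, t4: float) -> float:
    """Server-minus-local offset in seconds; t1/t4 = local send/receive times."""
    if len(reply) < 48:
        raise ValueError("short NTP packet")
    if reply[0] & 0x07 != 4 or reply[1] == 0:  # must be mode 4 (server), stratum > 0
        raise ValueError("not a usable server reply")
    t2 = _ntp_to_unix(reply, 32)  # server receive timestamp
    t3 = _ntp_to_unix(reply, 40)  # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2


def within_kerberos_skew(offset: float, max_skew: int = KRB5_DEFAULT_MAX_SKEW) -> bool:
    return abs(offset) <= max_skew


def measure(server: str, timeout: float = 3.0) -> float:
    """Live SNTP query to `server` on UDP 123 (needs network access)."""
    request = b"\x23" + 47 * b"\x00"  # LI=0, VN=4, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(request, (server, 123))
        reply, _ = s.recvfrom(512)
        t4 = time.time()
    return offset_from_reply(reply, t1, t4)


def constructed_reply(server_unix: float) -> bytes:
    """Constructed sample: minimal mode-4, stratum-2 reply stamped `server_unix`."""
    ts = struct.pack("!II", int(server_unix) + NTP_EPOCH_DELTA, 0)
    return b"\x24\x02" + 30 * b"\x00" + ts + ts
```

Because the comparison is made in UTC, two hosts can display the same wall-clock time and still be an hour or more apart if one of them has the wrong time zone configured.
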
ECOMMERCE\hbudus

Hi Steve,

I checked it. NAC, Purview, Netsight, Wireless Controller and Microsoft Active Directory have the same time and timezone.
Steve Ballantyne

Oh boy. I have also had this problem in the past. You are not getting the full story in these error messages. The "time error" is probably a red herring [insert punchline].

I'll bet that there are better clues in the Windows Event Logs of your AD servers. How many AD servers do you have? If it's only a couple, I would check the Security Event logs on all of your controllers and see what they are reporting from the Windows side of things.