
Failed to join domain: failed to set machine spn: Operations error

I have to say that I switched from Untangle to Astaro and am very impressed. I only have one problem: I am trying to get SSO working, and it will not join the domain.

When I hit apply with correct credentials it DOES add a computer object in the Computers OU, but it does not finish. Has anyone seen this before? I get different errors for the password being wrong or the user not found, so something else is up. The domain is Win2k8 R2.

Thank you


name="SYSTEM_AD_JOIN_FAILED (Cannot join active directory domain.)" user="jasin" srcip="192.168.2.5" facility="webadmin" client="index.plx" call="ad_join_domain" joinresult="Failed to join domain: failed to set machine spn: Operations error" user_name="sin" domain="SIN-SERVER.NET"


  • Hi, Jasin, and welcome to the User BB!

    All I can think of is either a time difference of more than five minutes or the presence of an account with the same name already existing in the AD.  What does the Kerberos log in the Win2k8 server say about the attempt?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    Thank you for the quick response. I confirmed that the time is in sync. There is no duplicate account. It does create a new account in AD. I see no failures in AD. Kinda stumped at this point.

    A computer account was created.

    New Computer Account:
    Security ID: SIN-SERVER\astaro$
    Account Name: astaro$
    Account Domain: SIN-SERVER

    Attributes:
    SAM Account Name: astaro$
    Primary Group ID: 515
    AllowedToDelegateTo: -
    Old UAC Value: 0x0
    New UAC Value: 0x85

    A computer account was changed.
    Subject:
    Computer Account That Was Changed:
    Security ID: SIN-SERVER\astaro$
    Account Name: astaro$
    Account Domain: SIN-SERVER

    An attempt was made to reset an account's password.
    Subject:
    Target Account:
    Security ID: SIN-SERVER\astaro$
    Account Name: astaro$
    Account Domain: SIN-SERVER
  • If an Astaro is supplying Mail Security, I usually give it a hostname equivalent to the content of the highest-priority MX record, for example, mail.domain.com.  Then, assuming the internal domain is domain.local, when the Astaro is joined to the domain, it joins as mail.  Did you use a resolvable FQDN as the hostname?  Have you configured DNS in 'Network Services'?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • You should have in 'Network Services > DNS > Request Routing' a DNS request route pointing to your internal domain and your DNS servers.
  • I do. Like I said, a computer object is created, so it's making it to the domain. It is just erroring out in the process with the SPN.
  • Ran into this issue today - resolution is to make sure you have the domain controller(s) as DNS Forwarder object(s) under Network Services / DNS / Forwarders.
  • Hi, Vega, and welcome to posting here!

    The different solutions suggested by Vega and Longman both work, depending on how you have DNS configured in your network.  Anyone finding this thread may be interested in DNS Best Practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
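Both fixes in this thread come down to the same thing: the UTM's resolver must be able to answer for the AD domain, because joining locates a domain controller through the DC locator SRV record. The check below is added here and is not code from the thread or from Sophos; it sends one SRV query for `_ldap._tcp.dc._msdcs.<domain>` to a single forwarder using only the Python standard library and lists the DCs that forwarder returns, so an NXDOMAIN (rcode 3) or empty answer tells you before the join that this forwarder cannot locate the domain. The domain `sin-server.net` and the forwarder address `192.168.2.10` in the usage line are placeholders.

```python
import random, socket, struct, sys

def build_srv_query(name, qid):
    # Header (id, flags RD=1, 1 question), then QNAME, QTYPE=33 (SRV), QCLASS=1 (IN).
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 33, 1)

def read_name(msg, off):
    # Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next offset).
    ln = msg[off]
    if ln >= 0xC0:  # compression pointer: the name continues at another offset
        ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        return read_name(msg, ptr)[0], off + 2
    if ln == 0:
        return "", off + 1
    rest, nxt = read_name(msg, off + 1 + ln)
    label = msg[off + 1:off + 1 + ln].decode()
    return (label + "." + rest if rest else label), nxt

def parse_srv_answers(msg):
    # Return (rcode, sorted [(priority, weight, port, target), ...]) from a reply.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):  # skip the echoed question section (name + type + class)
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 33:
            prio, weight, port = struct.unpack(">HHH", msg[off + 10:off + 16])
            records.append((prio, weight, port, read_name(msg, off + 16)[0]))
        off += 10 + rdlen
    return flags & 0xF, sorted(records)

def locate_dcs(domain, forwarder, timeout=3.0):
    # Ask this one forwarder directly over UDP/53, so the answer reflects its view alone.
    qid = random.randrange(0x10000)
    query = build_srv_query(f"_ldap._tcp.dc._msdcs.{domain}", qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (forwarder, 53))
        resp = sock.recv(4096)
    if struct.unpack(">H", resp[:2])[0] != qid:  # discard replies to someone else's query
        raise ValueError("response id does not match the query")
    return parse_srv_answers(resp)

if __name__ == "__main__":  # placeholders: python3 ad_dns_check.py sin-server.net 192.168.2.10
    rcode, dcs = locate_dcs(sys.argv[1], sys.argv[2])
    print("rcode:", rcode, "DCs:", dcs or "none; this forwarder cannot locate the domain")
```

Run it once against each forwarder configured under Network Services > DNS; the one the UTM uses for the AD domain must return at least one DC with rcode 0.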
  • Hi All,

    I know it's a long-gone thread, but it seems I'm having the same issue. May I know where to find that "Network Services - DNS Forwarders" part? Can you give me the exact location for it? Thanks!

  • Hi Conrado and welcome to the UTM Community!

    If your question is about UTM WebAdmin, it's the 'Forwarders' tab in 'Network Services >> DNS'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA