Error "The call to Kerberos 5 failed" when trying to join ProxySG appliance to domain

Article ID: 166960

Products

ProxySG Software - SGOS

Issue/Introduction

You receive the error "The call to Kerberos 5 failed" when trying to join a ProxySG appliance to the domain during IWA-Direct authentication configuration.

Cause

The issue is caused by one of the following:
  1. Join credentials contain complex or Cyrillic characters. 
  2. You are running SGOS 6.2.7.1 or an earlier version and experiencing known issue B#169883.
  3. You previously joined the domain, left the domain, and are trying to join again using the Join option (not Rejoin).
  4. DNS cannot resolve _kerberos-master._tcp.domain.com.
  5. Old DNS records exist, causing the Kerberos KDC name to be resolved incorrectly.

Resolution

Perform the appropriate step to resolve the issue.

  1. Simplify the password. Although complex passwords are supported, Kerberos might not be able to decrypt them if they contain non-UTF8 characters.
  2. Upgrade to SGOS 6.2.7.1 or later.
  3. Delete the machine account from Active Directory and click Join again.
  4. Force the DNS server to resolve _kerberos-master._tcp.domain.com to a good Kerberos master domain for TCP communication.
  5. Remove the incorrect DNS record.
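
To tell cause 4 from cause 5 before changing DNS, compare the SRV answers for the Kerberos master name against the domain controllers you expect to act as KDCs. The following Python is an added example, not part of the original article or the product; it classifies output captured from `dig +short SRV _kerberos-master._tcp.domain.com`, and the sample answers and host names (dc1, dc2, old-dc) are constructed.

```python
# Added example: classify SRV answers for the Kerberos master lookup.
# SAMPLE_ANSWERS and KNOWN_GOOD_KDCS are constructed values, not from the article.

SRV_NAME = "_kerberos-master._tcp.domain.com"  # record name used in the article

SAMPLE_ANSWERS = """\
0 100 88 dc1.domain.com.
0 100 88 old-dc.domain.com.
"""
KNOWN_GOOD_KDCS = ["dc1.domain.com", "dc2.domain.com"]


def parse_srv_short(text):
    """Parse `dig +short SRV <name>` lines: 'priority weight port target.'"""
    records = []
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines and anything that is not a 4-field SRV answer.
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue
        priority, weight, port = (int(p) for p in parts[:3])
        records.append((priority, weight, port, parts[3].rstrip(".").lower()))
    return records


def audit_srv(text, known_good_kdcs):
    """Return (status, stale_targets, good_targets) for the captured answers."""
    good_set = {h.rstrip(".").lower() for h in known_good_kdcs}
    targets = {rec[3] for rec in parse_srv_short(text)}
    if not targets:
        return ("unresolved", [], [])           # cause 4: no SRV answer at all
    stale = sorted(targets - good_set)
    good = sorted(targets & good_set)
    if stale:
        return ("stale-records", stale, good)   # cause 5: old records remain
    return ("ok", [], good)


if __name__ == "__main__":
    status, stale, good = audit_srv(SAMPLE_ANSWERS, KNOWN_GOOD_KDCS)
    print(f"{SRV_NAME}: {status}")
    for host in stale:
        print(f"  remove or correct SRV target: {host}")
    for host in good:
        print(f"  expected KDC present: {host}")
```
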