After joining the ProxySG to the Active Directory domain and creating an Integrated Windows Authentication (IWA) direct realm, we receive an error when running Test Configuration on the IWA servers page.
In the lsa debug log (https://x.x.x.x:8082/lsa/debug) we see error messages such as the following:
LW_Error_to_auth_result(), mapping unknown error code 40049 to AUTH_E_ONBOX_UNMAPPED_ERROR 2425351
GSSAPI: Error in gss_accept_sec_context() at g_accept_sec_context.c:225 [major: 851968, minor: 40049]
GSSAPI: gss_accept_sec_context() at g_accept_sec_context.c:223 [Minor: 40049]
TRACE: lsass - [ntlm_gss_accept_sec_context() gssntlm.c:1201] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
TRACE: lsass - [NtlmClientAcceptSecurityContext() acceptsecctxt.c:93] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
TRACE: lsass - [NtlmTransactAcceptSecurityContext() clientipc.c:222] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
TRACE: lsass - [NtlmServerAcceptSecurityContext() acceptsecctxt.c:179] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
TRACE: lsass - [NtlmValidateResponse() acceptsecctxt.c:838] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
TRACE: lsass - [LsaSrvAuthenticateUserEx() auth.c:438] Failed to authenticate user (name = 'isiddhrau') -> error = 40049, symbol = LW_ERROR_FAILED_FIND_DC, client pid = 67109569
TRACE: lsass - [LsaSrvAuthenticateUserEx() auth.c:375] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
TRACE: lsass - [AD_AuthenticateUserEx() provider-main.c:1823] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
Schannel: locate_dc() DC responded to an LDAP ping, but the SG failed to connect to it. Giving up. DC: DC01.EPM.LOCAL
Schannel (corporate): Unable to connect to DC. Error 0xA309(41737)
TRACE: lsass - [ADRefreshMachineTGT() machinepwd.c:724] Error code: 41737 (symbol: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)
DEBUG: (null) - [LwKrb5InitializeCredentials() lwkrb5.c:515] [LwKrb5InitializeCredentials() lwkrb5.c:515] Error code: 41737 (symbol: )
WARNING: (null) - [LwTranslateKrb5Error() lwkrb5.c:892] [LwKrb5GetTgtImpl krbtgt.c:407] KRB5 Error code: -1765328378 (Message: Client '[email protected]' not found in Kerberos database (get_in_tkt.c: 1590))
KRB5: Client '[email protected]' not found in Kerberos database (get_in_tkt.c: 1590)
KRB5-TRACE: [83886759] 1556729129.966781: Received error from KDC: -1765328378/Client not found in Kerberos database
The error that Test Configuration itself reports is only "The IWA direct realm encountered an unmapped error code"; the actual cause is the Kerberos error further down the log (Client not found in Kerberos database).
This issue occurs when the ProxySG has been joined to the Active Directory domain and the machine (computer) account created by that join is later deleted from Active Directory. The ProxySG still holds its cached join state and machine credentials, so when it tries to refresh its machine TGT (the ADRefreshMachineTGT entry above) the KDC answers KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (error 41737) because the principal no longer exists. lsass surfaces this as LW_ERROR_FAILED_FIND_DC (40049), which the realm cannot map to a known authentication result, hence the unmapped error.
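To pin the root cause down quickly rather than stopping at the unmapped 40049, the following triage script is an added example (my own code, not a Symantec/Broadcom tool) that scans lsa debug output for the unmapped code, the lsass error symbols, the KDC error and the principal the KDC rejected, and separates the deleted-machine-account case from a genuine failure to reach a domain controller. The embedded sample log is a constructed subset of the lines quoted above; the principal PROXYSG01$@EPM.LOCAL is a placeholder for the ProxySG's own machine principal, which this page does not show. The numeric value -1765328378 is MIT krb5's KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, as it appears on the KRB5-TRACE line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# MIT krb5 com_err value for KDC_ERR_C_PRINCIPAL_UNKNOWN (protocol error 6);
# this is the number on the "Received error from KDC" trace line.
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = -1765328378

# Constructed sample: a trimmed copy of the lsa debug lines quoted in this
# article. The principal PROXYSG01$@EPM.LOCAL is a placeholder for the
# ProxySG's machine principal (assumption; the page does not show it).
SAMPLE_LSA_DEBUG = """\
LW_Error_to_auth_result(), mapping unknown error code 40049 to AUTH_E_ONBOX_UNMAPPED_ERROR 2425351
TRACE: lsass - [AD_AuthenticateUserEx() provider-main.c:1823] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
Schannel: locate_dc() DC responded to an LDAP ping, but the SG failed to connect to it. Giving up. DC: DC01.EPM.LOCAL
Schannel (corporate): Unable to connect to DC. Error 0xA309(41737)
TRACE: lsass - [ADRefreshMachineTGT() machinepwd.c:724] Error code: 41737 (symbol: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)
DEBUG: (null) - [LwKrb5InitializeCredentials() lwkrb5.c:515] Error code: 41737 (symbol: )
KRB5: Client 'PROXYSG01$@EPM.LOCAL' not found in Kerberos database (get_in_tkt.c: 1590)
KRB5-TRACE: [83886759] 1556729129.966781: Received error from KDC: -1765328378/Client not found in Kerberos database
"""

_RE_UNMAPPED = re.compile(r"mapping unknown error code (\d+) to (\w+)")
_RE_SYMBOL = re.compile(r"Error code: (\d+) \(symbol: (\w*)\)")
_RE_KRB_CLIENT = re.compile(r"KRB5: Client '([^']+)' not found in Kerberos database")
_RE_KDC = re.compile(r"Received error from KDC: (-?\d+)/(.*)")
_RE_DC = re.compile(r"Giving up\. DC: (\S+)")


@dataclass
class LsaFindings:
    unmapped_code: Optional[int] = None
    symbols: Dict[int, str] = field(default_factory=dict)  # numeric code -> lsass symbol
    missing_principal: Optional[str] = None                  # principal the KDC did not know
    kdc_error: Optional[int] = None
    dc: Optional[str] = None


def parse_lsa_debug(text: str) -> LsaFindings:
    """Extract the facts that matter from raw lsa debug output."""
    f = LsaFindings()
    for line in text.splitlines():
        if m := _RE_UNMAPPED.search(line):
            f.unmapped_code = int(m.group(1))
        elif m := _RE_SYMBOL.search(line):
            code, sym = int(m.group(1)), m.group(2)
            if sym:  # lines like "(symbol: )" carry no name; keep the named one
                f.symbols[code] = sym
        elif m := _RE_KRB_CLIENT.search(line):
            f.missing_principal = m.group(1)
        elif m := _RE_KDC.search(line):
            f.kdc_error = int(m.group(1))
        elif m := _RE_DC.search(line):
            f.dc = m.group(1)
    return f


def diagnose(f: LsaFindings) -> str:
    """Classify the failure. A machine principal ends in '$' before the realm."""
    principal_unknown = (
        f.kdc_error == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN
        or "LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" in f.symbols.values()
    )
    if principal_unknown and f.missing_principal:
        if f.missing_principal.split("@", 1)[0].endswith("$"):
            return "machine-account-missing"
        return "principal-unknown"
    if principal_unknown:
        return "principal-unknown"
    if "LW_ERROR_FAILED_FIND_DC" in f.symbols.values():
        return "dc-unreachable"
    return "unknown"


REMEDIATION = {
    "machine-account-missing": "The ProxySG's computer account no longer exists in AD: "
                               "leave the domain on the ProxySG, then rejoin to re-create it.",
    "principal-unknown": "The KDC rejected a non-machine principal: check the account named in the KRB5 line.",
    "dc-unreachable": "No Kerberos principal error seen: verify the DC is reachable on LDAP/Kerberos ports.",
    "unknown": "No known pattern matched: read the full lsa debug output.",
}


def triage(text: str) -> str:
    return REMEDIATION[diagnose(parse_lsa_debug(text))]


if __name__ == "__main__":
    found = parse_lsa_debug(SAMPLE_LSA_DEBUG)
    print(f"DC: {found.dc}  unmapped: {found.unmapped_code}  principal: {found.missing_principal}")
    print(triage(SAMPLE_LSA_DEBUG))
```

Run it against a saved copy of the lsa debug page; for the machine-account-missing verdict, confirm on a domain controller that the computer object is indeed gone (for example Get-ADComputer with a Name filter for the ProxySG's account returning nothing) before leaving and rejoining, because a deleted-then-recreated account with a different password would produce a different Kerberos error rather than principal unknown.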
To resolve the issue, leave the Active Directory domain on the ProxySG so that the cached join state and machine credentials are cleared, then rejoin the domain so that the machine account is re-created.
To leave the domain:
To join the domain: