Authentication fails with unmapped error code 40049

Article ID: 174614

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

After joining the ProxySG to the Active Directory domain and creating an Integrated Windows Authentication (IWA) direct realm, we receive an error when running Test Configuration on the IWA servers page.

In the lsa debug logs (https://x.x.x.x:8082/lsa/debug) we see error messages such as the following:

LW_Error_to_auth_result(), mapping unknown error code 40049 to AUTH_E_ONBOX_UNMAPPED_ERROR 2425351
GSSAPI:  Error in gss_accept_sec_context() at g_accept_sec_context.c:225 [major: 851968, minor: 40049]
GSSAPI:  gss_accept_sec_context() at g_accept_sec_context.c:223 [Minor: 40049]
TRACE: lsass - [ntlm_gss_accept_sec_context() gssntlm.c:1201] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
TRACE: lsass - [NtlmClientAcceptSecurityContext() acceptsecctxt.c:93] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
TRACE: lsass - [NtlmTransactAcceptSecurityContext() clientipc.c:222] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
TRACE: lsass - [NtlmServerAcceptSecurityContext() acceptsecctxt.c:179] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
TRACE: lsass - [NtlmValidateResponse() acceptsecctxt.c:838] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
TRACE: lsass - [LsaSrvAuthenticateUserEx() auth.c:438] Failed to authenticate user (name = 'isiddhrau') -> error = 40049, symbol = LW_ERROR_FAILED_FIND_DC, client pid = 67109569
TRACE: lsass - [LsaSrvAuthenticateUserEx() auth.c:375] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
TRACE: lsass - [AD_AuthenticateUserEx() provider-main.c:1823] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
Schannel: locate_dc() DC responded to an LDAP ping, but the SG failed to connect to it. Giving up. DC: DC01.EPM.LOCAL
Schannel (corporate): Unable to connect to DC. Error 0xA309(41737)
TRACE: lsass - [ADRefreshMachineTGT() machinepwd.c:724] Error code: 41737 (symbol: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)
DEBUG: (null) - [LwKrb5InitializeCredentials() lwkrb5.c:515] [LwKrb5InitializeCredentials() lwkrb5.c:515] Error code: 41737 (symbol: )
WARNING: (null) - [LwTranslateKrb5Error() lwkrb5.c:892] [LwKrb5GetTgtImpl krbtgt.c:407] KRB5 Error code: -1765328378 (Message: Client '[email protected]' not found in Kerberos database (get_in_tkt.c: 1590))
KRB5:  Client '[email protected]' not found in Kerberos database (get_in_tkt.c: 1590)
KRB5-TRACE:  [83886759] 1556729129.966781: Received error from KDC: -1765328378/Client not found in Kerberos database

The IWA direct realm encountered an unmapped error code

Cause

This issue occurs when the ProxySG has been joined to the Active Directory domain and the machine account created by the join is later deleted from Active Directory. The ProxySG still holds its cached domain objects, so the KDC no longer recognises the machine principal (LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN in the log above) and the NTLM/Kerberos paths fail with error 40049, which the realm reports only as an unmapped error.
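Because 40049 surfaces only as AUTH_E_ONBOX_UNMAPPED_ERROR, the underlying lsass symbols and the KDC error have to be read out of the lsa debug output. The following Python triage script is an added example, not part of this article or of SGOS; it parses log lines of the shape shown above and reports whether the FAILED_FIND_DC / C_PRINCIPAL_UNKNOWN pair that points at a deleted machine account is present. The sample lines are constructed and the DC name is a placeholder.

```python
import re

# Constructed sample in the shape of the lsa debug output above (DC name is a placeholder).
SAMPLE_LOG = """\
LW_Error_to_auth_result(), mapping unknown error code 40049 to AUTH_E_ONBOX_UNMAPPED_ERROR 2425351
TRACE: lsass - [NtlmValidateResponse() acceptsecctxt.c:838] Error code: 40049 (symbol: LW_ERROR_FAILED_FIND_DC)
Schannel: locate_dc() DC responded to an LDAP ping, but the SG failed to connect to it. Giving up. DC: DC01.EXAMPLE.LOCAL
Schannel (corporate): Unable to connect to DC. Error 0xA309(41737)
TRACE: lsass - [ADRefreshMachineTGT() machinepwd.c:724] Error code: 41737 (symbol: LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)
DEBUG: (null) - [LwKrb5InitializeCredentials() lwkrb5.c:515] Error code: 41737 (symbol: )
KRB5-TRACE:  [83886759] 1556729129.966781: Received error from KDC: -1765328378/Client not found in Kerberos database
"""

UNMAPPED = re.compile(r"mapping unknown error code (\d+) to (AUTH_E_\w+)")
LSASS_ERR = re.compile(r"Error code: (\d+) \(symbol: ([A-Z0-9_]*)\)")   # symbol may be empty
KDC_ERR = re.compile(r"Received error from KDC: (-?\d+)/(.+)$")
KDC_C_PRINCIPAL_UNKNOWN = -1765328378   # krb5 KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN as seen in the trace

def triage(log_text):
    """Map each lsass error code to its symbol, collect KDC errors and derive a verdict."""
    unmapped, symbols, kdc = {}, {}, []
    for line in log_text.splitlines():
        if m := UNMAPPED.search(line):
            unmapped[int(m.group(1))] = m.group(2)
        if m := LSASS_ERR.search(line):
            code, sym = int(m.group(1)), m.group(2)
            if sym:                       # skip lines that log the code without a symbol
                symbols[code] = sym
        if m := KDC_ERR.search(line):
            kdc.append((int(m.group(1)), m.group(2).strip()))

    syms = set(symbols.values())
    principal_unknown = ("LW_ERROR_KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN" in syms
                         or any(code == KDC_C_PRINCIPAL_UNKNOWN for code, _ in kdc))
    if "LW_ERROR_FAILED_FIND_DC" in syms and principal_unknown:
        verdict = "machine account missing in AD: leave and rejoin the Windows Domain"
    elif "LW_ERROR_FAILED_FIND_DC" in syms:
        verdict = "DC lookup failed without a Kerberos principal error: cause not covered here"
    else:
        verdict = "no 40049 signature found"
    return {"unmapped": unmapped, "symbols": symbols, "kdc": kdc, "verdict": verdict}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for code, sym in sorted(result["symbols"].items()):
        print(f"{code} -> {sym} (reported as {result['unmapped'].get(code, 'mapped')})")
    print("verdict:", result["verdict"])
```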

Resolution

To resolve this issue, leave the Active Directory domain on the ProxySG so that the cached domain objects are cleared, then rejoin the domain to re-create the machine account.

To leave the domain:

  1. Browse to the management console of the ProxySG
  2. Click into Configuration > Authentication > Windows Domain
  3. Select the Domain from the list
  4. Click Leave (NOTE: This will only succeed if there are no active realms defined for this Windows Domain)

To join the domain:

  1. Browse to the management console of the ProxySG
  2. Click into Configuration > Authentication > Windows Domain
  3. Click Add New Domain
  4. Enter the Hostname for the Domain (e.g. if our domain is "EPM.com" we would enter "EPM")
  5. Click OK
  6. Click Apply
  7. Click Join
  8. Enter the Hostname for the Domain (e.g. if our domain is "EPM.com" we would enter "EPM.com")
  9. Enter the username and password of a user with administrative rights in the domain to create a machine account
  10. Click OK