Unable to Re-Register UNAB Endpoint in Active Directory

Article ID: 254369

Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

When attempting to re-register a UNAB endpoint in Active Directory, the following error occurs.

Binding to Active Directory...
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: ##
SASL data security layer installed.
AD Schema version 87 (Windows Server 2016)
'unabendpoint01' will be used as the computer name for the endpoint in AD.
ERROR: The following object in AD has the same UserPrincipalName attribue as the endpoint. This is not allowed and will cause Kerberos errors:
     CN=unabendpoint01\.........,OU=Computers,DC=ad,DC=domain,DC=com
ACTION: Please resolve the conflict in AD before attempting to register.

Environment

Unix Authentication Broker 12.8, 14.0, 14.1

Cause

When UNAB registers with Active Directory, it creates a computer object for the endpoint. If the server is rebuilt, or if deregistration ran into an issue during a reinstall or during troubleshooting, that object can be left behind in AD. If the computer object still exists when UNAB attempts to register, the registration fails with this error.

Resolution

Verify that the object is not active and remove it from Active Directory, then run the register command again.
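
One way to carry out the verification step before deleting anything, as an added example that is not part of the original article or the vendor's tooling. It assumes the RSAT ActiveDirectory PowerShell module; the function name and the 30-day inactivity threshold are illustrative assumptions.

```powershell
# Added example, not vendor code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EndpointObjectCandidate {        # hypothetical helper name
    param(
        # Restrict to hostname characters so the value is safe inside the LDAP filter.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z0-9-]+$')] [string] $EndpointName,
        [int] $InactiveDays = 30               # assumed threshold; set per local policy
    )
    $props  = 'userPrincipalName', 'lastLogonTimestamp', 'pwdLastSet',
              'whenChanged', 'userAccountControl'
    # The trailing wildcard also returns objects whose CN merely starts with the name;
    # compare each DistinguishedName with the one printed in the registration error.
    $filter = "(&(objectClass=computer)(cn=$EndpointName*))"
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        # Both values are Windows FILETIME integers; empty or 0 means never set.
        # lastLogonTimestamp is replicated but can lag by about 14 days by default.
        $logon  = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) }
        $pwdSet = if ($_.pwdLastSet)         { [DateTime]::FromFileTimeUtc($_.pwdLastSet) }
        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            UserPrincipalName = $_.userPrincipalName
            LastLogonUtc      = $logon
            PwdLastSetUtc     = $pwdSet
            WhenChanged       = $_.whenChanged
            Disabled          = [bool]($_.userAccountControl -band 2)   # ACCOUNTDISABLE flag
            LooksInactive     = (-not $logon) -or ($logon -lt $cutoff)
        }
    }
}

# Endpoint name taken from the error output in this article.
$candidates = Get-EndpointObjectCandidate -EndpointName 'unabendpoint01'
$candidates | Format-List

# Dry run: -WhatIf only reports what would be deleted. Remove it after confirming
# with the host owner that the object does not belong to a live system.
$candidates | Where-Object LooksInactive | ForEach-Object {
    Remove-ADObject -Identity $_.DistinguishedName -Confirm:$true -WhatIf
}
```

The timestamps are indicators of activity, not proof; an object that looks inactive should still be checked against the host inventory before the deletion is run without `-WhatIf`.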
