Domain Join or Rejoin Fails After Upgrade to 7.3.26, 7.4.10+

Article ID: 411340

Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

When attempting to join or rejoin a domain, an Edge SWG running version 7.3.26 or 7.4.10+ returned an "Invalid credentials" or "% Client not found in Kerberos database" error, which prevented the proxy from joining the domain. The issue was worked around by downgrading the Edge SWG to version 7.3.25/7.4.9 or a prior release.

The GUI displayed the following error:

Invalid credentials. Ensure the user name has the correct case and the password is valid.

An LSA debug indicates the following error:

LW_ERROR_PASSWORD_MISMATCH

Environment

This issue affects environments that use IWA Direct authentication on SGOS versions 7.3.26.1, 7.3.26.2, 7.4.10.1 or 7.4.11.1.

Cause

This issue was introduced with a Kerberos (KRB5) update in versions 7.3.26 and 7.4.10. The problem lies in how Domain Controller (DC) affinity is handled, causing the proxy to switch DCs between the machine account credential update and the subsequent acquisition of the Ticket Granting Ticket (TGT).

This issue is more likely to occur in larger Active Directory deployments where multiple Domain Controllers are available.

Resolution

Released versions equal to or greater than 7.3.26.3, 7.3.27.1 and 7.4.12.1 contain a fix for this issue.
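
To triage an appliance inventory against the versions named in this article, the following is an added example (not vendor code). The function names and the sample inventory are assumptions constructed for illustration. Versions inside the 7.3.26 or 7.4.10-7.4.11 range that the Environment section does not list are reported as "unlisted" rather than guessed.

```python
# Added example: classify SGOS versions using only the lists in this article.
AFFECTED = {(7, 3, 26, 1), (7, 3, 26, 2), (7, 4, 10, 1), (7, 4, 11, 1)}  # Environment
INTRODUCED = {(7, 3): (7, 3, 26), (7, 4): (7, 4, 10)}                    # Cause
FIXED_FROM = {(7, 3): (7, 3, 26, 3), (7, 4): (7, 4, 12, 1)}              # Resolution


def parse(version):
    """'7.3.26.2' -> (7, 3, 26, 2); raises ValueError on malformed input."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 3:
        raise ValueError(f"expected at least major.minor.patch: {version!r}")
    return parts


def classify(version):
    """Return 'affected', 'fixed', 'prior' or 'unlisted' for one version."""
    v = parse(version)
    if v in AFFECTED:
        return "affected"
    branch = v[:2]
    if branch < (7, 3):
        return "prior"            # release line older than the KRB5 update
    if branch > (7, 4):
        return "fixed"            # greater than 7.4.12.1
    # Compare inside the release line. A flat "version >= 7.3.26.3" test
    # would wrongly report 7.4.10.1 as fixed.
    if v[:3] < INTRODUCED[branch]:
        return "prior"
    if v >= FIXED_FROM[branch]:
        return "fixed"
    return "unlisted"             # in the affected range, not named in Environment


def needs_upgrade(inventory):
    """Hosts whose version is affected or unlisted, sorted by host name."""
    return sorted(h for h, ver in inventory.items()
                  if classify(ver) in ("affected", "unlisted"))


# Constructed inventory: host names are made up for this example.
SAMPLE = {"swg-a": "7.3.25.1", "swg-b": "7.3.26.2", "swg-c": "7.4.10.1",
          "swg-d": "7.4.12.1", "swg-e": "7.4.10.2", "swg-f": "7.3.27.1"}

if __name__ == "__main__":
    for host, ver in sorted(SAMPLE.items()):
        print(host, ver, classify(ver))
    print("upgrade:", needs_upgrade(SAMPLE))
```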