0002767: Endian Firewall 2.3 Failed to join domain when connecting to Active Directory (NTLM) Server 2008 - MantisBT Endian Bugtracker
ID: 0002767
Project: Endian Firewall
Category: Installation
View Status: public
Date Submitted: 2010-03-12 12:55
Last Update: 2010-11-22 12:08
Reporter: bertusfloor
Assigned To: simon-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.3
Target Version:
Fixed in Version: 2.4.1
Summary: 0002767: Endian Firewall 2.3 Failed to join domain when connecting to Active Directory (NTLM) Server 2008
Description: I have tried connecting to Active Directory on a client Endian Firewall 2.3 and also at our office on a fresh install of Endian Firewall 2.3. We have never been able to connect.

Tried various, this is how it is now:

Proxy\http\authentication - selected windows active directory (ntlm)
then authentication realm = wit.local, under domainname = wit.local, PDC = SBS2008, PDC ip = 10.0.0.2,

Clicked Join, entered admin username + password, then I get the error: Failed to join domain.
Additional Information: Added host and hostname under network\edit hosts\add a host
Made sure the timeserver is matching domain time
Tags: No tags attached.
Attached Files:
- Authentication.jpg (159,125 bytes) 2010-03-14 12:58
- AD Join.jpg (141,731 bytes) 2010-03-14 12:58
- Group policy setting.jpg (195,718 bytes) 2010-03-14 13:00
- dns.jpg (45,773 bytes) 2010-03-15 07:45
- Working DNS.jpg (144,280 bytes) 2010-03-15 16:42
- Custom DNS.jpg (153,292 bytes) 2010-03-15 21:56
- running-services.jpg (149,005 bytes) 2010-03-16 07:42
- My services.jpg (158,312 bytes) 2010-03-16 08:33
- fix.jpg (76,867 bytes) 2010-03-16 09:31

Notes
(0004028)
baldy (reporter)
2010-03-12 17:22
edited on: 2010-03-12 17:26

Hi Bertus,

I have been able to successfully join Endian 2.3 to my SBS2008 server domain.

On your SBS server please check your Default Domain Policy.
Expand Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options.
Scroll down to Network Security: LAN Manager authentication level. Change it from Not Defined to Send LM & NTLM - use NTLMv2 session security if negotiated.

NTLM is disabled by default on 2008.

Also when joining the domain use only an account name without domain information. E.g. administrator and not domain.local\administrator, domain\administrator or administrator@domain.local.

Regards,

Klaas-Jan

(0004030)
baldy (reporter)
2010-03-14 13:01

Added screen prints for clarification.

Regards,

Klaas-Jan
(0004031)
bertusfloor (reporter)
2010-03-15 07:43

Hi Klaas-Jan,

Thank you very much for the information and the screenshots. I have configured my firewall exactly the same and changed the setting in the default domain policy. I have also restarted the server.

I still cannot connect to AD but now get a different error: Failed to join domain: failed to find DC for domain WIT.LOCAL

I have added the DC under network\dns as per attached file.

Do you have any ideas?

Regards,
Bertus
(0004034)
baldy (reporter)
2010-03-15 16:44

Bertus,

Might be the all capitals in both server and domainname.

Regards,

Klaas-Jan
(0004035)
baldy (reporter)
2010-03-15 21:56

Bertus,

You can also add a custom nameserver for your domain on the Endian.

That way, for your internal domain name you can point it to the SBS box.

I have added a screen print from where this has to be done.

It is also mentioned in the Endian KB http://kb.endian.com/entry/49/

Regards,

Klaas-Jan
(0004036)
bertusfloor (reporter)
2010-03-16 07:16

Thank you for your help Klaas-Jan.

I changed all the names to lower-case and added a custom nameserver on the Endian Firewall. I have also synced the time. Both AD and the Endian Firewall have the exact same time and time zone.

I also ran through the network wizard and added our SBS 2008 server's IP address in as DNS 1. I also point the IP address of our SBS 2008 Server to its name under Network > Edit Hosts.

I am still getting this error: Failed to join domain: "failed to find DC for domain WIT.LOCAL"
(0004037)
bertusfloor (reporter)
2010-03-16 07:42

I attached a screenprint of running services - is this right?
(0004038)
baldy (reporter)
2010-03-16 08:43

Bertus,

I have added a screenprint of my services; the only, imho significant, difference is the DNS proxy.

DNS proxy is running on all Endian 2.3 installations I have done so far.

Those installations also have smtp proxy enabled, not sure whether those 2 are related.

I will try to set up a clean 2.3 system with no options enabled and check if that one can join the domain.

Btw, your error still says WIT.LOCAL (uppercase).

Regards,

Klaas-Jan
(0004040)
bertusfloor (reporter)
2010-03-16 09:33

It's working!

I looked at the DNS proxy you suggested, and changed the server name to the IP as per the fix.jpg attached and could connect straight away.

Thanks Klaas-Jan!
(0004041)
simon-endian (developer)
2010-03-16 09:37

hi,

with 2.3 it is not required to make a dns proxy and host entry.

some questions for clarification:
- did you enable the http proxy before trying to join the domain? (toggle button at proxy > http > configuration)
- did you save & apply the settings at proxy > http > authentication, before trying to join (this is currently required)
- did you use the same value for authentication realm and domain name? in your case you should use WIT.LOCAL (uppercase at authentication realm and lowercase at domain name)
- what did you use for PDC and BDC hostname? this should be the computername of the windows server (there is a bug related to BDC hostname. so you should leave it empty)

Regards,
Simon
(0004042)
bertusfloor (reporter)
2010-03-16 09:51

I did not enable the http proxy before joining the domain, only afterwards to troubleshoot.
I always saved the settings, restarted and made sure the settings applied before trying again.
Yes I did use the same value for the authentication realm and domain name (first upper case and then later lower-case for both). -> I reverted back to my old settings and tested this. It did not work.
I left BDC empty and for PDC I entered the server name.

It connects as soon as I add the IP address instead of the host name under >Proxy >DNS >DNS Routing.
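
The points raised across the notes above, collected into a pre-join check as an added example (not Endian's code and not part of any post). The dict keys, the sample account name and the `lm_level` numbers are assumptions; the level numbers are the LmCompatibilityLevel values behind the "LAN Manager authentication level" policy.

```python
import ipaddress

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def preflight(cfg):
    """Check a join configuration (dict; key names are hypothetical) against
    the points raised in notes 0004028, 0004041 and 0004042."""
    findings = []
    # 0004028: account name only, no DOMAIN\user or user@domain form.
    if "\\" in cfg["join_account"] or "@" in cfg["join_account"]:
        findings.append("join_account: use the bare account name")
    # 0004041: same value in both fields, realm uppercase, domain name lowercase.
    if cfg["realm"].lower() != cfg["domain"].lower():
        findings.append("realm/domain: values differ")
    elif cfg["realm"] != cfg["realm"].upper() or cfg["domain"] != cfg["domain"].lower():
        findings.append("realm/domain: realm uppercase, domain name lowercase")
    # 0004041: PDC is the Windows computer name; BDC hostname stays empty.
    if is_ip(cfg["pdc_hostname"]) or "." in cfg["pdc_hostname"]:
        findings.append("pdc_hostname: use the computer name")
    if cfg.get("bdc_hostname"):
        findings.append("bdc_hostname: leave empty")
    # 0004042: the DNS routing entry for the domain must name the DC by IP.
    if not is_ip(cfg["dns_routing_nameserver"]):
        findings.append("dns_routing_nameserver: use the IP address")
    # LmCompatibilityLevel 0-1 send LM and NTLM responses, 2 sends NTLM only,
    # 3-5 send NTLMv2 only; report any level below 3.
    if cfg["lm_level"] < 3:
        findings.append("lm_level: LM or NTLMv1 responses are sent")
    return findings

# Constructed sample values; only the realm, PDC name and IP come from the issue.
AS_REPORTED = {
    "join_account": "wit.local\\administrator", "realm": "wit.local",
    "domain": "wit.local", "pdc_hostname": "SBS2008", "bdc_hostname": "",
    "dns_routing_nameserver": "sbs2008", "lm_level": 3,
}
AS_FIXED = dict(AS_REPORTED, join_account="administrator", realm="WIT.LOCAL",
                dns_routing_nameserver="10.0.0.2", lm_level=1)

if __name__ == "__main__":
    for name, cfg in (("as reported", AS_REPORTED), ("as fixed", AS_FIXED)):
        print(name, preflight(cfg))
```

The one finding left on the fixed configuration is the policy change from note 0004028, which lets domain members send LM and NTLM responses again.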

- Issue History
Date Modified Username Field Change
2010-03-12 12:55 bertusfloor New Issue
2010-03-12 14:43 ra-endian Assigned To => simon-endian
2010-03-12 14:43 ra-endian Status new => acknowledged
2010-03-12 17:22 baldy Note Added: 0004028
2010-03-12 17:26 baldy Note Edited: 0004028
2010-03-14 12:58 baldy File Added: Authentication.jpg
2010-03-14 12:58 baldy File Added: AD Join.jpg
2010-03-14 13:00 baldy File Added: Group policy setting.jpg
2010-03-14 13:01 baldy Note Added: 0004030
2010-03-15 07:43 bertusfloor Note Added: 0004031
2010-03-15 07:45 bertusfloor File Added: dns.jpg
2010-03-15 16:42 baldy File Added: Working DNS.jpg
2010-03-15 16:44 baldy Note Added: 0004034
2010-03-15 21:56 baldy Note Added: 0004035
2010-03-15 21:56 baldy File Added: Custom DNS.jpg
2010-03-16 07:16 bertusfloor Note Added: 0004036
2010-03-16 07:42 bertusfloor File Added: running-services.jpg
2010-03-16 07:42 bertusfloor Note Added: 0004037
2010-03-16 08:33 baldy File Added: My services.jpg
2010-03-16 08:43 baldy Note Added: 0004038
2010-03-16 09:31 bertusfloor File Added: fix.jpg
2010-03-16 09:33 bertusfloor Note Added: 0004040
2010-03-16 09:37 simon-endian Note Added: 0004041
2010-03-16 09:51 bertusfloor Note Added: 0004042
2010-03-16 09:52 bertusfloor Status acknowledged => resolved
2010-03-16 09:52 bertusfloor Resolution open => fixed
2010-11-22 12:08 peter-endian Fixed in Version => 2.4.1
2010-11-22 12:08 peter-endian Status resolved => closed