When joining a Windows Domain with the ProxySG or ASG fails with error: "ERROR_PRIVILEGE_NOT_HELD"

Article ID: 167418


Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

You are trying to join a ProxySG or Advanced Secure Gateway (ASG) to a Windows domain, but the join keeps failing with the error message "ERROR_PRIVILEGE_NOT_HELD".

In the Event Log, you will see this message:

[LsaSrvProviderIoControl() /home/service-releng/p4/scorpius/sg_6_3/src/security/likewise/lsass/server/api/provider.c:112] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 1314, symbol = ERROR_PRIVILEGE_NOT_HELD, client pid = 0"  0 250034:1   sg_syslog.cpp:78

Cause

As per the documentation, Blue Coat recommends using an Administrator account to join the ProxySG or ASG to a Windows domain. It is possible, however, to join the domain with a non-Administrator account by applying a workaround. Blue Coat Engineering is investigating support for joining with a normal user account without a workaround.

The failure with a normal user account occurs because the SG tries to set Delegation on the computer object after that object has been created in the AD tree. A normal user is not permitted to set Delegation, so the attempt fails with:

ERROR_PRIVILEGE_NOT_HELD

Resolution

To work around this problem, do one of the following:

1) Use the Administrator account as the documentation recommends. This avoids the problem entirely, and the error does not occur.

2) If you have already received the error, log in to your Active Directory server and browse to the computer object created for the ProxySG. Right-click that object, select Properties, and then open the Delegation tab. Select the "Trust this computer for delegation to any service" option and click Apply. Return to your ProxySG and log in again using the same user credentials that failed previously. The join should now succeed.
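The GUI change in step 2 can also be inspected and applied from PowerShell, which is useful both for scripting the workaround and for auditing it afterwards. The following is an added example and is not part of the article or of any Blue Coat tooling. It assumes the ActiveDirectory RSAT module is available, that the computer object is named PROXYSG01 (a placeholder), and that the account running it holds the "Enable computer and user accounts to be trusted for delegation" user right, which is the privilege behind Windows error 1314 (ERROR_PRIVILEGE_NOT_HELD). "Trust this computer for delegation to any service" corresponds to the TRUSTED_FOR_DELEGATION bit (0x80000) of userAccountControl, so the final query lists every computer that carries that bit.

```powershell
# Added example, not from the KB article: inspect, set and audit the delegation
# flag that the "Trust this computer for delegation to any service" radio button sets.
# Assumptions: ActiveDirectory module present; PROXYSG01 is a placeholder name.
Import-Module ActiveDirectory

$ComputerName = 'PROXYSG01'            # placeholder: the object the ProxySG join created
$TRUSTED_FOR_DELEGATION = 0x80000      # userAccountControl bit for unconstrained delegation

function Get-DelegationState {
    param([string]$Name)
    $c = Get-ADComputer -Identity $Name -Properties userAccountControl, TrustedForDelegation
    [pscustomobject]@{
        Name                 = $c.Name
        TrustedForDelegation = $c.TrustedForDelegation
        UacFlagSet           = (($c.userAccountControl -band $TRUSTED_FOR_DELEGATION) -ne 0)
    }
}

# 1. Show the state the failed join left behind (expected: TrustedForDelegation = False).
Get-DelegationState -Name $ComputerName

# 2. Apply the same change as the Delegation tab in step 2 of the Resolution.
#    Without the delegation user right the directory refuses this write, which is
#    the same condition the ProxySG reports as ERROR_PRIVILEGE_NOT_HELD.
try {
    Set-ADComputer -Identity $ComputerName -TrustedForDelegation $true -ErrorAction Stop
}
catch {
    Write-Warning "Could not set delegation on ${ComputerName}: $($_.Exception.Message)"
}

# 3. Verify the flag is now set before retrying the join from the ProxySG.
Get-DelegationState -Name $ComputerName

# 4. Audit: unconstrained delegation is a sensitive setting, so list every computer
#    object that carries the bit (domain controllers have it by default) and confirm
#    only the expected objects appear.
Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" -Properties TrustedForDelegation |
    Select-Object Name, DistinguishedName, TrustedForDelegation
```

Run this from a domain controller or a management host with RSAT, as the same account you intend to use for the ProxySG join; if step 2 fails there, the account lacks the delegation user right and the join will fail in the same way.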