When attempting to join the ProxySG to our Active Directory Windows Domain with Kerberos RC4/MD5 encryption disabled, it is failing to join.
Active directory domain will have the following Kerberos security settings imposed in the domain policy:
Note: The RC4/MD5 are not selected therefore the AD will not accept any requests containing those encryption types
Domain join failed:
"EPM" failed to join
KDC has no support for encryption type
Active directory domain has RC4/MD5 Kerberos encryption disabled however due to the fact that the logon named supplied does not exactly match the name in Active directory the ProxySG needs to hash the credentials. This hashing procedure is done with RC4/MD5 so it will not be possible to join the Active directory domain unless the logon name is entered as it appears in active directory.
For example, if the User logon name in active directory is specified as below:
In the ProxySG we would need to exactly enter "John DoE", if we were to enter instead "john doe". The ProxySG will hash this and the request will be made with RC4/MD5 which will cause the ProxySG to fail to join the domain.
Consult with the Active directory team and determine the User logon name for the account being used to join the Active directory domain and confirm the case sensitivity of that account. Once we have the correct account name we will be able to join the Active directory domain.
Subscribing will provide email updates when this Article is updated. Login is required.