Active Directory Join Failing
-
Hello all,
Can’t seem to get my clients to join AD…
FOG Server Version: 1.5.0-RC-13
FOG Client Version: 0.11.15 (Upgraded after having same problems with 0.11.14 that came with 1.5.0-RC-13)
Host is Windows 10 1709 Education EditionFOG Active Directory Tab for Host:
Domain Name: domain.lan
Org Unit: blank
Domain Username: SF
Domain Password: Entered and manually confirmed correct
Domain Password Legacy: Left Blank (However, I tried by using FOGCrypt on that as well, no luck)FOG.log on host is showing:
HostnameChanger Logon failure: unknown username or bad password, code = 1326
SF account is getting locked on domain. And Security Event Log on DC is showing bad password. (So at least I know the FOG Client is passing the correct username)
Any ideas?
Thanks,
Jeff
-
@jeffscott There is a bug related to this that is present in the 1.5.0 release. You are using 1.5 RC 13, so I am not sure if the bug was present in that RC or not, but it’s likely that it is. 1.5.1 should be released in a week or so. My recommendation is to sit tight until 1.5.1 is released - and once released, update to it.
-
I’m not sure i understand what the bug is.
Is the Domain Password (not legacy) encrypted or decrypted?
1.5.0 the auto-encrypted element of the password was removed, though encrypted passwords should still work. I’m not aware of any problems happening with them currently.
-
@tom-elliott from what i can say is that with some RC something changed regarding to host settings, one day i mentioned that the password for domain join was empty. After filling it again it won’t be shown as encrypted. Afai remember in the past it was shown encrypted regardsless it was entered plain or not.
I don’t know if this is related to that problem but after i filled our ad password again it was working like expected even when not showed encrypted in the webif.
Regards X23
-
@x23piracy right in the past the field was encrypted but how it was stored defeated the purpose of encrypting it in the first place.
-
Well, I upgraded to v1.5.2 and I’m still getting the same problem. I manually joined one client using the same credentials I have configured in FOG just to confirm my sanity in that I had the correct username/password and it was successful.
Account is getting locked out on the Domain so I still know it is passing the correct username… Evidently, it is not passing the correct password…
-
@jeffscott said in Active Directory Join Failing:
Evidently, it is not passing the correct password…
Correct. Try to reset the user/pass via the web gui to what it is supposed to be and see if the issue persists. If it persists, let us know so we can continue to troubleshoot this with you.
-
Yes, I’ve tried that several times. Even tried using the Domain Admin…
-
@Joe-Schmitt what are your thoughts on this?
-
Joe Schmitt Senior Developerlast edited by Joe Schmitt Apr 25, 2018, 10:12 AM Apr 25, 2018, 4:08 PM
@jeffscott the quickest way to see what’s going on is to do the following steps on a problematic machine:
- Open an administrative CMD, and run
net stop fogservice - Navigate to your FOG server’s web portal, select the host you are working on and perform these steps:
- Press
Reset Encryption Dataif its an option
- Press
- Download our Debugger.exe and run it
- The Debugger will open a console that has a
fog:prompt, please enter these commands, pressing enter after each one (replace{server-ip}with your actual FOG server IP):middleware configuration server http://{server-ip}/fogmiddleware authentication handshakedump cycle save
The debugger should point you to a
FOGCycle.txtfile. This contains all the information the server tells the client, completely decrypted. Can you make sure thehostnamechangersection has the correct active directory login/OU information? You can then hopefully debug the problem better and identify what credential the client is receiving.To clean up:
- Close the debugger
- click
Reset Encryption Dataagain on the host in the gui - start back up the fog service if you want
@Moderators feel free to copy & paste these steps for people with similair issues in the future. The steps shouldn’t change in the foreseeable future.
- Open an administrative CMD, and run
-
OK, I performed that procedure and I can see the password that it is passing is no where near correct…
Looks like it is an encrypted version??? (I can’t even tell what one of the characters is)
-
@Tom-Elliott it seems the server is not sending the password correct.
-
Where have you changed the Password?
-
2 Places:
Initially in FOG Configuration, FOG System Settings, Active Directory Defaults
&
Subsequently re-entered it in Host Management, Active Directory for the Host I’m testing with
Entering the password in the “Domain Password” Field. Leaving “Domain Password Legacy” field blank
-
@jeffscott just to clarify, you’re using the plaintext password in the non legacy password field? Maybe we can remote tomorrow so I can see what’s going on?
-
Hey Tom,
Sorry, I was away for a few days…
Yes, I’m using the non-legacy password field. Yes, I’d be willing to do a remote session.
Thanks,
Jeff
-
Hey Tom,
I’m just now coming back around to this…
Any updates on this?
Thanks,
Jeff
-
@jeffscott I’m willing whenever you’re able. Maybe this afternoon? (I’m on EDT)
-
-
Any chance we can revisit this?