When attempting to query Active Directory objects from a Trusted Domain, a PowerScale cluster in a Trusting Domain produces an error. This may result in being unable to add user objects to Share Permissions, ACLs, and so forth.

The following entries appear in the lsass logs:

    lsass[85427]: [lsass] Ignoring failure enumerating trusts for forest , <CustomerDomain.com> Error was ERROR_AUTHENTICATION_FIREWALL_FAILED (1935)

This error may show up while running the command isi auth mapping token for the user object in the Trusted Domain:

    # isi auth mapping token --user="CustomerDomain.com\\TestUserAccount"
    Failed to map user 'CustomerDomain.com\TestUserAccount': No such user

The same error appears when adding a user object to share permissions, for example:

    # isi smb shares permission create --share=ShareName --zone=ZoneName "CustomerDomain.com\\TestUserAccount"
    Failed to create persona 'USER:CustomerDomain.com\TestUserAccount'

Packet captures show the following:

    347 2015-12-02 13:38:59.050609 10.29.1.61 141.119.201.2 KRB5 21 196 KRB Error: KRB5KDC_ERR_POLICY NT Status: Unknown error code 0xc0000413 0.016839

This issue occurs as a result of enabling Selective Authentication on the AD Trusts. Selective Authentication is a feature whereby the Domain Admin may manage Trusts in a granular fashion. Trusts may be verified as described here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753821(v=ws.11)?redirectedfrom=MSDN

Tip: Netdom provides the best output to troubleshoot this issue.
Selective Authentication is enabled on the relevant trusts in the Active Directory Domains and Trusts objects. The feature is described in detail in the articles below:

Security Considerations for Trusts: https://technet.microsoft.com/en-us/library/cc755321%28v=ws.10%29.aspx

Configuring Selective Authentication Settings: https://technet.microsoft.com/en-us/library/cc755844%28v=ws.10%29.aspx
Add the User or Group in question to the Allowed to Authenticate permission for the Cluster Object, or remove Selective Authentication, per the KBs below:

A TGS request for the krbtgt account fails with KDC_ERR_POLICY and an extended status of STATUS_AUTHENTICATION_FIREWALL_FAILED (0xC0000413): https://support.microsoft.com/en-us/kb/2959395

Grant the "Allowed to Authenticate" permission on Computers in the Trusting Domain or Forest: https://technet.microsoft.com/en-us/library/cc816733%28v=ws.10%29.aspx
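The following PowerShell is an added example of the resolution above; it is not part of the Dell article and not Dell or Microsoft code. Run from a domain-joined Windows host in the Trusting Domain with the ActiveDirectory RSAT module. It first confirms the cause (Selective Authentication set on the trust), then grants the Allowed-To-Authenticate control access right for the trusted-domain principal on the cluster's computer object, and finally lists the resulting ACEs. The domain name, cluster machine-account name and principal are placeholders; the cluster account name in particular is an assumption you must replace with the cluster's actual machine account in the Trusting Domain.

```powershell
# Added example, not from the Dell KB. All names below are placeholders.
Import-Module ActiveDirectory

$TrustedDomain  = 'CustomerDomain.com'                 # domain the user object lives in (placeholder)
$ClusterAccount = 'POWERSCALE-CLUSTER'                 # sAMAccountName of the cluster's machine account (assumed placeholder)
$Principal      = 'CustomerDomain\TestUserAccount'     # user or group that must be able to authenticate (placeholder)

# 1. Confirm the cause: is Selective Authentication enabled on the trust to the Trusted Domain?
$trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -Properties SelectiveAuthentication
if (-not $trust) { throw "No trust to $TrustedDomain found in this domain" }
"Trust to {0}: SelectiveAuthentication = {1}" -f $trust.Name, $trust.SelectiveAuthentication

# 2. Grant Allowed-To-Authenticate on the cluster's computer object.
#    Allowed-To-Authenticate is an extended (control access) right in the AD schema,
#    identified by this well-known rightsGuid.
$allowedToAuthGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

$computer = Get-ADComputer -Identity $ClusterAccount
$adPath   = 'AD:\' + $computer.DistinguishedName
$acl      = Get-Acl -Path $adPath

# Resolve the trusted-domain principal to a SID (assumes the Trusting DC can resolve it over the trust).
$sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# 3. Verify: show every Allow ACE on the cluster object that carries the Allowed-To-Authenticate right.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthGuid -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

After the ACE is in place, re-run isi auth mapping token for the user on the cluster; the mapping should succeed once the Trusting DC stops returning KRB5KDC_ERR_POLICY (0xC0000413) for TGS requests on behalf of the cluster. Granting the right to a group rather than individual users keeps Selective Authentication in place while avoiding per-user ACL churn; removing Selective Authentication from the trust altogether is the broader alternative the KB mentions.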