Description
This article explains how to fix the FortiAuthenticator error:
- Failed to join Windows AD network: Domain Name from the FortiAuthenticator logs.
Scope
FortiAuthenticator.
Solution
Configure Windows Active Directory Domain Authentication.
- Go to Authentication -> Remote Auth. Servers -> LDAP and edit Remote LDAP Server.
- Enable Windows Active Directory Domain Authentication.
- Set Kerberos's real name.
- Set Domain NetBIOS name.
- Set FortiAuthenticator NetBIOS name.
- Set Administrator username. -> Domain Administrator.
- Set Administraror password.
To know Kerberos's real name:
- Go to Windows Server -> Server Manager -> Tools -> Active Directory Domains and Trust.
- The Active Directory domain names are listed.
- The Active Directory domain name is also the corresponding Kerberos realm name and DNS domain name.
- It is also possible to use the command 'set' in Windows CMD.
- Or to use the command: 'echo %userdnsdomain%' in Windows CMD.
To know the Domain NetBIOS name.
- Use the command 'set' in Windows CMD and identify: USERDOMAIN=
- Or use the command: 'echo %userdomain%'
In summary, there are some ways to know Kerberos and NetBIOS information:
- To Know Kerberos by Windows CMD type: echo %userdnsdomain%
- To Know NetBIOS by Windows CMD type: echo %userdomain%
To know FortiAuthenticator NetBIOS name.
- FortiAuthenticator NetBIOS name is FortiAuthenticator Hostname.
- FortiAuthenticator needs to have Internal DNS configured.
- It is necessary to create an internal DNS Registry Host Type A with FortiAuthenticator Hostname and FortiAuthenticator IP.
- To open the DNS manager, open the Start menu, and select Windows Administrative Tools -> DNS.
- To create a new entry, click on Action -> New Host (A or AAAA), put the name and it will take the FQDN with domain name, then put the IP address for A record.
After complete configuration.
- Go to Monitor -> Authentication -> Windows AD -> Should show Connection: joined domain, connected:
- And logs show.
If there are still issues with joining, check/change the following:
- Internal DNS is configured: go to System -> Networks -> DNS and set at least one internal DNS server.
- FortiAuthenticator must be able to resolve and reach the domain to join.
- The time/time zone is correct on the FortiAuthenticator and in sync with the DC, use the same NTP source on both if possible.
- If there is a FortiAuthenticator computer account (or duplicates) on the DC (Active Directory Users and Computers, expand the domain, Computers), delete all of them, it will be recreated once the FortiAuthenticator joins the domain.
- Make sure to use a domain admin account.
- If there is a firewall between FortiAuthenticator and AD, for example, a FortiGate, make sure that the domain join ports are not blocked. The ports used with Windows AD domain authentication are TCP/88, 135, 139, and 445.
The FortiAuthenticator should be joined to the domain, and check Logging, Log Access, and Logs. If none of these help and joining the domain is still not possible, raise a ticket with the TAC Support TEAM.
Related documents:
Troubleshooting Tip: How to work with FortiAuthenticator Technical Support
