KB22289 - Active Directory troubleshooting procedure

This article provides a troubleshooting procedure for resolving Active Directory login issues.

 You may experience the following error, when setting up a Windows 2003/2008 Active Directory Authentication Server:

Error
Error while joining domain JTACLAB. Possible causes:
- The specified administrator credentials do not properly authenticate.
- The specified domain or domain controller may not be valid.
Also, the device's clock must be in sync with the Active Directory server.

1. Verify the Active Directory Server configuration in IVE > Auth Servers.
   
   Click Test Configuration to confirm the configuration is correct and the Auth Server is reachable.

• If you receive an error stating that the Auth Server is unreachable, make sure to ping the Auth Server from the following location:
  
  Troubleshooting > Tools > Commands > ping
  
  (The Authentication Server needs to be reachable).

• Ensure that the IP Address and Domain name credentials are entered correctly.

• Verify that you are using an NTP server; the Clock should be the same between the Domain Controller and the IVE.

• Try setting the time manually from the browser, under System > Status > System Date & Time click Edit.

• Try testing by using different user names with domain admin/enterprise admin privileges; verify the credentials.

• Change the computer object name in View Advanced Options.
  
  The next time you click Test Configuration in the Auth Server, a new computer name is added in the Active Directory container.

• Select only Kerberos and NTLM V2 and see if that works.

• Uncheck Kerberos and select only NTLM v2, v1 from the Authentication Protocol (steps 8 and 9 can be performed, if the Kerberos/NTLM protocols are failing).

• Select the User may belong to Domain Local Groups across trust boundaries option in the AD/NT auth instance (this option is under View Advanced Options).

• Try restarting the services/Reboot the IVE if this issue is intermittent.

• Create a new Active Directory Auth Server instance. Refer to the following link for Active Directory configuration:
  
  //www.pulsesecure.net/base/images/kb-images/kb-files/techpubs/software/ive/guides/howtos/How_To_AD_LDAP_Configuration.pdf

• Create a new LDAP server instance. Refer to the following link for LDAP configuration:
  
  //www.pulsesecure.net/base/images/kb-images/kb-files/techpubs/software/ive/guides/howtos/How_To_AD_LDAP_Configuration.pdf

• For information on setting the cryptographic services, if you are using Windows 2008 Server, refer to KB16105 - Role mapping with group lookup for Pulse Secure PCS device is not working in Windows Server 2008 and Service Pack 2