KB40682 - Active Directory authentication server 'XXXX': No logon servers are currently available. Device could not connect to any domain controller of the domain


Last Modified Date: 7/8/2017 6:20 PM
Synopsis
This article provides information about the critical message for "Active Directory authentication server 'XXXX': No logon servers are currently available. Device could not connect to any domain controller of the domain" and the reasons why this message appears.
Problem or Goal
When Active Directory mode is configured for authentication, the following critical error message will appear in the event logs:
Active Directory authentication server 'XXXX': No logon servers are currently available. 
Device could not connect to any domain controller of the domain
In the User access log, the message will indicate the failed authentication attempt and the corresponding username:
info - [62.251.41.189] - acmegizmo(PulseSecure)[] - 2017/02/17 07:44:17 - 
Active Directory authentication server 'XXXX': No logon servers are currently available. 
Device could not connect to any domain controller of the domain.
Cause
This issue can occur for multiple reasons when Kerberos authentication fails. The most common reasons are the following:
  • Incorrect username
  • Incorrect password
  • User account is locked out
This issue applies to all Pulse Connect Secure versions with Active Directory mode configured and Kerberos authentication enabled. It does not apply to Active Directory Legacy Mode, or to Active Directory mode with Kerberos authentication disabled.
Solution
Pulse Secure is working to reduce the frequency of the log message to only critical scenarios. PRS-353429 has been filed to improve the log message in a future release.

To properly root cause the issue, perform the following steps:
  1. Login to the admin console
  2. Navigate to Maintenance > TroubleShooting > Tools > TCPDump
  3. In the filter field, enter udp port 88
  4. Click Start Sniffing
Once enabled, have an end user reproduce the issue or monitor the user access logs until the error occurs. Once the issue occurs, stop and save the TCPDump and provide a copy of the event and user access logs.

In the tcpdump, there may be multiple Kerberos error messages. Here is a list of the most common error messages and what they mean:

Informational:

These messages can be safely ignored, as they do not result in a failed authentication.
  • KDC_ERR_PREAUTH_REQUIRED - The user account requires Kerberos pre-authentication. The user will be prompted for credentials after this message.
  • KRB_ERR_RESPONSE_TOO_BIG - The KDC response is too large for UDP. The Pulse Connect Secure device falls back to TCP to complete the authentication.

Errors:

  • KDC_ERR_PREAUTH_FAILED - The end user entered an incorrect username or password.
  • KDC_ERR_ETYPE_NOTSUPP - The encryption type sent from PCS to the KDC is not supported.
  • KDC_ERR_S_PRINCIPAL_UNKNOWN / KDC_ERR_C_PRINCIPAL_UNKNOWN - The user account does not exist in the KDC, or duplicate accounts may exist.
  • KDC_ERR_CLIENT_REVOKED - The account has expired or is disabled.
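To triage the saved capture without loading it into a protocol analyser, the following added example (not Pulse Secure's code) decodes the error-code field of a KRB-ERROR message as carried in a UDP port 88 datagram and labels it with the informational/error split used above. The sample message, its realm EXAMPLE.LOCAL and its timestamp are constructed for illustration; the error-code numbers come from RFC 4120.

```python
# Kerberos error codes (RFC 4120, section 7.5.9) for the messages the article lists.
KRB_ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOTSUPP", 18: "KDC_ERR_CLIENT_REVOKED", 24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED", 52: "KRB_ERR_RESPONSE_TOO_BIG",
}
INFORMATIONAL = {25, 52}  # per the article: these alone do not mean authentication failed

def read_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos] -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_krb_error(payload):
    """Return the error-code ([6] Int32) of a KRB-ERROR carried in a UDP port 88 datagram."""
    tag, body, _ = read_tlv(payload)
    if tag != 0x7E:                         # [APPLICATION 30] constructed == KRB-ERROR
        raise ValueError("not a KRB-ERROR message")
    _, fields, _ = read_tlv(body)           # the inner SEQUENCE holding the tagged fields
    pos = 0
    while pos < len(fields):                # walk the context-tagged fields in order
        ctx_tag, inner, pos = read_tlv(fields, pos)
        if ctx_tag & 0x1F == 6:
            _, value, _ = read_tlv(inner)   # unwrap [6] to the INTEGER inside
            return int.from_bytes(value, "big", signed=True)
    raise ValueError("KRB-ERROR without error-code")

def triage(payload):
    """Classify a captured KRB-ERROR as (code, name, severity) using the article's split."""
    code = parse_krb_error(payload)
    name = KRB_ERROR_NAMES.get(code, f"UNKNOWN({code})")
    return code, name, "informational" if code in INFORMATIONAL else "authentication error"

def tlv(tag, value):
    """Build a short-form DER TLV (sufficient for the constructed sample below)."""
    return bytes([tag, len(value)]) + value

# Constructed sample, not a real capture: a KRB-ERROR with error-code 24, realm invented.
SAMPLE_KRB_ERROR = tlv(0x7E, tlv(0x30,
    tlv(0xA0, tlv(0x02, b"\x05")) + tlv(0xA1, tlv(0x02, b"\x1E")) +          # pvno 5, msg-type 30
    tlv(0xA4, tlv(0x18, b"20170217074417Z")) + tlv(0xA5, tlv(0x02, b"\x00")) +  # stime, susec
    tlv(0xA6, tlv(0x02, b"\x18")) +                                          # error-code 24
    tlv(0xA9, tlv(0x1B, b"EXAMPLE.LOCAL")) +                                 # realm
    tlv(0xAA, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) +                      # sname, NT-SRV-INST
        tlv(0xA1, tlv(0x30, tlv(0x1B, b"krbtgt") + tlv(0x1B, b"EXAMPLE.LOCAL")))))))
```

Feed `triage()` the UDP payload of each KRB-ERROR datagram from the saved capture; over TCP the same message is preceded by a 4-byte length prefix that must be stripped first.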


Workaround:

Until a fixed release is provided, administrators can disable the Kerberos protocol and enable the NTLM protocol.

Created By: Vishnu Ravikumar
