Error: "The pool failed to enable external authentication" on XenServer

Article ID: CTX130592

Description

Unable to join the XenServer hosts to an Active Directory domain. The computer account is created in the domain, but the following error continues to appear:
Enabling Active Directory Authentication on pool … “Error: The pool failed to enable external authentication.”

In the xensource.log the following errors are logged:

[20110712T19:41:11.478Z|debug|xs1baa-r219|1639419 unix-RPC|host.enable_external_auth D:9068d9ad49a0|extauth_plugin_ADlikewise] Request 1/60 to external authentication server returned KRBTGT Not_found, waiting 5 secs to try again
[20110712T19:41:42.394Z|debug|xs1baa-r219|1639419 unix-RPC|host.enable_external_auth D:9068d9ad49a0|extauth_plugin_ADlikewise] Likewise raised an error for cmd /opt/likewise/bin/lw-find-user-by-name "--minimal" "domain.com\KRBTGT" : (40008) No such user

Resolution

Resolution 1

By default Active Directory should allow the computer object to browse the KRBTGT user. If this is blocked, then there is some type of policy in place in Active Directory preventing access. Refer to the Microsoft documentation on troubleshooting permission issues.

Resolution 2

The Likewise management console snap-in must be used to add the KRBTGT user, together with any users you plan to authenticate through external authentication, to the default cell.

Complete the following steps to add the user to the default cell and users:

  1. Launch the Likewise Enterprise Console.

  2. Click the Launch Cell Manager link.

  3. Right-click Users, select New, and then select User.

  4. Add the KRBTGT user and any other users that authenticate using XenServer external authentication.

  5. Use XenCenter to enable external authentication successfully.


Problem Cause

Note: The KRBTGT user is used to verify if the XenServer can access Active Directory.

The following are the two causes for this issue:

  • The XenServer computer object created in the join process does not have rights to see the KRBTGT user. This access can be blocked by a group policy object (GPO).

  • An existing Likewise Enterprise installation is already integrated with Active Directory. The Likewise code changes its behavior when it finds a default cell and then needs to be able to read the following user attributes: uid, uidNumber, gidNumber, loginShell, and unixHomeDirectory. If a default cell is defined, the krbtgt user must be added to that default cell before XenServer can enable external authentication.
    Run the following command at the command line interface of the XenServer host to identify whether a default cell is defined:
    /opt/likewise/bin/lw-get-status
    If the output shows the authentication provider mode set to “Default Cell”, this confirms that Likewise Enterprise is in control of the Active Directory configuration.
    Normally the authentication provider mode is “Un-provisioned”.

    LSA Server Status:
    Compiled daemon version: 5.0.0.0
    Packaged product version: 5.4.0.51423
    Uptime: 31 days 0 hours 47 minutes 37 seconds
    [Authentication provider: lsa-activedirectory-provider]
    Status: Online
    Mode: Default Cell
    Domain: DOMAIN.COM
    Forest: domain.com
    Site: corp
    Online check interval: 300 seconds
    Sub mode: Schema
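The following POSIX shell script is an added example and is not part of the Citrix article or of the Likewise product: it parses the two diagnostics the article relies on, the lw-get-status output (to tell a "Default Cell" mode from the normal "Un-provisioned" mode) and the xensource.log entries (to count the KRBTGT Not_found retries and pull out the Likewise error code), so a host can be checked in a script before retrying the join. The status text and log lines below are constructed samples modelled on the article's excerpts; the paths /opt/likewise/bin/lw-get-status and /var/log/xensource.log in the usage comment are assumptions taken from the article and from typical XenServer layouts.

```shell
#!/bin/sh
# Added example (not Citrix's or Likewise's code): parse lw-get-status output
# and xensource.log text to confirm the "Default Cell" condition described above.

# Constructed sample of lw-get-status output, modelled on the article's excerpt.
SAMPLE_STATUS_DEFAULT_CELL='LSA Server Status:
Compiled daemon version: 5.0.0.0
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Default Cell
Domain: DOMAIN.COM
Sub mode: Schema'

# Constructed sample for the normal (non-Enterprise) case the article mentions.
SAMPLE_STATUS_UNPROVISIONED='LSA Server Status:
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: DOMAIN.COM'

# Constructed xensource.log excerpt: two KRBTGT retries and one Likewise error line.
SAMPLE_LOG='[20110712T19:41:11.478Z|debug|host1|1|extauth_plugin_ADlikewise] Request 1/60 to external authentication server returned KRBTGT Not_found, waiting 5 secs to try again
[20110712T19:41:16.480Z|debug|host1|1|extauth_plugin_ADlikewise] Request 2/60 to external authentication server returned KRBTGT Not_found, waiting 5 secs to try again
[20110712T19:41:42.394Z|debug|host1|1|extauth_plugin_ADlikewise] Likewise raised an error for cmd /opt/likewise/bin/lw-find-user-by-name "--minimal" "domain.com\KRBTGT" : (40008) No such user'

# Print the value of the first "Mode:" line in lw-get-status text given as $1.
lw_mode() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Mode:[[:space:]]*//p' | head -n 1
}

# Exit 0 when the provider mode is "Default Cell", meaning a Likewise Enterprise
# default cell controls the AD configuration and KRBTGT must be added to the
# cell (Resolution 2); exit non-zero otherwise (Resolution 1 applies instead).
is_default_cell() {
  [ "$(lw_mode "$1")" = "Default Cell" ]
}

# Count "KRBTGT Not_found" retry lines in xensource.log text given as $1.
# grep -c still prints 0 when nothing matches but exits 1, hence "|| true".
krbtgt_notfound_count() {
  printf '%s\n' "$1" | grep -c 'KRBTGT Not_found' || true
}

# Print the numeric Likewise error code (e.g. 40008) from the first
# "Likewise raised an error" line in $1; prints nothing if there is none.
likewise_error_code() {
  printf '%s\n' "$1" | sed -n 's/.*Likewise raised an error.*(\([0-9]*\)).*/\1/p' | head -n 1
}

# Live use on a XenServer host (assumed paths):
#   status=$(/opt/likewise/bin/lw-get-status)
#   if is_default_cell "$status"; then
#     echo "Mode is Default Cell: add KRBTGT to the default cell (Resolution 2)"
#   else
#     echo "Mode is $(lw_mode "$status"): check AD permissions on KRBTGT (Resolution 1)"
#   fi
#   log=$(cat /var/log/xensource.log)
#   echo "KRBTGT lookup retries: $(krbtgt_notfound_count "$log")"
#   echo "Likewise error code: $(likewise_error_code "$log")"
```

The mode check is deliberately an exact match on "Default Cell" rather than a substring test, so that an "Un-provisioned" host is never mistaken for the Likewise Enterprise case and sent down Resolution 2.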

Issue/Introduction

This article contains information about how to resolve the issue of being unable to join the XenServer hosts to an Active Directory domain.