Unable to join the XenServer hosts to Active directory domain. The computer account is created in the domain but the following error continues to appear:
Enabling Active Directory Authentication on pool … “Error: The pool failed to enable external authentication.”
In the xensource.log the following errors are logged:
[20110712T19:41:11.478Z|debug|xs1baa-r219|1639419 unix-RPC|host.enable_external_auth D:9068d9ad49a0|extauth_plugin_ADlikewise] Request 1/60 to external authentication server returned KRBTGT Not_found, waiting 5 secs to try again
[20110712T19:41:42.394Z|debug|xs1baa-r219|1639419 unix-RPC|host.enable_external_auth D:9068d9ad49a0|extauth_plugin_ADlikewise] Likewise raised an error for cmd /opt/likewise/bin/lw-find-user-by-name "--minimal" "domain.com\KRBTGT" : (40008) No such user
By default, Active Directory allows the computer object to look up the KRBTGT user. If this lookup is blocked, a policy in Active Directory is preventing access. Refer to the Microsoft documentation on troubleshooting permission issues.
The Likewise management console snap-in must be used to add the KRBTGT user, together with any users who will authenticate through external authentication, to the default cell.
Complete the following steps to add the users to the default cell:
1. Launch the Likewise Enterprise Console.
2. Click the Launch Cell Manager link, as shown in the following screen shot:
3. Right-click Users, select New, and select User, as shown in the following screen shot:
4. Add the KRBTGT user and any other users that authenticate using XenServer external authentication.
5. Use XenCenter to enable external authentication; it should now succeed.
Note: The KRBTGT user is used to verify if the XenServer can access Active Directory.
The following are the two causes for this issue:
1. The XenServer computer object created in the join process does not have rights to see the KRBTGT user. This could be blocked by a group policy object (GPO).
2. An existing Likewise Enterprise installation is already integrated with Active Directory. The Likewise code changes behavior when it finds a default cell and then needs to be able to read the following user attributes: uid, uidNumber, gidNumber, loginShell, and unixHomeDirectory. If a default cell is defined, the krbtgt user must be added to the default cell for XenServer to enable external authentication.
Run the following command at the command line interface of the XenServer host to identify whether a default cell is defined:
/opt/likewise/bin/lw-get-status
If the output shows the authentication provider mode is set to “Default Cell”, then this confirms that Likewise Enterprise is in control of Active Directory configuration.
Normally the authentication provider is set to “Un-provisioned”.
LSA Server Status:
  Compiled daemon version: 5.0.0.0
  Packaged product version: 5.4.0.51423
  Uptime: 31 days 0 hours 47 minutes 37 seconds
[Authentication provider: lsa-activedirectory-provider]
  Status: Online
  Mode: Default Cell
  Domain: DOMAIN.COM
  Forest: domain.com
  Site: corp
  Online check interval: 300 seconds
  Sub mode: Schema
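The following triage script is an added example and is not part of the Citrix article or the Likewise product. It ties together the two checks the article describes: the "KRBTGT Not_found" lines in xensource.log and the "Mode:" field of lw-get-status output. It classifies the failure as either the default-cell case (cause 2) or the GPO/permissions case (cause 1). The log and status text embedded below are constructed samples modelled on the excerpts above; the log path /var/log/xensource.log in the usage comment is an assumption.

```shell
#!/bin/sh
# Added triage helper (not from the article): decide which of the two
# documented causes applies, given xensource.log text and lw-get-status text.

# Constructed sample: two xensource.log lines in the format shown in the article.
SAMPLE_LOG='[20110712T19:41:11.478Z|debug|xs1baa-r219|1639419 unix-RPC|host.enable_external_auth D:9068d9ad49a0|extauth_plugin_ADlikewise] Request 1/60 to external authentication server returned KRBTGT Not_found, waiting 5 secs to try again
[20110712T19:41:42.394Z|debug|xs1baa-r219|1639419 unix-RPC|host.enable_external_auth D:9068d9ad49a0|extauth_plugin_ADlikewise] Likewise raised an error for cmd /opt/likewise/bin/lw-find-user-by-name "--minimal" "domain.com\KRBTGT" : (40008) No such user'

# Constructed sample: lw-get-status output with the provider in Default Cell mode.
SAMPLE_STATUS='LSA Server Status:
  Compiled daemon version: 5.0.0.0
  Packaged product version: 5.4.0.51423
[Authentication provider: lsa-activedirectory-provider]
  Status: Online
  Mode: Default Cell
  Domain: DOMAIN.COM
  Sub mode: Schema'

# krbtgt_lookup_failed LOGTEXT
# Exit status 0 when the log contains the KRBTGT lookup failure, 1 otherwise.
krbtgt_lookup_failed() {
    printf '%s\n' "$1" | grep -q 'KRBTGT Not_found'
}

# likewise_mode STATUSTEXT
# Print the value of the "Mode:" line (e.g. "Default Cell" or "Un-provisioned").
# The anchor on "Mode:" deliberately skips the "Sub mode:" line.
likewise_mode() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Mode:[[:space:]]*//p' | head -n 1
}

# diagnose LOGTEXT STATUSTEXT
# Print one word:
#   ok                  - no KRBTGT lookup failure in the log
#   default-cell        - lookup failed and Likewise is in Default Cell mode
#                         (add krbtgt to the default cell, cause 2)
#   gpo-or-permissions  - lookup failed and no default cell is in play
#                         (check AD permissions / GPO, cause 1)
diagnose() {
    if ! krbtgt_lookup_failed "$1"; then
        echo ok
        return 0
    fi
    case "$(likewise_mode "$2")" in
        "Default Cell") echo default-cell ;;
        *)              echo gpo-or-permissions ;;
    esac
}

# Stand-alone run against the constructed samples.
# On a real host (assumed paths) the equivalent call would be:
#   diagnose "$(cat /var/log/xensource.log)" "$(/opt/likewise/bin/lw-get-status)"
diagnose "$SAMPLE_LOG" "$SAMPLE_STATUS"
```

Running the block as-is prints default-cell, because the sample status shows "Mode: Default Cell"; with a status of "Mode: Un-provisioned" the same log yields gpo-or-permissions, which points at the GPO/permissions cause instead.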