A. Troubleshooting

Active Directory is complex and some of the error messages you can encounter while configuring the system are esoteric and could be caused by a variety of misconfigurations. This section will help point you in the correct direction when encountering errors.

The following are errors that may occur during user account authentication because of a misconfiguration in the recorder Active Directory settings or on the Active Directory Domain Server. Each error message lists its typical causes and solutions, preceded by an explanation where one is needed. The causes listed are not comprehensive, but they are the ones most commonly encountered as a result of configuration errors.

Key Table entry not found
Explanation

The recorder could not find a matching entry in the keytab file that was imported to it, or a related setting on the recorder Active Directory page is incorrect.

Common Causes
  • The encryption type configuration on the recorder Active Directory page doesn’t match the encryption type of the keytab.

  • The recorder’s service principal name in the keytab file doesn’t match what is configured on the recorder Active Directory page.

Solutions
  • The encryption type configuration on the recorder Active Directory page should be changed to match that of the keytab file or vice versa.

  • The correct recorder’s service principal name should be configured on the recorder Active Directory page and the keytab file.

Kerberos Error
Explanation

The Kerberos configuration on the recorder Active Directory page is incorrect.

Common Causes
  • The Realm is incorrect.

  • The KDC is incorrect.

  • The encryption type is incorrect.

  • The Recorder Service Principal is incorrect.

  • Invalid keytab file is uploaded.

  • The recorder may not be synced to the same time source as the domain.

Solutions
  • The settings on the recorder Active Directory page should be correctly entered.

  • The time sync configuration on the recorder should be checked to see if the recorder and domain agree on the time.

Credential Delegation Configuration Error
Explanation

The host recorder is unable to authenticate the user to the source recorder.

Common Causes
  • The host recorder account on the Active Directory Domain does not have the “Trust this user for delegation to any service (Kerberos only)” option selected.

  • The browser on the user’s PC is not set up for credential delegation.

Solutions
  • Make sure the “Trust this user for delegation to any service (Kerberos only)” option is selected under the “Delegation” tab in the recorder’s user account properties section on the Active Directory Domain.

  • Make sure the browser (Chrome or Firefox) is set up for credential delegation. Refer to Section 6.6.6: Single Sign-On for instructions.

Unsupported encryption type is configured on the recorder
Explanation

The Active Directory Domain does not recognize the encryption type configured on the recorder.

Common Causes
  • The recorder is configured for AES encryption when the Domain Server is not compatible with AES.

Solutions
  • Make sure the encryption type in the recorder Active Directory page matches that of the keytab file.

Invalid Kerberos realm is configured on the recorder
Common Causes
  • The realm information is configured incorrectly in the recorder Active Directory page.

Solutions
  • Make sure the realm (on the recorder Active Directory page) matches that of the Domain Controller. For example, if the fully qualified domain name is example.eventide.local, the realm is typically EVENTIDE.LOCAL.

The connection to the LDAP server timed out
Common Causes
  • The LDAP server did not respond before the recorder’s connection attempt timed out.

Solutions
  • Ensure that the recorder can reach the LDAP server.

The recorder's LDAP configuration might be incorrect
Explanation

The LDAP settings on the recorder Active Directory page may be incorrect.

Common Causes
  • The port number or host name of the LDAP server may be incorrectly configured.

Solutions
  • Make sure the LDAP settings on the recorder Active Directory page are correctly configured.

The recorder keytab file might not be valid
Common Causes
  • The keytab file on the recorder might be out of date. That is, a new keytab was generated on the Domain Controller for the recorder account but not yet imported into the recorder.

Solutions
  • Make sure the keytab file on the recorder is the most recent version, by importing it in the recorder Active Directory page. The recorder will then need to be rebooted.

Receiving error "ldap_sasl_interactive_bind_s: Invalid credentials (49)"
Common Causes
  • This error could mean that the domain controller has channel binding enabled.

Solutions
  • Ensure that your system is running NexLog DX-Series v2024.1 or later, and that the ldap.conf configuration file contains the line SASL_CBINDING tls-endpoint.

The LDAP Server cannot be reached
Common Causes
  • The LDAP Server might be down or the recorder cannot connect to it.

Solutions
  • Make sure the LDAP Server is running and can be reached by the recorder.

The recorder's password has expired in the Active Directory database
Common Causes
  • The password for the recorder user account on the Domain has expired.

Solutions
  • The recorder user account password on the Domain needs to be reset. If it is set to a new password, the keytab file will need to be regenerated and imported to the recorder. The recorder will then need to be restarted. It is advised to set the recorder user account password to not expire.

The recorder account has expired in the Active Directory Database
Common Causes
  • The recorder’s user account has expired in the Active Directory Database.

Solutions
  • The recorder’s user account on the Domain needs to be re-enabled.

Time skew between the recorder and the domain
Common Causes
  • The time between the Active Directory Domain Controller and the recorder is not synchronized.

Solutions
  • Configure the same NTP time source in the recorder’s NTP page as the Active Directory Domain Controller.

The recorder's key table entry doesn't match the Active Directory database
Common Causes
  • The realm configured may be incorrect.

  • The keys in the recorder keytab file may not match those in the Active Directory Database for the recorder service principal.

  • There may be a DNS problem.

Solutions
  • Make sure the realm is correctly configured in the Active Directory page.

  • Make sure the keys in the recorder keytab file match those in the Active Directory Database for the recorder service principal. The keytab file may need to be regenerated and re-imported.

  • Make sure there are no DNS issues preventing the Domain Controller from correctly identifying the recorder and vice versa.
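As an added diagnostic that is not part of this manual or of the recorder software, the following Python script compares a klist -ket listing of the recorder keytab with the values entered on the recorder Active Directory page, and tells apart the causes listed under "Key Table entry not found", "Invalid Kerberos realm is configured on the recorder", "The recorder keytab file might not be valid" and "The recorder's key table entry doesn't match the Active Directory database" (wrong service principal name, wrong encryption type, wrong realm, out-of-date key version). The sample listing, the HTTP/ service principal name and the key version numbers are constructed for illustration; the account KVNO is the msDS-KeyVersionNumber attribute of the recorder account in Active Directory.

```python
import re

# Constructed sample in the format `klist -ket` prints on the recorder (not real data).
SAMPLE_KLIST = """Keytab name: FILE:/tmp/recorder.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2024 10:22:01 HTTP/nlrecorder.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
   3 01/15/2024 10:22:01 HTTP/nlrecorder.example.local@EXAMPLE.LOCAL (aes128-cts-hmac-sha1-96)
"""

# One keytab entry line: KVNO, date, time, principal@REALM, (enctype).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)@(\S+)\s+\((\S+)\)\s*$")


def parse_klist(listing):
    """Return (kvno, principal, realm, enctype) tuples from `klist -ket` text."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def diagnose(listing, spn, realm, enctype, account_kvno=None):
    """Compare a keytab listing with the settings on the recorder Active Directory page.

    Returns a list of problems (empty when everything matches). account_kvno is the
    msDS-KeyVersionNumber of the recorder account in AD, if known; a keytab whose KVNO
    differs from it was generated before the account's current password was set."""
    entries = parse_klist(listing)
    if not entries:
        return ["no entries parsed: the keytab file is empty or not a klist -ket listing"]
    problems = []
    # Kerberos realm names are case-sensitive: example.local and EXAMPLE.LOCAL differ.
    if not any(e[2] == realm for e in entries):
        problems.append("realm mismatch: keytab has %s, page has %s"
                        % (sorted({e[2] for e in entries}), realm))
    same_spn = [e for e in entries if e[1] == spn]
    if not same_spn:
        problems.append("SPN mismatch: keytab has %s, page has %s"
                        % (sorted({e[1] for e in entries}), spn))
    elif not any(e[3] == enctype for e in same_spn):
        problems.append("encryption type mismatch: keytab has %s for this SPN, page has %s"
                        % (sorted({e[3] for e in same_spn}), enctype))
    if account_kvno is not None and all(e[0] != account_kvno for e in entries):
        problems.append("stale keytab: keytab KVNO %s, account KVNO %s"
                        % (sorted({e[0] for e in entries}), account_kvno))
    return problems
```

Run klist -ket against the imported keytab on the recorder and feed its output to diagnose() together with the realm, service principal name and encryption type shown on the Active Directory page; an empty result means the keytab agrees with those settings and the fault lies elsewhere (time sync, DNS, LDAP).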

The recorder domain account has incorrect credentials
Common Causes
  • The recorder’s keytab might be out of date.

Solutions
  • Import the most recent keytab file in the recorder Active Directory page. The recorder will then need to be rebooted.

The recorder account was not found in the domain
Common Causes
  • The account for the recorder’s service principal name doesn’t exist in Active Directory, or the service principal name is incorrect.

Solutions
  • Make sure the recorder’s user account still exists in Active Directory and is valid.

SSO login attempts return Authentication Failure
Common Causes
  • The recorder’s AD service account sAMAccountName does not match the hostname or FQDN that the user is attempting to log in from.

Solutions
  • Check the recorder’s service account in Active Directory and verify that the sAMAccountName is the same as the hostname used to access the recorder. If NLRecorder.contoso.net is the URL used to access the recorder, NLRecorder MUST be the recorder service account’s username.