SWG vs Windows Server 2008 R2 Kerberos authentication

Created: 28 Sep 2012 • Updated: 02 Oct 2012 | 6 comments
Polunin Sergey's picture
This issue has been solved. See solution.

I have a problem configuring LDAP integration with a Windows Server 2008 R2 domain.

Everything works well when I choose the "Simple" method.

But when I switch to "Kerberos" it fails.

The firewall is disabled on the DC and the DC is accessible. Where should I dig?

6 Comments

BenDC's picture

Try checking the security/authentication type logs on the DC.

Polunin Sergey's picture

In fact there are two errors:

1. First one is: 

The session setup from computer 'SWG' failed because the security database does not contain a trust account 'SWG$' referenced by the specified computer.


If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. If this is a Read-Only Domain Controller and 'SWG$' is a legitimate machine account for the computer 'SWG' then 'SWG' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller capable of servicing the request (for example a writable domain controller). Otherwise, the following steps may be taken to resolve this problem:

If 'SWG$' is a legitimate machine account for the computer 'SWG', then 'SWG' should be rejoined to the domain.

If 'SWG$' is a legitimate interdomain trust account, then the trust should be recreated.

Otherwise, assuming that 'SWG$' is not a legitimate account, the following action should be taken on 'SWG':

If 'SWG' is a Domain Controller, then the trust associated with 'SWG$' should be deleted.

If 'SWG' is not a Domain Controller, it should be disjoined from the domain.

2. And the second:

The session setup from the computer SWG failed to authenticate. The following error occurred:  Access is denied.

I remember a similar error in the Ironport setup. The solution was to "join" the Ironport appliance to the domain. An account for the Ironport was created during setup. Maybe there is something similar here.

SMLatCST's picture

Can you confirm if you have the "Separate Management and Inline interface" option enabled, and if so that you have the correct corresponding entries in your DNS?

Polunin Sergey's picture

I've found what is wrong. I've specified the FQDN instead of the IP in the Kerberos settings and the error is gone.
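
The three checks this thread went through (DC logs, the 'SWG$' machine account, FQDN versus IP in the Kerberos settings), gathered into one read-only diagnostic to run on the domain controller. This is an added example, not part of the original posts or of any Symantec tooling; `$KerberosHost` and its sample value `dc01.example.test` are assumptions standing in for whatever was entered in the appliance's Kerberos settings.

```powershell
# Added example: run in PowerShell on the domain controller. Read-only.
param(
    [string]$ApplianceName = 'SWG',                # computer name from the event text
    [string]$KerberosHost  = 'dc01.example.test',  # constructed sample value (assumption)
    [int]$HoursBack        = 24
)

# 1. NETLOGON session-setup failures that name the appliance.
#    5723 = "security database does not contain a trust account",
#    5805 = "failed to authenticate ... Access is denied".
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5723, 5805
    StartTime    = (Get-Date).AddHours(-$HoursBack)
}
$pattern = [regex]::Escape($ApplianceName)
$hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern })
"{0} NETLOGON failure(s) naming {1} in the last {2} h" -f $hits.Count, $ApplianceName, $HoursBack
$hits | Sort-Object TimeCreated | Select-Object -Last 5 TimeCreated, Id |
    Format-Table -AutoSize

# 2. Does the machine account the first event refers to exist in the directory?
$sam     = $ApplianceName + '$'
$account = ([adsisearcher]"(sAMAccountName=$sam)").FindOne()
if ($account) { "Machine account $sam found: $($account.Path)" }
else          { "No machine account $sam in the directory" }

# 3. Is the Kerberos setting an IP literal or a resolvable host name?
$ip = $null
if ([System.Net.IPAddress]::TryParse($KerberosHost, [ref]$ip)) {
    # In this thread the error went away once the FQDN was specified instead of the IP.
    "Kerberos setting '$KerberosHost' is an IP address, not an FQDN"
} else {
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($KerberosHost)
        "'$KerberosHost' resolves to: $($addrs -join ', ')"
    } catch {
        "'$KerberosHost' does not resolve from this host: $($_.Exception.Message)"
    }
}
```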