Common AD Authentication Failures
Run the test-aaa Command for Testing AD Authentication
AD authentication combines Kerberos authentication and LDAP authentication, so AD messages are classified into Kerberos messages and LDAP messages. AD authentication is similar to LDAP authentication, except that in AD authentication mode, Kerberos messages are used for authentication before LDAP authentication.
- The device time is not synchronized with the AD server time.
If the error message "Info: Time not synchronized with the AD server." is displayed in the test-aaa command output, the device time differs from the AD server time. Change the system time of the device so that it is synchronized with the AD server time.
Use either of the following two methods to modify the system time of the device:
- On the web system, synchronize the device time with the time (including the time zone and time) of the PC used to log in to the web system.
The following figure shows how to set the system time of the device on the web system:
- Run the following commands to configure the time zone and then the time.
<HUAWEI> clock timezone Beijing add 8:00:00
<HUAWEI> clock datetime 10:02:00 2020-11-25
- The password of the test account is incorrect.
If the error message "Info: Ticket granting failed." is displayed when you run the test-aaa command, the possible causes are as follows:
- The user name or password of the test account is incorrect. Check whether the user name and password of the test account are correct.
- The cipher suite configured on the device is different from that supported by the AD server. Run the ad-server cipher-suite command on the device to configure a cipher suite that the AD server supports. By default, the cipher suite is aes256-hmac-sha1. To set the cipher suite to rc4-hmac-md5, you need to install the weak encryption algorithm plug-in on the device.
- For other test results, see Run the test-aaa Command for Testing.
Run the test-aaa Command for Testing in the LDAP over SSL Scenario
The procedure is similar to Run the test-aaa Command for Testing in the LDAP over SSL Scenario.