When joining a Windows domain with the ProxySG, I am required to use an Administrator account.
As per the documentation, Blue Coat recommends using an Administrator account to join the SG to a Windows domain. It is possible, however, to join the domain without an Administrator account by using a workaround. Blue Coat Engineering is investigating the ability for a normal user account to be utilized without using workarounds.
The join fails with a normal user account because the SG tries to set Delegation on the computer object after it is created in the AD tree. A normal user is not able to set Delegation and the error you see is:
In the event log you will find:
[LsaSrvProviderIoControl() /home/service-releng/p4/scorpius/sg_6_3/src/security/likewise/lsass/server/api/provider.c:112] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 1314, symbol = ERROR_PRIVILEGE_NOT_HELD, client pid = 0" 0 250034:1 sg_syslog.cpp:78
To work around this problem you must do the following:
1) Use the Administrator account as per the documentation. This negates the problem and you will not see the error at all.
2) If you have already received the error, you can log in to your Active Directory server and browse to the Computer object created for the ProxySG. Right-click that object and select Properties, and then Delegation. Change the radio button to the "Trust this computer for delegation to any service" option and click Apply. Return to your ProxySG and log in again using the same user credentials that failed previously. You should find that this time the join works.
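
To spot this failure in collected ProxySG event logs, the following added example (not Blue Coat code) parses the line format shown above and flags entries where the Active Directory provider returned error 1314. The function names and the first and third sample lines are constructed for illustration; only the second sample line comes from this page.

```python
import re

# Shape of the lsass provider failure line quoted on this page.
LSA_FAILURE = re.compile(
    r"\[(?P<func>\w+)\(\)\s+(?P<src>\S+):(?P<line>\d+)\]\s+"
    r"Failed to run provider specific request\s+"
    r"\(request code = (?P<request>\d+), provider = '(?P<provider>[^']+)'\)\s+"
    r"-> error = (?P<error>\d+), symbol = (?P<symbol>\w+)"
)
AD_PROVIDER = "lsa-activedirectory-provider"
ERROR_PRIVILEGE_NOT_HELD = 1314  # value shown in the page's log line


def parse_lsa_failure(text):
    """Return the fields of a provider failure line as a dict, or None."""
    m = LSA_FAILURE.search(text)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("line", "request", "error"):
        rec[key] = int(rec[key])
    return rec


def is_delegation_join_failure(rec):
    """True for the AD-provider privilege failure this page describes."""
    return (rec is not None and rec["provider"] == AD_PROVIDER
            and rec["error"] == ERROR_PRIVILEGE_NOT_HELD)


def scan(lines):
    """Return [(line_number, record)] for each failed-join event found."""
    parsed = ((n, parse_lsa_failure(t)) for n, t in enumerate(lines, 1))
    return [(n, rec) for n, rec in parsed if is_delegation_join_failure(rec)]


_TAIL = ("Failed to run provider specific request (request code = 8, "
         "provider = 'lsa-activedirectory-provider') -> error = %s, client pid = 0")
SAMPLE_LOG = [
    "Domain join requested by user (constructed line)",
    # Event from this page:
    "[LsaSrvProviderIoControl() /home/service-releng/p4/scorpius/sg_6_3/src/"
    "security/likewise/lsass/server/api/provider.c:112] "
    + _TAIL % "1314, symbol = ERROR_PRIVILEGE_NOT_HELD",
    # Constructed line with a different Win32 error, which must not be flagged:
    "[LsaSrvProviderIoControl() /constructed/provider.c:112] "
    + _TAIL % "5, symbol = ERROR_ACCESS_DENIED",
]

if __name__ == "__main__":
    for n, rec in scan(SAMPLE_LOG):
        print(f"line {n}: {rec['symbol']} from {rec['provider']} ({rec['func']})")
```

A hit means the computer object was created but the delegation step failed, so the object's Delegation setting is the place to look before retrying the join.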