If you have changed the host name of a domain-joined Smoothwall appliance, re-joined the Smoothwall Filter and Firewall to the domain, and removed any computer accounts that were tied to the old host name, but your users are being rejected when trying to authenticate and you are seeing the above error in your Smoothwall logs, check the following:
- The Smoothwall hostname must be no longer than 15 characters (not including the DNS suffix)
- Ensure the correct DNS servers are configured on the Smoothwall (Network > Configuration > DNS)
  - “A” record has been created
  - PTR record has been created
- Ensure the Smoothwall time has been synchronized with your domain controllers
  - There should be no more than 5 minutes difference
- Ensure the devices requesting authentication are using the Smoothwall's fully qualified domain name (FQDN) in their proxy settings
- Within Active Directory, ensure your users are in a global domain security group
  - Or a universal security group if they exist on a trusted sub-domain
- Ensure the devices that proxy through the Smoothwall have been rebooted since the Smoothwall re-joined the domain
- Add the Smoothwall Active Domain user to the domain's administrators
  - It may be that the template used to create the user account does not give permission to add or delete computer accounts
- Remove the auto-generated computer account from your Active Directory
- Remove any duplicated computer accounts; you may find duplicates for smoothwall:sid_number
- Ensure the user who is receiving the failed Kerberos authentication error does not have a space in their username
- Recreate the client Kerberos ticket: klist purge
- On your devices, ensure Enable Integrated Windows Authentication is selected in the Advanced tab of Internet Properties
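
The items above that can be tested from a domain-joined Windows client, collected into one PowerShell script. This is an added example, not part of the original article or of Smoothwall's tooling. The FQDN and domain controller name are placeholder assumptions, and the clock check measures this client against the domain controller, so the appliance's own time still has to be confirmed on the appliance.

```powershell
# Added example. The names below are placeholders, not values from the article.
param(
    [string]$ProxyFqdn        = 'smoothwall.example.local',  # assumed appliance FQDN
    [string]$DomainController = 'dc01.example.local',        # assumed domain controller
    [string]$UserName         = $env:USERNAME
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Host name: the first label (without the DNS suffix) must be 15 characters or fewer.
$label = $ProxyFqdn.Split('.')[0]
Add-Result 'Host name length' ($label.Length -le 15) "$label is $($label.Length) characters"

# DNS: an A record must exist and each address needs a PTR record pointing back.
try {
    $a = @(Resolve-DnsName -Name $ProxyFqdn -Type A -ErrorAction Stop | Where-Object Type -eq 'A')
    Add-Result 'A record' ($a.Count -gt 0) ($a.IPAddress -join ', ')
    foreach ($ip in $a.IPAddress) {
        try {
            $ptr = @(Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop | Where-Object Type -eq 'PTR')
            Add-Result "PTR record for $ip" ($ptr.NameHost -contains $ProxyFqdn) ($ptr.NameHost -join ', ')
        } catch { Add-Result "PTR record for $ip" $false $_.Exception.Message }
    }
} catch { Add-Result 'A record' $false $_.Exception.Message }

# Clock: the article's limit is 5 minutes (300 seconds) of difference.
# This samples THIS machine's offset from the domain controller.
$sample = w32tm /stripchart "/computer:$DomainController" /samples:1 /dataonly 2>&1 | Out-String
if ($sample -match '([+-]\d+\.\d+)s') {
    $offset = [math]::Abs([double]$Matches[1])
    Add-Result 'Clock offset to DC' ($offset -le 300) "$offset seconds"
} else {
    Add-Result 'Clock offset to DC' $false 'no time sample returned'
}

# User name: must not contain a space.
Add-Result 'User name has no spaces' ($UserName -notmatch '\s') "'$UserName'"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

Run it as the affected user, then use `klist purge` and retry authentication once every row passes.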