PowerScale: OneFS: Selective Authentication: ERROR_AUTHENTICATION_FIREWALL_FAILED

Summary: Authentication fails due to Selective Authentication with the error: ERROR_AUTHENTICATION_FIREWALL_FAILED

Symptoms

When attempting to query Active Directory objects from a Trusted Domain, a PowerScale cluster in a Trusting Domain produces an error. This may result in being unable to add user objects to Share Permissions, ACLs, and so forth.

The following entries appear in lsass logs:

lsass[85427]: [lsass] Ignoring failure enumerating trusts for forest , <CustomerDomain.com> Error was ERROR_AUTHENTICATION_FIREWALL_FAILED (1935)



The following error may appear when running the isi auth mapping token command for the user object in the Trusted Domain:

# isi auth mapping token --user="CustomerDomain.com\\TestUserAccount"
Failed to map user 'CustomerDomain.com\TestUserAccount': No such user



The following error appears when adding a user object to share permissions:
 

# isi smb shares permission create --share=ShareName --zone=ZoneName "CustomerDomain.com\\TestUserAccount"
Failed to create persona 'USER:CustomerDomain.com\TestUserAccount'



Packet captures show the following:
 

347 2015-12-02 13:38:59.050609 10.29.1.61 141.119.201.2 KRB5 21 196 KRB Error: KRB5KDC_ERR_POLICY NT Status: Unknown error code 0xc0000413 0.016839



This issue occurs as a result of enabling Selective Authentication on the AD Trusts. Selective Authentication is a feature whereby the Domain Admin may manage Trusts in a granular fashion.
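
The two symptoms above (error 1935 in the lsass log and KRB5KDC_ERR_POLICY with NT status 0xc0000413 in the capture) can be checked for together. The following is an added example, not part of the original article or of OneFS tooling: a POSIX shell function using awk that scans a text file of log lines or a text capture export for both. The function names, output format and sample lines are constructed for illustration.

```shell
# Added example: triage for the Selective Authentication signature.
# Input: text file (or stdin) with lsass log lines and/or a text capture export.
selauth_triage() {
    awk '
    # lsass side: error 1935 while enumerating trusts
    /ERROR_AUTHENTICATION_FIREWALL_FAILED/ {
        lsass++
        # forest name follows the word "forest", optionally in angle brackets
        if (match($0, /forest[ ,]*<?[A-Za-z0-9._-]+>?/)) {
            d = substr($0, RSTART, RLENGTH)
            sub(/^forest[ ,]*<?/, "", d); sub(/>$/, "", d)
            forests[d]++
        }
    }
    # wire side: KDC policy refusal carrying NT status 0xC0000413
    /KRB5KDC_ERR_POLICY/ && tolower($0) ~ /0xc0000413/ { krb++ }
    END {
        printf "lsass_1935=%d krb_policy_0xc0000413=%d\n", lsass, krb
        for (d in forests) printf "forest=%s hits=%d\n", d, forests[d]
        if (lsass && krb)      print "verdict=selective-auth-confirmed"
        else if (lsass || krb) print "verdict=selective-auth-suspected"
        else                   print "verdict=no-signature"
        exit ((lsass || krb) ? 0 : 1)   # 0 = signature present
    }' "${1:--}"
}

# Constructed sample input (addresses are documentation ranges, not real hosts)
selauth_sample() {
cat <<'EOF'
lsass[85427]: [lsass] Ignoring failure enumerating trusts for forest , <CustomerDomain.com> Error was ERROR_AUTHENTICATION_FIREWALL_FAILED (1935)
346 2015-12-02 13:38:59.033770 192.0.2.10 192.0.2.20 KRB5 21 1514 TGS-REQ
347 2015-12-02 13:38:59.050609 192.0.2.20 192.0.2.10 KRB5 21 196 KRB Error: KRB5KDC_ERR_POLICY NT Status: Unknown error code 0xc0000413 0.016839
EOF
}

selauth_sample | selauth_triage
```

A "confirmed" verdict means both the lsass entry and the Kerberos policy error are present; "suspected" means only one of them was found in the supplied text.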

Trusts may be verified as follows:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753821(v=ws.11)?redirectedfrom=MSDN

Tip: Netdom provides the best output to troubleshoot this issue.

Cause

Selective Authentication is enabled on the relevant trusts in Active Directory Domains and Trusts objects. The feature is described in detail in the articles below:

Security Considerations for Trusts:

https://technet.microsoft.com/en-us/library/cc755321%28v=ws.10%29.aspx

Configuring Selective Authentication Settings:

https://technet.microsoft.com/en-us/library/cc755844%28v=ws.10%29.aspx

Resolution

Add the user or group in question to the "Allowed to Authenticate" permission for the cluster object, or remove Selective Authentication, per the KB articles below:

A TGS request for the krbtgt account fails with KDC_ERR_POLICY and an extended status of STATUS_AUTHENTICATION_FIREWALL_FAILED (0xC0000413)

https://support.microsoft.com/en-us/kb/2959395

Grant the "Allowed to Authenticate" permission on Computers in the Trusting Domain or Forest:

https://technet.microsoft.com/en-us/library/cc816733%28v=ws.10%29.aspx
 

Affected Products

PowerScale OneFS

Products

Isilon
Article Properties
Article Number: 000018338
Article Type: Solution
Last Modified: 25 Nov 2025
Version: 7