Hi Deepak,
There are different steps required in joining and rejoining the domain than to just being joined to the domain, and so I have seen a lot of times where maybe a DNS server or LDAP server is down, but it isn't noticed until upgrading, when the ASG is trying to rejoin the domain. For example, the first step in joining a domain is the ASG reaching out over DNS for an SRV record. If there is something wrong with the SRV record, or if other DC changes were made that would prevent you from joining the domain, you will not notice until the domain needs to be rejoined, and any existing appliances already joined to the domain (like your two HA appliances) would not know anything was wrong unless they themselves tried to rejoin the domain.
I guess a good analogy of this would be the starter on your car. If your car is already on, and you have a bad starter, you won't notice until the next time you try and start the car. For a car, it may be a few hours, or whenever you are low on gas and need to fill up again. For a ProxySG / ASG, it can literally be months (or it sounds like maybe years in your case) before you would try and rejoin the domain again.
If you are getting an access denied message, then it sounds like an account was misconfigured in AD, and so you will want to work with that team to figure out why you are denied. As far as knowing the username and password, there is not a way to find that out from the ProxySG.
For more reference on authentication, see this guide.
Thanks!
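As an added example (not from the original post or from Broadcom), here is a stdlib-only Python check that performs the first step the reply describes: query DNS for the domain's DC SRV record and list what comes back, so a broken record is noticed before an upgrade forces a rejoin. It assumes the standard AD DC-locator name `_ldap._tcp.dc._msdcs.<domain>`; the domain `corp.example` and nameserver `10.0.0.53` are placeholders.

```python
import random, socket, struct

def build_srv_query(name, txid):
    # plain recursive SRV/IN query for `name` (no EDNS); RR type 33 = SRV
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 33, 1)

def read_name(pkt, off):
    # decode a possibly-compressed DNS name -> (name, offset just after it in the packet)
    labels, end = [], None
    while True:
        n = pkt[off]
        if n >= 0xC0:  # compression pointer: remember where to resume, then jump
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(pkt[off:off + n].decode())
        off += n

def parse_srv_answers(pkt):
    # -> [(priority, weight, port, target)] in the order a client should try them
    _, flags, _, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x000F:  # RCODE != 0 (NXDOMAIN, SERVFAIL, ...): the record is not there
        return []
    off = read_name(pkt, 12)[1] + 4  # skip the echoed (single) question: name + type + class
    out = []
    for _ in range(an):
        off = read_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])  # type, class, ttl, rdlength
        off += 10
        if rtype == 33:
            prio, weight, port = struct.unpack("!HHH", pkt[off:off + 6])
            out.append((prio, weight, port, read_name(pkt, off + 6)[0]))
        off += rdlen
    return sorted(out, key=lambda r: (r[0], -r[1]))  # lowest priority first, then heaviest weight

def srv_lookup(name, nameserver, timeout=3.0):
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name, txid), (nameserver, 53))
        resp = s.recv(4096)
    if struct.unpack("!H", resp[:2])[0] != txid:  # drop replies that are not to our query
        raise RuntimeError("DNS transaction id mismatch")
    return parse_srv_answers(resp)

if __name__ == "__main__":  # placeholders: your AD domain and the DNS server the appliance uses
    print(srv_lookup("_ldap._tcp.dc._msdcs.corp.example", "10.0.0.53") or "no DC SRV record: a (re)join fails at step one")
```

Run it from a host that uses the same DNS server as the appliance; an empty list, a timeout, or a DC name that no longer resolves is exactly the failure that would otherwise first show up when the ASG tries to rejoin.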
Original Message:
Sent: 07-25-2020 05:17 AM
From: Deepak Sureshbabu
Subject: Proxy ASG Authentication broke after upgrade from 6.6.5.16 > 6.7.2.1 > 6.7.5.6
Need help as we had a failed upgrade of our Proxy ASG S200-40 appliance yesterday. We were running 6.6.5.16 version and as recommended by TAC team we proceeded with the upgrade path first to 6.7.2.1 then to 6.7.5.6. After first upgrade to 6.7.2.1 everything was working good. And post upgrade to 6.7.5.6, LDAP stopped working and we lost access to the device. We logged in with local credentials. However we see that IWA and LDAP are failing. However the domain still stayed joined. Very unfortunate that we won't be able to join domain again due to some DC level changes that happened for all the accounts. We tried to create a temp service account, however joining the domain still says access denied.
1. Anyone faced same issue before?
2. Luckily we had two appliances in HA and one is working now in production and which is already joined to domain and working fine (Why do the domain controller level changes not affect the working proxy?)
3. Any way to know the account or username used from the working proxy to join the domain? Last domain join happened way before my tenure with the client and no one has the username or password information which was used.
Awaiting urgent help!!