
[IAG] A case where Integrated Windows Authentication (IWA) single sign-on fails to join the domain

Problem Description

After the Integrated Windows Authentication (IWA) single sign-on configuration is submitted, the IAG reports that joining the domain failed.

Process

  1. The validity test of the Integrated Windows Authentication single sign-on configuration on the IAG succeeds;
  2. About one minute after the configuration is submitted, a prompt in the lower right corner reports that joining the domain failed;
  3. The customer's domain environment has two domain controllers, one primary and one secondary, in different network segments.

Root cause

Before joining the domain, the IAG first resolves the domain name to the domain controllers' IP addresses and then tests connectivity to each resolved address. If any one of the domain controller IP addresses is unreachable, joining the domain fails.
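
A pre-check that can be run from a host in the same network segment as the IAG, reproducing the rule described above: every address the domain name resolves to must be reachable. This is an added example, not Sangfor's code; the probed ports (389, 88) and the placeholder domain `corp.example` are assumptions, because the page does not say how the IAG tests connectivity.

```python
import socket

# Assumption: the page does not name the port IAG probes. 389 (LDAP) and
# 88 (Kerberos) are used here because a domain join commonly needs both.
DC_PORTS = (389, 88)

def resolve_dcs(domain, resolver=socket.getaddrinfo):
    """Return the sorted, de-duplicated IPv4 addresses the domain name resolves to."""
    infos = resolver(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_reachable(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def precheck(domain, resolver=socket.getaddrinfo, probe=tcp_reachable):
    """Apply the all-or-nothing rule: every resolved DC must answer on every port."""
    report = {}
    for ip in resolve_dcs(domain, resolver):
        report[ip] = [p for p in DC_PORTS if not probe(ip, p)]  # ports that failed
    blocked = {ip: ports for ip, ports in report.items() if ports}
    return {"dcs": list(report), "blocked": blocked,
            "join_expected": bool(report) and not blocked}

if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "corp.example"  # placeholder domain
    try:
        result = precheck(domain)
    except socket.gaierror as exc:
        sys.exit(f"cannot resolve {domain}: {exc}")
    for ip in result["dcs"]:
        ports = result["blocked"].get(ip)
        print(f"{ip}: " + (f"UNREACHABLE on ports {ports}" if ports else "ok"))
    print("join expected to succeed" if result["join_expected"] else "join expected to fail")
```

Any address listed as unreachable is a domain controller that needs a route or firewall rule from the IAG's segment before the configuration is resubmitted.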

Solution

  1. Adjust the network so that the IAG can communicate normally with all domain controllers;
  2. If the environment does not allow connectivity with all domain controllers, contact 4006306430 to have the IAG modified so that it only tests connectivity to a specific IP.

Original Link

https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=6549&isOpen=true