
Troubleshoot authentication errors that occur when you join Windows-based computers to a domain

This article describes several authentication-related error messages that can occur when you join client computers that are running Windows to a domain. This article also provides troubleshooting suggestions for these errors. For networking-related error messages, see Troubleshoot networking errors that occur when you join Windows-based computers to a domain.

Original KB number: 4341920

Where to find the NetSetup.log file

The NetSetup.log file contains most information about domain join activities. The file is located on the client machine at %windir%\debug\NetSetup.log. This log file is enabled by default, so you don't have to explicitly enable it.
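The following added example (not part of the original article or any Microsoft tooling) scans NetSetup.log lines for failing status codes and points each one at the section of this article that covers it. The function name `Get-DomainJoinFailure` is hypothetical, the hex codes are the standard Win32 values for these messages (the article does not list them), and the line layout is an assumption illustrated by constructed sample lines.

```powershell
# Added example. Standard Win32 status codes (not listed in the article),
# each mapped to the heading of the article section that covers it.
$JoinErrorSections = @{
    0x216d = 'You have exceeded the maximum number of computer accounts you are allowed to create in this domain'
    0x574  = 'Logon failure: The target account name is incorrect'
    0x569  = 'Logon failure: the user has not been granted the requested logon type at this computer'
    0x52e  = 'Logon failure: unknown user name or bad password'
    0x534  = 'No mapping between account names and security IDs was done'
    0xe    = 'Not enough storage is available to complete this operation'
    0x4d8  = 'The account is not authorized to login from this station'
    0x437  = 'The account specified for this service is different from the account specified for other services running in the same process'
}

function Get-DomainJoinFailure {
    param([string[]]$Line)
    # Assumed line shape: "<date> <time> <function>: ... status[ of]: 0x<hex>"
    $pattern = '^(?<when>\S+ \S+) (?<func>\w+):.*\bstatus(?: of)?:\s*0x(?<code>[0-9a-f]+)\b'
    foreach ($entry in $Line) {
        if ($entry -match $pattern) {
            $code = [Convert]::ToInt32($Matches['code'], 16)
            if ($code -eq 0) { continue }   # 0x0 means the step succeeded
            $section = $JoinErrorSections[$code]
            [pscustomobject]@{
                Time     = $Matches['when']
                Function = $Matches['func']
                Status   = '0x{0:x}' -f $code
                Section  = if ($section) { $section } else { 'Not covered in this article' }
            }
        }
    }
}

# Constructed sample lines (not captured from a real machine). On a client, run:
#   Get-DomainJoinFailure -Line (Get-Content "$env:windir\debug\NetSetup.log")
$sample = @(
    '01/15/2024 09:12:03:101 NetpDoDomainJoin: status: 0x0'
    '01/15/2024 09:14:47:552 NetpJoinDomainOnDs: Function exits with status of: 0x52e'
    '01/15/2024 09:14:47:553 NetpDoDomainJoin: status: 0x52e'
    '01/15/2024 09:20:10:009 NetpDoDomainJoin: status: 0x216d'
)
Get-DomainJoinFailure -Line $sample | Format-List
```

Repeated bad-password or quota failures from the same account across many clients are worth correlating with DC-side logon events rather than treating each join attempt in isolation.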

You have exceeded the maximum number of computer accounts you are allowed to create in this domain

Make sure that you have permissions to add computers to the domain, and that you don't exceed the quota that is defined by your domain administrator.

To join a computer to the domain, the user account must be granted Create computer object permissions in Active Directory.

Note

By default, a nonadministrator user can join a maximum of 10 computers to an Active Directory domain.

Logon failure: The target account name is incorrect

Check that the domain controllers (DCs) are registered by using correct IP addresses on the Domain Name System (DNS) server, and that their Service Principal Names (SPNs) are registered correctly in their Active Directory accounts.

Logon failure: the user has not been granted the requested logon type at this computer

Make sure that you have permissions to add computers to the domain. To join a computer to the domain, the user account must be granted the Create computer object permission in Active Directory.

Additionally, make sure that the specified user account is allowed to log on locally to the client computer. To do this, configure the Allow log on locally setting in Group Policy under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

Logon failure: unknown user name or bad password

Make sure that you use the correct user name and password combination of an existing Active Directory user account when you're prompted for credentials to add the computer to the domain.

No mapping between account names and security IDs was done

This error is likely a transient error that is logged when a domain join searches the target domain to determine whether a matching computer account was already created or whether the join operation has to dynamically create a computer account on the target domain.

Not enough storage is available to complete this operation

This error can occur when the Kerberos token size is larger than the maximum default size. In this situation, you have to increase the Kerberos token size of the computer that you try to join to the domain. For more information, see:

The account is not authorized to login from this station

This problem is related to mismatched Server Message Block (SMB) signing settings between the client computer and the DC that is being contacted for the domain join operation. To further investigate the current and recommended values in your environment, see:

The account specified for this service is different from the account specified for other services running in the same process

Make sure that the DC through which you're trying to join the domain has the Windows Time service started.