You are trying to join your Canary to an Active Directory domain, but it is failing.
You can usually add Canaries to the domain without Domain Administrator privileges. When this error is seen, it usually means an additional permission (msDS-SupportedEncryptionTypes) is necessary.
During the domain join process, the Canary's computer account is created successfully in Active Directory, but before the Canary can obtain Kerberos authentication tickets, the two systems must agree on which encryption types are supported. This is the step at which the join is failing.
Active Directory allows any user to join up to ten machines to the domain. This includes regular members of Domain Users (who only have rights to add objects to AD, not to modify existing ones). The join is actually two steps:
- The computer account is added to AD;
- The authentication encryption type is set (requiring a write to an existing AD object).
The workaround is to grant the user additional WRITE permissions to the value msDS-SupportedEncryptionTypes on Computer objects.
We need first to delete the Computer account created in AD for the Canary from the failed attempt before we can continue.
To assign the permission to the user account, open Active Directory Users and Computers, right-click Computers and select Delegate Control:
Click Next to start the wizard, then select the user account that will be used to join the Canary to the domain:
Choose to Create a custom task and click Next:
We only need to add the permission to Computer objects, so limit the task to that object type:
Select Property-specific, scroll down and select Write msDS-SupportedEncryptionTypes:
Select Next and Finish to complete the Wizard.
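The same delegation can be scripted instead of clicked through the wizard. The PowerShell below is an added example, not a script from the Canary vendor or from this article: it removes the computer account left behind by the failed attempt, grants the join account WriteProperty on msDS-SupportedEncryptionTypes for Computer objects under the Computers container (the same ACE the wizard creates), and then reads the ACL back so you can confirm the single attribute-scoped permission was added and nothing broader. The account name (canaryjoin) and the stale computer name (CANARY01) are assumptions; substitute your own. Run it as an account that can modify the container's ACL, from a host with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not the vendor's or the article's own script).
# Assumptions: join account 'canaryjoin', stale computer account 'CANARY01'
# from the failed join, and that the Canary is being joined into the
# default Computers container.
Import-Module ActiveDirectory

$JoinUser      = 'canaryjoin'   # assumption: non-admin account used for the join
$StaleComputer = 'CANARY01'     # assumption: account created by the failed attempt
$ComputersDN   = (Get-ADDomain).ComputersContainer
$AclPath       = "AD:\$ComputersDN"

# 1. Delete the computer account left behind by the failed join attempt.
$stale = Get-ADComputer -Filter "Name -eq '$StaleComputer'" -ErrorAction SilentlyContinue
if ($stale) {
    Remove-ADComputer -Identity $stale -Confirm:$false
    Write-Host "Removed stale computer account $StaleComputer"
}

# 2. Resolve the schema GUIDs the ACE needs: the attribute being granted and
#    the Computer object class the ACE is scoped to (so it does not apply to
#    users, groups or other object types in the container).
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attrGuid  = [guid](Get-ADObject -SearchBase $schemaNC `
                -Filter "lDAPDisplayName -eq 'msDS-SupportedEncryptionTypes'" `
                -Properties schemaIDGUID).schemaIDGUID
$classGuid = [guid](Get-ADObject -SearchBase $schemaNC `
                -Filter "lDAPDisplayName -eq 'computer'" `
                -Properties schemaIDGUID).schemaIDGUID

# 3. Build the ACE: Allow WriteProperty on that one attribute only, inherited to
#    descendant Computer objects, granted to the join account's SID.
$sid = (Get-ADUser -Identity $JoinUser).SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid)

# 4. Apply the ACE to the Computers container through the AD: PSDrive.
$acl = Get-Acl -Path $AclPath
$acl.AddAccessRule($ace)
Set-Acl -Path $AclPath -AclObject $acl

# 5. Verify: the join account should now hold exactly one attribute-scoped
#    WriteProperty ACE on this container (ObjectType = the attribute GUID,
#    InheritedObjectType = the computer class GUID). Anything wider than that
#    means more was delegated than this fix requires.
$account = $sid.Translate([System.Security.Principal.NTAccount])
(Get-Acl -Path $AclPath).Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-List
```

After the Canary has joined, you can confirm the second step actually completed by reading the new computer account's msDS-SupportedEncryptionTypes attribute with Get-ADComputer -Properties 'msDS-SupportedEncryptionTypes'; if it is still empty, the write permission did not take effect for the account that performed the join.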
You should be all set to successfully join the Canary to the Domain with a regular user account.