Unable to join a new Node to an existing TMG 2010 Array

First of all, happy new year!! It took me a long time to come back here due to many other projects going on… I actually feel like I am still in December, as I didn't really have time off during the holidays. Very different from Brazil (where I'm originally from): there things are slow during the holidays and keep going slow until Carnival (usually in February). This is actually very funny to me, because recently, when I was writing my next book (about the Security+ certification, in Portuguese), I told my editor: "let's release the book in March", and he said: "This year Carnival is in March, so nobody will really read books in March, let's release in April". He had a good point for sure. But since I moved to the US I have noticed that the year really starts on January 2nd :).

Anyway, here goes the first post of this year. It is about a collaboration with a colleague of mine who was originally troubleshooting this issue. The problem was that, when trying to join a new node to an existing TMG array, the following error message appeared:

[image: error dialog shown when trying to join the array]

The user who was trying to join had permission at the Array level, as shown below:

[image: the user's permissions at the Array level]

We could also see in Process Monitor (ProcMon) that this user was the one making the connection to the remote server while the issue was happening:

[image: ProcMon trace showing the user connecting to the remote server]

Unfortunately, in this situation the error message was shown right away, so nothing really useful ended up in the TMG Setup logs (located at %windir%\temp). Now what? Well, now you need to move to deeper data gathering and use the TMG Data Packager on both servers (the EMS and the node that is trying to join). In this particular scenario it was possible to see the error "ldap_modify_s failed" followed by 0x80070005 (which is Access Denied) while setup was trying to change some properties in ADAM (AD LDS). After reviewing the source code for this specific error at the moment of the failure, it was possible to understand that in order to perform this action the user needs Enterprise-level rights; in this case the user was not there, as shown below:

[image: Enterprise-level permissions, with the joining user missing]

Once we added the user there (Enterprise level) it was possible to join without any issue. So, when deploying TMG, remember that the user who joins new members to the array needs to have Enterprise-level permission.
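As an added example (not code from the original post or from the TMG product), here is a small Python triage helper that pulls failed LDAP calls out of setup trace lines and decodes the HRESULT, so the "ldap_modify_s failed" + 0x80070005 signature described above can be spotted quickly. The log line format and the sample lines are constructed assumptions; only the failed call name and the 0x80070005 value come from the post.

```python
import re

# Constructed sample lines in the style of a setup / Data Packager trace.
# The exact format is an assumption, not the real TMG log layout.
SAMPLE_LOG = """\
[12:01:03] ADAM: connecting to ldap://ems01:2171
[12:01:04] ADAM: ldap_modify_s failed, hr=0x80070005 on CN=Server1,CN=Arrays,...
[12:01:04] Setup: join array aborted
[12:01:09] ADAM: ldap_modify_s failed, hr=0x8007054B on CN=Server1,...
"""

LDAP_FAIL = re.compile(r"(?P<call>ldap_\w+) failed.*?hr=(?P<hr>0x[0-9A-Fa-f]{8})")

# Win32 codes that commonly show up wrapped in an HRESULT (FACILITY_WIN32 == 7).
WIN32_ERRORS = {5: "ERROR_ACCESS_DENIED", 1355: "ERROR_NO_SUCH_DOMAIN"}
FACILITY_WIN32 = 7


def decode_hresult(hr: int) -> dict:
    """Split an HRESULT into its fields; map FACILITY_WIN32 codes to Win32 names."""
    failed = bool(hr & 0x80000000)          # severity bit: 1 == failure
    facility = (hr >> 16) & 0x7FF           # 11-bit facility field
    code = hr & 0xFFFF                      # low 16 bits: the wrapped error code
    if facility == FACILITY_WIN32:
        name = WIN32_ERRORS.get(code, "unknown Win32 code")
    else:
        name = "not a Win32-wrapped code"
    return {"failed": failed, "facility": facility, "code": code, "name": name}


def find_ldap_failures(log: str) -> list:
    """Return (call, hresult, decoded) for every failed LDAP call in the log."""
    results = []
    for line in log.splitlines():
        m = LDAP_FAIL.search(line)
        if m:
            hr = int(m.group("hr"), 16)
            results.append((m.group("call"), hr, decode_hresult(hr)))
    return results


def needs_enterprise_rights(log: str) -> bool:
    """True when a failed ldap_modify_s carries Access Denied: the signature the
    post describes for a joining user that lacks Enterprise-level rights."""
    return any(call == "ldap_modify_s" and d["name"] == "ERROR_ACCESS_DENIED"
               for call, _, d in find_ldap_failures(log))
```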

Note: If you decide to add a group there, remember the warning shown in the following window:

[image: warning dialog shown when adding a group at the Enterprise level]