vastool status error: "FAILURE: 304 VAS does not know the correct password for the AD object." (4255898)

Running "vastool status" gives the following error message: "FAILURE: 304 VAS does not know the correct password for the AD object."

When running a vastool kinit you get the error:

Failed to authenticate host/, error=VAS_ERR_KRB5: Failed to obtain credentials. Keytab: , Client: HOSTNAME@YOURDOMAIN.COM, Service: krbtgt/HOSTNAME@YOURDOMAIN.COM, Server: dc.yourdomain.com

Caused by:
KRB5KDC_ERR_PREAUTH_FAILED (-1765328360): Preauthentication failed

If you are using SAP SSO using the HOST/ method you may see the following error:

*** ERROR => SncPAcquireCred()==SNCERR_GSSAPI [sncxxall.c 1439]
GSS-API(maj): Miscellaneous failure (see text)
GSS-API(min): Preauthentication failed
Could't acquire INITIATING credentials for name="p:hostname@YOURDOMAIN.COM"

The password for the Computer object in AD is not in sync with the one in the keytab (/etc/opt/quest/vas/host.keytab). This usually occurs for the following reasons:

1) Another machine is using the same computer object. Ensure this is the only machine using this computer object, and if sharing the computer object (some cluster situations), that it is setup correctly to not cause this. This can occur if the machine has been cloned while joined to QAS.

2) In AD, the computer object was accidentally re-set (Right-click on the computer object, select Reset Account).

3) In AD, the computer object was deleted/re-created.

4) Other software has been installed onto the machine that creates a AD Computer Object (For example Samba)

5) You are using Windows 2008 or Windows 2008 RODCs and using an early QAS version prior to 3.5.2.67 - in these circumstances the monthly password roll can fail.

Run the following command to reset the credentials for the Active Directory (AD) computer object and synch this with the keytab. Replacing [username] with an AD user who has privileges to reset the QAS Computer accounts password.

# /opt/quest/bin/vastool -u [username] passwd -rk /etc/opt/quest/vas/host.keytab host/

Eg: /opt/quest/bin/vastool -u administrator passwd -rk /etc/opt/quest/vas/host.keytab host/

Wait a couple of minutes and then rerun "vastool status" again to ensure there are no more issues.