Summary
When you configure LDAP with Kerberos authentication, you receive the error message “Connect LDAP Server1 failed”.
In a packet capture, IMSVA authenticates successfully against the Authentication Service (AS). However, when IMSVA requests a service ticket from the Ticket Granting Service (TGS), it asks for SERVER-X rather than for the configured LDAP server, SERVER-A. After a ticket for SERVER-X is granted, IMSVA binds to the LDAP server, which rejects the bind with the following error:
LDAPMessage bindResponse(2) invalidCredentials (8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1)
The LDAP and Kerberos configuration files contain no reference to SERVER-X. Instead, the tb_global_setting table contains the following rows:
insert into tb_global_setting values('LDAP_SVR_1','host','SERVER-A.some.domain.com','imss.ini','');
insert into tb_global_setting values('LDAP-Setting','server-spn','SERVER-A@some.domain.com','imss.ini','');
The krb5.conf file contains the following [realms] entry:
[realms]
DC.DOMAIN.COM={
kdc=auth.domain.com:88
admin_server=SERVER-A.some.domain.com
}
If you edit krb5.conf by hand, you also need to stop IMSVA from regenerating the file, which would otherwise overwrite your changes:
(1) Open the file /opt/trend/imss/config/imss.ini.
(2) Find the "[LDAP]" section and add "DonotUpdateKRB5CONF=yes" under it:
[LDAP]
DonotUpdateKRB5CONF=yes
The issue occurs because the domain publishes more than one DNS Service (SRV) record for the LDAP service.
During Kerberos authentication, IMSVA queries DNS to determine the Service Principal Name (SPN) of the LDAP server. Because two records are returned, IMSVA cannot tell which one is correct and simply uses the first, SERVER-X.some.domain.com, when requesting a ticket for the LDAP service. IMSVA is therefore granted a ticket for SERVER-X when it actually needs to connect to SERVER-A.some.domain.com. SERVER-A cannot decrypt a ticket that was issued for SERVER-X's service principal, so the GSSAPI bind fails with data 52e (ERROR_LOGON_FAILURE), which the LDAP server reports as invalidCredentials.
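The following Python script is an added illustration of the lookup described above; it is not part of this article or of Trend Micro's IMSVA code. It parses a constructed `dig`-style SRV answer in which the domain advertises more than one LDAP server, shows that taking the first record produces an SPN for SERVER-X, and shows how pinning the SPN to the configured LDAP_SVR_1 host (using the SRV data only to confirm that host is advertised) produces the SPN for SERVER-A instead. The realm SOME.DOMAIN.COM, the extra host SERVER-Y and the record data are assumptions made for the example.

```python
"""
Added example; not part of the IMSVA article or of Trend Micro's code.

Models the lookup described in the article: the domain advertises more
than one LDAP server via _ldap._tcp SRV records, and a client that simply
takes the first answer asks the TGS for a ticket to the wrong host. The
alternative shown here derives the SPN from the host the administrator
configured (LDAP_SVR_1) and uses the SRV answer only to confirm that the
host is actually advertised. Hostnames, realm and the dig-style answer
below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN, lower-cased, trailing dot stripped


# Constructed answer in the shape of `dig +short _ldap._tcp.some.domain.com SRV`:
# "<priority> <weight> <port> <target>." The order is whatever the resolver
# returned, which need not put the configured LDAP server first.
DIG_SRV_ANSWER = """\
0 100 389 SERVER-X.some.domain.com.
0 100 389 SERVER-A.some.domain.com.
10 50 389 SERVER-Y.some.domain.com.
"""

REALM = "SOME.DOMAIN.COM"                           # assumed realm for the example
CONFIGURED_LDAP_HOST = "SERVER-A.some.domain.com"   # the LDAP_SVR_1 host from the article


def parse_srv(answer: str) -> list[SrvRecord]:
    """Parse dig-style SRV lines into records in RFC 2782 client order:
    lowest priority first, then higher weight first. A real resolver picks
    among equal priorities at random, weighted; a stable sort keeps this
    example deterministic."""
    records = []
    for line in answer.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        priority, weight, port, target = fields
        records.append(SrvRecord(int(priority), int(weight), int(port),
                                 target.rstrip(".").lower()))
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def ldap_spn(fqdn: str, realm: str) -> str:
    """Build the Kerberos principal name for the LDAP service on fqdn.
    Host part lower-cased and realm upper-cased, the usual convention."""
    return f"ldap/{fqdn.lower().rstrip('.')}@{realm.upper()}"


def spn_from_first_srv(records: list[SrvRecord], realm: str) -> str:
    """The behaviour the article describes: use whichever target comes
    first. With the constructed answer above this yields SERVER-X."""
    if not records:
        raise LookupError("no _ldap._tcp SRV records returned")
    return ldap_spn(records[0].target, realm)


def is_advertised(records: list[SrvRecord], host: str) -> bool:
    """True if host appears as a target in the SRV answer."""
    host = host.lower().rstrip(".")
    return any(r.target == host for r in records)


def spn_for_configured_host(records: list[SrvRecord], host: str, realm: str) -> str:
    """Pin the SPN to the configured LDAP host. The SRV answer is used only
    to check that the host is one of the servers the domain advertises;
    raising here makes a misconfiguration visible instead of letting the
    client bind to a host the domain does not publish."""
    if not is_advertised(records, host):
        raise LookupError(f"{host} is not advertised by any _ldap._tcp SRV record")
    return ldap_spn(host, realm)


if __name__ == "__main__":
    recs = parse_srv(DIG_SRV_ANSWER)
    print("first-record SPN:", spn_from_first_srv(recs, REALM))
    print("pinned SPN      :", spn_for_configured_host(recs, CONFIGURED_LDAP_HOST, REALM))
```

Run without arguments, the script prints the two SPNs side by side: the first-record choice names SERVER-X, the pinned choice names SERVER-A, which is the host the server-spn setting in imss.ini makes IMSVA request a ticket for.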
To resolve the issue:
- Add the following to /opt/trend/imss/config/imss.ini so that IMSVA requests a ticket for the configured LDAP server instead of the first SRV record:
[LDAP-Setting]
server-spn=SERVER-A@some.domain.com
- Restart the admin console by running the following command:
/opt/trend/imss/script/S99ADMINUI restart
- Configure the LDAP settings again.