Summary
You cannot enable two Microsoft 2008 Active Directory servers using the Kerberos authentication method on InterScan Messaging Security Virtual Appliance (IMSVA).
Details
This occurs because the Service Principal Name (SPN) of the second LDAP server cannot be retrieved.
To resolve this issue, apply Hot Fix Build 1438:
- Obtain a copy of this hot fix from Trend Micro Technical Support or from your Technical Account Manager (TAM).
- Install the hot fix.
- Log in to the IMSVA shell with root privileges.
- Open and edit the /opt/trend/imss/config/imss.ini file by adding the following parameters within the LDAP-SPN section:
[LDAP-SPN]
ldap1.example.com=ldap1@EXAMPLE.COM
ldap2.example.com=ldap2@EXAMPLE.COM
Notes:
- "ldap1.example.com" and "ldap2.example.com" are hostnames or IP addresses of the LDAP servers and must be the same as the ones configured in the IMSVA web admin console within the LDAP section from Administration > IMSVA Configuration > Connections.
- "ldap1@EXAMPLE.COM" and "ldap2@EXAMPLE.COM" are SPNs. By default, the format of an SPN is "hostname@DOMAIN_NAME_IN_UPPERCASE".
- Save the changes and close the file.
- Restart the IMSVA web admin console service by executing the following command from the IMSVA shell:
# /opt/trend/imss/script/S99ADMINUI start
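
The following check is an added example, not part of the Trend Micro hot fix or its documentation: a shell function that verifies the [LDAP-SPN] section before the console is restarted, confirming that each entry follows the hostname@DOMAIN_NAME_IN_UPPERCASE format described above and that every LDAP server passed as an argument has a mapping. The function name check_ldap_spn and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Trend Micro code): check the [LDAP-SPN] section of an
# imss.ini-style file. Usage: check_ldap_spn FILE [LDAP_SERVER ...]
# LDAP_SERVER values are the names exactly as entered in the web admin console.
# Returns 0 when every entry is well formed and every listed server is mapped.
check_ldap_spn() {
    file=$1; shift
    awk -v want="$*" '
    # Track whether the current line belongs to the [LDAP-SPN] section.
    /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[LDAP-SPN\][ \t\r]*$/); next }
    !in_sec || /^[ \t\r]*$/ { next }
    {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); spn = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t\r]+$/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", spn)
        at = index(spn, "@"); realm = substr(spn, at + 1)
        if (eq == 0 || key == "") { print "BAD  malformed line: " $0; bad++ }
        else if (at < 2 || realm == "" || index(realm, "@")) {
            print "BAD  " key ": SPN is not hostname@DOMAIN"; bad++ }
        else if (realm != toupper(realm)) {
            print "BAD  " key ": realm " realm " is not uppercase"; bad++ }
        else { print "OK   " key " -> " spn; seen[key] = 1 }
    }
    END {
        # Every server named on the command line needs a valid mapping.
        n = split(want, w, " ")
        for (i = 1; i <= n; i++) if (!(w[i] in seen)) {
            print "BAD  " w[i] ": no valid SPN entry"; bad++ }
        exit (bad > 0)
    }' "$file"
}

# Constructed sample input: the second server has a lowercase realm, so it is
# rejected. The [other-section] lines are placeholders, not real IMSVA settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[other-section]
key=value
[LDAP-SPN]
ldap1.example.com=ldap1@EXAMPLE.COM
ldap2.example.com=ldap2@example.com
EOF
check_ldap_spn "$sample" ldap1.example.com ldap2.example.com \
    || echo "Fix the entries above before restarting the admin console."
```

On the appliance, pass /opt/trend/imss/config/imss.ini as the file and the LDAP server names from Administration > IMSVA Configuration > Connections as the remaining arguments.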