“Connect LDAP Server1 failed” error appears when using Kerberos authentication in InterScan Messaging Security Virtual Appliance (IMSVA)

    • Updated:
    • 27 Jan 2016
    • Product/Version:
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • Platform:
    • N/A
Summary

When you use Kerberos authentication in configuring LDAP, you receive the error message “Connect LDAP Server1 failed”.

Checking the packet capture, it seems that IMSVA is successfully authenticated by the Authentication Server. However, when IMSVA requests a ticket from the Ticket Granting Service, it states SERVER-X in its request rather than the configured LDAP server, SERVER-A. After a ticket for SERVER-X is granted, IMSVA contacts the LDAP server and gives the following error:

LDAPMessage bindResponse(2) invalidCredentials (8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1)

Checking related configuration files for LDAP and Kerberos, you find no information on SERVER-X. Instead, the tb_global_setting table shows the following:

insert into tb_global_setting values('LDAP_SVR_1','host','SERVER-A.some.domain.com','imss.ini',''); 
insert into tb_global_setting values('LDAP-Setting','server-spn','SERVER-A@some.domain.com','imss.ini','');

The krb5.conf contains the following lines:

[realms]
HC.CSCSISTERS.ORG={
kdc=auth01.cscsisters.org:88
admin_server=SERVER-A.some.domain.com
}
Details

The issue occurs because DNS holds more than one service (SRV) record for the LDAP service in the domain.

During Kerberos authentication, IMSVA queries DNS to identify the Service Principal Name (SPN) of the LDAP server. Because two SRV records are returned, IMSVA cannot tell which one is correct and simply uses the first one, SERVER-X.some.domain.com, when requesting a ticket for the LDAP service. As a result, IMSVA is granted a ticket for SERVER-X when it actually needs to connect to SERVER-A.some.domain.com, and the bind to SERVER-A is rejected with invalidCredentials.

To resolve the issue:

  1. Add the following into /opt/trend/imss/config/imss.ini:

    [LDAP-Setting]
    server-spn=SERVER-A@some.domain.com

  2. Restart the console by running the following command:

    /opt/trend/imss/script/S99ADMINUI

  3. Configure the LDAP again.
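The following added example (not Trend Micro code) reproduces the selection logic described above on constructed data: with several SRV answers and no pinned SPN, the first record (SERVER-X) decides the SPN and the ticket does not match the configured LDAP host; once server-spn is set in imss.ini, the pinned value wins. The host@domain SPN form and the priority/weight ordering are assumptions for illustration.

```python
import configparser

# Constructed sample: the imss.ini fragment from the article.
IMSS_INI = """
[LDAP-Setting]
server-spn=SERVER-A@some.domain.com
"""
# Constructed: the LDAP host configured in tb_global_setting (LDAP_SVR_1).
CONFIGURED_LDAP_HOST = "SERVER-A.some.domain.com"

# Constructed SRV answers for the LDAP service; as in the article, DNS
# returns more than one record and SERVER-X happens to come first.
# Tuples are (priority, weight, port, target).
SRV_ANSWERS = [
    (0, 100, 389, "SERVER-X.some.domain.com."),
    (0, 100, 389, "SERVER-A.some.domain.com."),
]

def spn_from_host(fqdn):
    """Derive an SPN in the host@domain form the article uses (assumption)."""
    short, _, domain = fqdn.rstrip(".").partition(".")
    return f"{short}@{domain}"

def first_srv_target(answers):
    """Target a client picks when it just takes the first usable record:
    lowest priority first, higher weight first, DNS answer order otherwise."""
    ordered = sorted(answers, key=lambda r: (r[0], -r[1]))
    return ordered[0][3].rstrip(".")

def pinned_spn(ini_text):
    """Return server-spn from [LDAP-Setting] if it is pinned, else None."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp.get("LDAP-Setting", "server-spn", fallback=None)

def effective_spn(ini_text, answers):
    """SPN the ticket request would name: a pinned value beats SRV discovery."""
    pinned = pinned_spn(ini_text)
    return pinned if pinned else spn_from_host(first_srv_target(answers))

def diagnose(ini_text, answers, configured_host):
    """Return (spn_used, mismatch); mismatch means the ticket is for the
    wrong host and the LDAP bind will fail with invalidCredentials."""
    spn = effective_spn(ini_text, answers)
    return spn, spn != spn_from_host(configured_host)

if __name__ == "__main__":
    print("without pin:", diagnose("", SRV_ANSWERS, CONFIGURED_LDAP_HOST))
    print("with pin:   ", diagnose(IMSS_INI, SRV_ANSWERS, CONFIGURED_LDAP_HOST))
```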
Category:
Troubleshoot
Solution Id:
1095092