InterScan Messaging Security Virtual Appliance (IMSVA) can't connect to LDAP server when Kerberos is enabled

    • Updated: 16 May 2016
    • Product/Version:
        • InterScan Messaging Security Virtual Appliance 8.2
        • InterScan Messaging Security Virtual Appliance 8.5
        • InterScan Messaging Security Virtual Appliance 9.0
    • Platform:
        • Bare Metal: N/A
        • Virtual Appliance: All
Summary

IMSVA can't connect to the LDAP server when Authentication Method is set to "Advanced: Uses Kerberos authentication for Active Directory". Because the LDAP connection test fails, the LDAP settings cannot be saved.

The packet capture from IMSVA indicates the LDAP server responded with error "KDC_ERR_S_PRINCIPAL_UNKNOWN", as seen below:

    MSG Type: KRB-ERROR (30)
    error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
    Realm: <realm name>
    Server Name (Principal): <host name>
    Name-type: Principal (1)
    Name: <host name>

Unlike older versions, Microsoft Active Directory 2008 doesn't return the Service Principal Name (SPN). This is the root cause of the problem.

Details

If you are using IMSVA version 8.2, please apply IMSVA SP2 Patch 1 first, before proceeding to the following solution:

  1. Using the root account, SSH to IMSVA or log on to the IMSVA console directly.
  2. Back up the /opt/trend/imss/config/imss.ini file and then open it in vi with the following commands:

    cp /opt/trend/imss/config/imss.ini /opt/trend/imss/config/imss.ini.bak
    vi /opt/trend/imss/config/imss.ini

  3. Add or edit the SPN for each LDAP server under the "LDAP-SPN" section. As an example:

    ldap1.example.com=ldap1@EXAMPLE.COM
    ldap2.example.com=ldap2@EXAMPLE.COM

    • "ldap1.example.com" and "ldap2.example.com" are the hostnames or IP addresses of the LDAP servers and must be the same as configured on the IMSVA Web console.
    • "ldap1@EXAMPLE.COM" and "ldap2@EXAMPLE.COM" are SPNs. By default, an SPN follows the format "hostname@DOMAIN_NAME_IN_UPPERCASE".
  4. Save the changes and close the file.
  5. Restart the IMSVA web console using the following command:

    /opt/trend/imss/script/S99ADMINUI restart
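
Steps 2 to 4 can also be scripted so that repeated runs do not leave duplicate entries. The following is an added example, not Trend Micro's own tooling: the function name `set_ldap_spn` is hypothetical, and it assumes the section header is written as `[LDAP-SPN]` with no spaces around "=" in its entries. The web console restart in step 5 is still required afterwards.

```shell
#!/bin/sh
# Added example: set one host=SPN entry in the LDAP-SPN section of an
# imss.ini-style file without duplicating it on repeated runs.
# Assumption: the section header is written as [LDAP-SPN] and entries
# have no spaces around "=".

set_ldap_spn() {
    ini=$1 host=$2 spn=$3
    realm=${spn#*@}
    # The article's default format is hostname@DOMAIN_NAME_IN_UPPERCASE;
    # reject an SPN with no realm or with lower-case letters in the realm.
    case $spn in
        ?*@?*) ;;
        *) echo "SPN must look like name@REALM" >&2; return 2 ;;
    esac
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm '$realm' is not upper case" >&2; return 2
    fi
    # Same backup the article takes by hand (each run replaces it).
    cp -p "$ini" "$ini.bak" || return 1
    # Rewrite from the backup into the original file, keeping its mode.
    awk -v host="$host" -v spn="$spn" '
        function emit() { if (insec && !done) { print host "=" spn; done = 1 } }
        /^\[/ { emit(); insec = ($0 ~ /^\[LDAP-SPN\][ \t]*$/); if (insec) seen = 1 }
        insec && index($0, host "=") == 1 { emit(); next }  # replace, drop duplicates
        { print }
        END { emit(); if (!seen) { print "[LDAP-SPN]"; print host "=" spn } }
    ' "$ini.bak" > "$ini"
}

# Usage: sh set_ldap_spn.sh <ini-file> <ldap-host> <spn>
if [ "$#" -eq 3 ]; then set_ldap_spn "$@"; fi
```

The host argument must match the server name configured on the IMSVA Web console exactly, as noted in step 3.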

Category: Configure; Troubleshoot; Deploy
Solution Id: 1114163