IMSVA can't connect to the LDAP server when Authentication Method is set to "Advanced: Uses Kerberos authentication for Active Directory". Because the LDAP connection test fails, the LDAP settings cannot be saved.
The packet capture from IMSVA indicates the LDAP server responded with error "KDC_ERR_S_PRINCIPAL_UNKNOWN", as seen below:
MSG Type: KRB-ERROR (30)
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: <realm name>
Server Name (Principal): <host name>
Name-type: Principal (1)
Name: <host name>
Unlike older versions, Microsoft Active Directory 2008 doesn't return the Service Principal Name (SPN). This is the root cause of the problem.
If you are using IMSVA version 8.2, please apply IMSVA SP2 Patch 1 first, before proceeding to the following solution:
- Using the root account, SSH to IMSVA or log on to IMSVA's console directly.
- Back up the /opt/trend/imss/config/imss.ini file, then open it with vi, using the following commands:
cp /opt/trend/imss/config/imss.ini /opt/trend/imss/config/imss.ini.bak
vi /opt/trend/imss/config/imss.ini
- Add or edit the SPN for each LDAP server under the "LDAP-SPN" section. As an example:
- "ldap1.example.com" and "ldap2.example.com" are the hostnames or IP addresses of the LDAP servers and must be the same as those configured on the IMSVA Web console.
- "ldap1@EXAMPLE.COM" and "ldap2@EXAMPLE.COM" are the SPNs. By default, an SPN follows the format "hostname@DOMAIN_NAME_IN_UPPERCASE".
- Save the changes and close the file.
- Restart the IMSVA web console using the following command:
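The "LDAP-SPN" entries edited in the steps above can be sanity-checked before the web console is restarted, so that a typo (a lower-case realm, a server missing from the section) does not reproduce the KDC_ERR_S_PRINCIPAL_UNKNOWN failure. The following Python script is an added example and is not part of the Trend Micro article or of IMSVA itself: it assumes the "LDAP-SPN" section uses a server=SPN key/value layout (an assumption, since the article does not show the raw section), works on a constructed sample of that section and a constructed list of web-console LDAP servers, derives the default SPN from the "hostname@DOMAIN_NAME_IN_UPPERCASE" rule, and reports each server whose entry is missing, malformed, or not in upper-case realm form.

```python
import configparser
import ipaddress

# Constructed sample of an imss.ini "LDAP-SPN" section. The server=SPN
# key/value layout is an assumption for this example, not taken from a
# real imss.ini. ldap2 deliberately carries a lower-case realm.
SAMPLE_INI = """\
[LDAP-SPN]
ldap1.example.com=ldap1@EXAMPLE.COM
ldap2.example.com=ldap2@example.com
"""

# Constructed list of LDAP servers as entered on the IMSVA web console;
# ldap3 has no entry in the sample section above.
CONSOLE_LDAP_SERVERS = ["ldap1.example.com", "ldap2.example.com", "ldap3.example.com"]
REALM = "EXAMPLE.COM"  # constructed Kerberos realm for the sample


def is_ip_address(value):
    """True when the configured server is an IP address rather than a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def expected_spn(server, realm):
    """Default SPN from the article: hostname@DOMAIN_NAME_IN_UPPERCASE, using the
    short host name (first DNS label). Returns None for an IP address, because no
    host name can be derived from it and the SPN must then be supplied by hand."""
    if is_ip_address(server):
        return None
    return f"{server.split('.')[0]}@{realm.upper()}"


def load_spn_section(ini_text):
    """Parse the LDAP-SPN section into {server: spn}; keys are lower-cased by
    configparser, values (the SPNs) are kept exactly as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    if not parser.has_section("LDAP-SPN"):
        return {}
    return dict(parser.items("LDAP-SPN"))


def check_spn_mappings(ini_text, console_servers, realm):
    """Compare the LDAP-SPN section against the servers configured on the web
    console. Returns {server: problem}; an empty dict means every server checks out."""
    mapping = load_spn_section(ini_text)
    problems = {}
    for server in console_servers:
        spn = mapping.get(server.lower())
        if spn is None:
            problems[server] = "no SPN entry in [LDAP-SPN]"
            continue
        host, sep, spn_realm = spn.partition("@")
        if not sep or not host or not spn_realm:
            problems[server] = f"SPN {spn!r} is not in host@REALM form"
            continue
        if spn_realm != spn_realm.upper():
            problems[server] = f"realm in {spn!r} must be upper case"
            continue
        if spn_realm != realm.upper():
            problems[server] = f"SPN realm {spn_realm!r} differs from expected {realm.upper()!r}"
            continue
        default = expected_spn(server, realm)
        if default is not None and spn != default:
            problems[server] = f"SPN {spn!r} differs from default {default!r}"
    return problems


def render_spn_section(servers, realm):
    """Render a LDAP-SPN section with the default SPN for each host name; an IP
    address gets a placeholder so the operator fills its SPN in manually."""
    lines = ["[LDAP-SPN]"]
    for server in servers:
        spn = expected_spn(server, realm) or "<SPN for IP address must be set manually>"
        lines.append(f"{server.lower()}={spn}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for server, problem in check_spn_mappings(SAMPLE_INI, CONSOLE_LDAP_SERVERS, REALM).items():
        print(f"{server}: {problem}")
    print(render_spn_section(CONSOLE_LDAP_SERVERS, REALM))
```

Run it against the real file by replacing SAMPLE_INI with the contents of /opt/trend/imss/config/imss.ini and CONSOLE_LDAP_SERVERS with the servers shown on the web console; every server that prints a problem will still fail the Kerberos connection test until its entry is corrected.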