When the IP user cache is disabled in InterScan Web Security Virtual Appliance (IWSVA), users may occasionally see authentication pop-ups while browsing the internet, asking them to provide their Active Directory credentials. At the same time, the log file of the Authentication Daemon (var/iwss/log/AuthDaemon.log.YYYYMMDD.XXXX) contains the following error message:
[ERROR]: connect_ntlm_type_1 return error: 91
The error message "connect_ntlm_type_1 return error: 91" indicates that IWSVA tried to connect to the domain controller to authenticate a user and the connection failed. Because IWSVA then has no other way to identify the user, it displays an authentication pop-up. To mitigate this, enable LDAP high availability so that IWSVA tries another domain controller whenever the connection to the first one fails.
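To confirm that the pop-ups line up with domain controller connection failures before (and after) enabling failover, it helps to count the error 91 entries in AuthDaemon.log and see how they cluster over time. The following script is an added example written for this article, not a Trend Micro tool; the error text is the one quoted above, but the timestamp layout, the log level format and the sample lines are constructed assumptions, so adjust the regular expression to match the real file.

```python
import re
from collections import Counter
from datetime import datetime

# Error text quoted in the article. Everything else about the line layout
# (timestamp format, bracketed level, separators) is an assumption for this example.
NTLM_ERROR_MARKER = "connect_ntlm_type_1 return error: 91"

# Assumed line layout: "YYYY-MM-DD HH:MM:SS [LEVEL]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>[A-Z]+)\]: (?P<msg>.*)$"
)

# Constructed sample lines (not real IWSVA output) so the script runs offline.
SAMPLE_LOG = """\
2024-05-01 08:00:01 [INFO]: auth daemon started
2024-05-01 08:15:22 [ERROR]: connect_ntlm_type_1 return error: 91
2024-05-01 08:15:23 [ERROR]: connect_ntlm_type_1 return error: 91
2024-05-01 09:40:10 [INFO]: user authenticated
this line does not match the assumed layout and is skipped
2024-05-01 09:41:05 [ERROR]: connect_ntlm_type_1 return error: 91
"""


def parse_line(line):
    """Return (timestamp, level, message) or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("level"), m.group("msg")


def find_dc_connect_failures(text):
    """Timestamps of every ERROR line carrying the error 91 marker."""
    events = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, level, msg = parsed
        if level == "ERROR" and NTLM_ERROR_MARKER in msg:
            events.append(ts)
    return events


def failures_per_hour(events):
    """Bucket failures by hour so bursts (one DC going away) stand out."""
    return Counter(ts.strftime("%Y-%m-%d %H") for ts in events)


def summarize(text):
    events = find_dc_connect_failures(text)
    per_hour = failures_per_hour(events)
    peak = max(per_hour.items(), key=lambda kv: kv[1]) if per_hour else None
    return {"total": len(events), "per_hour": dict(per_hour), "peak_hour": peak}


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/path/to/AuthDaemon.log.YYYYMMDD.XXXX").read()
    result = summarize(SAMPLE_LOG)
    print(f"error 91 occurrences: {result['total']}")
    for hour, count in sorted(result["per_hour"].items()):
        print(f"  {hour}:00  {count}")
```

A rising per-hour count that coincides with user complaints points at the domain controller connection rather than at the users' credentials; after enabling failover, the same count on a later log file shows whether the second server is absorbing the failures.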
To configure LDAP high availability, do the following:
- Log on to the web console and go to Administration > IWSVA Configuration > User Identification > User Identification.
- Under Directory Settings > Advanced, click on the name of your domain to expand the settings for it.
- Scroll down to Authentication High Availability, tick Enable High Availability and select Fail over.
- In the Additional Server field, enter a second LDAP server and the port number for the connection. Use the same port number as for the connection to the default LDAP server.
- Click Save at the bottom of the page.