Unable to add Protection Engine to Console due to invalid credentials - Simple Bind failed
Article ID: 391438

Products

  • Protection Engine for Cloud Services
  • Protection Engine for NAS

Issue/Introduction

When trying to add a Symantec Protection Engine (SPE) server to a Protection Engine Console using Directory Authentication, you receive the error message:

Failed to add the following server(s):
<Server Name> Reason: Authentication failed due to invalid credentials.

The credentials are, however, valid. More details can be found in SPE_REST_API.log, located at:

  • Windows: C:\Program Files\Symantec\Scan Engine\RestAPI\log
  • Linux: /opt/SYMCScan/RestAPI/log

YYYY-MM-DD HH:MM:SS,MMM [http-nio-8008-exec-1] ERROR spe.authentication.security.CustomLdapAuthenticationProvider:130 - CustomLdapAuthenticationProvider - authentication failed due to invalid credentials. Exception: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: <Server Name>:<Port> [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching <Server Name> found.]]

Environment

Protection Engine 9.x

Cause

Certificate verification has failed. This is typically caused by neither the certificate's common name nor any of its subject alternative names matching the LDAP or AD server hostname or IP address that the console uses.

Resolution

Resolve the issue causing certificate verification to fail. If the certificate cannot be updated, the following workaround can be applied.
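The check behind the error, as an added example that is not part of this article or of the SPE product: a Python script applying the RFC 6125 subject alternative name rule (approximately what the Java TLS client does) so you can confirm which name is missing from the LDAP or AD server certificate before choosing between reissuing the certificate and disabling SAN validation. The SAN entries and hostnames in it are constructed; peer_san() assumes the LDAPS port is reachable from the machine running the script.

```python
import ipaddress
import socket
import ssl


def _dns_match(pattern, hostname):
    """dNSName comparison: case-insensitive, '*' only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    # The wildcard stands for exactly one label, and at least two labels must remain.
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def san_matches(server_name, san):
    """Check server_name against a getpeercert()-style subjectAltName tuple such as
    (('DNS', 'dc01.corp.example'), ('IP Address', '10.0.0.5')). Returns (matched,
    explanation). The certificate CN is deliberately not consulted."""
    try:
        ip = ipaddress.ip_address(server_name)
    except ValueError:
        ip = None
    if ip is not None:  # console configured with an IP: only iPAddress entries count
        ips = [v for t, v in san if t == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ips):
            return True, f"iPAddress entry matches {server_name}"
        return False, f"no iPAddress entry matches {server_name} (present: {ips})"
    names = [v for t, v in san if t == "DNS"]
    if any(_dns_match(n, server_name) for n in names):
        return True, f"dNSName entry matches {server_name}"
    return False, f"no dNSName entry matches {server_name} (present: {names})"


def peer_san(host, port=636):
    """Fetch the LDAPS server's SAN with chain validation on but hostname checking off,
    so a name mismatch is told apart from an untrusted issuer. Uses the local OS trust
    store, which may differ from the JVM trust store the SPE REST API uses."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subjectAltName", ())


if __name__ == "__main__":
    # Constructed SAN resembling a domain controller certificate (not from the article).
    sample_san = (("DNS", "dc01.corp.example"), ("DNS", "corp.example"))
    for name in ("dc01.corp.example", "DC01.corp.example", "10.0.0.5", "dc01"):
        print(name, san_matches(name, sample_san))
```

Run `san_matches(server_name, peer_san(server_name))` with the exact name the console has for the LDAP server; a false result with the present entries listed shows which name the certificate would need.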

Workaround

A setting can be added to the #LDAP Configuration section of application.properties on an SPE server to work around this issue.

  1. Navigate to the folder:
    • Windows: C:\Program Files\Symantec\Scan Engine\RestAPI
    • Linux: /opt/SYMCScan/RestAPI
  2. Edit application.properties.
  3. Locate the #LDAP Configuration section.
  4. Add the line "sperestapi.ldap.certificate.validation.san.disable.property.value=true" (without the quotes).
  5. Save application.properties.
  6. Restart the SPE REST API service:
    1. Windows: In Services Manager, restart the Symantec Protection Engine Rest API service.
    2. Linux: /etc/init.d/symcrestapiservice restart

Then try adding the SPE server again to the console.

Additional Information

Guide to configuring Protection Engine 9.x to communicate via secure LDAP port 636
https://knowledge.broadcom.com/external/article/281083/guide-to-configuring-protection-engine-9.html

Troubleshooting AD and LDAP issues with the SPE Console and REST API Service
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/symantec-protection-engine/9-2-0/SPE-REST-APIs/troubleshooting-ad-ldap-issues-with-console-api.html