Unable to add Protection Engine to Console due to invalid credentials - Referral limit exceeded

Article ID: 391442

Products

  • Protection Engine for Cloud Services
  • Protection Engine for NAS

Issue/Introduction

When trying to add a Symantec Protection Engine (SPE) server to a Protection Engine Console using Directory Authentication, you receive the following error message:

Failed to add the following server(s):
<Server Name> Reason: Authentication failed due to invalid credentials.

However, the credentials are valid. More details can be found in SPE_REST_API.log, located at:

  • Windows: C:\Program Files\Symantec\Scan Engine\RestAPI\log
  • Linux: /opt/SYMCScan/RestAPI/log

YYYY-MM-DD HH:MM:SS,MMM [http-nio-8008-exec-1] ERROR spe.authentication.security.CustomLdapAuthenticationProvider:130 - CustomLdapAuthenticationProvider - authentication failed due to invalid credentials. Exception: org.springframework.ldap.LimitExceededException: Referral limit exceeded; nested exception is javax.naming.LimitExceededException: Referral limit exceeded [Root exception is com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 - 0000202B: RefErr: DSID-0310079D, data 0, 1 access points

Environment

SPE 9.x

Cause

An environmental issue in which Active Directory (AD) referrals are not occurring as expected.

Resolution

The following workaround can be implemented if the underlying environmental issue cannot be addressed.

To work around the issue, modify the settings in the #LDAP Configuration section of application.properties on the SPE server as follows:

  1. Navigate to the folder:
    • Windows: C:\Program Files\Symantec\Scan Engine\RestAPI
    • Linux: /opt/SYMCScan/RestAPI
  2. Edit application.properties.
  3. Locate the #LDAP Configuration section.
  4. Add the two lines:
    • "sperestapi.ldap.followreferrals.enabled=false" (no quotes)
    • "sperestapi.ldap.ignorepartialresult.enabled=true" (no quotes)
  5. Save the file.
  6. Restart the SPE Rest API Services:
    • Windows: In Services Manager, restart Symantec Protection Engine Rest API service
    • Linux: /etc/init.d/symcrestapiservice restart


Then try adding the SPE server again to the console.
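
The check-then-edit flow for steps 1 to 5 on Linux, as an added example that is not part of the original article or the vendor's tooling: it confirms the "Referral limit exceeded" entry in SPE_REST_API.log before touching the file, keeps a one-time backup, and sets the two properties without duplicating keys. The function names and the exact form of the section header line are assumptions.

```sh
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical; the log
# message, property keys and paths are the ones given in the article.

# Succeeds only if the REST API log contains the referral failure shown above.
spe_log_has_referral_error() {
    grep -qF 'LimitExceededException: Referral limit exceeded' "$1"
}

# Set key=value in a properties file without creating duplicates.
spe_set_property() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    if awk -v k="$key" 'index($0, k "=") == 1 { f = 1 } END { exit !f }' "$file"; then
        # Key already present: rewrite its value in place.
        awk -v k="$key" -v v="$value" \
            'index($0, k "=") == 1 { print k "=" v; next } { print }' "$file" > "$tmp"
    elif grep -q '^# *LDAP Configuration' "$file"; then
        # Key absent: add it directly under the section header (assumed to be
        # a comment line beginning "#LDAP Configuration").
        awk -v k="$key" -v v="$value" \
            '{ print } /^# *LDAP Configuration/ && !done { print k "=" v; done = 1 }' \
            "$file" > "$tmp"
    else
        # No header found: append at the end of the file.
        { cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp"
    fi
    # Overwrite in place (rather than mv) so owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Apply steps 1-5 only when the log confirms this article's error.
spe_apply_referral_workaround() {
    props=$1; log=$2
    if ! spe_log_has_referral_error "$log"; then
        echo "no 'Referral limit exceeded' in $log; leaving $props unchanged" >&2
        return 2
    fi
    [ -e "$props.bak" ] || cp -p "$props" "$props.bak" || return 1  # keep first backup
    spe_set_property "$props" sperestapi.ldap.followreferrals.enabled false &&
        spe_set_property "$props" sperestapi.ldap.ignorepartialresult.enabled true
}

# Linux usage (run as root, then restart the service as in step 6):
#   spe_apply_referral_workaround /opt/SYMCScan/RestAPI/application.properties \
#       /opt/SYMCScan/RestAPI/log/SPE_REST_API.log
```

The original file is kept as application.properties.bak, so the change can be reverted once the underlying referral issue in the directory is fixed.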

 

Additional Information

Guide to configuring Protection Engine 9.x to communicate via secure LDAP port 636
https://knowledge.broadcom.com/external/article/281083/guide-to-configuring-protection-engine-9.html

Troubleshooting AD and LDAP issues with the SPE Console and REST API Service
https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/symantec-protection-engine/9-2-0/SPE-REST-APIs/troubleshooting-ad-ldap-issues-with-console-api.html