Unable to open the Symantec Mail Security for Microsoft Exchange console on Windows 2008 or earlier server in a domain containing a Windows 2012 Domain Controller.


Article ID: 157651


Products

Mail Security for Microsoft Exchange

Issue/Introduction

When attempting to open the Symantec Mail Security for Microsoft Exchange (SMSMSE) console on a Windows 2008 or earlier server, when there is a Windows 2012 Domain Controller in the environment, you receive the following error:

"You either have insufficient permissions to access this application or your user credentials are not refreshed."


Cause

Running SecurityCheck.exe from http://www.symantec.com/docs/TECH84031 produces the following error:

Group XX 
group.Value: S-1-18-1 
Conversion valid: True 
iex.Message: Some or all identity references could not be translated. 
iex.UnmappedIdentities.Count: 1 
Unmapped identity SID: S-1-18-1 
Error encountered while performing test: Object reference not set to an instance of an object.

The SID S-1-18-1 is only supported in a Windows 2012 environment; it cannot be resolved to an NT name on a Windows 2008 server. This causes the SMSMSE console to fail to authenticate successfully.

According to http://msdn.microsoft.com/en-ca/library/cc980032.aspx and http://msdn.microsoft.com/en-ca/library/11e1608c-6169-4fbc-9c33-373fc9b224f4#id24, SID S-1-18-1 (SERVICE_ASSERTED_IDENTITY) is "a SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials" and it "is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7 (All), and Windows Server 2008 R2 (Standard, Foundation, Enterprise, Datacenter, or Itanium-based Systems). In Windows Server 2012, only Kerberos KDCs provide this SID for protocol transition (S4U2Self) based service tickets."
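To confirm this cause on an affected server without SecurityCheck.exe, the following added PowerShell example (not Symantec's code) translates the group SIDs in the current user's token to NT account names, first all at once so that one unmapped SID fails the whole call, then one SID at a time so the unresolved entry is listed. The helper name Get-NotMappedException is hypothetical; the script assumes PowerShell 2.0 or later and uses only .NET System.Security.Principal types.

```powershell
# Added diagnostic sketch, not Symantec's SecurityCheck.exe.
# Run it as the account that opens the SMSMSE console.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$ntAccount = [System.Security.Principal.NTAccount]

# Hypothetical helper: PowerShell may wrap .NET exceptions, so walk the chain
# until an IdentityNotMappedException is found (or the chain ends with $null).
function Get-NotMappedException($exception) {
    while ($exception -and
           $exception -isnot [System.Security.Principal.IdentityNotMappedException]) {
        $exception = $exception.InnerException
    }
    return $exception
}

# Strict: forceSuccess = $true fails the whole call if any one SID is unmapped.
try {
    [void]$identity.Groups.Translate($ntAccount, $true)
    Write-Output "Strict translation: all group SIDs resolved."
}
catch {
    $iex = Get-NotMappedException $_.Exception
    if (-not $iex) { throw }   # some other failure; do not hide it
    Write-Output "Strict translation failed: $($iex.Message)"
    Write-Output "Unmapped identities: $($iex.UnmappedIdentities.Count)"
}

# Tolerant: translate each SID on its own and keep going past failures.
$report = foreach ($sid in $identity.Groups) {
    $name = $null
    try { $name = $sid.Translate($ntAccount).Value }
    catch { if (-not (Get-NotMappedException $_.Exception)) { throw } }
    New-Object PSObject -Property @{
        Sid = $sid.Value; Name = $name; Resolved = ($null -ne $name)
    }
}

# Unresolved SIDs sort first; on an affected server expect S-1-18-1 here.
$report | Sort-Object Resolved | Format-Table Sid, Name, Resolved -AutoSize
```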

Resolution

There are two possible solutions to this error:

  1. Microsoft has released a patch that addresses this problem; see http://support.microsoft.com/kb/2830145 for details.
  2. SMSMSE 7.5.2 changed the method the SMSMSE console uses to authenticate, so it no longer requires all groups associated with a user token to be translated. Version 7.5.2 or later will not experience this error regardless of whether the patch has been applied.

Workaround

Install the SMSMSE console on a Windows 2012 server or a Windows 8 workstation and remotely administer SMSMSE.

 

 

Applies To

Windows 2012 Domain Controller.

Exchange/SMSMSE installed on a Windows 2008 or earlier server.