Unable to open the Symantec Mail Security for Microsoft Exchange console on Windows 2008 or earlier server in a domain containing a Windows 2012 Domain Controller.

Article:TECH202495  |  Created: 2013-02-05  |  Updated: 2014-12-30  |  Article URL http://www.symantec.com/docs/TECH202495
Article Type
Technical Solution


Issue



When you attempt to open the Symantec Mail Security for Microsoft Exchange (SMSMSE) console on a Windows 2008 or earlier server in an environment that contains a Windows 2012 Domain Controller, you receive the following error:

"You either have insufficient permissions to access this application or your user credentials are not refreshed."


Error



 "You either have insufficient permissions to access this application or your user credentials are not refreshed."


Environment



Windows 2012 Domain Controller.

Exchange/SMSMSE installed on a Windows 2008 or earlier server.
 


Cause



Running SecurityCheck.exe (available from http://www.symantec.com/docs/TECH84031) produces the following error:

Group XX 
group.Value: S-1-18-1 
Conversion valid: True 
iex.Message: Some or all identity references could not be translated. 
iex.UnmappedIdentities.Count: 1 
Unmapped identity SID: S-1-18-1 
Error encountered while performing test: Object reference not set to an instance of an object.

The SID S-1-18-1 is only supported in a Windows 2012 environment; it cannot be resolved to an NT name on a Windows 2008 server. This causes the SMSMSE console to fail to authenticate successfully.

According to http://msdn.microsoft.com/en-ca/library/cc980032.aspx and http://msdn.microsoft.com/en-ca/library/11e1608c-6169-4fbc-9c33-373fc9b224f4#id24 , SID S-1-18-1 (SERVICE_ASSERTED_IDENTITY) is "a SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials" and it "is not supported in Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7 (All), and Windows Server 2008 R2 (Standard, Foundation, Enterprise, Datacenter, or Itanium-based Systems). In Windows Server 2012, only Kerberos KDCs provide this SID for protocol transition (S4U2Self) based service tickets."
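
The following PowerShell sketch is an added example, not Symantec's SecurityCheck.exe or SMSMSE code. It translates each group SID in the current logon token to an NT account name one at a time, so an unmappable SID such as S-1-18-1 is reported instead of aborting the whole check. The function name Test-SidTranslation and its output property names are hypothetical.

```powershell
# Added diagnostic sketch. Test-SidTranslation and its output properties
# (Sid, Account, Mapped, Detail) are hypothetical names chosen for this example.
function Test-SidTranslation {
    param(
        # SIDs to check; defaults to the group SIDs in the current user's token.
        [System.Security.Principal.SecurityIdentifier[]]$Sid =
            @([System.Security.Principal.WindowsIdentity]::GetCurrent().Groups)
    )
    foreach ($s in $Sid) {
        $row = New-Object PSObject -Property @{
            Sid = $s.Value; Account = $null; Mapped = $false; Detail = $null
        }
        try {
            # Same SID-to-NT-name translation that fails in the output above.
            $row.Account = $s.Translate([System.Security.Principal.NTAccount]).Value
            $row.Mapped  = $true
        }
        catch {
            # PowerShell may wrap the .NET exception; inspect the root cause.
            $ex = $_.Exception.GetBaseException()
            if ($ex -isnot [System.Security.Principal.IdentityNotMappedException]) {
                throw   # unrelated failure: do not hide it
            }
            # "Some or all identity references could not be translated."
            $row.Detail = $ex.Message
        }
        # Emit one row per SID with a stable column order.
        $row | Select-Object Sid, Account, Mapped, Detail
    }
}

# List only the SIDs in the current token that this server cannot resolve.
Test-SidTranslation | Where-Object { -not $_.Mapped }

# Check the SID named in this article directly.
Test-SidTranslation -Sid 'S-1-18-1'
```

Run it in the security context of the account that opens the console. A row with Mapped set to False for S-1-18-1 corresponds to the "Unmapped identity SID" line in the SecurityCheck.exe output above.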


Solution



Microsoft has released a patch that addresses this problem; see http://support.microsoft.com/kb/2830145 for details.

The authentication code in SMSMSE versions 7.0.3 and 7.5.0 has been changed so that this problem will no longer cause authentication to fail.

Workaround

Install the SMSMSE console on a Windows 2012 server or a Windows 8 workstation and remotely administer SMSMSE.

 


Supplemental Materials

Source: ETrack
Value: 3070314


