Vscan server disconnect due to Kerberos pre-authentication failure

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 206

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: nas

Last Updated:

Applies to

ONTAP 9
VSCAN
ONTAP AV Connector

Issue

VSCAN server is in disconnected status as the machine account on the domain-tunnel server has failed to authenticate to the domain server.

Cluster1::> vserver vscan connection-status show-all -vserver <vserver-name> Connection Vserver Node Server Status Disconnect Reason ----------- ----------------- --------------- -------------- -----------------

DataSVM node1 10.x.y.z disconnected -

ONTAP AV connector polls cluster management LIF via domain user
AVShim log:
- REST API call to 10.231.x.y> using account " domain1\user1" failed. The remote server returned an error: (401) Unauthorized.
EMS log from domain tunnel vserver:
- Mon Jun 02 13:28:34 -0500 [vserver-name: secd: secd.kerberos.preauth:error]: A Kerberos pre-authentication failure occurred for SVM "domain-tunnel-vserver" due to invalid credentials for domain-tunnel-vserver$@domain.com.
- Mon Jun 02 21:35:52 -0500 [vserver-name: secd: secd.kerberos.preauth:error]: A Kerberos pre-authentication failure occurred for SVM "domain-tunnel-server" due to out-of-sync machine account password.
- Sun Jun 22 04:36:43 -0500 [hz-com-clsp-a04-s03: OffboxVScanTableUpd: Nblade.scannerDisconnected:notice]: Vserver "cpsprod-a0439" disconnected from Vscan server (IP: 10.x.y.z).