Arctera Enterprise Vault™ Insight Surveillance Installation Guide
- Introducing Insight Surveillance
- Preparing to install Insight Surveillance
- Configuration options for Insight Surveillance
- Prerequisites for Arctera Insight Surveillance
- Security requirements for temporary folders
- Configuring Intelligent Review API Authentication and Authorization
- Installing Insight Surveillance
- Installing the Insight Surveillance server software
- Configuring Insight Surveillance for use in a SQL Server Always On environment
- Installing Insight Surveillance in a clustered environment
- Installing the Insight Surveillance server software
- Appendix A. Ports that Insight Surveillance uses
- Appendix B. Troubleshooting
- Appendix C. Installing and configuring the Enhanced Auditing feature
Error messages when the Intelligent Review (IR) API authentication and authorization fails
This is a Kerberos double hop error. This error appears if the Kerberos constrained trusted delegation is not set correctly between the Surveillance Server and the Surveillance Database Server.
To fix this error, perform the following steps:
Verify if the Surveillance Server is trusted for delegation.
Check if the installation setup/environment has Kerberos constrained trusted delegation is set properly. Verify the SQL Service Service Principal Names (SPNs) for correctness, duplication, and missing SPNs. Use the Kerberos Configuration Manager tool.
Verify if the Surveillance Server is using Fully Qualified Domain Name (FQDN) and not IP Addresses for connecting to the Surveillance Configuration and the customer databases. For configuration database, verify if the <install dir \Arctera Intelligent Review\IR.APIEndPoint \appsettings.json-> ConfigDBConnection key is using the FQDN and not IPAddress for connection string. For the customer database, verify if the configuration database->tblCustomer table for the 'Server' field for that customer is using FQDN and not IPAddress.
Verify if the SQL Server service account is a user, then that user is trusted for delegation, and various properties like the user is allowed for the delegation are set correctly.
Refer to the sample screen below.
To fix this issue, perform the following procedure:
- Create the correct SPNs. For example, If the SQL Service is running as a Vault Service account (VSA) user, create or check if proper SPNs exist for VSA.
- Create SPNs for the availability group listener as well as the actual SQL nodes.
- Enable the Surveillance Server to trust for delegation (only the listener). Refer to the sample image below.
Note:
Choose Add… while trusting for delegation and choose the SQL Service account (VSA) on which the SPNs are configured.
- Restart the Active Directory Domain service on the Domain Controller.
- Restart Internet Information Services (IIS) on the Surveillance Server.
- Call the Intelligent Review (IR) API directly or via Enterprise Vault. Refer to the sample image below.