Endpoint Protection


SEP Console Authentication Problem

  • 1.  SEP Console Authentication Problem

    Posted Aug 30, 2010 08:35 AM
    Hi there,

    I've configured SEPM so that users can log on with domain accounts...

    Suddenly a problem occurred when using domain authentication: when a user was trying to log in,

    an "Authentication Failure.  Please try again." window was appearing....

    Then I created a user which could log in without domain authentication...

    It worked for several days and then the same error messages....

    My questions are:
    1. Where are the logs kept?
    2. What may be the reason for this issue?


  • 2.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 08:38 AM

    The user that you are referring to, is that a SEPM user or a user created in the domain?

    If the user is created in Windows, do you have a password policy where the password expires after a duration?



  • 3.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 08:41 AM
    1. While using Domain authentication, did the password for the user change in your AD? Check if that might have happened. As for the user without Domain authentication failing to authenticate, the password expires every 60 days by default.

    For that user, you can set the password to never expire. See screenshot.


  • 4.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 08:41 AM


  • 5.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 08:55 AM
    This user with which I'm trying to log in to the SEPM Console is a domain account.

    You mean the password policy in the SEPM Console?


  • 6.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 08:56 AM
    Yes, but this is in the case of an account created in SEPM....
    What about domain authentication?


  • 7.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 09:02 AM
    The password for that domain user must have changed.... is it?


  • 8.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 09:04 AM
    Can you log into the server (SEPM) with the local credentials,
    the default ADMIN account you created with the installation of the server?

    Next verify the settings, that VISHAL has posted above and ensure that the server name for authentication is correct. 

    * * * * * *
    You can open a command prompt and type:
    SET | more

    This will display an output for you in which you will see a line that says:

    LOGONSERVER=\\[domain controller]
    * * * * * * *

    Ensure they are correctly configured and that no one has moved the FSMO roles from, say, "Active Directory Controller 1" as defined in this list to "Active Directory Controller 2".

    If the server (the Active Directory controller) is unable to authenticate your users, you will constantly have this problem...


  • 9.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 10:19 AM
    Yes, I can log on with local credentials (I mean the default Admin account)....


  • 10.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 10:23 AM
    You are authenticating to the proper server for "Directory Authentication"?
    It is set up correctly?


  • 11.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 10:24 AM

    I do not see any other reason for you to get the Authentication failure message while logging in from a domain account, other than its password, in your AD, being changed.......



  • 12.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 10:28 AM

    I think you might have two domains in your SEPM (this domain is different from your AD domain).
    If you have created a limited admin in SEPM wrt a domain, then you need to put the domain name in the login console:
    open the SEPM console
    put in ID and password
    under domain select the domain where the admin account exists



  • 13.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 11:03 AM
    Rafeeq,

    In SEPM I have a default domain (named Default).
    My AD domain name is, for example, abc.com...

    I've added 2 users who have to administer the SEPM console....
    and when they're trying to log in with domain authentication, an error message is thrown...

    Should I create a domain named abc.com?


  • 14.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 11:23 AM
    No, you don't need to create a domain named abc.com...

    The users you configured, are they system administrators, administrators, or limited administrators?

    If they are limited administrators, then while logging into SEPM, please type the domain also, as Default (case sensitive)


  • 15.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 11:35 AM

    vishal,

    I created 1 system administrator account and one limited administrator


    With SEP authentication everything's fine

    but with domain authentication - fail..


    This issue makes me nervous



  • 16.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 11:47 AM
    Just to clarify:

    You created a system administrator and a limited administrator, both using SEPM authentication.
    Then you also created another system administrator and another limited administrator, with Directory server authentication.

    The accounts with SEPM authentication work, but the ones with SEPM authentications do not..

    Kindly confirm..


  • 17.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 11:49 AM
    Do those accounts exist in your AD? The ones you are trying to authenticate,
    those should be existing AD accounts...


  • 18.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 11:53 AM
    Kindly make sure that the user name and the account name are the same when you configure the administrator account in SEPM with directory server auth.

    See below:



  • 19.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 12:33 PM
    Hi folks,

    If you're not familiar with this particular contest, please take a look here:
    https://www-secure.symantec.com/connect/blogs/security-solutions-contest-be-king-week

    If you can solve this thread, among the others included for this week, you can be crowned "King for a week" and win a prize.

    So, do your research, post your best comment as a possible solution, and you could win!

    Eric


  • 20.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 12:51 PM
    When logging into SEPM you need to put in the Username, Password and select your Domain (abc.com from the scroll down)


  • 21.  RE: SEP Console Authentication Problem
    Best Answer

    Posted Aug 30, 2010 12:54 PM
    This may seem redundant...
    But I did not see the answer to this anywhere.
    What version of Windows is the SEPM server?
    What version of Windows is the Authenticating Server (Active Directory controller)?

    FOR LDAP AUTHENTICATION:
    Do you have a firewall (Windows Firewall maybe) enabled on the authentication server?
    Can you, from a command prompt:
    Telnet [authentication server_name] 389

    389 at the end represents the LDAP port number.  If the port is blocked, or if LDAP is incorrectly set up, you will not be able to authenticate your clients.
    * * * * * * *
    FOR ACTIVE DIRECTORY AUTHENTICATION:
      • TCP 135 : MS-RPC
      • TCP 1025 & 1026 : AD Login & replication
      • TCP 389 : LDAP
      • TCP & UDP 53 : DNS
      • TCP 445 : SMB, Microsoft-ds
      • TCP 139 : SMB
      • UDP 137 & 138 : NetBIOS related
      • UDP 88 : Kerberos v5
    * * * * * * * * * * *
    Have you tried connecting to the SEPM through the web console, to see if the users are able to log in through that?

    Lastly, and just to make sure, the accounts are not locked out?  Are the accounts being locked after several attempts to login? 
    If they are not being locked out, this could be a sign that SEPM is not communicating (passing the credentials) to the server.
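
The checks suggested in posts 8, 21 and 24, as an added PowerShell example that is not from any poster or from Symantec: it prints LOGONSERVER for comparison with the directory server configured in SEPM and tries a TCP connection to each TCP port in the list above. `dc01.example.local` is a placeholder, and the UDP entries are left out because a TCP connect cannot test them.

```powershell
# Added example, not from the thread. Run it on the SEPM server.
# 'dc01.example.local' is a placeholder for the directory server configured in SEPM.
$DirectoryServer = 'dc01.example.local'
$TimeoutMs       = 2000

# TCP entries from the port list in the post above.
# On Server 2008 and later the default RPC dynamic range starts at 49152,
# so 1025/1026 can legitimately show as refused there.
$TcpPorts = @(
    @{ Port = 135;  Service = 'MS-RPC' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 445;  Service = 'SMB / Microsoft-ds' },
    @{ Port = 139;  Service = 'SMB' },
    @{ Port = 1025; Service = 'AD login & replication' },
    @{ Port = 1026; Service = 'AD login & replication' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a silently dropped SYN does not hang the script.
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'No answer (filtered or host down)'
        }
        $client.EndConnect($pending)   # throws if the connection was refused
        return 'Open'
    }
    catch {
        return 'Refused or name not resolved'
    }
    finally {
        $client.Close()
    }
}

# LOGONSERVER is the domain controller that authenticated this logon session.
"LOGONSERVER for this session : $env:LOGONSERVER"
"Directory server under test  : $DirectoryServer"

$results = foreach ($entry in $TcpPorts) {
    New-Object PSObject -Property @{
        Port    = $entry.Port
        Service = $entry.Service
        Result  = Test-TcpPort -ComputerName $DirectoryServer -Port $entry.Port -TimeoutMs $TimeoutMs
    }
}
$results | Format-Table Port, Service, Result -AutoSize
```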


  • 22.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 01:23 PM
    Here, changed setup in test environment.

    Did exactly as the document:
    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/05224c9dda7f295eca25742e0018cf01?OpenDocument

    And lo and behold.  Authentication failure.

    I know my accounts are good.  I know I can authenticate to my servers.

    Receive the following error.

    Constantine, can you confirm that you receive this error as well??

    LDAP error...


  • 23.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 02:04 PM
    In case of domain authentication, user will change his password in AD, then the SEPM will synchronize with AD again and update the password for that user from AD.

    Aniket


  • 24.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 02:04 PM
    I changed my authenticating server and no more Authentication Failures.

    I did a CMD
    Set
    and changed the settings in SEPM to match those of the:

    LOGONSERVER=\\SERVERNAME

    And now authentication works.

    My problem was SEPM server needed to be restarted because it was still querying the incorrect logonserver.


  • 25.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 02:09 PM

    When the users try to login, please post the scm-ui.log log in %temp%.

    Can you post the entire tomcat\logs folder as a ZIP file?

    Aniket
     



  • 26.  RE: SEP Console Authentication Problem



  • 27.  RE: SEP Console Authentication Problem

    Posted Aug 30, 2010 11:59 PM

    Have you changed the Directory Server under Admin\Servers? As in, earlier there was a different server and now you have a different server. If yes, then the issue may be occurring as we need both sections to be changed in order for SEPM to properly access the Directory Server for using synchronized Administrator Accounts.

    Steps that you need to try

    Login to SEPM
    Go to Admin-->Servers and click on the SEPM server.
    Click on Edit Server Properties.
    In the Server Properties click on the Directory Servers tab.
    Edit the old Directory Server to point to the new Directory Server.
    Click OK.

    Now go to Admin-->Administrators.
    Click on the Administrator you wish to edit.
    Click on Edit Administrator Properties.
    Go to the Authentication tab.
    Specify the correct Directory Server for this account to reference.



  • 28.  RE: SEP Console Authentication Problem

    Posted Aug 31, 2010 01:06 AM
    Use the user name as domain name\user and try.....


  • 29.  RE: SEP Console Authentication Problem

    Posted Aug 31, 2010 01:39 AM

    It seems that you have special symbols in the domain account password (for example $, % @);
    that is why you cannot log in to the console


  • 30.  RE: SEP Console Authentication Problem

    Posted Aug 31, 2010 01:50 AM
    Yes Jason,
    I do.

    I receive the same error


  • 31.  RE: SEP Console Authentication Problem

    Posted Aug 31, 2010 01:58 AM

    Click on Admin, Servers and highlight the entry for the SEPM server.  Choose to Edit Server Properties.  Click Directory Servers, Edit, and supply a User name and password that are currently valid.


  • 32.  RE: SEP Console Authentication Problem

    Posted Aug 31, 2010 02:00 AM

    Can you please paste the scm-server-1.log:


  • 33.  RE: SEP Console Authentication Problem

    Posted Aug 31, 2010 02:33 AM
    Maybe the Domain Controller policies are overridden by the SEPM policies, so please check the common policy of the Local Domain Controller Policies as well.


  • 34.  RE: SEP Console Authentication Problem

    Posted Aug 31, 2010 05:58 AM

    Also remember that in SEPM both user name and password are case sensitive...


  • 35.  RE: SEP Console Authentication Problem

    Posted Aug 31, 2010 10:46 AM
    Hi folks,

    Although many users may be experiencing something "similar" to Constantine's issue, as you guys are trying to solve this thread, let's stick to Constantine's initial posting.  If there are others who have the same, or similar issue, please continue to watch this thread as it hopefully gets solved.  If, after a few days it's not solved, I'd like to suggest posting a new thread with whatever problem you are having, and refer to this thread as additional information, or link to a particular post here to provide more information.

    Thanks for understanding!  When we focus on one question/issue at a time, it helps everyone in the long run.

    Best,

    Eric


  • 36.  RE: SEP Console Authentication Problem

    Posted Aug 31, 2010 10:58 AM
    Have you tried changing from AD authentication to LDAP authentication?

    Where value of LDAPBaseDN is:
    For company named example.mycompany.com

    DC=example,DC=mycompany,DC=com

    Or if it does not want to take that, could be asking for:

    CN=users,DC=example,DC=mycompany,DC=com 

    If that's where your user base is located and has not moved.


  • 37.  RE: SEP Console Authentication Problem

    Posted Aug 31, 2010 06:06 PM
    Thanks Hear4U for the support,

    I'll try to describe my issue with Domain Authentication in the SEPM Console.

    My SEPM Console (11.0.6) is running on Windows 2008 R2 Standard edition with the embedded database.

    The first time, I created users in the SEPM Console and tried to access it with SEP Authentication. I did it with success.
    I also tried setting weak passwords and complex passwords as well.

    One of the replies was about special symbols. Maybe this was a problem accessing SEPM via web.. and if that is the right argument, this would be a bug in the SEPM Console.

    I'm using the IE8 web browser to access the web interface.

    In Active Directory, I created a new account, also added it in the SEP console and tried to access the SEPM console via web. I set a weak password.
    I logged in successfully.
    I set the synchronization time to one hour. After a successful logon, I changed the password of this account and tried to log in again... an "Authentication failure" error occurred (don't know why). During this time I can import any organizational unit from the domain.

    There is also a problem when I'm trying to add my domain account in the SEPM console to access it with Domain Authentication. The error message was the same: Authentication failed. And after several invalid logons the account is locked.

    There was one screenshot of this error; Jason posted it. It is the same for me.

    I don't know what the cause of this problem is.

    Thanks in advance.


  • 38.  RE: SEP Console Authentication Problem

    Posted Aug 31, 2010 06:25 PM

    What if you access SEPM locally; does that authenticate you?
    You were able to log in to SEPM using AD authentication; it was only after the password change that you were not able to log in (not sure where you changed it). So the AD authentication actually worked in your case.. It's confusing for me :)
     



  • 39.  RE: SEP Console Authentication Problem

    Posted Aug 31, 2010 11:00 PM
    Please paste the scm server 0.log


  • 40.  RE: SEP Console Authentication Problem

    Posted Sep 01, 2010 12:18 AM
    Are both the old and new passwords throwing the Authentication failed error?


  • 41.  RE: SEP Console Authentication Problem

    Posted Sep 01, 2010 01:53 AM
    Constantine,

    Make sure your 2008 server's locale settings are all English(USA). Does this help?

    Did you change the active directory user's password on the active directory?



  • 42.  RE: SEP Console Authentication Problem

    Posted Sep 01, 2010 02:45 AM

    Are you following these steps  ???
     
    1. Create user account in Active Directory to redirect the authentication.

    2. Set the local workstation name and SEPM machine name as the property of "The following computers" instead of "All computers".
    "Active Directory Users and Computers" > User's properties > Account tab > "Log On To...".

    3. Set the IP address to sync AD server.

    4. Create a new admin account in SEPM.

    5. Set the synchronized AD account.

    6. Log on with created admin account.

    7. Authentication failure.


  • 43.  RE: SEP Console Authentication Problem

    Posted Sep 01, 2010 02:48 AM
    Rafeeq,
    With the newly created user I can authenticate locally and from the web interface as well.
    But there is a problem with older users, which I'm adding in SEPM and then trying to access from the web console (domain authentication) and also locally on the SEPM machine.


    Prachand,
    I've sent you the output in a PM.


    Bekir,
    Locale settings are set to English (USA)


    AravindKM,
    The user which I created and set a simple password for authenticated well. Then I changed the password, and it could not authenticate with the new password (I think it's because of synchronization). When I tried to enter the old password, it passed me to the SEPM console.




  • 44.  RE: SEP Console Authentication Problem

    Posted Sep 01, 2010 03:11 AM

    We have to be missing a spot here. There is nothing different for newly created AD users or old ones. Same AD authentication is done every single time.


  • 45.  RE: SEP Console Authentication Problem

    Posted Sep 01, 2010 04:07 AM


    Constantine,

    I've tested this in my environment. I've synced my RU6 SEP Manager with my AD server (it was never synced before).
    I created a new administration user following the attached screens.
    The initial password of the user was 123456, I changed it to 1234567, then to 12345678 and then to Symc4now!
    I tried logging in for each password change and I was successful every time.

    Another point I came across is that I can log in with the first previous password as well. In other words, when I changed the password to Symc4now! the previous password which was 12345678 was working as well. But not 1234567. I don't know what this is but it shouldn't be relevant to your issue. It might be another bug or functioning as designed, I don't know.


    Check out the attached screenshot....

    In my setup, while I'm logging on to the SEPM, I enter "newuser" as the user name and password of the "seetest" user account of the active directory. And do not change the domain section of the logon screen because this is about the SEP domains.
    You'll need to change the inputs according to your settings...

    That's all.

    Let us know :D
    and I login like this:




  • 46.  RE: SEP Console Authentication Problem

    Posted Sep 01, 2010 04:52 AM

    trying to post solution again

    this is a part of installation guide


    The name can be a combination of alphanumeric values
    and the special characters ~#%_+=|:./. The special
    characters `!@$^&*()-{}[]\\<;>,? are not allowed.


  • 47.  RE: SEP Console Authentication Problem

    Posted Sep 01, 2010 07:21 AM
    Viachaslau,
    can you tell me the exact pages in the administration guide manual where it is written that special characters are not allowed?


  • 48.  RE: SEP Console Authentication Problem

    Posted Sep 01, 2010 08:10 AM

    I was talking about the installation guide,
    page number 72.
    I had the same problem with domain accounts;
    when I changed the password (without disallowed characters) it began to work


  • 49.  RE: SEP Console Authentication Problem

    Posted Sep 01, 2010 08:15 AM

    Just try entering special characters in the SEPM login screen; are you able to type them? Do they get printed? Maybe they do not get printed and you are getting the authentication problem.
     



  • 50.  RE: SEP Console Authentication Problem



  • 51.  RE: SEP Console Authentication Problem

    Posted Sep 04, 2010 04:01 PM
    Thanks for the response, Viachaslau,

    I've read this page and it really is written there that special characters are not allowed, but in the case of SQL Server database settings...

    And also, when a user is trying to log on to SEPM via Directory Service Authentication, how will SEPM know that there are special symbols? These passwords are not stored somewhere....



  • 53.  RE: SEP Console Authentication Problem

    Posted Sep 05, 2010 04:06 AM

    It doesn't know, it's just the Java interface that does not accept some characters into that box. That's all. It's probably just a limitation of the programming language.


  • 54.  RE: SEP Console Authentication Problem

    Posted Sep 08, 2010 07:39 AM
    Hi all,
    I apologise for the late response...

    At last I solved this damn problem.

    When I began to troubleshoot, I discovered that the service account for SEPM was somehow locked.
    I unlocked this account and increased the invalid logon attempts (so it does not lock every time)...
    I reconfigured all the configuration for logging in from the web via Domain Authentication and it worked fine.
    I also set synchronization with directory services in SEPM to happen every 1 hour.

    After all, it helped me... :)

    I also made 100% sure that there is no limitation on special symbols in the password....
    Works fine...


    Thank you guys for the help
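
Post 54 traces the failure to a locked-out service account. As an added example (not from the thread or from Symantec), this PowerShell reads the lockout state of such an account and lists recent lockout events with the computer that triggered them. `svc-sepm` is a placeholder name; the ActiveDirectory module (RSAT) and read access to the Security log on the PDC emulator are assumed.

```powershell
# Added example, not from the thread.
# 'svc-sepm' is a placeholder for the account SEPM uses to bind to the directory.
Import-Module ActiveDirectory

$Account  = 'svc-sepm'
$LookBack = (Get-Date).AddDays(-7)

# 1. Current lockout state and bad-password counters.
#    BadLogonCount is not replicated, so the value is per domain controller.
Get-ADUser -Identity $Account -Properties LockedOut, AccountLockoutTime,
        BadLogonCount, LastBadPasswordAttempt, PasswordLastSet |
    Format-List SamAccountName, LockedOut, AccountLockoutTime,
        BadLogonCount, LastBadPasswordAttempt, PasswordLastSet

# 2. Lockout events (Security event ID 4740) are recorded on the PDC emulator.
#    Properties[0] is the locked account, Properties[1] the caller computer,
#    i.e. the machine that kept presenting the bad password.
$Pdc = (Get-ADDomain).PDCEmulator
$Lockouts = Get-WinEvent -ComputerName $Pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $LookBack
}

if ($Lockouts) {
    $Lockouts |
        Where-Object { $_.Properties[0].Value -eq $Account } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time           = $_.TimeCreated
                Account        = $_.Properties[0].Value
                CallerComputer = $_.Properties[1].Value
            }
        } |
        Sort-Object Time -Descending |
        Format-Table Time, Account, CallerComputer -AutoSize
}
else {
    "No 4740 events found on $Pdc since $LookBack (or the Security log could not be read)."
}
```

If the caller computer is the SEPM server, the directory server credentials stored under Admin > Servers > Edit Server Properties > Directory Servers (post 31) are the first thing to re-enter.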