Symantec Login

Evangeline Mellon

Aug 3, 2024, 5:49:13 PM
to ablegolfdenz

If you search the logs for the username and verify the timestamp, this should take you straight to the problem login.
Here we can see "Authentication failed", followed by the reason it failed: "could not find user with the name: jane.doe".

There are many reasons that this might fail; the most common would be a bad password or a locked-out account. In any case, this should always provide you with additional data about what went wrong with the login attempt.

Another possible reason for the failed authentication is related to the IP addresses in the krb5.ini (or krb5.conf) file. If the domain controllers (DCs) have been decommissioned and new DCs with new IP addresses replaced them, it is possible the information has not been changed in the krb5.ini file. This will cause authentication to fail.

- Stop all of the DLP Services
- Start the Notifier Service
- Start the Manager Service
- These are the only two services that are required in order to log in to the console. For now, leave the IncidentPersister and the DetectionServerController Server services off. They aren't necessary, and leaving them off prevents them from cluttering up the logs.
- Now pull up the "localhost..log" for that day.
Path to "localhost..log": C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\logs\tomcat
Filename: localhost.2022-02-02.log
- Scroll all the way to the bottom of the log to get to the most recent messages.
- Slowly scroll back up until you find the last error that was seen. Continue scrolling up to the top of that error message (note that error text is indented in, so it should be easy to spot).

In this case, we can see that I cannot connect to my database; continuing down the error message, we see that the listener can't identify the connect descriptor. In this case I had modified my jdbc.properties file to change the connection string, and I changed the connect descriptor from "protect" to "protect2", which doesn't exist. So when DLP attempts to reach out to the database, it can't identify the correct database to connect to and the connection is refused.

If you are unable to identify the root cause with either of these issues, please create a case with support and provide them with your full set of Enforce logs and the error message you identified so they can help review the information. Including the username and/or the approximate date/time of the issues is very useful for helping us narrow down what is going on in the logs.

Symantec Endpoint Encryption has a web portal for accessing recovery keys, reporting and other useful information. The method of login for default configurations is through Windows authentication via the Server Roles.

Another method that allows authentication in a more automatic way is via "One-Click". This lets you click a button to log in and signs you in automatically when you have already authenticated by other means. This article will describe the steps to do this.

The Symantec Endpoint Encryption Management Server Configuration Manager (SEEMS Configuration Manager) - Advanced Settings page lets you configure a custom URL for the Web Portal, but DNS must already be configured and resolving properly, and the TLS certificates must match, before you can use this. To find out the default URL for your server, look at "Section 1 of 3" in the Dashboard KB above. SEE Client Configuration considerations should also be reviewed, as they could cause unforeseen challenges. Consequently, choose to do this only if the default URL is not sufficient.

While configuring the URL, be sure to follow the syntax that is described in the beginning of this topic. Symantec Endpoint Encryption uses the configured URL and updates the hyperlink displayed on the SEE Help Desk snap-in page. However, configuring the URL does not configure DNS settings for the custom host name provided in the URL. So, before you configure the URL, be sure to configure the DNS settings appropriately and confirm that the URL is valid.

All Ports and URLs Match: The Web service used by clients for communication with Symantec Endpoint Encryption Management Server and web-based Help Desk Recovery console share the same port. So, the port number specified on the Web Server Configuration page and the Help Desk Recovery Configuration page must match. Be sure to use this (load balancer) URL when you generate the client installers.

TLS Certification Information: If you want to use TLS, then share the TLS certificate between the web service used by clients for communication with Symantec Endpoint Encryption Management Server and web-based Help Desk Recovery console. So, the hostname given in the web service URL (used by clients to communicate with the server) and the host name given in the custom URL for web-based Help Desk Recovery must be the same.

Load Balancers: If your infrastructure uses a load balancer to distribute client requests across a number of servers, then ensure that the URL that you customize in the Help Desk Recovery Configuration page matches the URL of the load balancer for the web-based Help Desk Recovery console.

Ultimately, it is easier to simply keep using the default URL that was configured initially for the SEE Management Server. This customized URL is not specific to the One-Click, but is on the same page, so for convenience, we list information on this topic here.

One-Click Login authentication - Uses Kerberos Authentication instead of the standard Windows Authentication that is available by default.
Once configured, a predefined ticket that contains user credentials removes the need for sign-in credentials.


Kerberos authentication Prerequisite setup tasks:

Item 1: Kerberos is a network authentication protocol that uses tickets to allow nodes communicating over a non-secure network to prove their identity to one another securely. For a help-desk administrator authenticating from their client browser to the Symantec Endpoint Encryption web-based Help Desk Recovery console, using Kerberos means using a single-click login, rather than a form-based (user/password) login.

Item 2: To enable Kerberos authentication, you must configure multiple settings using the Symantec Endpoint Encryption Management Server Configuration Manager (SEEMS Configuration Manager).

Note: Although you can set some of the server and database fields in the Symantec Endpoint Encryption Suite Installation Wizard, to access all configuration pages necessary for Kerberos, after Symantec Endpoint Encryption is installed, you will need to launch the SEEMS Configuration Manager application. In this example you can see the "About" page of the SEEMS Configuration Manager listed here:

Tip: It is critical to know the configuration of your working environment before making these changes. We highly recommend taking screenshots of any of the screens you use in your environment so you can revert back to the successful settings if needed.

When you check this box, you are indicating that the Service Principal Name has been customized (commands above were run successfully), changing the website settings.
After you save this website configuration, you must reset IIS.

Item 6: In the SEEMS Configuration Manager, click the plus sign next to Advanced Settings, then click on "Management Console", and check the box "Enable One-Click Sign In".
This will change the authentication method to use Kerberos for the SEE Management Server web console.

Item 7: Configure the supported client browsers to enable Kerberos authentication.
To enable One-Click Login (Kerberos authentication) for the web-based Help Desk Recovery console, you must modify the following browser settings as shown in

1. Navigate to User Settings > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
2. Enable the "Site to Zone Assignment List" policy.
3. Set Value Name to "" and Value to 1 (1 = Local Intranet).

I need your help. I am trying to record and create a test case of a web Microsoft SharePoint site.
When I launch the browser, I will need to input username and password then click login. Now after login, a prompt will show regarding VIP Symantec Authentication Provider, which is linked to my mobile and requests my authentication in order to proceed to the SharePoint site.

I have two factor authentication for sign-in to a financial site. The most secure method available is to use Symantec VIP Access. However, I haven't found a way to automate this. In addition, 1Password now asks me if I want to save/update the login every time, which is very annoying. I never want to update because the password consists of a 4 digit PIN with the 6 digit code from VIP Access appended to it.

1) Have to copy VIP Access code each time I log in and paste it into the password field (along with 4 digit PIN which is stored in 1Password)
2) Every time I log in I have to click to close the offer to update the password

At the moment there isn't a way to have 1Password automate this type of sign in process, and copying and pasting will be the best method here. You can turn off the pop up that asks if you'd like to update your item after you sign in with the steps below - however this will turn it off for all websites, so you'll need to remember to click Save in 1Password on the inline menu before signing in when you do want to change a login or save a new one.

I can definitely understand how this could get annoying, especially with a website you use frequently, and I've gone ahead and filed a feature request with our Product team to see if this is a sign in process we can better support in future.

Two-Factor Authentication generates a unique security code every 30 seconds on your mobile device or physical token, adding a dynamic credential component to your existing login ID and password. This helps prevent unauthorized access to your account, even if your login ID and password have been compromised.
