Policy reports run in remote CCS console return 'No data available to generate report'
Article ID: 152499
Updated On:
Products
Issue/Introduction
Remote CCS console cannot generate reports with Policy Manager module data even though data is present in Reporting database.
Symptoms
Policy reports run in remote CCS console return 'No data available to generate report' where the same reports run in CCS console local to the Symantec Application Server service return results as expected.
Cause
Service accounts are not configured with delegation.
Resolution
To configure the service accounts with unconstrained delegation:
1. Identify the user accounts to be used as the service accounts for DSS and Application Server.
The user accounts must have the necessary privileges.
2. Create the Service Principal Name (SPN) for the Application Server and the DSS services.
The SPN for both the short NetBIOS name and the fully-qualified host name (FQDN) is created. While delegation can work without SPN in Windows Server 2000 domains, it can also fail depending on the operating system that is in use.
You must associate an SPN to a single user account.
The service-name portion of the SPN must match the following:
SetSpn -A Symantec.CSM.AppServer/your_CCS_application_server's_machine_name your_domain_name\your_appserver_service_account_name
SetSpn -A Symantec.CSM.AppServer/your_CCS_application_server's_fully_qualified_machine_name your_domain_name\your_appserver_service_account_name
Example;
SetSpn -A Symantec.CSM.AppServer/ccs_app_server mydomain\ccsappsvc
SetSpn -A Symantec.CSM.AppServer/ccs_app_server.mydomain.local mydomain\ccsappsvc
SetSpn -A Symantec.CSM.DSS/your_CCS_DSS_server's_machine_name your_domain_name\your_DSSserver_service_account_name
SetSpn -A Symantec.CSM.DSS/your_CCS_DSS_server's_fully_qualified_machine_name your_domain_name\your_DSSserver_service_account_name
Example;
SetSpn -A Symantec.CSM.DSS/ccs_dss_server mydomain\ccsdsssvc
SetSpn -A Symantec.CSM.DSS/ccs_dss_server.mydomain.local mydomain\ccsdsssvc
3. Enable delegation for the Application Server's service account.
The following service accounts are to be enabled:
Windows Server 2000 Domain:
In the user properties for the Application Server account, go to Account tab and check the option, Account is trusted for delegation.
Windows Server 2003 Domain:
In the user properties, go to the Delegation tab and select the option, Trust this user for delegation to any service (Kerberos only).
4. When installing the Application Server, specify the FQDN when prompted by the setup for the computer that installed the DSS. This is not mandatory, but sometimes specifying a short NetBIOS name can cause problems.
5. To verify what SPN are registered the following can be run;
SetSpn -L your_appserver_service_account_name (i.e ccsappsvc)
Sample output:
SetSpn -L ccsappsvc
Registered ServicePrincipalNames for CN=CCS Application Service Account,CN=Users,DC=mydomain,DC=local:
Symantec.CSM.AppServer/CCS_APP_SERVER.MYDOMAIN.LOCAL
Symantec.CSM.AppServer/CCS_APP_SERVER
SetSpn -L your_DDSserver_service_account_name (i.e. ccsdsssvc)
Sample output:
SetSpn -L ccsdsssvc
Registered ServicePrincipalNames for CN=CCS DSS Service Account,CN=Users,DC=mydomain,DC=local:
Symantec.CSM.DSS/CCS_DSS_SERVER.MYDOMAIN.LOCAL
Symantec.CSM.DSS/CCS_DSS_SERVER
Feedback
