Policy reports run in remote CCS console return 'No data available to generate report'
search cancel

Policy reports run in remote CCS console return 'No data available to generate report'


Article ID: 152499


Updated On:


Control Compliance Suite Windows


Remote CCS console cannot generate reports with Policy Manager module data even though data is present in Reporting database.


Policy reports run in remote CCS console return 'No data available to generate report' where the same reports run in CCS console local to the Symantec Application Server service return results as expected.


Service accounts are not configured with delegation.



To configure the service accounts with unconstrained delegation:

1. Identify the user accounts to be used as the service accounts for DSS and Application Server.

The user accounts must have the necessary privileges.

2. Create the Service Principal Name (SPN) for the Application Server and the DSS services.

The SPN for both the short NetBIOS name and the fully-qualified host name (FQDN) is created. While delegation can work without SPN in Windows Server 2000 domains, it can also fail depending on the operating system that is in use.

You must associate an SPN to a single user account.

The service-name portion of the SPN must match the following:

SetSpn -A Symantec.CSM.AppServer/your_CCS_application_server's_machine_name your_domain_name\your_appserver_service_account_name
SetSpn -A Symantec.CSM.AppServer/your_CCS_application_server's_fully_qualified_machine_name your_domain_name\your_appserver_service_account_name


SetSpn -A Symantec.CSM.AppServer/ccs_app_server mydomain\ccsappsvc
SetSpn -A Symantec.CSM.AppServer/ccs_app_server.mydomain.local mydomain\ccsappsvc

SetSpn -A Symantec.CSM.DSS/your_CCS_DSS_server's_machine_name your_domain_name\your_DSSserver_service_account_name
SetSpn -A Symantec.CSM.DSS/your_CCS_DSS_server's_fully_qualified_machine_name your_domain_name\your_DSSserver_service_account_name


SetSpn -A Symantec.CSM.DSS/ccs_dss_server mydomain\ccsdsssvc
SetSpn -A Symantec.CSM.DSS/ccs_dss_server.mydomain.local mydomain\ccsdsssvc

3. Enable delegation for the Application Server's service account.

The following service accounts are to be enabled:

Windows Server 2000 Domain:
In the user properties for the Application Server account, go to Account tab and check the option, Account is trusted for delegation.

Windows Server 2003 Domain:
In the user properties, go to the Delegation tab and select the option, Trust this user for delegation to any service (Kerberos only).

4. When installing the Application Server, specify the FQDN when prompted by the setup for the computer that installed the DSS. This is not mandatory, but sometimes specifying a short NetBIOS name can cause problems.

5. To verify what SPN are registered the following can be run;

SetSpn -L your_appserver_service_account_name (i.e ccsappsvc)

Sample output:

SetSpn -L ccsappsvc
Registered ServicePrincipalNames for CN=CCS Application Service Account,CN=Users,DC=mydomain,DC=local:

SetSpn -L your_DDSserver_service_account_name (i.e. ccsdsssvc)

Sample output:

SetSpn -L ccsdsssvc
Registered ServicePrincipalNames for CN=CCS DSS Service Account,CN=Users,DC=mydomain,DC=local: