ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

User and System Accounts Required by Endpoint Encryption

book

Article ID: 161258

calendar_today

Updated On:

Products

Endpoint Encryption

Issue/Introduction

Endpoint Encryption requires the following accounts. Each account should use a separate username. It is particularly important that the IIS client authentication account is unique.

Environment

Symantec Endpoint Encryption 11.3 and above.

Resolution

Database creation account

You must have an account that can access Microsoft SQL Server so that you can install and configure the Endpoint Encryption Management Server. You can either use a Microsoft Windows domain account or a Microsoft SQL account.

If you use a Microsoft Windows domain account, it must have local administrator rights on the Endpoint Encryption Management Server computer.

If you use Microsoft SQL authentication, Symantec Endpoint Encryption uses this account to create and configure the Endpoint Encryption Management Server database during installation. Endpoint Encryption does not store the credentials for this Microsoft SQL account.

The account login requires the following roles for a new install and for upgrading to releases prior to 11.3.1:

  • db_datareader
  • db_datawriter
  • public
  • sysadmin

When upgrading to release 11.3.1 and above, the account login requires the following roles:

  • db_datareader
  • db_datawriter
  • db_owner
  • public

 



Database Access account

The database access account is used by the Endpoint Encryption Services web site (web service) to interact with the Endpoint Encryption database. The Configuration Manager also uses this account. You can either use Microsoft Windows authentication or Microsoft SQL authentication. Symantec recommends that you use Microsoft Windows authentication for your database access account.

If you use Microsoft Windows authentication you must provide an existing Microsoft Windows domain account. It should not be an administrator. It does require privileges on the database, registry, and the file system. If you use Microsoft Windows authentication for database access account, the account is also used as a logon account for the AD Synchronization service.

If the login that you specify for your database access account does not exist, the installer creates and configures the login and the corresponding database user. If the login already exists, then you have an option to use it. The installer creates the corresponding database user is created and configured for you by installer. The database access account requires the following database roles:

  • db_datareader
  • db_datawriter
  • public
     

The installer grants the database access account Execute permission but if you are creating a database access account after installation you will need to grant the Execute permission on the SEEMSDb database to the database access account manually.

Note: Please see article 178363 for how to set up the rights for the database access account.

Tip: In addition to the above permissions, the SQL Server service needs to have the proper permissions to be able to use with Symantec Endpoint Encryption.  Local Service will not be enough permissions for Symantec Endpoint Encryption. 
 



IIS client authentication account

Each client computer shares a single domain user account. It uses this account for basic authentication to IIS on the Endpoint Encryption Management Server. The IIS client authentication account is a regular Domain User account and does not require specific privileges.

 



Policy Administrator account

Policy Administrators require read-write access to the Endpoint Encryption database. You can use either a Microsoft Windows or a Microsoft SQL account. This account lets the Policy Administrator use the snap-ins of the Management Console.

If you choose to use a Microsoft Windows account for database access, you can create a Policy Administrators group to make administration easier.
 



Active Directory synchronization account

Synchronization with Active Directory requires a domain account. The Active Directory synchronization service uses this account to bind to Active Directory. You may need to extend the account's privileges to include read permissions to the deleted objects container in Active Directory.

Note: When you install, if you select the option to use an existing database, make sure that the database access account (Windows/SQL) conforms to the roles and permissions that are specified above. If it does not, then you must manually provision the account.

Additional Information

152737 - Minimum Database Permissions for Symantec Endpoint Encryption Administrators

161258 - User and System Accounts Required by Endpoint Encryption

178363 - How to: Set up Database Access Account Rights - Symantec Endpoint Encryption

179347 - HOW TO: Install Symantec Endpoint Encryption Management Server and the Manager on Standard Windows Operating System

174725 - Grant Additional Administrators Access to Endpoint Encryption Manager Server Console

220948 - Symantec Endpoint Encryption Management Server OR Symantec Endpoint Encryption Configuration Manager does not open properly