ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Symantec Endpoint Encryption App Pool stops when clients attempt to check in

book

Article ID: 162163

calendar_today

Updated On:

Products

Endpoint Encryption

Issue/Introduction

SymantecEndpointEncryptionAppPool stops when clients attempt to check in. Client check in fails. Clients receive error in EACommunicator logs "SubmitReport failed with error - The request failed with HTTP status 503: Service Unavailable." Restarting the app pool results in it stopping again once a client attempts to check in. On client machine:
EACommunicatorSrv Log will contain error:
SubmitReport failed with error - The request failed with HTTP status 503: Service Unavailable

On Management Server:
Event Viewer > Windows Logs > System contains a Warning with a Source of WAS:
"The identity of application pool SymantecEndpointEncryptionAppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights."
 

Cause

In some environments the Domain User account being used for SQL database access may not have "Log on as Batch" rights on the Symantec Endpoint Encryption Management Server. When using Windows Authentication for SQL database access, the account specified is also used as the Identity for the SymantecEndpointEncryptionAppPool within IIS. If this account does not have "Log on as batch job" rights, the app pool can be started with this user, however the scripts that need to be run at check-in time will not be allowed to run and the app pool will stop.

Resolution

The "Log on as Batch" rights are assigned in the machines Local Security Policy. Depending on whether this is being controlled by Group Policy, the changes may be made on the local machine, or may need to be made in Group Policy.

To grant "Log on as batch job" rights on the local machine:

1. Click Start > Run > and type secpol.msc
2. Expand Local Policies > User Rights Assignment
3. Find and open "Log on as batch job"
4. If the "Add User or Group" button is available, use this to add the Domain User that is set as the Identity for the App Pool
Note: If the "Add User or Group" button is unavailable, then this policy is being controlled by Group Policy. If so, follow the directions below
5. Click Recycle for SymantecEndpointEncryptionAppPool in IIS > Application Pools


To grant "Log on as batch job" rights through Group Policy:

1.
Locate the Group Policy that is controlling this setting.
2. Right click > Edit
3. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
4. Find and open "Log on as batch job"
5. Use the "Add User or Group" button to add the Domain User that is set as the identity for the App Pool
6. Click Recycle for the SymantecEndpointEncryptionAppPool in IIS > Application Pools