
Rights required by the database user when Endpoint Protection Manager is configured to use SQL Windows Authentication


Article ID: 162899


Updated On:

Products

Endpoint Protection

Issue/Introduction

  • Certain rights are required by the database user when Symantec Endpoint Protection Manager (SEPM) is configured to use SQL Windows Authentication.
  • This article lists the rights required in NTFS and in SQL Server when SQL Windows Authentication is used.
  • SEPM tab contents may be blank or may not display correctly.
  • One or more of the following errors may be seen in a SEPM's system activity log:
    • Unable to fetch changed data from remote site [REMOTESITENAME]: Failed to load data: SQLState = S1000, NativeError = 0Error = [Microsoft][SQL Server Native Client 10.0]Unable to open BCP host data-file
    • Unable to fetch changed data from remote site [REMOTESITENAME]: Failed to load data: Return code: 1385
    • Event ID 4625 in Windows Security event log: An account failed to log on.... The user has not been granted the requested logon type at this machine.
    • From install_log.out:
      • java.sql.SQLException: [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'GRANITE\sepm'.
        at sun.jdbc.odbc.JdbcOdbc.createSQLException(JdbcOdbc.java:6964)
        at sun.jdbc.odbc.JdbcOdbc.standardError(JdbcOdbc.java:7121)
        at sun.jdbc.odbc.JdbcOdbc.SQLDriverConnect(JdbcOdbc.java:3080)
        at sun.jdbc.odbc.JdbcOdbcConnection.initialize(JdbcOdbcConnection.java:323)
      • OdbcUtil> testODBCInUsrCntxt>> ODBC Test Connection failed. retValue = 1058, normal output of process:
        CreateProcessAsUser failed with error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Cause

  • These errors occur if the account used by the SEPM for SQL Windows Authentication does not have the minimum required user rights and file/folder permissions.
  • Additionally, the ODBC connection created by the SEPM is set to use the credentials of the user with which the SEPM is launched, and it requires the use of the "Secondary Logon" service in order to run in the context of the specified Windows Authentication user.

Environment

  • Symantec Endpoint Protection Manager connected to a SQL Server database.
  • Symantec Endpoint Protection Manager (SEPM) configured to use SQL Windows Authentication.

Resolution

NTFS/Windows Rights on the SEPM:

SeNetworkLogonRight
"Access this computer from the network"
Required for:

  • Core Manager connections through jTDS, used for all central SEPM business logic.
  • Launching the PHP process in user context for ODBC connections, used for the Reporting subsystem.
  • Credential verification during the Management Server Configuration Wizard (MSCW)

SeInteractiveLogonRight
"Allow log on locally"
Required for:

  • Launching the Microsoft BCP tool in user context, used for bulk data import/export during replication & database backup/restore.
  • Launching the SEPM connection verification & configuration tool ODBCUtil.exe in user context, used during the MSCW.
  • Credential verification & database removal during uninstallation.

To inspect the rights of the desired account from a command line, start a command window as that account (e.g. "runas /user:username cmd"), run "whoami" in the new window to verify the current user, then run "whoami /priv".

With Windows Authentication, the database user also requires file permissions on some SEPM directories, so that the processes running in user context can access the necessary files. Paths are relative to the SEPM installation directory:

List, Read, Execute permissions:

  • .\bin   For the verification & configuration tools during MSCW & uninstallation
  • .\php   For the Reporting subsystem

Read, Write permissions:

  • .\data  For the BCP tool data import/export

Additionally, the Secondary Logon service must be available (startup type Automatic or Manual, not Disabled) to use the SEPM with Windows Authentication for the SQL database. There are two scenarios in which the Secondary Logon service is needed:

  1. The configuration wizard's ODBCUtil.
  2. Tasks that download data from Symantec (LiveUpdate, ThreatCon, top threat list and version checks) when the SEPM is configured to use a proxy with NTLM authentication. (This scenario applies only when a proxy with NTLM authentication is used; otherwise there is no effect.)

Most other SEPM components won't be affected with this service because they launch their user-context processes (as required for Windows Authentication) using lower-level API calls than the Secondary Logon service implements.

If your environment requires that this service be disabled, you may disable it after the SEPM is fully installed and configured, provided the SEPM is not using a proxy with NTLM authentication. The SEPM will function normally with Secondary Logon disabled. You will have to enable it whenever you run the Management Server Configuration Wizard, upgrade the SEPM, or use NTLM proxy authentication.
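The following PowerShell script is an added example, not part of this article or of the SEPM product, that checks the three prerequisites described above on the SEPM host: the two logon rights, the NTFS permissions on .\bin, .\php and .\data, and the Secondary Logon service startup type. It assumes an elevated PowerShell prompt on the SEPM server; the account name GRANITE\sepm is taken from the install_log.out excerpt above, and $SepmHome is a placeholder you must set to your SEPM installation directory. It reports only rights and ACEs granted directly to the account; grants inherited through group membership are flagged for manual review rather than resolved.

```powershell
# Added prerequisite check for the SEPM Windows Authentication account.
# Assumptions: run elevated on the SEPM host; $Account is the SQL Windows
# Authentication account ('GRANITE\sepm' comes from the article's log excerpt);
# $SepmHome is a placeholder, not a real default path.
param(
    [string]$Account  = 'GRANITE\sepm',
    [string]$SepmHome = 'C:\SEPM_INSTALL_DIR'   # placeholder: set to the SEPM install directory
)

$ErrorActionPreference = 'Stop'
$results = New-Object System.Collections.Generic.List[object]
function Add-Result($Check, $Ok, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; OK = $Ok; Detail = $Detail })
}

# The exported policy lists principals as *SID, so resolve the account to its SID.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. Logon rights: export the effective local security policy (USER_RIGHTS area)
#    and parse "SeXxx = *SID,*SID,..." lines. A matching SeDeny* entry overrides
#    the allow, so both are checked.
$inf = Join-Path $env:TEMP 'sepm-userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf
foreach ($right in 'SeNetworkLogonRight', 'SeInteractiveLogonRight') {
    $granted = $rights[$right] -contains $sid
    $denied  = $rights[($right -replace '^Se', 'SeDeny')] -contains $sid
    Add-Result $right ($granted -and -not $denied) `
        "granted=$granted denied=$denied (direct grants only; check group grants manually)"
}

# 2. NTFS permissions on the directories named in the article.
$FS = [System.Security.AccessControl.FileSystemRights]
$needed = @{
    'bin'  = $FS::ReadAndExecute           # List, Read, Execute
    'php'  = $FS::ReadAndExecute
    'data' = ($FS::Read -bor $FS::Write)   # Read, Write
}
foreach ($dir in $needed.Keys) {
    $path = Join-Path $SepmHome $dir
    if (-not (Test-Path $path)) { Add-Result "NTFS $dir" $false "missing: $path"; continue }
    $have = 0
    foreach ($ace in (Get-Acl $path).Access) {
        # Only Allow ACEs naming the account directly are summed; Deny ACEs and
        # rights granted via groups are not modelled, so review the ACL on a miss.
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -ieq $Account) {
            $have = $have -bor [int]$ace.FileSystemRights
        }
    }
    $want = [int]$needed[$dir]
    Add-Result "NTFS $dir" (($have -band $want) -eq $want) ("have=0x{0:X} need=0x{1:X}" -f $have, $want)
}

# 3. Secondary Logon (seclogon) must not be Disabled while the MSCW runs or when
#    an NTLM-authenticating proxy is used; Manual or Auto is acceptable.
$svc = Get-CimInstance Win32_Service -Filter "Name='seclogon'"
Add-Result 'Secondary Logon service' ($svc.StartMode -ne 'Disabled') "StartMode=$($svc.StartMode) State=$($svc.State)"

$results | Format-Table -AutoSize
```

Run it before the Management Server Configuration Wizard and again after any hardening change to logon rights or the SEPM directory ACLs; a failed "SeInteractiveLogonRight" row is the usual cause of the "Return code: 1385" replication error listed above, and a Disabled "Secondary Logon service" row matches the CreateProcessAsUser error 1058.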

SQL Server Permissions:

In order to perform tasks on the SQL database without interruption, the following rights are required:

sysadmin
"Database Server Administrator"
Required For:

  • Initial database creation and setup

Note: sysadmin rights are not required for existing databases. Once database creation and setup are complete, the role can be revoked; it is only required again if a new database needs to be created and configured. This role is also not needed if you manually create the Endpoint Protection Manager SQL database.

db_owner
"Database Owner"
Required For:

  • Managing daily database operations
  • Altering database settings
  • Upgrading the database schema
  • Backing up the database
  • Other necessary database operations

public
"Public Access"

Required for:

  • Viewing the database
  • Connecting to the database

Along with these roles, the account needs the "Alter any Login" securable on the SQL Server instance.

Required for:

  • Creating the "Reporter_(dbname)" account necessary for SEPM reporting.
  • Managing the "Reporter_(dbname)" account necessary for SEPM reporting.

Note: The "Alter Any Login" securable has been added to the PUBLIC role in SEPM 14.x and newer when performing a fresh installation, so there is no need to add this permission to the account in newly installed SEPM environments running 14.x and newer. Please refer to TECH256922.
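The PowerShell script below is an added example, not part of this article or of the SEPM product, that audits the SQL Server side of the requirements above: sysadmin membership (needed only for initial database creation), db_owner membership in the SEPM database, a mapped database user (which implies public), and whether ALTER ANY LOGIN is held by the login directly or by the public role, as the note for SEPM 14.x describes. It uses System.Data.SqlClient with integrated security and parameterized queries; $SqlServer and $Database are placeholders, and GRANITE\sepm is the login name from the install_log.out excerpt above. The caller needs enough permission to read the server and database catalog views (sysadmin is simplest).

```powershell
# Added audit of the SQL Server roles and permission required by the SEPM
# Windows Authentication login. Assumptions: run as a login that can read
# sys.server_permissions / sys.database_role_members; $SqlServer and $Database
# are placeholders; $Login is the account from the article's log excerpt.
param(
    [string]$SqlServer = 'SQLHOST\INSTANCE',  # placeholder
    [string]$Database  = 'SEPM_DB',           # placeholder: the SEPM database name
    [string]$Login     = 'GRANITE\sepm'
)

function Invoke-Scalar([string]$Db, [string]$Sql) {
    # Runs one parameterized query and returns its single value (0 on NULL).
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlServer;Database=$Db;Integrated Security=True")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $cmd.Parameters.AddWithValue('@login', $Login) | Out-Null
        $v = $cmd.ExecuteScalar()
        if ($v -is [DBNull] -or $null -eq $v) { return 0 }
        return [int]$v
    } finally { $conn.Dispose() }
}

# Server level: sysadmin membership (initial setup only) and ALTER ANY LOGIN,
# held by the login itself or, on fresh 14.x installs, by the public role.
$isSysadmin = Invoke-Scalar 'master' "SELECT IS_SRVROLEMEMBER('sysadmin', @login)"
$alterAnyLogin = Invoke-Scalar 'master' @"
SELECT COUNT(*) FROM sys.server_permissions p
  JOIN sys.server_principals s ON s.principal_id = p.grantee_principal_id
 WHERE p.permission_name = 'ALTER ANY LOGIN' AND p.state IN ('G','W')
   AND s.name IN (@login, 'public')
"@

# Database level: a mapped user (public is implicit for every user) and
# db_owner, either via role membership or by owning the database.
$hasUser = Invoke-Scalar $Database @"
SELECT COUNT(*) FROM sys.database_principals u
  JOIN sys.server_principals sp ON sp.sid = u.sid
 WHERE sp.name = @login
"@
$isDbOwner = Invoke-Scalar $Database @"
SELECT CASE WHEN EXISTS (
    SELECT 1 FROM sys.database_role_members rm
      JOIN sys.database_principals r  ON r.principal_id  = rm.role_principal_id
      JOIN sys.database_principals u  ON u.principal_id  = rm.member_principal_id
      JOIN sys.server_principals   sp ON sp.sid = u.sid
     WHERE r.name = 'db_owner' AND sp.name = @login)
  OR EXISTS (
    SELECT 1 FROM sys.databases d
      JOIN sys.server_principals sp ON sp.sid = d.owner_sid
     WHERE d.name = DB_NAME() AND sp.name = @login)
THEN 1 ELSE 0 END
"@

[pscustomobject]@{
    Login               = $Login
    sysadmin            = ($isSysadmin -eq 1)      # only needed for initial DB creation
    db_owner            = ($isDbOwner -eq 1)
    public_user_mapped  = ($hasUser -gt 0)
    alter_any_login     = ($alterAnyLogin -gt 0)   # direct grant or via public
} | Format-List

# Remediation, to be run manually as sysadmin (ALTER ... ADD MEMBER requires
# SQL Server 2012 or later; on 2008 use sp_addsrvrolemember / sp_addrolemember):
#   GRANT ALTER ANY LOGIN TO [GRANITE\sepm];
#   USE [SEPM_DB];
#   CREATE USER [GRANITE\sepm] FOR LOGIN [GRANITE\sepm];
#   ALTER ROLE db_owner ADD MEMBER [GRANITE\sepm];
#   -- only while creating the database, then revoke:
#   ALTER SERVER ROLE sysadmin ADD MEMBER [GRANITE\sepm];
#   ALTER SERVER ROLE sysadmin DROP MEMBER [GRANITE\sepm];
```

A sysadmin = True result on a long-running SEPM is worth acting on: the article only needs that role for initial database creation, so dropping it afterwards keeps the SEPM service account at db_owner plus ALTER ANY LOGIN, which is the least privilege the product documents.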

For more information on SQL Server Database Engine permissions, please visit Microsoft's SQL Docs.