Error: Internal Server Error on Endpoint Protection Manager Web console

book

Article ID: 170453

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

The Symantec Endpoint Protection Manager (SEPM) Web console displays the message "Internal Server Error" after initializing.

The SEPM Web console will display the following message: Internal Server Error

From ajaxswing.log:

2017/11/07 19:26:58:297 : Thread-3 : [com.creamtec.ajaxswing.core.ClientAgentFactory$1] Exception while warming up client agent for applicaton sepm (Exception java.io.IOException, Cannot run program "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ajaxswing\WEB-INF\ajaxswing\bin\clientAgent.bat": CreateProcess error=5, Access is denied)
java.io.IOException: Cannot run program "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ajaxswing\WEB-INF\ajaxswing\bin\clientAgent.bat": CreateProcess error=5, Access is denied
                at java.lang.ProcessBuilder.start(ProcessBuilder.java:1048)
                at java.lang.Runtime.exec(Runtime.java:620)
                at java.lang.Runtime.exec(Runtime.java:485)
                at com.creamtec.ajaxswing.core.JVMFactory.execJVMProcess(JVMFactory.java:165)
                at com.creamtec.ajaxswing.core.JVMFactory.launchJVM(JVMFactory.java:129)
                at com.creamtec.ajaxswing.core.JVMFactory.getAvailableJVM(JVMFactory.java:63)
                at com.creamtec.ajaxswing.core.ClientAgentFactory.createNewAgent(ClientAgentFactory.java:248)
                at com.creamtec.ajaxswing.core.ClientAgentFactory$1.run(ClientAgentFactory.java:168)
Caused by: java.io.IOException: CreateProcess error=5, Access is denied
                at java.lang.ProcessImpl.create(Native Method)
                at java.lang.ProcessImpl.<init>(ProcessImpl.java:386)
                at java.lang.ProcessImpl.start(ProcessImpl.java:137)
                at java.lang.ProcessBuilder.start(ProcessBuilder.java:1029)
                ... 7 more

From catalina.err:

2017/11/06 11:08:23:314 : [com.creamtec.ajaxswing.core.ClientAgentFactory$1] Exception while warming up client agent for applicaton sepm
java.io.IOException: Cannot run program "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\webapps\ajaxswing\WEB-INF\ajaxswing\bin\clientAgent.bat": CreateProcess error=5, Access is denied
                at java.lang.ProcessBuilder.start(ProcessBuilder.java:1048)
                at java.lang.Runtime.exec(Runtime.java:620)
                at java.lang.Runtime.exec(Runtime.java:485)
                at com.creamtec.ajaxswing.core.JVMFactory.execJVMProcess(JVMFactory.java:165)
                at com.creamtec.ajaxswing.core.JVMFactory.launchJVM(JVMFactory.java:129)
                at com.creamtec.ajaxswing.core.JVMFactory.getAvailableJVM(JVMFactory.java:63)
                at com.creamtec.ajaxswing.core.ClientAgentFactory.createNewAgent(ClientAgentFactory.java:248)
                at com.creamtec.ajaxswing.core.ClientAgentFactory$1.run(ClientAgentFactory.java:168)
Caused by: java.io.IOException: CreateProcess error=5, Access is denied
                at java.lang.ProcessImpl.create(Native Method)
                at java.lang.ProcessImpl.<init>(ProcessImpl.java:386)
                at java.lang.ProcessImpl.start(ProcessImpl.java:137)
                at java.lang.ProcessBuilder.start(ProcessBuilder.java:1029)
                ... 7 more

 

Additionally from catalina.err:

Nov 06, 2017 11:08:34 AM com.sygate.scm.util.Utility getOSNameFromRegistry
WARNING: Utility>> getOSName: Warning, Could not retrieve OS name from Windows Registry <ProductName>, default to System.getProperty() value.
Nov 06, 2017 11:08:34 AM com.sygate.scm.util.Utility getOSNameFromRegistry
WARNING: Cannot run program "reg.exe": CreateProcess error=5, Access is denied

Cause

This problem happens when the Symantec Endpoint Protection Manager Webserver service account does not have permissions to launch cmd.exe and/or reg.exe. This commonly happens on computers that have had a lockdown/hardening Group Policy Object (GPO) applied to them.

The SEPM service accounts inherit permissions from the Users group, which by default, has Read & execute, and Read permissions to both reg.exe and cmd.exe. If permissions are removed or modified for the Users group, the SEPM Webserver service will be unable to launch batch files or read the registry using reg.exe.

Resolution

Ensure the Users group has Read & execute, and Read permissions to C:\Windows\System32\cmd.exe and C:\Windows\System32\reg.exe. If this is not possible due to security policies, ensure that the NT Service\semsrv, NT Service\semwebsrv, and NT Service\semapisrv users have Read & Execute, and Read permissions to these same file locations.

Note: The SEPM service accounts are all local accounts. You must specify the local computer instead of the domain when manually adding permissions for these accounts.

If these permissions are set by a GPO manual changes to these permissions may be overwritten each time the GPO is processed. In this case, you must make the permissions changes in the GPO, not on the local computer.