SEP clients stuck in "Authentication Pending" in the Enrollment Statistics during ECC client registration
search cancel

SEP clients stuck in "Authentication Pending" in the Enrollment Statistics during ECC client registration

book

Article ID: 171884

calendar_today

Updated On:

Products

Endpoint Protection Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

After creating a SEPM Controller connection to one or more Symantec Endpoint Protection Managers (SEPMs) in the Endpoint Detection and Response (EDR) appliance console, the Enrollment Statistics for all or some SEP clients is Authentication Pending.  In some instances, the clients appear to be registered, but do not appear to send endpoint activity recorder events to Symantec EDR or to log databases (such as Splunk, QRADAR, or ICDx).

Cause

SEP clients remain in an Authentication Pending state due to one of the following circumstances:

  • There is a mismatch between the hostname/IP in the EDR certificate and the hostname/IP configured in the SEPM Controller for SEP Policies.
  • If the SEPM server.crt certificate is created with a Fully Qualified Domain Name (FQDN), the name of the SEPM Controller connection in the EDR appliance console must match. If the SEPM server.crt certificate is created with an IP address, then the name of the SEPM Controller connection in the EDR appliance console must also match.
  • SEPM failed to push the SEP External Communications Policy and EDR certificate to the SEP client. 
  • Communications from a SEP client passes through intervening network devices (such as an HTTPS proxy server) before arriving to EDR. One or more of those devices interfered with the communication.
  • Multiple EDR appliances are configured to use the same SEPM and SEP group in the SEPM Group Inclusions list. 
  • The same SEP group is configured across multiple SEPMs, which are configured to treat that SEP group in different ways.
  • EDR does not support enabling FIPS mode. Enabling FIPS mode involves a large number of changes to the ciphers available on a Windows endpoint  where SEP client is installed.  Other, less extreme changes to the available ciphers may still result in exhausting all the ciphers which Symantec EDR advertises during the SSL/TLS handshake.
  • EDR Virtual Edition receives more than 400 events per second from SEP clients.
  • EDR 4.6.0 requires that the certificate for securing SSL include a valid Subject Alternate Name.
  • The SEPM endpoint group is not defined in the SEPM Group Inclusions for EDR.
    • Endpoints will not authenticate if the group they are a member of is not configured for enrollment.  
  • The "External Communications Setting" for the group's default location is set to 'local'
  • Common Network Transport Library and Configuration Definitions  (i.e. STIC Definitions) are missing on Endpoint Client. ( To validate open SEP Client  >Help >Troubleshooting >Definitions>Common Network Transport Library and Configuration and check Definitions and Engine section)

Resolution

  1. Check to ensure the that the endpoint's SEPM group is included in the SEPM group inclusions.
    1. Check to see if the group is defined specifically in the SEPM group inclusions.
    2. Check to see if the option "Include inherited sub-groups automatically" is enabled under SEPM group inclusions.
      • Check to see if the endpoint's SEPM group is set to inherit policies from the default "My Company" group.
    3. If Group Inclusion is not used, be sure that you have enabled the option "Apply private cloud policies to all non-default SEPM groups." on the SEP Policies screen for this SEPM Controller.
  2. Attempt to access the EDR appliance console using the FQDN. Does the browser accept the certificate?  If not, the client doesn't trust the certificate the certificate trust needs to be resolved.
  3. Attempt to access the EDR appliance console using the IP address. Does the browser accept the certificate?  If not, the client doesn't trust the certificate the certificate trust needs to be resolved.
  4. If the browser allows access to EDR UI, but shows that the certificate is invalid, open the certificate and check to see if it includes the Subject Alternate Name. If the Subject Alternate Name is missing, generate a new certificate. If DNS does not resolve the Subject Alternate Name, perform DNS troubleshooting to resolve.
  5. Attempt to access the SEPM console using the FQDN. Does the browser accept the certificate?  If not, the client doesn't trust the certificate the certificate trust needs to be resolved.
  6. Attempt to access the SEPM console using the IP address. Does the browser accept the certificate?  If not, the client doesn't trust the certificate the certificate trust needs to be resolved.
  7. If the browser accepts the certificate for the EDR appliance console when using the IP address or only when using the FQDN, check the URL in the EDR appliance console on the Settings > Global > Endpoint Communications Channel > SEP Policies page to ensure that what is in the certificate matches the Symantec EDR Manager settings. 
  8. If the browser accepts the certificate for the SEPM console only when using either the FQDN or IP address, change the name of the SEPM Controller Connection in the EDR appliance console on the Settings > Global > Endpoint Communications Channel > SEPM Controller Connection page to match the contents of the server.crt of the SEPM instance. 
  9. If changing the EDR appliance console URL on the SEP Policies page resolves the behavior, refer to SEP client does not accept the ATP certificate, leaving the SEP client in "Authentication Pending"
  10. In SEPM, select the Clients tab, then navigate to a client group that contains one of the clients that failed to register with Symantec EDR.
  11. In SEPM, click External Communication Policy. Select the Insight Proxy tab.  If the hostname or IP address of the EDR appliance does not appear, add it.   
  12. In SEPM, select the Proxy tab. Is a proxy is listed?
    1. If a proxy is listed on the Proxy tab, place the test client into a new client group with same settings, but omit the Proxy from the Proxy tab. Update the policy on the SEP client, then click the Try Now button on the ATP Communications Status. If the SEP client status for the Symantec EDR connection changes to Connected, further troubleshooting should focus around the configuration of the HTTPS Proxy between the SEP client and Symantec EDR.
  13. If EDR and SEP are designed to have a proxy setting for the SEP client to permit the SEP client to communicate with the EDR management server, and that Proxy setting is no longer present, refer to Proxy and Submission settings are reset to Proxy and Submission settings are reset to default values after updating the Private Cloud settings through Advanced Threat Protection or the REST API
  14. Update to EDR 4.0 or later to resolve an Authentication Pending status for SEP clients in ATP v3.1.0. 
  15. In the EDR appliance console, click Search > Database > Entities.   Customize the columns to show Last EDR Contact, Last SEPM Contact, SEP Group.  Then use a divide-and-conquer strategy to isolate the cause.
  16. Check whether FIPS mode is enabled. As explained above, EDR does not support FIPS mode. For details, see Are the Advanced Threat Protection platform or Symantec Endpoint Detection and Response appliance software FIPS compliant?
  17. Install the EDR certificate to the trusted root certificate store of an endpoint in Authentication Pending 
  18. Verify that the Clients -> <GROUP_NAME> -> Policies -> Settings for Location: Default -> Location-specific Settings -> External Communications Settings is set to "Group" (see https://knowledge.broadcom.com/external/article/258606 for details)
  19. If symptoms persist after following these steps, contact Symantec Enterprise Security Support
    1. Providing a SymDiag with Advanced debug log options in SymDiag for Endpoint Protection clients enabled (run it for two heartbeat intervals and an additional 5 minutes) will aid support in their review of this issue.
  20. Update the Common Network Transport Library and Configuration Definitions  (i.e. STIC Definitions) on Endpoint. You may validate definitions through SEP UI ,Open SEP Client >Help >Troubleshooting >Definitions>Common Network Transport Library and Configuration). Also ensure that 'Engines' section on same page shows the version details for Common Network Transport Engine and Common Network Transport Framework as shown below.

Note - The definition and engine version can vary.

   

Additional Information

The Endpoints once Enrolled to EDR may get re-Enrolled in certain conditions such as,

  • Certificate updates on EDR.
  • SEPM controller connection removed and re-added.
  • Endpoint client is removed/purged from SEPM due to any reason.
  • Changes in Group Inclusion configuration.
  • SEP client is upgraded or reinstalled.
  • SEP client is moved to group where there is no Group Inclusion configured and then again it moved back to original group.
  • The SEP clients Group Inclusion configuration is changed to different EDR Appliance.
Powered by Wolken Software