
Endpoint Protection Manager login fails for AD sync'd users in Protected Users AD Group


Article ID: 172295


Products

Endpoint Protection

Issue/Introduction

When a Symantec Endpoint Protection Manager (SEPM) user is configured to authenticate via Active Directory (AD) and that user is a member of the AD "Protected Users" security group, they are no longer able to log into the SEPM.

When logging in, the user receives a popup stating:

"The administrator's user name or password is incorrect. Type a valid user name or password."


The SEPM's scm-server-*.log files will show:

SEVERE: LDAP Authentication Failed [path=LDAPS://<domain controller:port>, user=<AD user>]. It may fail due to invalid account name, password or the account is currently locked out by domain security policy.

...

FINE: Error message = 44

Cause

When AD users are members of the AD security group "Protected Users", they can no longer authenticate to AD using NTLM authentication, among other restrictions the group imposes. The following Microsoft document provides further details:

Protected Users Security Group

Environment

Windows 2012 R2 or higher Domain Controller

Resolution

The SEPM does not support non-NTLM authentication at this time and will not be able to authenticate AD sync'd SEPM users who are in the AD "Protected Users" group. To resolve this issue, use one of the following solutions:

  1. Remove the AD user from the "Protected Users" group.
  2. Switch the SEPM user to the SEPM's built-in login functionality so that AD authentication is not needed; the user can then remain in the "Protected Users" group.
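To find affected accounts before users report the popup, the failures the article quotes can be pulled from the SEPM log and compared against "Protected Users" membership. The following is an added example, not Broadcom's code: the log lines and the membership set are constructed to match the format quoted above, and in practice the set would come from a directory query such as Get-ADGroupMember "Protected Users" -Recursive.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the article quotes from scm-server-*.log.
SAMPLE_LOG = "\n".join([
    r"SEVERE: LDAP Authentication Failed [path=LDAPS://dc01.corp.example:636, user=jdoe]. It may fail due to invalid account name, password or the account is currently locked out by domain security policy.",
    r"FINE: Error message = 44",
    r"SEVERE: LDAP Authentication Failed [path=LDAPS://dc01.corp.example:636, user=CORP\asmith]. It may fail due to invalid account name, password or the account is currently locked out by domain security policy.",
    r"FINE: Error message = 44",
    r"SEVERE: LDAP Authentication Failed [path=LDAPS://dc01.corp.example:636, user=jdoe@corp.example]. It may fail due to invalid account name, password or the account is currently locked out by domain security policy.",
    r"FINE: Error message = 44",
])

# Constructed membership list (hypothetical accounts); replace with the real
# recursive membership of the "Protected Users" group.
PROTECTED_USERS = {"jdoe", "svc-sepm"}

FAIL_RE = re.compile(
    r"LDAP Authentication Failed \[path=(?P<path>[^,\]]+), user=(?P<user>[^\]]+)\]"
)


def account_name(raw):
    """Reduce 'CORP\\jdoe' or 'jdoe@corp.example' to the bare sAMAccountName, lower-cased."""
    name = raw.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    name = name.split("@", 1)[0]
    return name.lower()


def failed_logins(log_text):
    """Return a Counter mapping account name -> number of LDAP auth failures."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[account_name(m.group("user"))] += 1
    return counts


def triage(log_text, protected_users):
    """Split failing accounts into those explained by Protected Users membership
    (apply one of the two resolutions above) and those that still need the
    usual bad-password / lockout investigation."""
    protected = {account_name(u) for u in protected_users}
    counts = failed_logins(log_text)
    return {
        "protected_users": sorted(u for u in counts if u in protected),
        "other": sorted(u for u in counts if u not in protected),
        "counts": dict(counts),
    }
```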