After upgrading the Endpoint Protection Manager (SEPM) to 14.2 MP1, Active Directory and LDAP Server authentication fails. Accounts that are linked to a directory server fail login attempts and groups linked by directory server do not sync.
The SEPM may present a warning message that the, "AD Server may be down!". One or more of the messages below may be present in the following logs.
scm-server-0.log
2018-10-04
16:43:23.695 THREAD 298 SEVERE: Symantec Endpoint Protection Manager could not connect to the
target directory server. Check the directory server configuration,
and try again.
com.sygate.scm.server.util.ServerException: Symantec Endpoint Protection Manager could not connect to the
target directory server. Check the directory server configuration,
and try again.
YYYY-MM-DD HH:MM:SS.XXX
THREAD 300 SEVERE:
javax.naming.CommunicationException: <Domain names>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching <Domain names> found]
YYYY-MM-DD HH:MM:SS.XXX THREAD 82 SEVERE:
javax.naming.CommunicationException: java.security.cert.CertificateException: No subject alternative names matching IP address <IP Address> found [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address <IP Address> found]; remaining name ''
The 14.2 MP1 version of the SEPM includes JRE 8 update 181. This release of Java includes the following fix:
➜ Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint
identification algorithms have been enabled by default.
This means that LDAP connections must connect to a specific endpoint. This change is by design to improve the security of directory server connections.
To resolve this issue, point the SEPM server to the FQDN of a specific domain controller or LDAP server when using the secure connection option. (e.g. dc.domain.com instead of domain.com)
Alternatively, you can disable Endpoint Identification for directory server connections by modifying the start-up parameters of the semsrv service, or disable secure connections to the directory server by unchecking the "secure connection" checkbox. But it is always recommended you use addresses for specific DCs or LDAP servers in SEPM config rather than just a domain name, and add backup servers under "Directory Replication Servers" tab. A domain name by itself may resolve to a choice that cannot be reached by SEPM.
To disable Endpoint Identification:
1. Disable tamper protection on the client.
2. Browse to the following registry key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\semsrv\Parameters]
3. There should be 17 JVM Options (listed 0-16) in this key. You will add JVM Option 17.
"JVM Option Number 17"="-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
4. After adding JVM Option 17, increase the JVM Option count to 18. (18 decimal, 12 hexadecimal)
"JVM Option Count"=dword:00000012
5. Restart the SEPM services.