search cancel

Directory Server authentication fails after upgrading the Endpoint Protection Manager to 14.2 MP1

book

Article ID: 172686

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

After upgrading the Endpoint Protection Manager (SEPM) to 14.2 MP1, Active Directory and LDAP Server authentication fails.  Accounts that are linked to a directory server fail login attempts and groups linked by directory server do not sync. 

The SEPM may present a warning message that the, "AD Server may be down!".  One or more of the messages below may be present in the following logs.

scm-server-0.log

2018-10-04 16:43:23.695 THREAD 298 SEVERE: Symantec Endpoint Protection Manager could not connect to the
target directory server. Check the directory server configuration,
and try again.
com.sygate.scm.server.util.ServerException: Symantec Endpoint Protection Manager could not connect to the
target directory server. Check the directory server configuration,
and try again.

2018-10-04 16:47:35.526 THREAD 300 SEVERE:
javax.naming.CommunicationException: corporate.domain.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching corporate.domain.com found]

YYYY-MM-DD HH:MM:SS.XXX THREAD 82 SEVERE: 
javax.naming.CommunicationException: java.security.cert.CertificateException: No subject alternative names matching IP address xxx.xxx.xxx.xxx found [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address xxx.xxx.xxx.xxx found]; remaining name ''

Cause

The 14.2 MP1 version of the SEPM includes JRE 8 update 181.  This release of Java includes the following fix:

➜ Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint
identification algorithms have been enabled by default.

This means that LDAP connections must connect to a specific endpoint. This change is by design to improve the security of directory server connections. 

Resolution

To resolve this issue, point the SEPM server to the FQDN of a specific domain controller or LDAP server when using the secure connection option.  (e.g. dc.domain.com instead of domain.com) 

Alternatively, you can disable Endpoint Identification for directory server connections by modifying the start-up parameters of the semsrv service, or disable secure connections to the directory server by unchecking the "secure connection" checkbox. But it is always recommended you use addresses for specific DCs or LDAP servers in SEPM config rather than just a domain name, and add backup servers under "Directory Replication Servers" tab. A domain name by itself may resolve to a choice that cannot be reached by SEPM. 

To disable Endpoint Identification:

1. Disable tamper protection on the client.
2. Browse to the following registry key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\semsrv\Parameters]
3. There should be 17 JVM Options (listed 0-16) in this key. You will add JVM Option 17.
    "JVM Option Number 17"="-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
4. After adding JVM Option 17, increase the JVM Option count to 18. (18 decimal, 12 hexadecimal)
    "JVM Option Count"=dword:00000012
5. Restart the SEPM services.