
Authentication errors using AD sync'd user with SEPM API


Article ID: 174470


Products

Endpoint Protection

Issue/Introduction

While setting up a method to interface with the Symantec Endpoint Protection Manager (SEPM) API, you use an admin account that is configured for AD authentication. The API returns errors when generating the access token:

Invalid response code 400 while generating oauth access token

EXCEPTION: Invalid Username or Password or the account is locked!

Sample log entries from the SEPM - semapisrv_log.2019-03-14.0.log:
2019-03-14 12:54:30,927 [http-apr-0.0.0.0-8446-exec-8] WARN  c.s.s.server.module.login.ldap.LdapUtils - LdapUtils>> connectWithSimpleLoginForAD: Error-> failed to retrieve RootDSE from url=LDAPS://<subdomain>.<domain>.com:636!
2019-03-14 12:54:30,927 [http-apr-0.0.0.0-8446-exec-8] ERROR c.s.s.server.module.login.ldap.LdapManager - LdapUtils>> login: Error during login...
javax.naming.CommunicationException: <subdomain>.<domain>.com:636

Cause

There can be multiple causes for this:

  1. The AD account with which the user was associated did not have the full UPN.
  2. The UPN for the user account was associated with another domain in the forest.
  3. The Symantec Endpoint Protection Manager API Service did not re-load the authentication settings.

Resolution

  1. Please ensure that the full UPN is used in the AD credentials defined for the chosen SEPM user.
  2. If there are multiple domains in the forest, try another domain in the UPN, such as the top-level domain.
  3. When any setting is changed for a user or directory server within the SEPM, it may be necessary to restart the SEPM API service before attempting to authenticate again.
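The following Python script is an added example, not code from the article or from Symantec/Broadcom. It checks that the configured username is a full UPN (resolution step 1) before requesting a token, and if the SEPM returns HTTP 400 for the configured UPN, it retries the same account in the other forest domains you list (resolution step 2). The authentication endpoint path (`/sepm/api/v1/identity/authenticate`), the JSON request body fields and the `token` field in the response are assumptions about the SEPM REST API and are not stated in the article; the port 8446 comes from the log lines above.

```python
"""Added example: request an SEPM API token with a UPN sanity check and
per-domain retry. Endpoint and payload shape are assumptions, not from the article."""
import json
import re
import sys
import urllib.error
import urllib.request

# Assumed SEPM REST authentication endpoint (not stated in the article).
AUTH_PATH = "/sepm/api/v1/identity/authenticate"

# user@domain.tld with no whitespace; a bare "jdoe" fails this check.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_full_upn(username):
    """True when the username is a full UPN (article cause 1 is a bare name)."""
    return bool(UPN_RE.match(username))


def upn_candidates(username, domains):
    """Return the UPNs to try: the configured one first (if it is a full UPN),
    then the same user in each listed forest domain (article cause 2)."""
    local = username.split("@", 1)[0]
    candidates = [username] if is_full_upn(username) else []
    for domain in domains:
        upn = f"{local}@{domain}"
        if upn not in candidates:
            candidates.append(upn)
    return candidates


def _http_post(url, payload):
    """Real transport: POST JSON and return (status, parsed body)."""
    req = urllib.request.Request(
        url, data=payload, method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode() or "{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode() or "{}")


def authenticate(base_url, username, password, send=None):
    """POST credentials to the SEPM. `send` is injectable so the logic can be
    exercised offline; the body field names are an assumption."""
    payload = json.dumps(
        {"username": username, "password": password, "domain": ""}).encode()
    return (send or _http_post)(base_url + AUTH_PATH, payload)


def get_token(base_url, username, password, domains=(), send=None):
    """Try each candidate UPN once. Returns (token_or_None, [(upn, status), ...]).
    Only HTTP 400 (the article's 'Invalid Username or Password or the account
    is locked!') triggers a retry with the next domain; any other failure stops."""
    tried = []
    for upn in upn_candidates(username, domains):
        status, body = authenticate(base_url, upn, password, send=send)
        tried.append((upn, status))
        if status == 200 and "token" in body:
            return body["token"], tried
        if status != 400:
            break
    return None, tried


if __name__ == "__main__":
    # Usage: python sepm_token.py https://sepm.example.com:8446 jdoe@corp.example.com PASSWORD corp.example.com
    base, user, pw, *extra_domains = sys.argv[1:]
    if not is_full_upn(user) and not extra_domains:
        sys.exit(f"{user!r} is not a full UPN and no forest domains were given")
    token, attempts = get_token(base, user, pw, extra_domains)
    for upn, status in attempts:
        print(f"{upn}: HTTP {status}")
    print("token obtained" if token else "no token; check UPN/domain and restart the SEPM API service")
```

Every 400 counts as a failed logon against the AD account, so keep the domain list short: a long list can trip the lockout that the same error message also reports. If the configured UPN keeps returning 400 after a directory-server or user change in the SEPM console, restart the SEPM API service (resolution step 3) before retrying.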