Multiple Active Directory (AD) users or groups may require access to the Symantec Endpoint Encryption Management Server (SEE MS) Console, but sharing high-level Administrator credentials is not desired. This article reviews the methods for granting any user or group access to the SEE MS for tasks such as viewing reports.
Note: To install the SEEMS Console on additional computers, review the following article:
179347 - HOW TO: Install Symantec Endpoint Encryption Management Server (SEE Management Server)
This article includes three sections for configuring and troubleshooting the SEE Management Console install on Workstations:
In attempting to grant access to other administrators to the SEEMS Console, the admins may not be allowed access to the console snap-in, or may receive an error such as the following:
The SEE Management Server console was unable to access the computer records in the SEE database. The EXECUTE permission was denied on the object 'GetRSEncryptionFormat', database 'SEEMSdb', schema 'dbo'.
Other errors may occur during the process of installing the SEE Management Server Console on workstations such as when the database account is being used for "SQL Server Authentication":
"Login failed for user 'domain\user'. Please re-enter the login credentials for SEEMS database. Then click 'Next".
Upon checking the verbose MSIEXEC install logs, the following error is displayed:
GINFO: Login failed for this user. Please check password.-2147217843 - Login failed for user 'pgp\test'.
Upon checking the SQL logging, the following error occurs:
Login failed for user 'PGP\test'. Reason: Attempting to use an NT account name with SQL Server Authentication. [CLIENT: 192.168.1.100]
There are two methods to allow other users to use the SEEMS Console. Both methods allow for users or groups to be added:
Method 1: Symantec Endpoint Encryption Configuration Manager - Server Roles
Method 2: Add Users or Groups to SQL Server Management Studio
Note: SQL permissions must be granted to individual users, and those individual accounts can then be used as the database accounts configured for the SEE Management Server.
In other words, a SQL user will not be granted DB access if the user is only a member of a security group that was provided DB access. The user account itself must be provided DB access.
#### Method 1: Symantec Endpoint Encryption Configuration Manager - Server Roles ####
Important Note: The "Allow Symantec Endpoint Encryption to manage database access permissions for AD users" option requires the "SYSADMIN" permissions for the database user, because these permissions are needed in order to grant other users the needed permissions to the SEE Database. Before checking this box, first validate that the user configured for "Database" in the SEEMS Configuration Manager has Sysadmin permissions.
#### Method 2: Add Users or Groups to SQL Server Management Studio ####
The user or group will now be granted access to the SEEMS console.
Troubleshooting other errors described above with SQL server configuration
Scenario 1: During the installation of the SEE Management Console on a workstation, the first screen that appears is for configuring the database account.
Answer: There are two options available for this and each has a specific function:
Windows Authentication - With this option selected, the user should be an actual user located in the Active Directory.
SQL Server Authentication - With this option selected, the user should be an SQL user, which is *not* in the Active Directory. If SQL Server Authentication is configured during the setup and a Windows\AD account is entered, an error will occur stating that the password is incorrect. This is because SQL does not allow regular Windows\AD accounts to be used for SQL Authentication.
SQL has a setting that allows for "Mixed" mode authentication; however, this will not allow access to the server in this scenario and an SQL account must be used:
Check security software, such as McAfee Host Based Security System (HBSS), which has been known to block the installer.
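The checks described in the Method 1 note (validating Sysadmin permissions) and in Scenario 1 (Windows versus SQL Server Authentication) can be run as read-only queries in SQL Server Management Studio. The following is an added example, not part of the original article or of Symantec's tooling; the login name is a hypothetical placeholder, and the database and object names are taken from the error text quoted above.

```sql
-- Added diagnostic example: read-only, makes no changes.
-- Placeholder (assumption): replace with the account being checked.
DECLARE @login sysname = N'DOMAIN\seems_db_account';

-- 1. Server authentication mode. SQL Server Authentication only works
--    when the server is in Mixed mode, and only for SQL logins.
SELECT CASE CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)
         WHEN 1 THEN 'Windows Authentication only'
         ELSE 'Mixed mode (Windows and SQL Server Authentication)'
       END AS server_auth_mode;

-- 2. Login type and sysadmin membership.
--    type_desc = WINDOWS_LOGIN or WINDOWS_GROUP: use Windows Authentication.
--    type_desc = SQL_LOGIN: use SQL Server Authentication.
--    is_sysadmin must be 1 for the "Database" account before enabling
--    "Allow Symantec Endpoint Encryption to manage database access
--    permissions for AD users".
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name = @login;

-- 3. Is the login mapped directly to a user in the SEE database?
--    No row returned means the account itself has no database user,
--    even if a group it belongs to was given access.
USE SEEMSdb;
SELECT dp.name AS database_user, dp.type_desc
FROM sys.database_principals AS dp
JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE sp.name = @login;

-- 4. Explicit EXECUTE grants/denies on the procedure named in the error.
--    Permissions inherited from schema- or database-level grants are not
--    listed here.
SELECT pr.name AS grantee, pr.type_desc, pe.state_desc, pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID(N'dbo.GetRSEncryptionFormat')
  AND pe.permission_name = 'EXECUTE';
```

Run it once for the account configured under "Database" and once for each console user that reports the EXECUTE permission error.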
Scenario 2: Saving the SEEMS Configuration Manager Server Roles does not succeed and states "Invalid Data"
Answer: If you are trying to add/remove users on the SEEMS configuration page and it states it is unable to, review the list of users and see if all users/groups are still included in Active Directory.
If the user(s)/group(s) are not included in Active Directory, but are still included in the SEEMS Configuration Manager, remove the invalid/missing users in the SEEMS Configuration Manager and save first.
Once the invalid users/groups are removed, then add or remove additional groups. This issue will be resolved in SEE 11.4 MP1 (EPG-23239/EPG-25305).
See also the following article for additional information:
EPG-23236, EPG-24341, EPG-23770, EPG-23620, EPG-26441