Grant Additional Administrators Access to Endpoint Encryption Manager Server Console
Article ID: 174725

Products

Drive Encryption, Desktop Email Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, PGP Encryption Suite

Issue/Introduction

Symantec Endpoint Encryption provides administrators with seamless integration and access based on "Server Roles". Server roles provide granular access so that administrators receive only the permissions they need. For example, some administrators may need only the Helpdesk role, while others need the entire suite of permissions.

(In the examples below, "example" is the domain name.)

For these administrators to be granted this access, their accounts need the proper SQL permissions on the SEE Management Server database.

This article covers how to provide the needed permissions to these administrators.



To install the SEEMS Console on additional computers, review the following article:

179347 - HOW TO: Install Symantec Endpoint Encryption Management Server (SEE Management Server)

Resolution

This article includes three sections for configuring and troubleshooting the SEE Management Console install on workstations: Method 1 (Server Roles), Method 2 (SQL Server Management Studio), and Troubleshooting.
Synopsis 1: Insufficient Database Permissions for individual users

When attempting to grant other administrators access to the SEEMS Console, those admins may be denied access to the console snap-in, or may receive an error like the following:

The SEE Management Server console was unable to access the computer records in the SEE database. The EXECUTE permission was denied on the object 'GetRSEncryptionFormat', database 'SEEMSdb', schema 'dbo'.

Other errors may occur while installing the SEE Management Server Console on workstations, for example when the database account is configured for "SQL Server Authentication":

"Login failed for user 'domain\user'. Please re-enter the login credentials for SEEMS database.  Then click 'Next".

Upon checking the verbose MSIEXEC install logs, the following error is displayed:
GINFO: Login failed for this user. Please check password.-2147217843 - Login failed for user 'example\test'.

Upon checking the SQL logging, the following error occurs:

Login failed for user 'example\test'. Reason: Attempting to use an NT account name with SQL Server Authentication. [CLIENT: 192.168.1.100]

There are two methods to allow other users to use the SEEMS Console. Both methods allow users or groups to be added:

Method 1: Symantec Endpoint Encryption Configuration Manager - Server Roles
Method 2: Add Users or Groups in SQL Server Management Studio

Note: SQL permissions must be granted to individual users, and those individual users can then be used as the database accounts configured for the SEE Management Server.
In other words, a SQL user will not be granted database access merely by being a member of a security group that was granted database access; the user itself must be granted database access.



Method 1: Symantec Endpoint Encryption Configuration Manager - Server Roles


  1. On the Symantec Endpoint Encryption Management Server (SEEMS), click the Start button.
  2. Navigate to Symantec Endpoint Encryption in the list of programs.
  3. Expand Symantec Endpoint Encryption and open SEEMS Configuration Manager.
    • Note: The exact steps to find the program may vary by Windows Server version.
  4. Ensure you are on the Database tab and note the User name used to authenticate.
  5. Click the Start button again and look for Microsoft SQL Server or Microsoft SQL Server Tools.
    • There may be multiple folders here with different years listed; search through all of them.
  6. Look for SQL Server Management Studio and open it.
    • Depending on the version of this tool, there may be a year listed in the middle or at the end of the program name.
  7. Connect to the server using an account with sufficient privileges to modify user roles for the SEEMS database (such as a sysadmin).
  8. Once authenticated, in the left pane expand Security and Logins and find the user noted in Step 4. In this test, the user is "test".
  9. Right-click the user and select Properties.

  10. Select User Mapping in the left pane and select the SEEMS database name in the main pane.
  11. Ensure this user has the following roles checked: db_datareader, db_datawriter, db_owner, and public.
  12. Note: The db_owner role should not be given to most users. It is added to this user only so that this user can manage the Server Roles and grant access to other users in the SEEMS Configuration Manager in steps 12-21.

  13. Return to the SEEMS Configuration Manager and choose the Server Roles tab on the left side.
  14. If Manage Server Roles is turned off, turn it on.
  15. Click Add User or Add Group depending on your use case.
  16. Search for your user or group in the user interface.
  17. Click the checkbox next to each user or group you want to give SEEMS privileges to.
  18. Select Next until you reach step 3 in the wizard, "Map Admin Roles".
  19. Check the box matching the level of access you want to give the other admins. For full server access, check Server to grant this user or group access to the SEEMS Console.
    If you want only reporting to be available for the group, select only Reports. This is the granular approach to access.
  20. Click Next and then Finish.
  21. Click OK on the dialog box that pops up.
    • Note: You are not finished with this process until you click Save.
  22. Next, check the box next to Allow Symantec Endpoint Encryption to manage database access permissions for AD users.
  23. Finally, press Save on the Server Roles page.
  24. Now your users or groups should have access to the SEEMS console when they login.

Important Note: The "Allow Symantec Endpoint Encryption to manage database access permissions for AD users" option requires the database user to have the SYSADMIN server role, because that level of permission is needed to grant the required permissions on the SEE database to other users. Before checking this box, first validate that the user configured on the "Database" tab in the SEEMS Configuration Manager has sysadmin permissions.
Method 2: Add Users or Groups to SQL Server Management Studio


  1. On the server hosting the SQL Server instance that contains the SEEMS database, click the Start button and look for Microsoft SQL Server or Microsoft SQL Server Tools.
    • There may be multiple folders here with different years listed; search through all of them.
  2. Look for SQL Server Management Studio and open it.
    • Depending on the version of this tool, there may be a year listed in the middle or at the end of the program name.
  3. Connect to the server using an account with sufficient privileges to modify user roles for the SEEMS database (such as a sysadmin).
  4. Once authenticated, in the left pane expand Security, right-click Logins, and select New Login...
  5. Click the Search... button next to Login name.

  6. Enter the User or Group name you want to find in the text box and click Check Names.
  7. Once the correct User or Group is found, click OK.
  8. In the left pane, check User Mapping and check the checkbox next to the SEEMS database name in the main pane.
  9. In the bottom section, check the following roles: db_datareader, db_datawriter, and public, and click OK.

  10. Collapse the Security section in the left pane of SQL Server Management Studio.
  11. Expand Databases, right click on the database name, and select Properties.

  12. Select Permissions from the left pane.
  13. Click on the newly created user.
  14. Ensure the Connect permission has the Grant box checked.
  15. Find the Execute permission and click Grant.

  16. Click OK.

The user or group now has the access required to open the SEEMS Console.
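The same grants as an added T-SQL example (not from the original article or from Symantec), for admins who prefer a script to the SSMS dialogs in Method 2. It assumes the database is named SEEMSdb (the name shown in the EXECUTE error above) and uses the article's sample account example\test as a placeholder; run it in SSMS as a sysadmin.

```sql
-- Added example, not part of the article. Assumptions: database SEEMSdb,
-- Windows account example\test (placeholder taken from the article's sample).
USE [SEEMSdb];
GO

-- Steps 4-7: server-level login for the Windows user (an AD group works the same way).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'example\test')
    CREATE LOGIN [example\test] FROM WINDOWS;
GO

-- Step 8: map the login to a user inside the SEEMS database.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'example\test')
    CREATE USER [example\test] FOR LOGIN [example\test];
GO

-- Step 9: role membership. Every database user is already in public.
-- db_owner is deliberately not granted here; the article reserves it for the
-- account configured on the Database tab, not for additional console admins.
ALTER ROLE db_datareader ADD MEMBER [example\test];
ALTER ROLE db_datawriter ADD MEMBER [example\test];
GO

-- Steps 14-15: database-scoped Connect and Execute. EXECUTE at database scope
-- covers stored procedures such as dbo.GetRSEncryptionFormat from the error text.
GRANT CONNECT TO [example\test];
GRANT EXECUTE TO [example\test];
GO

-- Verification 1: which database roles the user now belongs to.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'example\test';

-- Verification 2: database-scoped permissions explicitly granted to the user
-- (expect CONNECT and EXECUTE with state GRANT).
SELECT p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS m ON m.principal_id = p.grantee_principal_id
WHERE m.name = N'example\test' AND p.class_desc = 'DATABASE';

-- Related check for the Method 1 "Important Note": the account configured on
-- the Database tab must be sysadmin before enabling "manage database access
-- permissions for AD users". Substitute that account's login name here.
SELECT IS_SRVROLEMEMBER('sysadmin', N'example\test') AS is_sysadmin; -- 1 means member
GO
```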
Troubleshooting other errors described above with SQL server configuration

Scenario 1: During the installation of the SEE Management Console on a workstation, the first screen that appears is for configuring the database account.

Answer:
There are two options available here, and each has a specific function:

Windows Authentication - With this option selected, the user should be an actual user located in Active Directory.

SQL Server Authentication - With this option selected, the user should be a SQL login, which is *not* in Active Directory. If SQL Server Authentication is configured during setup and a Windows\AD account is entered, the installer reports that the password is incorrect. This is because SQL Server does not allow Windows\AD accounts to be used with SQL Server Authentication.

SQL Server has a setting that allows "Mixed Mode" authentication; however, this does not grant access in this scenario, and a SQL login must be used.

Also check security software, such as McAfee Host Based Security System (HBSS), which has been known to block the installer.


Scenario 2: Saving the SEEMS Configuration Manager Server Roles will not succeed stating "Invalid Data"

Answer: If you are trying to add or remove users on the SEEMS Configuration Manager Server Roles page and it reports that it is unable to, review the list of users and check whether all listed users and groups still exist in Active Directory.

If any users or groups no longer exist in Active Directory but are still listed in the SEEMS Configuration Manager, remove the invalid or missing entries in the SEEMS Configuration Manager and save first.
Once the invalid users and groups are removed, add or remove the additional groups. This issue will be resolved in SEE 11.4 MP1 (EPG-23239/EPG-25305).

Scenario 3: Unable to add users to Server Roles if Machine Names have a name similar to a Username

In this scenario, you may have a username of "User1" while a machine is named "User1-IV", so the username and machine name are similar.

This makes it difficult to tell whether the object is a user or a machine. Machines cannot be added to Server Roles, only users.

Answer:
A fix is currently being worked on and will be provided in the next major release of the software (EPG-27428).
If you are running into this issue, reach out to Symantec Encryption Support to be added to the list.

A workaround is to search for the user by first name and last name instead of the logon name that resembles the machine name.

Additional Information

EPG-23236, EPG-24341, EPG-23770, EPG-23620, EPG-26441

EPG-35329 -  Server Roles Management Improvements

227219 - Making Symantec Endpoint Encryption Management Server Public Facing

152737 - Minimum Database Permissions for Symantec Endpoint Encryption Administrators

161258 - User and System Accounts Required by Endpoint Encryption

178363 - How to: Set up Database Access Account Rights - Symantec Endpoint Encryption

179347 - HOW TO: Install Symantec Endpoint Encryption Management Server and the Manager on Standard Windows Operating System

174725 - Grant Additional Administrators Access to Endpoint Encryption Manager Server Console

220948 - Symantec Endpoint Encryption Management Server OR Symantec Endpoint Encryption Configuration Manager does not open properly

227509 - Migrating from Symantec Encryption Desktop to Symantec Endpoint Encryption (Drive Encryption components)