Control Compliance Suite Thick Console Launch Process

Article ID: 180841

Updated On:

Products

Control Compliance Suite Windows

Issue/Introduction


Resolution


CCS Console installation
The CCS console is installed with the ClickOnce deployment technology. This article explains how ClickOnce installs the console, where the console components live, what happens when the console shortcut is launched, and how to troubleshoot the Kerberos errors that stop it from launching.
ClickOnce allows you to do the following:
  • Publish Windows-based applications to a Web server or network file share for simplified installation.
  • Create self-updating Windows-based applications that can be installed and run with minimal user interaction.
Issues ClickOnce overcomes
ClickOnce addresses the following deployment issues:
  1. Application updates: the application updates itself from the publish location each time it is launched.
  2. Low impact on the end user's computer: the application is self-contained in a per-user cache and does not touch Program Files, shared files, or the GAC.
  3. Security permissions: installation does not require administrative rights on the client.
ClickOnce vs MSI

Feature                            | ClickOnce                                                     | Windows Installer
Post-installation rollback         |                                                               |
Web updates                        | Yes                                                           | No
Security permissions granted       | Grants only the permissions the application needs (safer)     | Grants Full Trust by default (less safe)
Installation-time user interface   | Single prompt                                                 | Multipart wizard
Binary file patching               | No                                                            | Yes
Application installation location  | ClickOnce application cache                                   | Program Files folder

The following table gives the location of the various CCS console components.

CCS console component                                          | Location
CCS Console install location (ClickOnce application cache)     | Windows 2003: C:\Documents and Settings\<USER>\Local Settings\Apps\2.0\
                                                               | Windows 2008: C:\Users\<USER>\AppData\Local\Apps\2.0\
Published package location on the application server computer  | C:\Program Files\Symantec\CCS\Reporting and Analytics\WebPortal\Console
CCS Console logs                                               | Windows 2003: %allusersprofile%\Application Data\Symantec.CSM\Logs\SymConsole
                                                               | Windows 2008: %allusersprofile%\Symantec.CSM\Logs\SymConsole
CCS Console configuration file                                 | SymConsole.exe.config, in the console install folder

Note: The ClickOnce cache is per user, so look under the profile of the user who launched the console. Within Apps\2.0, search for the latest "syma..tion_" folder; it contains the installed CCS ClickOnce console, and SymConsole.exe.config is present in that folder. Older versions of the console remain in the cache alongside the current one.
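To locate these components on a Windows Vista/2008 or later client, the following PowerShell script is an added example, not part of the CCS documentation. It assumes the paths in the table above, the "syma..tion_" folder-name pattern the note tells you to search for, and that SymConsole.exe.config carries a standard .NET appSettings section (if it does not, the script says so instead of failing). Run it as the user who launched the console, because the ClickOnce cache is per user.

```powershell
# Added example (not CCS product code): find the installed ClickOnce copy of the
# CCS console, its SymConsole.exe.config, and its most recent log file.
$cacheRoot = Join-Path $env:LOCALAPPDATA 'Apps\2.0'                       # per-user ClickOnce cache
$logRoot   = Join-Path $env:ALLUSERSPROFILE 'Symantec.CSM\Logs\SymConsole' # Windows 2008+ log path

# The cache keeps one "syma..tion_*" folder per deployed version; the newest one
# is the version that actually launches. Apps\2.0\Data\... holds the matching
# per-version data directories, which also match the pattern, so exclude them.
$consoleDirs = Get-ChildItem -Path $cacheRoot -Recurse -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'syma..tion_*' -and $_.FullName -notlike '*\Apps\2.0\Data\*' } |
    Sort-Object LastWriteTime -Descending

if (-not $consoleDirs) {
    Write-Warning "No ClickOnce copy of the CCS console found under $cacheRoot"
    return
}

$latest = $consoleDirs[0]
Write-Host "Installed console : $($latest.FullName)"
Write-Host "Older cached copies: $($consoleDirs.Count - 1)"

# SymConsole.exe.config sits next to SymConsole.exe in that folder. It is plain
# .NET XML; dump appSettings so you can confirm which application server the
# console will contact. (The presence of an appSettings section is an assumption.)
$configPath = Join-Path $latest.FullName 'SymConsole.exe.config'
if (Test-Path $configPath) {
    [xml]$config = Get-Content -Path $configPath -Raw
    if ($config.configuration.appSettings) {
        $config.configuration.appSettings.add | Select-Object key, value | Format-Table -AutoSize
    } else {
        Write-Host "No appSettings section in $configPath; inspect the file manually"
    }
} else {
    Write-Warning "SymConsole.exe.config not found in $($latest.FullName)"
}

# The console logs record launch failures, including Kerberos failures.
# Show the tail of the most recently written log.
$lastLog = Get-ChildItem -Path $logRoot -File -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($lastLog) {
    Write-Host "Latest log: $($lastLog.FullName)"
    Get-Content -Path $lastLog.FullName -Tail 20
} else {
    Write-Warning "No console logs found under $logRoot"
}
```

On Windows 2003 clients substitute the Windows 2003 cache and log paths from the table; the folder-name pattern and the config file name are the same.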

The backend activities that take place after you launch the shortcut are as follows:
  1. ClickOnce checks the publish location for a newer version, fetches the latest binaries, and then launches SymConsole.
     The role of ClickOnce is restricted to fetching the latest binaries; everything that follows is done by SymConsole itself.
  2. SymConsole reads the application server details from its configuration file (SymConsole.exe.config) and requests the configuration data from the application server.
    • The application server fetches the configuration details from ADAM and returns them to the console.
  3. The console connects to the application server using Kerberos authentication.
     Active Directory Kerberos authentication succeeds only if the following criteria are met:
    • The clock on the console/client machine is within five minutes of the domain controller and of the application server machine (five minutes is the default Kerberos clock skew tolerance).
    • The APS (application server) service account is enabled for delegation.
    • The SPNs for the APS and DSS service accounts are set, and each SPN is registered on exactly one account.
    Note: If Kerberos authentication fails, the console does not launch.
  4. The post-authentication steps are as follows:
    • Fetch the application manifests for each module, such as assets, standards, ESM, and entitlements.
    • Check the features and the Core license.
    • Download the custom MOS schemas into the console folder.
    • Load the assemblies.
    • Get authorization tokens for all the tasks that the user has access to.
    This step determines which workspaces the user sees and the level of access within each.
    For example, if the user has access to the standards module, CCS fetches the following tokens:
    • CSM_Standards_EvaluationResultDetails_View
    • CSM_Standards_Read
    • CSM_Standards_Evaluate
    • CSM_Standards_DataCollection

Troubleshooting Kerberos errors
Kerberos errors can be due to one of the following reasons:
    • Clock skew
    • SPN not set, or duplicate SPNs
    • Launching the console from a domain whose trust type is external, from a non-trusted domain, or from a workgroup
To troubleshoot the error, do the following:
  1. Enable Kerberos event logging on the SymConsole machine
Add the following registry value, then reproduce the failure. Kerberos client errors are then written to the System event log, which is where the errors referenced in the following steps appear.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 0x1
Note: With LogLevel set to 1, every Kerberos error is logged, including expected ones that the client recovers from on its own. Set the value back to 0 (or delete it) when you have finished troubleshooting.
  2. Clock skew
The difference between the client timestamp (in the authenticator or in the KRB_AS_REQ) and the server's clock is greater than the "Maximum tolerance for computer clock synchronization" setting in the domain policy (five minutes by default).
Confirmation
Clock skew is easily diagnosed by reviewing the Kerberos events in Event Viewer. Look for the following error:
    • 0x25: KRB_AP_ERR_SKEW: Clock skew too great. Associated Windows error code: STATUS_TIME_DIFFERENCE_AT_DC
Resolution
Synchronize the client, the application server, and the domain controllers against the same time source. For information about how to use an external time source to synchronize all the computers in a domain, see "How to Configure an Authoritative Time Server in Windows 2000" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=23042.
  3. SPN not set
If an SPN is not registered on the service account, the KDC cannot find the account for which to issue a service ticket, so the client has no way of authenticating to that service. The common results of a missing SPN are the following errors in Event Viewer (the "C" variant refers to the client principal, the "S" variant to the service principal, that is, the SPN):
KDC_ERR_C_PRINCIPAL_UNKNOWN
Associated internal Windows error code:
    • STATUS_NO_SUCH_USER
or
KDC_ERR_S_PRINCIPAL_UNKNOWN
Associated internal Windows error codes:
    • STATUS_NO_TRUST_SAM_ACCOUNT
    • STATUS_OBJECT_NAME_NOT_FOUND
    • STATUS_KDC_UNABLE_TO_REFER
Resolution
For setting the SPNs, refer to the CCS Planning and Deployment Guide. You can use the CCSSPNUtil.exe utility to automate the creation of the SPNs that Control Compliance Suite requires in distributed setup mode. The utility is available in the <install directory>\Symantec\CCS\Reporting and Analytics\Application Server directory of the product.
For duplicate SPNs (the same SPN registered on more than one account) the following error is returned:
KDCEVENT_NAME_NOT_UNIQUE
This is logged on the domain controller as KDC event ID 11 ("There are multiple accounts with name ... of type DS_SERVICE_PRINCIPAL_NAME"); the setspn -X command lists the duplicates. For resolving duplicate SPN related issues, refer to http://technet.microsoft.com/en-us/library/cc733945(WS.10).aspx or to the Symantec CCS SPN Knowledge Base article.
  4. Launching the console from a domain whose trust type is external, from a non-trusted domain, or from a workgroup
Due to a Kerberos limitation, Symantec does not support these scenarios for SymConsole. The console machine must be joined to the application server's domain or to a domain that reaches it through a Kerberos-capable trust.
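The four steps above can be run from the SymConsole machine as one PowerShell checklist. The script below is an added example, not part of the CCS documentation; it assumes an elevated session, the ActiveDirectory RSAT module, and Windows 7/2008 R2 or later (for klist get). The application server name, the APS service account, and the APS SPN at the top are hypothetical values to replace with the ones CCSSPNUtil.exe registered in your deployment.

```powershell
# Added example (not CCS product code): Kerberos launch-failure checklist for SymConsole.
# Replace these three hypothetical values with your own before running.
$AppServer  = 'ccs-aps.corp.example.com'       # application server FQDN (assumed)
$ApsAccount = 'svc-ccs-aps'                    # APS service account sAMAccountName (assumed)
$ApsSpn     = 'HOST/ccs-aps.corp.example.com'  # SPN CCSSPNUtil.exe registered for APS (assumed)

# --- Step 1: enable Kerberos client event logging (LogLevel = 1) ---
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $kerbKey)) { New-Item -Path $kerbKey -Force | Out-Null }
Set-ItemProperty -Path $kerbKey -Name LogLevel -Value 1 -Type DWord
# Reproduce the failure (launch the console), then read the Kerberos client events.
# KRB_AP_ERR_SKEW (0x25) points at step 2; KDC_ERR_*_PRINCIPAL_UNKNOWN (0x6/0x7) at step 3.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Error'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# --- Step 2: clock skew against the logon DC and the application server ---
# w32tm prints the offset of the local clock from the target; more than the
# 5-minute default tolerance in either direction fails Kerberos.
$dc = $env:LOGONSERVER.TrimStart('\')
w32tm /stripchart /computer:$dc /samples:3 /dataonly
w32tm /stripchart /computer:$AppServer /samples:3 /dataonly

# --- Step 3: SPNs registered, unique, and the APS account enabled for delegation ---
Import-Module ActiveDirectory
$aps = Get-ADUser -Identity $ApsAccount -Properties ServicePrincipalNames, TrustedForDelegation,
    TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
"SPNs registered on $ApsAccount`:"
$aps.ServicePrincipalNames
"Trusted for (unconstrained) delegation : $($aps.TrustedForDelegation)"
"Constrained delegation targets          : $($aps.'msDS-AllowedToDelegateTo' -join ', ')"
if ($aps.ServicePrincipalNames -notcontains $ApsSpn) {
    Write-Warning "Expected SPN $ApsSpn is not registered on $ApsAccount (KDC_ERR_S_PRINCIPAL_UNKNOWN)"
}
if (-not $aps.TrustedForDelegation -and -not $aps.'msDS-AllowedToDelegateTo') {
    Write-Warning "$ApsAccount is not enabled for delegation"
}
# setspn -X scans the domain for SPNs registered on more than one account
# (the KDCEVENT_NAME_NOT_UNIQUE case; the DC logs KDC event ID 11 for these).
setspn -X

# Ask the KDC for a service ticket to the APS SPN as the current user. This
# reproduces the console's TGS request and fails with the same KDC error.
klist purge | Out-Null
klist get $ApsSpn

# --- Step 4: client must be domain-joined with a usable trust path, not in a workgroup ---
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "$($cs.Name) is in workgroup '$($cs.Workgroup)'; Kerberos to $AppServer cannot work"
}
nltest /domain_trusts /all_trusts   # check the trust type between this domain and the APS domain

# When finished, turn verbose Kerberos logging back off:
# Set-ItemProperty -Path $kerbKey -Name LogLevel -Value 0 -Type DWord
```

Read the output top to bottom: an event with 0x25 plus a w32tm offset over 300 seconds is a clock problem; a missing or duplicated SPN shows up both in the Get-ADUser/setspn output and as the error klist get returns; a workgroup machine or an external trust in the nltest output is the unsupported scenario in step 4.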