Determine if Protection Engine on Windows is attempting to authenticate to your storage device using an unexpected account


Article ID: 184591



Protection Engine for NAS


NetApp logs indicate an authentication rejection of the Symantec Protection Engine (SPE) domain computer account despite the Symantec Protection Engine service being configured to use your designated privileged user account for scanning.
SPE is not configured to use Local System, and the computer account is not a privileged user for the Vserver active scanner pools.
You need to determine if Protection Engine is creating this rejected request.

5/9/2019 09:34:30 <netapp device> ERROR Nblade.vscanBadUserPrivAccess: For Vserver "SPE-SCANNER", the attempt to connect to the privileged ONTAP_ADMIN$ share by the client "" is rejected because its logged-in user "DOMAIN\SPE-SCANNER$" is not configured in any of the Vserver active scanner pools.


Gather a packet capture/trace and a Procmon log of the authentication attempt. You can download Procmon from Microsoft's website.

Packet Capture/Trace Analysis (instructions based on Wireshark)

  1. You should be able to find the section you need by pressing CTRL+F, selecting "String" from the drop-down list, typing in the scanner domain computer account name, and clicking "Find" to the right of the bar.
  2. You should see an authentication block similar to the following:
  3. Notice the response: Error: STATUS_BAD_NETWORK_NAME

Procmon Analysis

  1. Use 2 filters:
    1. Path contains ontap_admin$ then include (use part of the path mentioned in the NetApp log error)
    2. Process Name is Procmon64.exe then exclude
  2. Go to the time indicated in the NetApp log and also in the Wireshark analysis.
  3. You should see the processes trying to access the NetApp device, the result of the access attempt, and the user used in the attempt. Note that when a process uses "SYSTEM", network access will be made using the server domain computer account as described in Microsoft's documentation:
    1. In the above image, the user displayed for symcscan.exe is the designated account configured for scanning and not the domain computer account. Also notice that the result "BAD NETWORK NAME" is the same result we saw from the Wireshark analysis. This may not always be the case.

Following these steps, you should be able to determine if Protection Engine is making authentication requests using the server's domain computer account. If a program other than symcscan.exe is accessing the file using the "SYSTEM" user account, please contact the program's creator to determine why it is doing so.
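
The two Procmon filters and the time correlation described above can also be applied to a CSV export of the Procmon log. The following is an added example, not part of the original article or of the product. It assumes the export includes the optional "User" column with the header names shown, and the sample rows (filer01, agentx.exe, svc-spe) are constructed.

```python
import csv, io, re
from datetime import datetime

# Constructed sample inputs. EMS_LINE repeats the NetApp log line quoted in the article;
# PROCMON_CSV mimics a Procmon CSV export (header names and rows are assumptions).
EMS_LINE = ('5/9/2019 09:34:30 <netapp device> ERROR Nblade.vscanBadUserPrivAccess: '
            'For Vserver "SPE-SCANNER", the attempt to connect to the privileged '
            'ONTAP_ADMIN$ share by the client "" is rejected because its logged-in user '
            '"DOMAIN\\SPE-SCANNER$" is not configured in any of the Vserver active scanner pools.')
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","User"
"9:34:29.8812345 AM","symcscan.exe","4120","CreateFile","\\filer01\ONTAP_ADMIN$","BAD NETWORK NAME","DOMAIN\svc-spe"
"9:34:30.1045678 AM","agentx.exe","2216","CreateFile","\\filer01\ONTAP_ADMIN$","BAD NETWORK NAME","NT AUTHORITY\SYSTEM"
"9:34:30.2000000 AM","Procmon64.exe","990","CreateFile","\\filer01\ONTAP_ADMIN$","BAD NETWORK NAME","NT AUTHORITY\SYSTEM"
"9:50:02.0000000 AM","agentx.exe","2216","CreateFile","\\filer01\ONTAP_ADMIN$","BAD NETWORK NAME","NT AUTHORITY\SYSTEM"
'''

EMS_RE = re.compile(r'(\d{2}:\d{2}:\d{2}) .*vscanBadUserPrivAccess.*privileged (\S+) share'
                    r'.*logged-in user "([^"]+)"')

def secs(clock):
    """Seconds since midnight for 'HH:MM:SS' or Procmon's 'H:MM:SS.fffffff AM'."""
    hms, _, ampm = clock.partition(" ")
    hms = hms.split(".")[0]  # drop Procmon's 7-digit fraction
    if ampm:
        t = datetime.strptime(f"{hms} {ampm}", "%I:%M:%S %p")
    else:
        t = datetime.strptime(hms, "%H:%M:%S")
    return t.hour * 3600 + t.minute * 60 + t.second

def correlate(ems_line, procmon_csv, window=60):
    """Return (rejected_user, hits) for Procmon rows near the NetApp rejection time.
    Assumes both clocks are in the same time zone and the event is not near midnight."""
    m = EMS_RE.search(ems_line)
    if not m:
        raise ValueError("not a vscanBadUserPrivAccess line")
    when, share, rejected_user = secs(m.group(1)), m.group(2).lower(), m.group(3)
    hits = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if share not in row["Path"].lower():                 # filter 1: Path contains share
            continue
        if row["Process Name"].lower() == "procmon64.exe":   # filter 2: exclude Procmon itself
            continue
        if abs(secs(row["Time of Day"]) - when) > window:     # keep rows near the log time
            continue
        # A process running as SYSTEM authenticates on the network as the computer account.
        as_machine = row["User"].upper().endswith("\\SYSTEM")
        hits.append((row["Process Name"], row["User"], row["Result"], as_machine))
    return rejected_user, hits
```

Rows whose last field is True are the candidates for the request NetApp rejected; in the constructed sample that is agentx.exe, not symcscan.exe.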