Cannot establish trust relationship with load balanced Endpoint Encryption Management Server


Article ID: 193516


Updated On:


Endpoint Encryption


If you use more than one Endpoint Encryption Management Server behind a load balancer that distributes client traffic to the servers, certain commands run from Symantec Endpoint Encryption Manager may fail with an SSL/TLS error. For example, you may see the following error message when you run the Change Web Access command:

In the Event Viewer System log you may see a corresponding Schannel error with Event ID 36888:


Endpoint Encryption Manager is trying to connect to a server name that does not match the name of the TLS certificate.

In SEEMS Configuration Manager, in the Web Server section, the Web server name must match the name of the certificate specified in the Server Certificate field.


Release: 11.0 and above.

Component: Symantec Endpoint Encryption Management Server.


There are two ways to resolve this.

Option 1 - Modify local hosts file

In SEEMS Configuration Manager, ensure that the Web server name value matches the name of the Endpoint Encryption Management Server's TLS certificate.

For example, suppose that your clients connect to the DNS name which resolves to a load balancer that points to two Endpoint Encryption Management Servers with the names and If the TLS certificate has the name then you need to use the name as the Web server name in SEEMS Configuration Manager:

You will then need to create an entry in the C:\Windows\System32\drivers\etc\hosts file pointing to the IP address of the local Endpoint Encryption Management Server. This is so that each Encryption Management Server resolves the load balancer DNS name to itself. For example, if the local Endpoint Encryption Management Server has an IP address of the entry would look like this:

Option 2 - Use a certificate with additional Subject Alternative Names

If you wish to avoid adding an entry to the local hosts file you can use a TLS certificate that has additional SANs (Subject Alternative Names) for each of the Endpoint Encryption Management Servers. For example, the TLS certificate name is but also has SANs for and

If you obtain a TLS certificate with the correct SANs, SEEMS Configuration Manager can use the Web server name value that matches one of the SANs. For example,
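
Added example, not part of the original article or of Symantec's code: a small Python check of the two conditions behind Option 1 and Option 2, namely that the Web server name appears in the certificate and, for Option 1, that the hosts file maps that name to the local server. The host names, the 192.0.2.11 address and the function names are constructed placeholders, and the name comparison is a simplified model of TLS host name matching.

```python
# Added example. All names and addresses below are constructed placeholders.

def name_matches(pattern, host):
    """Compare one certificate DNS name with a host name, case-insensitively."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        head, _, tail = h.partition(".")
        return bool(head) and tail == p[2:]
    return p == h

def cert_covers(cert, host):
    """cert uses the dict layout returned by ssl.SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # Simplification: fall back to the common name only without DNS SANs.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(name_matches(n, host) for n in names)

def hosts_lookup(hosts_text, host):
    """Return the address a hosts file maps host to, or None if absent."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and host.lower() in [f.lower() for f in fields[1:]]:
            return fields[0]
    return None

def check(web_server_name, cert, hosts_text, local_ip):
    """Evaluate one management server against the two conditions."""
    return {
        "name_in_certificate": cert_covers(cert, web_server_name),
        "hosts_points_to_self": hosts_lookup(hosts_text, web_server_name) == local_ip,
    }

# Constructed sample data: load balancer name and two server names.
LB_ONLY_CERT = {"subject": ((("commonName", "see.example.com"),),),
                "subjectAltName": (("DNS", "see.example.com"),)}
SAN_CERT = {"subject": ((("commonName", "see.example.com"),),),
            "subjectAltName": (("DNS", "see.example.com"),
                               ("DNS", "seems01.example.com"),
                               ("DNS", "seems02.example.com"))}
HOSTS = "127.0.0.1 localhost\n192.0.2.11 see.example.com  # local SEEMS address\n"

if __name__ == "__main__":
    print(check("seems01.example.com", LB_ONLY_CERT, HOSTS, "192.0.2.11"))  # mismatch
    print(check("see.example.com", LB_ONLY_CERT, HOSTS, "192.0.2.11"))      # Option 1
    print(check("seems01.example.com", SAN_CERT, "", "192.0.2.11"))         # Option 2
```

For Option 1 both results must be true on every management server; for Option 2 only `name_in_certificate` matters, because no hosts entry is used.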