Troubleshooting problems with the CCS 12.6.x console on a remote server


Article ID: 194790


Products

Control Compliance Suite Standards Server, Control Compliance Suite

Issue/Introduction

Control Compliance Suite (CCS)

Several requirements must be met before the CCS thick console will work correctly when it is installed and run on a remote server.

Environment

Release: CCS 12.6.x

Component: CCS Remote Console

Cause

The following requirements need to be checked and implemented for the Remote Console to work correctly.

NOTE: When using the CCS Web Console to download and install the CCS thick console, only use the MS Edge browser. Other browsers, such as Chrome or Mozilla Firefox, do not work when downloading and installing the CCS thick console.

  1. Symantec Application Server Service, Symantec Directory Support Service, and the Symantec Encryption Management Service must run as the CCS Service Account on the CCS Application Server.
  2. Set Service Principal Names (SPN) for the CCS Service Account.
  3. Add delegation to the CCS Service Account.
  4. Verify the user has the necessary permissions in CCS.
  5. If the remote server is in a different domain, there needs to be a 2-way trust with the domain where the Application Server is located.

Resolution

Please see the corresponding information below to resolve your issue.

NOTE: When using the CCS Web Console to download and install the CCS thick console, only use the Internet Explorer browser or MS Edge browser. Other browsers, such as Chrome or Mozilla Firefox, do not work when downloading and installing the CCS thick console and will produce errors.

1) Verify that the Symantec Application Server Service, Symantec Directory Support Service, and Symantec Encryption Management Service on the Application Server are running as the CCS Service Account.

2) Set Service Principal Names (SPN) for the CCS Service Account. 

The official documentation can be found in our CCS Online Documentation:  Configuring Service Principal Names

Information on how to set up SPNs for the CCS Service Account:

Set up an SPN with the NetBIOS name and the fully qualified domain name (FQDN) of the domain user account in whose context the application pool executes. The SPN can be set up from the Application Server or the DC. You must associate an SPN with a single user account.

Execute the following commands to set up an SPN:

SetSpn -A Symantec.CSM.AppServer/appserver_machine.hostname DomainName/ccs_service_account

SetSpn -A Symantec.CSM.AppServer/appserver_machine.fqdn DomainName/ccs_service_account

SetSpn -A Symantec.CSM.DSS/dss_machine.hostname DomainName/ccs_service_account

SetSpn -A Symantec.CSM.DSS/dss_machine.fqdn DomainName/ccs_service_account

Legend for the commands above:
  • appserver_machine.hostname: The NetBIOS name of the computer where the Application Server is installed.
  • appserver_machine.fqdn: The fully qualified domain name of the computer where the Application Server is installed.
  • DomainName/ccs_service_account: The domain name and account name of the Application Server service account.
  • dss_machine.hostname: The NetBIOS name of the computer where the Directory Service is installed. (Directory Service is installed on the Application Server.)
  • dss_machine.fqdn: The fully qualified domain name of the Directory Service computer. (Directory Service is installed on the Application Server.)

 

3) Add Constrained Delegation to the CCS Service Account

Make sure your CCS Service Account is set for delegation as per the example below (NOTE: The Delegation tab will not be visible if the SPNs have not been set for the CCS Service user account).

See the steps below to set constrained delegation for specific services.

How to turn on Constrained Delegation using the Active Directory Users and Computers utility:

  1. With a domain admin account, launch the AD Users and Computers utility and navigate to the CCS Service Account user, right-click and select Properties. Select the Delegation tab.  
    Note: The delegation tab will not appear if the account SPN has not been set up.
  2. Select the radio button for "Trust this user for delegation to specified services only".
  3. Choose the sub-option radio button "Use any authentication protocol".
  4. Click the Add button at the bottom of the dialog box, and on the Add Services screen, use the Users and Computers button to enter the hostname of the Application Server machine. Find and select the LDAP service (port 3890 by default) listed on that machine. Click OK.
  5. While still on the Delegation tab, click the Add button again, enter the CCS Service user account, and then find and select the Symantec.CSM.DSS SPN entry for the Directory Server's host machine. Click OK.
  6. While still on the Delegation tab, check the "Expand" box to expand the view. This should display two entries for LDAP (one hostname and one FQDN entry) and two similar entries for the DSS SPN, for a total of four entries.
    See the example below:


    Once all four entries are listed for the services, SAVE the change.
  7. Stop the CCS Application Server services in order as per the KB below (starting at the CCS services at the top and stopping them as you go down).  Then restart the Application Server services in the correct order (starting at the CCS Services at the bottom and working up).
    The correct order to stop and start the services for the CCS Application Server
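
A read-only way to verify steps 1 through 3 from PowerShell, as an added example that is not part of the original article or of the product's own tooling. It assumes the ActiveDirectory module (RSAT), WinRM access to the Application Server, and placeholder account and host names; the service display names are taken from step 1 and may differ on your installation.

```powershell
# Added example: read-only checks for steps 1-3. All param values are placeholders.
param(
    [string]$ServiceAccount = 'ccs_service_account',            # placeholder sAMAccountName
    [string]$AppServerHost  = 'appserver_machine',              # placeholder NetBIOS name
    [string]$AppServerFqdn  = 'appserver_machine.example.local' # placeholder FQDN
)
Import-Module ActiveDirectory

# Step 1: the three services must log on as the CCS Service Account.
# Display names come from the article text (assumption: they match your build).
$displayNames = 'Symantec Application Server Service',
                'Symantec Directory Support Service',
                'Symantec Encryption Management Service'
Get-CimInstance Win32_Service -ComputerName $AppServerHost |
    Where-Object { $displayNames -contains $_.DisplayName } |
    Select-Object DisplayName, State, StartName,
        @{ n = 'RunsAsCcsAccount'; e = { $_.StartName -like "*$ServiceAccount*" } }

# Step 2: all four SPNs must be registered on the service account.
# The article states the Directory Service runs on the Application Server,
# so the same host names are used for both SPN classes.
$user = Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalName,
            'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
$expectedSpns = foreach ($class in 'Symantec.CSM.AppServer', 'Symantec.CSM.DSS') {
    "$class/$AppServerHost"; "$class/$AppServerFqdn"
}
foreach ($spn in $expectedSpns) {
    [pscustomobject]@{ SPN = $spn; Registered = ($user.ServicePrincipalName -contains $spn) }
}

# An SPN must be associated with a single account; report any duplicates.
foreach ($spn in $expectedSpns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) { Write-Warning "Duplicate SPN $spn on: $($owners.Name -join ', ')" }
}

# Step 3: constrained delegation with "Use any authentication protocol".
$targets = @($user.'msDS-AllowedToDelegateTo')
[pscustomobject]@{
    UnconstrainedDelegation = $user.TrustedForDelegation        # expected: False
    AnyAuthProtocol         = $user.TrustedToAuthForDelegation  # expected: True
    LdapTargets             = @($targets -like 'ldap/*').Count              # step 6: 2
    DssTargets              = @($targets -like 'Symantec.CSM.DSS/*').Count  # step 6: 2
}
$targets   # list the delegation targets for manual review
```

If UnconstrainedDelegation reports True, the account is trusted for delegation to any service, which is broader than the "specified services only" setting described in step 2 of the list above.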

 


 

4) Verify the user has the necessary permissions in CCS by logging in to a local console.

Make sure the user has permission in CCS.  Test this by having that user log on to a CCS Console locally to verify they have the correct CCS role/permissions that you would like them to have.

 


 

5) If the remote server is in a different domain, there needs to be a 2-way trust with the domain where the Application Server is located.

Verify that there is a two-way trust between the domain where the Application Server is located and the domain where the remote server is installed.

If a 2-way trust is not possible, then at a minimum a 1-way forest-level trust is required for Kerberos to work correctly. See the link below under Additional Information.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/dd560679%28v=ws.10%29?redirectedfrom=MSDN