Troubleshooting problems with the Control Compliance Suite 12.x Remote Console

Article ID: 194790

Products

Control Compliance Suite Standards Server, Control Compliance Suite, Control Compliance Suite Windows, Control Compliance Suite Unix

Issue/Introduction

When installing and running the CCS thick console remotely, several requirements must be met before the remote console will work correctly.

Cause

The following requirements need to be checked and implemented for the Remote Console to work correctly.

  1. The Symantec Application Server Service, Symantec Directory Support Service, and Symantec Encryption Management Service need to be running as the CCS Service Account.
  2. Set Service Principal Names (SPN) for the CCS Service Account.
  3. Add delegation to the CCS Service Account.
  4. Verify the user has the necessary permissions in CCS.
  5. Check the Local Computer policy permission 'Network security: LAN Manager authentication level' and set it to 'Send NTLMv2 response only. Refuse LM & NTLM'.
  6. If the remote server is in a different domain, there needs to be a 2-way trust with the domain where the Application Server is located.

Environment

Release : CCS 12.x

Component : CCS Remote Console

Resolution

Please see the corresponding information below to resolve your issue.

1) Verify that the Symantec Application Server Service, Symantec Directory Support Service, and the Symantec Encryption Management Service are running with your CCS Service Account.

In the example below the CCS Service Account is 'ebsvc' (your CCS Service Account will have its own unique user name).


 

2) Set Service Principal Names (SPN) for the CCS Service Account. 

The official documentation can be found in our CCS Online Documentation: Configuring SPNs in CCS 12.x

Information on how to set up SPNs for the CCS Service Account:

Set up an SPN with the NetBIOS name and the fully qualified domain name (FQDN) of the domain user account in whose context the application pool executes. The SPN can be set up from the Application Server or the DC. You must associate an SPN with a single user account.
Execute the following commands to set up an SPN:

SetSpn -A Symantec.CSM.AppServer/appserver_machine.hostname DomainName/ccs_service_account

SetSpn -A Symantec.CSM.AppServer/appserver_machine.fqdn DomainName/ccs_service_account

SetSpn -A Symantec.CSM.DSS/dss_machine.hostname DomainName/ccs_service_account

SetSpn -A Symantec.CSM.DSS/dss_machine.fqdn DomainName/ccs_service_account

Legend for the commands above:
  • appserver_machine.hostname: The NetBIOS name of the computer where the Application Server is installed.
  • appserver_machine.fqdn: The fully qualified domain name of the computer where the Application Server is installed.
  • DomainName/ccs_service_account: The domain name of the Application Server service account.
  • dss_machine.hostname: The NetBIOS name of the computer where the Directory Service is installed. (Directory Service is installed on the Application Server)
  • dss_machine.fqdn: The fully qualified domain name of the Directory Service computer. (Directory Service is installed on the Application Server)

 

3) Add delegation to the CCS Service Account

Make sure your CCS Service Account is set for delegation as per the example below (NOTE: The delegation tab will not be visible if the SPNs have not been set for that user account). The name of my CCS Service Account in the example below is 'ebsvc'. Your CCS Service Account will have a unique name.


 

4) Verify the user has the necessary permissions in CCS by logging in to a local console.

Make sure the user has permissions in CCS. Test this by having that user log on to a CCS Console locally to verify they have the correct CCS role/permissions that you would like them to have.


 

5) Check the Local Computer policy permission 'Network security: LAN Manager authentication level' and set it to 'Send NTLMv2 response only. Refuse LM & NTLM'

  • Use “Start->Run” and type in “gpedit.msc” in the “Run” dialog box. A “Group Policy” window will open.
  • Click down to “Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options”.
  • Find the policy “Network Security: LAN Manager authentication level”.
  • Right click on this policy and choose “Properties”.
  • Choose “Send NTLMv2 response only/refuse LM & NTLM”.
  • Click OK and confirm the setting change.
  • Close the “Group Policy” window.

 

6) If the remote server is in a different domain, there needs to be a 2-way trust with the domain where the Application Server is located.

Verify that there is a two-way trust between the domain where the Application server is located and the domain where the remote server is installed.
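
The read-only PowerShell script below checks steps 1, 2, 3 and 5 in one pass. It is an added example, not part of the original article or of the CCS product. It assumes that it is run on the Application Server from a domain-joined session, that 'ebsvc' is replaced with your own CCS Service Account name, and that the service display names match the names used in this article.

```powershell
# Added example (not vendor code): read-only check of steps 1, 2, 3 and 5.
# Assumption: 'ebsvc' stands in for your CCS Service Account's sAMAccountName.
param([string]$SvcAccount = 'ebsvc')

# Step 1: the three services must run as the CCS Service Account.
# Display names are taken from the article text (assumed to match services.msc).
$names = 'Symantec Application Server Service',
         'Symantec Directory Support Service',
         'Symantec Encryption Management Service'
foreach ($n in $names) {
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='$n'"
    if (-not $svc) { Write-Warning "Service not found: $n"; continue }
    # StartName is DOMAIN\user or user@domain; compare the user part only.
    $user = ($svc.StartName -split '\\')[-1] -replace '@.*$'
    $ok = ($svc.State -eq 'Running') -and ($user -eq $SvcAccount)
    '{0,-40} {1,-8} {2,-20} {3}' -f $n, $svc.State, $svc.StartName, $(if ($ok) {'OK'} else {'CHECK'})
}

# Steps 2 and 3: read the account's SPNs and delegation settings from AD.
try { $acct = ([adsisearcher]"(&(objectClass=user)(sAMAccountName=$SvcAccount))").FindOne() }
catch { Write-Warning "AD lookup failed: $($_.Exception.Message)" }
if ($acct) {
    $spns = @($acct.Properties['serviceprincipalname'])
    foreach ($class in 'Symantec.CSM.AppServer', 'Symantec.CSM.DSS') {
        # The article registers two SPNs per class: NetBIOS name and FQDN.
        $hits = @($spns | Where-Object { $_ -like "$class/*" })
        '{0,-24} {1} SPN(s): {2}' -f $class, $hits.Count, ($hits -join ', ')
    }
    # An SPN must belong to a single account; setspn -X reports duplicates.
    $dups = & setspn.exe -X | Select-String -SimpleMatch 'Symantec.CSM'
    if ($dups) { $dups } else { 'setspn -X reported no duplicate Symantec.CSM SPNs' }
    # Delegation tab state: unconstrained is a userAccountControl flag,
    # constrained is the msDS-AllowedToDelegateTo target list.
    $uac = [int]$acct.Properties['useraccountcontrol'][0]
    'Trusted for delegation to any service: {0}' -f [bool]($uac -band 0x80000)
    'Delegation limited to: {0}' -f (@($acct.Properties['msds-allowedtodelegateto']) -join ', ')
}

# Step 5: 'Send NTLMv2 response only. Refuse LM & NTLM' is LmCompatibilityLevel 5.
$lvl = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').LmCompatibilityLevel
'LmCompatibilityLevel: {0} ({1})' -f $(if ($null -eq $lvl) {'not set'} else {$lvl}),
    $(if ($lvl -eq 5) {'OK'} else {'CHECK'})
```

The registry check in the last section reads the machine the script runs on, so repeat it on any other computer where the policy in step 5 has to be verified.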


 
