After upgrading Endpoint Protection Manager to 14.3 RU1+ ""Unexpected error 0x1001000" error is received at login, along with "Ssl client verification not successful so not getting the client certificate" in reporting.log
search cancel

After upgrading Endpoint Protection Manager to 14.3 RU1+ ""Unexpected error 0x1001000" error is received at login, along with "Ssl client verification not successful so not getting the client certificate" in reporting.log

book

Article ID: 220844

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Unable to log into the Symantec Endpoint Protection Manager [SEPM] , with "Unexpected error 0x1001000" displayed.


Additionally, Following Error are seen in the different logs:

"%Program Files%\Symantec\Symantec Endpoint Protection Manager\apache\logseporting.log" 

2025-05-15 10:07:05Z ERROR: fatal error at login: \nEXCEPTION block1: Error message: <b>Source:</b> Microsoft OLE DB Provider for ODBC Drivers<br/><b>Description:</b> [Microsoft][ODBC Driver 13 for SQL Server]SSL Provider: The target principal name is incorrect.
\nError code: -2147352567\nFile and line: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Php\Include\Common\ado.php(89)\n
2025-05-15 10:07:06Z ERROR: could not find valid username in session
2025-05-15 10:07:06Z ERROR: request authentication check failed, retryTimes: 1, will retry! - file: homepage.php
2025-05-15 10:07:07Z ERROR: could not find valid username in session
2025-05-15 10:07:07Z ERROR: request authentication check failed, retryTimes: 2, will retry! - file: homepage.php
2025-05-15 10:07:08Z ERROR: could not find valid username in session
2025-05-15 10:07:08Z ERROR: request authentication check failed, maxRetryTimes: 3 - file: homepage.php
2025-05-15 10:09:11Z ERROR: updateLicenseState failed: Response code is not 0, return xml=<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Response/>

2025-05-15 10:09:11Z INFO: Ssl client verification not successful so not getting the client certificate
2025-05-15 10:09:12Z ERROR: updateLicenseState failed: Response code is not 0, return xml=<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Response/>

2025-05-15 10:09:12Z INFO: Ssl client verification not successful so not getting the client certificate
2025-05-15 10:09:19Z INFO: Login start
2025-05-15 10:09:20Z WARNING: warning: error at login. will retry, retryTimes: 1. Error message: <b>Source:</b> Microsoft OLE DB Provider for ODBC Drivers<br/><b>Description:</b> [Microsoft][ODBC Driver 13 for SQL Server]SSL Provider: The target principal name is incorrect.

"%Program Files (x86)%\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\scm-server-0.log"

2025-05-20 15:08:28.288 THREAD 58 SEVERE: Unexpected parameter value. in: com.sygate.scm.server.task.ScheduledReportingTask
com.sygate.scm.server.util.ServerException: Unexpected parameter value.
    at com.sygate.scm.server.task.ScheduledReportingHelper.doIntegratedLogin(ScheduledReportingHelper.java:675)
    at com.sygate.scm.server.task.ScheduledReportingTask.execute(ScheduledReportingTask.java:464)
    at com.sygate.scm.server.task.MonitoredTimerTask.run(MonitoredTimerTask.java:56)
    at java.base/java.util.TimerThread.mainLoop(Timer.java:556)
    at java.base/java.util.TimerThread.run(Timer.java:506)

"%Program Files (x86)%\Symantec\Symantec Endpoint Protection Manager\tomcat\logs\Upgrade-0.log"
2025-05-15 16:06:30.635 THREAD 28 WARNING: tryGetSQLExpressDbaConnection: can not get exception for: sa due to: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". ClientConnectionId:32fda511-1adb-494b-aa45-82bee587912c
2025-05-15 16:06:30.635 THREAD 28 INFO: getDatabaseConnectionWithNTLMv2Retry, jdbcURL: jdbc:sqlserver://SEPM_Server_Name:2638;instanceName=SQLEXPRESSSYMC;integratedSecurity=false;encrypt=true;trustServerCertificate=false, user: DBA

Environment

SEPM with an embedded database, likely with a custom SSL certificate. Either configured with only IP addresses, or customized to work within a dmz. 

Cause

The issue is with a broken communication link between the web server (meaning php running on Apache) and the database. In this case the certificate presented by the database cannot be trusted due to the Target Principal name being invalid. 
In an embedded SQL Express database, SEPM is configured to connect to the database with the host name. If, for example, the certificate used by the database has only the IP address in the CN, then it will not be able to verify the certificate. 

Resolution

  • Verify the certificate being used for SQL communication. 
    1. Open SQL Server Configuration Manager.
    2. In the console pane, expand SQL Server Network Configuration.
    3. Right-click Protocols for <instance Name>
    4. Select "Properties".
    5. Check the certificate configured, confirming that the "Subject Alternative Names" under the "Details" list the server name. 
      Example: 
      DNS Name=myserver.mydomain.com
      DNS Name=myserver
      IP Address=x.x.x.x
      DNS Name=x.x.x.x
    6. Verify that the certificate is trusted and valid.
  • If the certificate is invalid or not trusted, and multiple certificates are listed, Select a certificate from the Certificate drop-down menu.

  • If there are no other available certificates,
    1. Generate a new certificate, either from a Root Certificate Authority, or generate a new self signed certificate. (There are multiple options and methods to do this. Please verify with your organization's security policies for the preferred method in your environment)
    2. Add the newly generated certificate to the MMC under "Certificates - Local Computer\Personal"
    3. Open SQL Server Configuration Manager.
    4. In the console pane, expand SQL Server Network Configuration.
    5. Right-click Protocols for <instance Name>
    6. Select "Properties".
    7. Select the newly created certificate in the drop down.  
  • If No certificates are in use/certificate has already expired for SQL communication

    Take a backup of "ROOT.XML" file present in "%Program Files (x86)%\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\Catalina\localhost"

    • Make the following changes in the "ROOT.XML"
      encrypt=true
      to
      encrypt=false

    • Set the ForceEncryption to No (https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-sql-server-encryption?view=sql-server-ver1)

      Restart the SEPM services