After upgrading Endpoint Protection Manager to 14.3 RU1+, an "Unexpected error 0x1001000" error is received at login, along with "Ssl client verification not successful so not getting the client certificate" in reporting.log

Article ID: 220844

Products

Endpoint Protection

Issue/Introduction

Unable to log in to the SEPM; "Unexpected error 0x1001000" is displayed.
Additionally, reporting.log, located at "%Program Files%\Symantec\Symantec Endpoint Protection Manager\Apache\Logs", will show the following:

2021-06-25 13:31:32 ERROR:fatal error at login: \rEXCEPTION block1: Error message: <b>Source:</b> Microsoft OLE DB Provider for ODBC Drivers<br/><b>Description:</b> [Microsoft][ODBC Driver 13 for SQL Server]SSL Provider: The target principal name is incorrect.
\rError code: -2147352567\rFile and line: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Php\Include\Common\ado.php(95)\r
2021-06-25 13:31:33 ERROR:could not find valid username in session
2021-06-25 13:31:33 ERROR*:request verification failed - file=homepage.php, referer=*
2021-06-25 13:31:33 INFO:Ssl client verification not successful so not getting the client certificate
2021-06-25 13:31:34 INFO:Ssl client verification not successful so not getting the client certificate
2021-06-25 19:30:43 INFO:Login start
2021-06-25 19:30:43 ERROR:warning: error at login. will retry once. error message : <b>Source:</b> Microsoft OLE DB Provider for ODBC Drivers<br/><b>Description:</b> [Microsoft][ODBC Driver 13 for SQL Server]SSL Provider: The target principal name is incorrect.

Cause

The communication link between the web server (meaning PHP running on Apache) and the database is broken. In this case the certificate presented by the database cannot be trusted because the target principal name is invalid.
With an embedded SQL Express database, SEPM is configured to connect to the database by host name. If, for example, the certificate used by the database has only the IP address in the CN, then SEPM will not be able to verify the certificate.

Environment

SEPM with an embedded database, likely with a custom SSL certificate, either configured with only IP addresses or customized to work within a DMZ.

Resolution

  • Verify the certificate being used for SQL communication. 
    1. Open SQL Server Configuration Manager.
    2. In the console pane, expand SQL Server Network Configuration.
    3. Right-click Protocols for <instance Name>
    4. Select "Properties".
    5. Check the certificate configured, confirming that the "Subject Alternative Names" under the "Details" list the server name. 
      Example: 
      DNS Name=myserver.broadcom.com
      DNS Name=myserver
      IP Address=10.1.20.1
      DNS Name=10.1.20.1
    6. Verify that the certificate is trusted and valid.
  • If the certificate is invalid or not trusted, and multiple certificates are listed, select a different certificate from the Certificate drop-down menu.


  • If there are no other available certificates,
    1. Generate a new certificate, either from a Root Certificate Authority or as a new self-signed certificate. (There are multiple options and methods to do this. Please check your organization's security policies for the preferred method in your environment.)
    2. Add the newly generated certificate to the MMC under "Certificates - Local Computer\Personal"
    3. Open SQL Server Configuration Manager.
    4. In the console pane, expand SQL Server Network Configuration.
    5. Right-click Protocols for <instance Name>
    6. Select "Properties".
    7. Select the newly created certificate in the Certificate drop-down menu.
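
The checks in steps 5 and 6 of the first procedure can also be run from PowerShell against every certificate in "Certificates - Local Computer\Personal", which helps when picking a certificate from the drop-down or confirming a newly generated one. This is an added example, not part of the original article. It assumes SEPM connects to the database with this machine's host name and that Windows is in English, so SAN entries print as "DNS Name=...".

```powershell
# Added example, not from the original article.
# Assumptions: SEPM connects to the database with this machine's host name,
# and Windows is in English (SAN entries are printed as "DNS Name=...").
$short = $env:COMPUTERNAME
$fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now   = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Subject Alternative Name extension (OID 2.5.29.17), one entry per line
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $entries = @()
    if ($sanExt) {
        $entries = @($sanExt.Format($true) -split '\r?\n' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    # Keep only the DNS entries and strip the "DNS Name=" label
    $dnsNames = @($entries | Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { ($_ -split '=', 2)[1] })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        # Step 5: host name listed in the SAN (exact match; wildcards not evaluated)
        SanHasHost    = ($dnsNames -contains $short) -or ($dnsNames -contains $fqdn)
        # Step 6: inside the validity period, and the chain builds to a trusted root
        # (Verify() uses the default chain policy, including revocation checking)
        InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        ChainTrusted  = $cert.Verify()
        HasPrivateKey = $cert.HasPrivateKey
        SanEntries    = $entries -join '; '
    }
} | Format-List
```

A certificate that is suitable for selection in SQL Server Configuration Manager should show SanHasHost, InValidity, ChainTrusted and HasPrivateKey all as True.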