Why am I not able to upload a SEPM certificate using my AD authenticated user in Symantec EDR?


Article ID: 223015




Advanced Threat Protection Platform


You are unable to create or update a secure SEPM controller connection in Symantec EDR using an Active Directory (AD) user and the SEPM certificate.

You encounter the following error: "Error: IOException occurred when trying to save the keystore".


  • The SEPM group connector has 'Include inherited sub-groups automatically' enabled and the SEPM group cache is already invalidated.
    • You are attempting to update an existing connection to use an AD authenticated user.
  • The SEPM group cache is invalidated even when you have not fully configured the SEPM controller connection.
    • You may be attempting to create the connection with an AD authenticated user as a 'new' connection and you are unable to do so.


Release: 4.6.x


Implement one of the following workarounds.

Workaround 1:

  1. Please create the SEPM connection with a local user while using the SEPM certificate.

Workaround 2:

  1. Please create the SEPM connection with a local user that is not AD authenticated.
    1. You may choose to use the SEPM certificate now or you may choose not to use it.  You will have the opportunity to update the connection with the AD user account and include the certificate later.  This is only a temporary circumstance for testing purposes before the certificate is used as recommended for normal use.
  2. In the SEDR web user interface, go to Settings > Global > Endpoint Communication Channel, SEP Policies, and Endpoint Activity Recorder, click the three dots, and open SEPM Group Inclusions.
  3. Click 'Refresh SEPM Groups'.

    NOTE: This could take time to refresh.  There should be no error.

  4. Click Save once the groups are refreshed.

    NOTE: This may also take a similar amount of time to save.  There should be no error while saving the SEPM group inclusions after refreshing the SEPM groups.

  5. Update the SEPM Controller Connection with the AD user's information and credentials. 
    1. Include the SEPM certificate if you have not already done so.