SEE Management Server - Server Roles Unable to parse Active Directory objects with SID History Attribute


Article ID: 237108




Endpoint Encryption, Desktop Email Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, Information Centric Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK


Legacy versions of Symantec Endpoint Encryption Management Server ran into an issue when parsing Active Directory objects that have the SID History attribute.

When this happens, logging in to the SEE Help Desk Web Portal fails with the following error:

"Service is temporarily unavailable. Contact your administrator"


Scenario 1: Roles Resolver Fixed

This issue was resolved in Symantec Endpoint Encryption Management Server 11.2.1 MP1 and above due to improvements made to the Symantec.Endpoint.Encryption.ServerRolesResolver driver that handles this operation.

As per the SEE 11.2.1 MP1 Release Notes:
The Help Desk users that migrate from another domain or have the SID-history attribute can successfully log on to Help Desk Web Console through the group membership.
The group membership is specified through the server roles.


Scenario 2: Non-existent AD Users/Groups causes parsing to fail

In addition to the scenario above, if any users or security groups exist within the server roles but no longer exist within Active Directory, you will not be able to save the configuration properly.
This is being reviewed by Symantec Encryption Engineering, but as a workaround, remove any users or groups that no longer exist in AD and then save.
This also applies to groups or users that were renamed. You may need to remove the renamed group, save, then re-add the newly named group to save the configuration.
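
A pre-check for the workaround above, as an added example (not Symantec code): it reports which server-role entries no longer resolve in Active Directory and which resolved objects carry SID history. It assumes the RSAT ActiveDirectory module, a domain-joined host, and that role entries are matched by sAMAccountName; the names in `$roleEntries` are constructed placeholders and `Get-RoleEntryStatus` is a hypothetical helper.

```powershell
# Added example, not part of the SEE product.
Import-Module ActiveDirectory

# Constructed sample input: replace with the names listed in your server roles.
$roleEntries = @('SEE-HelpDesk-Admins', 'jdoe', 'Old-HelpDesk-Group')

function Get-RoleEntryStatus {
    param([Parameter(Mandatory)] [string[]] $Name)

    foreach ($n in $Name) {
        # Escape LDAP filter metacharacters (RFC 4515); backslash must go first.
        $escaped = $n -replace '\\', '\5c' -replace '\*', '\2a' `
                      -replace '\(', '\28' -replace '\)', '\29'

        # Assumption: role entries are matched on sAMAccountName.
        $filter = "(&(|(objectClass=user)(objectClass=group))(sAMAccountName=$escaped))"
        $obj = Get-ADObject -LDAPFilter $filter -Properties sIDHistory

        $status = if (-not $obj) {
            'NotFound'        # deleted or renamed: remove from the role, save, re-add
        } elseif (@($obj.sIDHistory).Count -gt 0) {
            'HasSidHistory'   # migrated object: affected on versions before 11.2.1 MP1
        } else {
            'OK'
        }

        [pscustomobject]@{
            Name              = $n
            Status            = $status
            DistinguishedName = $obj.DistinguishedName
        }
    }
}

Get-RoleEntryStatus -Name $roleEntries | Format-Table -AutoSize
```

A renamed group shows up as `NotFound` under its old name, which matches the remove, save, re-add sequence described above.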


See also the troubleshooting section of the following article for more information:

237108 - SEE Management Server - Server Roles Unable to parse Active Directory objects with SID History Attribute



If you are having any issues similar to this, Symantec Encryption Support recommends upgrading to the latest version. If this continues to be a problem, contact Symantec Support for further assistance.



Additional Information



170183 - Endpoint Encryption Web-Based Help Desk error "Service is temporarily unavailable".