Upgrade Wizard fails with Warning: Null, when upgrading to Symantec Endpoint Protection Manager (SEPM) to 14.3 RU5 or RU6

You may also see the error "The Symantec Endpoint Protection Manager reporting account does not connect to the Microsoft SQL Server database.  You must recreate or modify the reporting account in SQL Server Management Studio"

A review of the upgrade-0.log reveals the following error.

2022-07-12 17:09:32.721 THREAD 93 WARNING: DatabaseUtilities> hasUserAlterAnyLoginPermission>> Account permission verification done! hasRequiredPermission: true
2022-07-12 17:09:32.721 THREAD 93 INFO: DbUtil> addReporterUser>> hasPermissionAlterAnyLogin: true
2022-07-12 17:09:32.721 THREAD 93 INFO: DbUtil> addReporterUser>> Checking and adding report login!
2022-07-12 17:09:32.721 THREAD 93 INFO: doesDbLoginExist >> loginUsername: REPORTER_sem5SEM5
2022-07-12 17:09:32.721 THREAD 93 INFO: doesDbLoginExist >> Result: true
2022-07-12 17:09:32.721 THREAD 93 INFO: alterReporterLogin >> dbName: sem5, reporterUserName: REPORTER_sem5SEM5
2022-07-12 17:09:32.737 THREAD 93 INFO: Altered login default database: ALTER LOGIN [%s] with DEFAULT_DATABASE = [%s]
2022-07-12 17:09:32.777 THREAD 93 INFO: Reset password successfully!
2022-07-12 17:09:32.777 THREAD 93 INFO: DbUtil> addReporterUser>> Report login was altered successfully!
2022-07-12 17:09:32.777 THREAD 93 INFO: DbUtil> addReporterUser>> Checking and adding report user!
2022-07-12 17:09:32.777 THREAD 93 INFO: doesDbUserExist >> loginUsername: REPORTER_sem5SEM5
2022-07-12 17:09:32.779 THREAD 93 INFO: doesDbUserExist >> Result: true
2022-07-12 17:09:32.779 THREAD 93 INFO: DbUtil> addReporterUser>> adding REPOTER role to report user!
2022-07-12 17:09:32.783 THREAD 93 FINE:  calling close on connection.
2022-07-12 17:09:32.784 THREAD 93 FINE: Return connection to pool.
2022-07-12 17:09:32.784 THREAD 93 INFO: DbUtil> testReportingUserConnection>> Initializing datasource...
2022-07-12 17:09:32.784 THREAD 93 INFO: Skip using Cursors for MS JDBC to leverage Adaptive buffering
2022-07-12 17:09:32.785 THREAD 93 INFO: DbUtil> testReportingUserConnection>> Reporting user: REPORTER_sem5SEM5, URL: jdbc:sqlserver://SQLServername:1433;instanceName=sepm;databaseName=sem5;integratedSecurity=true;encrypt=true;trustServerCertificate=true
2022-07-12 17:09:32.785 THREAD 93 INFO: getDatabaseConnectionWithNTLMv2Retry, jdbcURL: jdbc:sqlserver://<Sqlservername>:1433;instanceName=<instanceName>;databaseName=sem5;integratedSecurity=true;encrypt=true;trustServerCertificate=true, user: REPORTER_sem5SEM5
2022-07-12 17:09:32.809 THREAD 93 SEVERE: exception retrieving connection
2022-07-12 17:09:32.810 THREAD 93 SEVERE: exception retrieving connection
2022-07-12 17:09:32.810 THREAD 93 FINE: connection is null.
2022-07-12 17:09:32.810 THREAD 93 WARNING: Login failed for user <Domain\username>. ClientConnectionId:533dd50b-7188-4d91-9d1b-ca0fd78f9f63
2022-07-12 17:09:32.810 THREAD 93 FINE: connection is null.

You may also see one of the following error messages:

 2022-08-08 14:31:28.931 THREAD 97 WARNING: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. 

2022-12-06 11:34:01.233 THREAD 96 WARNING: Login failed for user 'REPORTER_sem5xxxxxxxx'. ClientConnectionId:5e2f208b-d58f-4533-a15f-57e8b219d442

Release : 14.3 RU5 and RU6

Component :SEPM

Remote SQL server

During the upgrade to 14.3 RU5 or RU6, the connection for the reporter account that the SEPM uses to connect to the SQL server attempts to connect using windows authentication which fails.

1. The reporter account is a SQL-only account. The user account that is logged on to the SEPM's OS does not have access to the SEPM DB on the SQL server.
2. The User Mapping from the SQL Login to the database is corrupt
3. Server Authentication need to be set to SQL Server and Windows Authentication mode

Three possible resolutions depending on the cause

1. SQL-only account:

1. In SQL Server Management Studio, edit the Security Settings for the SEPM database (typically "sem5").
2. Add the user account for the admin performing the SEPM install to the database users for the SEPM DB.  It does not need dbo privileges, but must be able to connect to the DB.
3. On the SEPM, navigate to <SEPM-install-directory>\bin and run upgrade.bat to proceed with the upgrade.

2. Corrupt user mapping

1. Verify that a backup of the database exists before making the following changes.
2. In SQL Server Management Studio, edit the Security Settings for the SEPM database (typically "sem5").
3. Delete the user shown in your error log (in this example REPORTER_sem5SEM5) from the following location. <SQL Server Name>\Databases\<SEPM database>\Security\Users
4. Edit the login and add the mapping to the SEPM Database. <SQL Server Name>\Security\Logins
   1. Double-click the account that was deleted in step 3
   2. Select "User Mapping"
   3. Check the "Map" box next to the <SEPM database> 
   4. Make sure the "Default Schema" is "dbo" and the "Database role membership for: master" is "public" 

Note: The user account most likely be REPORTER_sem5<user>

3. Server Authentication need to be set to SQL Server and Windows Authentication mode

1. Run SQL Server Management Studio
2. Right click on the SQL server instance.
3. Click on Properties.
4. Click on Security on the left pane.
5. Check SQL Server and Windows Authentication mode under Server authentication section.
6. Click OK.

Additional scenario(s) where this error can occur:

1. During password maintenance of the SEM5 user account, you encounter this error when attempting to run the Symantec SEPM configuration wizard at 97 or 99%.  This can occur when the SEM5 user rights and or the Reporter rights have been altered for security reasons and the configuration wizard is unable to correct these changes in the first pass. 

Possible resolution:
Re-run the SEPM configuration wizard.  During the first run for the SEPM configuration wizard when the error occur you will be sent back to the credentials prompt portion of the wizard.  Go ahead and retry the next button to run the job again. It has been seen that the SEPM configuration wizard can correct this rights error,  but may take more than one run to complete as the job cannot be done in a single operation.

CRE-10852