Symantec Endpoint Encryption provides a web portal for accessing recovery keys, reporting, and other useful information. In a default configuration, login to the portal uses Windows authentication via the Server Roles.
Another method that authenticates more automatically is "One-Click". It lets you click a button and be logged in automatically, using authentication that has already happened by other means. This article describes the steps to configure it.
These settings are optional and are not configured by default.
The SEE Web Portal is readily available for you to use after you install Symantec Endpoint Encryption Management Server. For some basic overview of the web portal, see the following article:
240649 - Symantec Endpoint Encryption 11.4 Dashboard and Reports
The Symantec Endpoint Encryption Management Server Configuration Manager (SEEMS Configuration Manager) - Advanced Settings page lets you configure a custom URL for the Web Portal. To use it, DNS must already be configured and resolving properly, and the TLS certificates must match. To find out the default URL for your server, look at "Section 1 of 3" in the Dashboard KB above. SEE Client configuration considerations should also be reviewed, as they could cause unforeseen challenges. Consequently, choose to do this only if the default URL is not sufficient.
The general syntax of the web-based Help Desk Recovery console URL is represented as follows:
https://SEEMS-FQDN-HERE:PORT-HERE/webconsole
If you want to configure the already customized web-based Help Desk Recovery console URL, use the Help Desk Recovery Configuration page.
While configuring the URL, be sure to follow the syntax that is described in the beginning of this topic. Symantec Endpoint Encryption uses the configured URL and updates the hyperlink displayed on the SEE Help Desk snap-in page. However, configuring the URL does not configure DNS settings for the custom host name provided in the URL. So, before you configure the URL, configure the DNS settings appropriately and confirm that the URL is valid.
By default, the customization is disabled and the settings mentioned on Web Server Configuration page will be used by the Help Desk snap-in to update the hyperlink.
When you customize and deploy web-based Help Desk Recovery console on to your enterprise network, ensure that you follow these guidelines:
All Ports and URLs Match: The Web service used by clients for communication with Symantec Endpoint Encryption Management Server and web-based Help Desk Recovery console share the same port. So, the port number specified on the Web Server Configuration page and the Help Desk Recovery Configuration page must match. Be sure to use this (load balancer) URL when you generate the client installers.
TLS Certification Information: If you want to use TLS, then share the TLS certificate between the web service used by clients for communication with Symantec Endpoint Encryption Management Server and web-based Help Desk Recovery console. So, the hostname given in the web service URL (used by clients to communicate with the server) and the host name given in the custom URL for web-based Help Desk Recovery must be the same.
Load Balancers: If your infrastructure uses a load balancer to distribute client requests across a number of servers, then ensure that the URL that you customize in the Help Desk Recovery Configuration page matches the URL of the load balancer for the web-based Help Desk Recovery console.
Ultimately, it is easier to simply keep using the default URL that was configured initially for the SEE Management Server. This customized URL is not specific to One-Click, but it is on the same page, so for convenience, we list information on this topic here.
For the One-Click Configuration, consider the following:
One-Click Login authentication - Uses Kerberos Authentication instead of the standard Windows Authentication that is available by default.
Once configured, a predefined ticket that contains user credentials removes the need for sign-in credentials.
Kerberos authentication Prerequisite setup tasks:
Item 1: Kerberos is a network authentication protocol that uses tickets to allow nodes communicating over a non-secure network to prove their identity to one another securely. For a help-desk administrator authenticating from their client browser to the Symantec Endpoint Encryption web-based Help Desk Recovery console, using Kerberos means using a single-click login, rather than a form-based (user/password) login.
Item 2: To enable Kerberos authentication, you must configure multiple settings using the Symantec Endpoint Encryption Management Server Configuration Manager (SEEMS Configuration Manager).
Note: Although you can set some of the server and database fields in the Symantec Endpoint Encryption Suite Installation Wizard, to access all configuration pages necessary for Kerberos, after Symantec Endpoint Encryption is installed, you will need to launch the SEEMS Configuration Manager application. In this example you can see the "About" page of the SEEMS Configuration Manager listed here:
Item 3: Command Line will be used to enable some of the required parameters needed for One-Click Sign In.
Item 4: In the SEEMS Configuration Manager, you will define the mode in which SEE Management Server authenticates to the database.
The Database can use either "Windows Authentication" or "SQL Authentication". SQL Auth uses Web Application Pool identity.
For Windows authentication: Define a Windows domain account. If the deployment uses multiple servers with a load balancer, use the same account across all servers.
For SQL Server authentication: Selecting SQL Server authentication causes the Web application pool identity field to appear. For the Web application pool identity field:
• If you are using a single server, let the field default to your Network Service account.
• If you are using multiple servers with a load balancer, change the field to a Windows domain account. Use the same account across all servers.
Tip: It is critical to know the configuration of your working environment before making these changes. We highly recommend taking screenshots of any of the screens you use in your environment so you can revert back to the successful settings if needed.
Item 5: Note for Windows Domain Account: If you defined the Web application pool identity to be a Windows domain account, the AD administrator must run two “set” commands on Symantec Endpoint Encryption Management Server. If you are not using the Web application Pool identity with a Windows domain account, skip to step 3.
Note: Commands require Domain Admin privileges. This will configure the Service Principal Name (SPN) to the server resource name.
To run these two "set" commands for Kerberos authentication, see below. (Again, this is to be done only if Windows Authentication was chosen on the Database page for the SEE Management Server.)
Tip: Work with your Active Directory team before attempting these steps to ensure they are allowed and will not cause any unforeseen challenges if enabled.
Step 1: Command 1: On the Symantec Endpoint Encryption Management Server, from an elevated command prompt, enter:
setspn -s HTTPS/<SEEMgmtServer> <Domain>\<KerberosUser>
Where <KerberosUser> is the Windows account name.
The SPN (Service Principal Name) command associates the Web application pool identity with the server resource name.
For example, if you open up IIS, and at the top, you see "WebExample" and your domain is "example.com", and the account is "admin-user1", then the following command should be used:
setspn -a HTTPS/webexample.example.com example\admin-user1
You should see something like the following returned if it was successful:
Registered ServicePrincipalNames for CN=admin-user1,CN=Users,DC=example,DC=com: https/webexample.example.com
Step 2: Command 2: From an elevated Windows PowerShell, enter:
Set-ADUser <KerberosUser> -TrustedForDelegation 1
For example, for this same scenario, the command should look similar to the following:
powershell.exe Set-ADUser admin-user1 -TrustedForDelegation 1
The command modifies an instance of the AD object and updates Active Directory, allowing the Kerberos user to have trusted delegation for Kerberos authentication.
No output should be seen here.
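The result of the two commands above can be confirmed from PowerShell. This is an added example, not part of the original article or of Symantec's tooling; it assumes the ActiveDirectory module (RSAT) is available and uses the article's sample account and SPN, and Test-SeeKerberosPrereq is a hypothetical helper name.

```powershell
# Added verification example (not from the original article).
# Assumes the ActiveDirectory module; sample values are the article's own.
Import-Module ActiveDirectory

function Test-SeeKerberosPrereq {
    param(
        [Parameter(Mandatory)] [string] $Account,  # e.g. admin-user1
        [Parameter(Mandatory)] [string] $Spn       # e.g. HTTPS/webexample.example.com
    )

    $user = Get-ADUser -Identity $Account `
        -Properties ServicePrincipalName, TrustedForDelegation

    # Every directory object that carries this SPN. Kerberos needs exactly
    # one holder; if a second object holds the same SPN, ticket requests
    # for it fail and One-Click Sign In will not work.
    $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'")

    [pscustomobject]@{
        Account              = $user.SamAccountName
        SpnOnAccount         = [bool]($user.ServicePrincipalName -contains $Spn)
        SpnIsUnique          = ($holders.Count -eq 1)
        SpnHolders           = $holders.DistinguishedName
        # -TrustedForDelegation sets unconstrained Kerberos delegation
        # (the TRUSTED_FOR_DELEGATION flag) on the account.
        TrustedForDelegation = $user.TrustedForDelegation
    }
}

Test-SeeKerberosPrereq -Account 'admin-user1' -Spn 'HTTPS/webexample.example.com'

# Inventory of all user accounts that carry the delegation flag, so the
# account changed in Step 2 can be tracked alongside any existing ones.
Get-ADUser -Filter 'TrustedForDelegation -eq $true' |
    Select-Object SamAccountName, DistinguishedName
```

For the article's scenario the expected result is SpnOnAccount, SpnIsUnique and TrustedForDelegation all True, with admin-user1 as the only entry in SpnHolders.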
Step 3: Custom SPN Configuration and IIS Configuration
On the Web Server tab of the SEEMS Configuration Manager, check the box "Custom SPN configuration"
Now open IIS so you can see your domain listed. For this example, we are using "WebExample" as the hostname, and "example" for the domain.
The user for this test is "admin-user1":
Next, scroll down and click on "WinLogin" as can be seen in the above screenshot.
Now double-click on "Authentication"
Next, right-click on Windows Authentication:
Next, click "Advanced Settings", and uncheck the box for "Enable Kernel-mode authentication" if this is checked.
Click OK, and then with Windows Authentication highlighted, look to the right side, and click on "Providers...":
Now make sure only "Negotiate" is selected. If you see "Negotiate: Kerberos", remove it, then make sure Negotiate is at the top:
Next, click on the website, and click restart:
Next, click on the top-level IIS component, and click on restart:
When you check the "Custom SPN configuration" box, you are indicating that the Service Principal Name has been customized (commands above were run successfully), changing the website settings.
After you save this website configuration, you must reset IIS.
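The IIS settings from Step 3 can also be read back from PowerShell on the server. This is an added example, not part of the original article; the site name 'Default Web Site' is an assumption (the article names only the "WinLogin" node), and Get-SeeWinLoginAuth is a hypothetical helper name.

```powershell
# Added check (not from the original article). Run in an elevated
# PowerShell session on the SEE Management Server.
Import-Module WebAdministration

function Get-SeeWinLoginAuth {
    param(
        # Assumption: replace with the IIS site that hosts WinLogin.
        [string] $Site = 'Default Web Site',
        [string] $App  = 'WinLogin'
    )

    $filter = 'system.webServer/security/authentication/windowsAuthentication'
    $at     = @{ PSPath = "IIS:\Sites\$Site\$App" }

    $enabled    = (Get-WebConfigurationProperty @at -Filter $filter -Name enabled).Value
    $kernelMode = (Get-WebConfigurationProperty @at -Filter $filter -Name useKernelMode).Value

    # Providers in the order IIS offers them to the browser.
    $providers = @(
        Get-WebConfigurationProperty @at -Filter "$filter/providers" -Name Collection |
            ForEach-Object { $_.value }
    )

    [pscustomobject]@{
        Path           = "$Site/$App"
        WindowsAuth    = $enabled
        KernelModeAuth = $kernelMode
        Providers      = $providers
        # Step 3 asks for: kernel-mode authentication off, "Negotiate"
        # first in the list, and no separate "Negotiate:Kerberos" entry.
        MatchesStep3   = (-not $kernelMode) -and
                         ($providers.Count -ge 1) -and
                         ($providers[0] -eq 'Negotiate') -and
                         ($providers -notcontains 'Negotiate:Kerberos')
    }
}

Get-SeeWinLoginAuth
```

Run it again after the IIS reset to confirm that the saved settings are the ones in effect.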
Item 6: In the SEEMS Configuration Manager, click the plus sign next to Advanced Settings, then click on "Management Console", and check the box "Enable One-Click Sign In".
This will change the authentication method to use Kerberos for the SEE Management Server web console.
Item 7: Configure the supported client browsers to enable Kerberos authentication.
To enable One-Click Login (Kerberos authentication) for the web-based Help Desk Recovery console, you must modify the following browser settings:
Windows: Internet Explorer, Edge, and Google Chrome:
Item 1: Add a manual setting to keep the <Symantec Endpoint Encryption Management Server/Load Balancer URL> in the Local Intranet Zone.
You can use a GPO to configure Site Security Zone mappings. To edit the GPO, in the Active Directory snap-in:
1. Navigate to User Settings > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
2. Enable the "Site to Zone Assignment List" policy.
3. Set Value Name to "<Symantec Endpoint Encryption Management Server/Load balancer URL>" and Value to 1 (1 = Local Intranet).
Windows, Mac: Mozilla Firefox:
1. Navigate to about:config
2. Search for “network.negotiate-auth.trusted-uris”.
3. Set the value to “<Symantec Endpoint Encryption Management Server/Load balancer URL>”.
Firefox has GPO policy configuration options to manage these settings.
Once you set up the ADMX files, edit the GPO by configuring the <Symantec Endpoint Encryption Management Server/Load balancer URL> at User Settings > Administrative Templates > Mozilla > Firefox > Authentication > SPNEGO.
macOS: Safari - This will work as is, and no settings need to be configured manually.
Once all of the above steps are configured, when you go to your SEE Management Server Web Console, you'll see that the "One-Click Sign In" option is now available:
Click the "One-Click Sign In" button to authenticate via the Kerberos authentication method.