Understanding Token-Based Authentication and ACC Fallback Behavior
Article ID: 431190

Products

IT Management Suite

Issue/Introduction

After upgrading IT Management Suite (ITMS) from 8.7 to 8.7.3 (or 8.8 / 8.8.1), you may have experienced authentication issues and temporarily reverted from Agent Connectivity Credentials (ACC) to application credential authentication.

Because of security concerns about how agent authentication is managed, you plan to implement Token-Based Authentication. Before doing so, the following clarification questions were raised:

  1. How does the ACC fallback mechanism behave when Token-Based Authentication is enabled?

  2. What are the requirements or recommendations for Site Servers when using Token-Based Authentication?

  3. What happens if ACC becomes locked again?

  4. How does authentication behave when using UNC package locations?

Environment

ITMS 8.7.3, 8.8, 8.8.1

Symantec Management Platform (SMP)

Symantec Management Agent

Package Servers / Site Servers

Environments using:

    • UNC package locations

    • Software Library configured as UNC

    • Deployment Solution images hosted via UNC

Cause

Token-Based Authentication in ITMS 8.7.3 (see ITMS 8.7.3 Release Notes) replaces credential-based authentication between the Symantec Management Agent and the Notification Server (SMP Server) with certificate/token-based trust.

However:

  • Tokens do NOT support UNC code bases

  • When UNC paths are used for packages (including DS images or Software Library configured as UNC), ACC is required

  • If ACC is configured as a fallback mechanism and the account becomes locked, authentication failures will recur

  • There are no special additional requirements for Site Servers beyond supported ITMS 8.7.3 prerequisites

Therefore:

Scenario                            Authentication Used
HTTP/HTTPS package location         Token-Based Authentication
UNC package location                ACC
Token failure + fallback enabled    ACC

If the root cause of the ACC lockout is not resolved, enabling fallback will not prevent future lockouts.

Resolution

1. ACC Fallback Behavior Misunderstood

When enabling Token-Based Authentication, administrators can select:

Keep Agent Connectivity Credentials (ACC) as fallback mechanism

This means:

  • Token authentication is attempted first

  • If token authentication fails, the agent attempts authentication using stored ACC credentials

  • If ACC credentials are invalid or locked, the account will lock again

If the original cause of ACC lockout was not resolved (e.g., password mismatch, expired password, replication issue, multiple agents retrying), fallback will reproduce the same problem.


2. UNC Code Bases Require ACC

Token-based authentication does not support UNC code bases.

If a package location is defined as:

\\Server\Share\Package

The agent must authenticate using ACC credentials.

This includes:

  • Software Library configured as UNC for SMP Server

  • Deployment Solution (DS) images stored on UNC

  • Any UNC-based package source

Behavior:

  • Agent detects UNC code base

  • Token authentication is bypassed

  • ACC is used automatically (if enabled)


3. Site Server Requirements

There are no special additional configuration requirements for Site Servers specific to Token-Based Authentication beyond:

  • Supported ITMS 8.7.3 (8.8, 8.8.1) infrastructure

  • Proper .NET version required by 8.7.3 (or later)

  • Proper communication with SMP Server

There is no separate hardening or prerequisite checklist specific only to token authentication for Site Servers.


With the information above, now consider the following:


Section 1 – Understanding ACC Fallback Behavior

How It Works

  1. Agent attempts Token-Based Authentication.

  2. If token validation fails:

    • Agent attempts ACC authentication (if fallback enabled).

  3. If ACC credentials are invalid:

    • Account lockout may occur again.


When to Keep ACC Enabled

Condition                                  Recommendation
Using UNC package locations                ACC must remain enabled
Using HTTP/HTTPS package servers only      ACC can be disabled after validation
DS images stored on UNC                    ACC required
Software Library configured as UNC         ACC required

Section 2 – Verify If UNC Code Bases Are in Use

Step 1 – Check Package Locations

  1. Open SMP Console

  2. Navigate to:

    Manage > Software > Software Catalog

  3. Review package locations

  4. Identify paths starting with:

\\Server\Share

If present → UNC in use.


Step 2 – Check Software Library Settings

  1. Go to:

    Settings > All Settings > Software > Software Library

  2. Verify if UNC path is configured


Step 3 – Deployment Solution Images

If using DS:

  1. Navigate to:

    Settings > Deployment > Image Management

  2. Confirm image storage path

If UNC → ACC required.


Section 3 – Diagnosing ACC Lockouts

Check SMP Logs

Primary log location:

C:\ProgramData\Symantec\SMP\Logs\

Look for:

  • a.log

Example lockout indicators:

  • Logon failure: unknown user name or bad password
  • Account locked out

Check Domain Controller Security Logs

Event IDs to review:

Event ID    Meaning
4740        Account locked out
4625        Failed login

If multiple failed attempts occur from SMP or Site Servers → investigate stored credentials.
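As an added example (not part of this KB article), the following PowerShell pulls Event IDs 4740 and 4625 for the ACC account from a Domain Controller's Security log and groups the lockouts by the calling computer, which shows whether the failed attempts originate from the SMP Server or a Site Server. The account name, DC name and lookback window are placeholder parameters; it needs read access to the DC's Security log.

```powershell
# Added example (not from the KB): summarise ACC lockouts and failed logons on a DC.
# Placeholders: $AccAccount, $DomainController. Requires Security log read rights.
param(
    [string]$AccAccount       = 'svc_acc_placeholder',     # placeholder ACC account name
    [string]$DomainController = 'DC01.example.local',      # placeholder DC hostname
    [int]$Hours               = 24                         # lookback window
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Read a named <Data> field from the event XML instead of relying on positional indexes.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
    Where-Object { (Get-EventField $_ 'TargetUserName') -ieq $AccAccount }

# 4740: the "Caller Computer Name" is carried in the TargetDomainName field. The SMP Server
# or a Site Server appearing here repeatedly points at stale stored ACC credentials (Phase 2).
Write-Host "Lockouts (4740) for $AccAccount by caller computer, last $Hours h:"
$events | Where-Object Id -eq 4740 |
    Group-Object { Get-EventField $_ 'TargetDomainName' } |
    Sort-Object Count -Descending |
    Select-Object @{n = 'CallerComputer'; e = { $_.Name }}, Count |
    Format-Table -AutoSize

# 4625: failed logons with source host/IP and the NTSTATUS sub-status,
# e.g. 0xC000006A = wrong password, 0xC0000234 = account already locked out.
Write-Host "Failed logons (4625) for $AccAccount, last $Hours h:"
$events | Where-Object Id -eq 4625 |
    Select-Object TimeCreated,
        @{n = 'Workstation'; e = { Get-EventField $_ 'WorkstationName' }},
        @{n = 'IpAddress';   e = { Get-EventField $_ 'IpAddress' }},
        @{n = 'SubStatus';   e = { Get-EventField $_ 'SubStatus' }} |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```

A run of 4625 events with sub-status 0xC000006A from one Site Server followed by a 4740 naming that same host matches the "password mismatch on Site Server" cause in Phase 2 below.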


Section 4 – Recommended Migration Approach

Phase 1 – Assessment

  1. Identify all UNC package locations.

  2. Confirm if DS images use UNC.

  3. Review ACC lockout root cause.


Phase 2 – Root Cause Fix

Common causes:

Possible Cause                         Verification
Expired ACC password                   Validate password manually
Password mismatch on Site Server       Re-enter credentials
Cached old credentials                 Restart Altiris services
Multiple failed retries                Review logs for repetition pattern

Phase 3 – Controlled Token Rollout

  1. Enable Token-Based Authentication.

  2. Keep ACC fallback enabled initially.

  3. Monitor:

    • NS logs

    • Domain Controller lockout events

  4. Validate agent package downloads.


Phase 4 – Optional Hardening

If:

  • No UNC paths exist

  • All packages served over HTTP/HTTPS

  • No DS UNC dependencies

Then:

  • Disable ACC fallback

  • Monitor authentication stability


Validation

Confirm successful operation:

Test                              Expected Result
Agent requests policy             No credential prompt
Package download (HTTP)           Successful
UNC download (if applicable)      Uses ACC
No Event ID 4740                  No account lockout

Important Design Rule

If UNC is used anywhere in the package distribution model, ACC must remain configured.

Token authentication does not replace SMB authentication requirements.


Summary

Question                                        Answer
What does ACC fallback do?                      Uses stored ACC if token fails
Will ACC lock again?                            Yes, if root cause not resolved
Are there special Site Server requirements?     No additional requirements
Does Token work with UNC?                       No
Should ACC be kept?                             Yes, if UNC paths exist