SEDR UI reports "SEPM connection token refresh failed; verify SEPM login credentials"


Article ID: 198868

Products

Advanced Threat Protection Platform Endpoint Detection and Response

Issue/Introduction

The Symantec Endpoint Detection and Response (SEDR) user interface (UI) reports "SEPM Connection token refresh failed; verify SEPM login credentials". The error may clear on its own, but it returns within a couple of hours.

A second symptom is a "Connection Error" shown in the Endpoint Activity Recorder settings under "Global Settings".

Central_Manager.log from the EDR device diagnostics contains entries similar to the following. Note that the refresh token and client ID are sent as query-string parameters of a GET request and are therefore written into this log verbatim (redacted here as <TOKEN_VALUE> and <CLIENT_ID_VALUE>); treat diagnostic bundles that contain Central_Manager.log as sensitive.

2023-07-13 19:27:30,458 INFO RMI TCP Connection(190024)-127.0.0.1 (TokenRefreshManager.java:startRefreshTokenWithRetry:74) Starting refresh token with retry for server: 1
2023-07-13 19:27:30,460 INFO RMI TCP Connection(190024)-127.0.0.1 (SepmCommunicationMgrImpl.java:startRefreshToken:1178) Refreshing token for SEPM. Ip : 192.0.2.10 Domain :  Default
2023-07-13 19:27:30,518 INFO RMI TCP Connection(190024)-127.0.0.1 (SepmRestApi.java:updateConnectionStatus:501) Update Status for Server : 192.0.2.10 Domain : Default with status code: 400
2023-07-13 19:27:30,525 INFO RMI TCP Connection(190024)-127.0.0.1 (SepmAuthenticator.java:refreshToken:240) Got SEPM authentication token refresh response
2023-07-13 19:27:30,525 ERROR RMI TCP Connection(190024)-127.0.0.1 (SepmAuthenticator.java:refreshToken:243) Failed to refresh token, response: InboundJaxrsResponse{ClientResponse{method=GET, uri=https://192.0.2.10:8446/sepm/oauth/token?refresh_token=<TOKEN_VALUE>&grant_type=refresh_token&client_id=<CLIENT_ID_VALUE>, status=400, reason=}}

Environment

Release :

Component :

Cause

The OAuth token that SEDR uses to authenticate to the SEPM web services is not being refreshed successfully: the refresh request to https://<IP_OF_SEPM>:8446/sepm/oauth/token is answered with HTTP status 400, so SEDR loses its SEPM session and the UI reports the credential error.

Resolution

Option 1 - Remove and refresh the SEPM token:

  1. Log in to the SEPM Web Service Application Registration page with SEPM admin credentials at https://<IP_OF_SEPM>:8446/sepm
  2. Select the SEDR web service application (it is labeled "Default/<SEPM_ADMIN_LISTED_IN_SEDR>:web")
  3. Click "Delete application"
  4. Refresh the SEPM credentials from within SEDR:
    1. Log in to the SEDR GUI
    2. Navigate to Settings -> Global -> Endpoint Communication Channel, SEP Policies, and Endpoint Activity Recorder
    3. Click the ellipsis (three dots) next to the SEPM Controller and select SEPM Controller Connection
    4. Re-enter the SEPM admin password
    5. Click "Save"

Option 2 - Remove the SEPM connection and configure a new connection:

  1. IMPORTANT: Record the inclusions, exceptions, and all other settings configured on the existing connection before proceeding; they are needed when the connection is re-created.
  2. In the EDR web user interface go to Settings > Global > Endpoint Communication Channel, SEP Policies, and Endpoint Activity Recorder, click the ellipsis (three dots) next to the SEPM controller and click "Remove".
  3. Click "Add server" to re-add the SEPM controller connection.
    1. For the specific steps and considerations when re-configuring the SEPM connection as a new connection, see the latest EDR documentation: go to the Tech Docs Portal, enter Endpoint Detection and Response, and search for "Configuring the Endpoint Communications Channel (ECC)".


Additional Information

If the symptom recurs about once every 60 days because the password of the SEPM account used by SEDR has expired, the cause is the SEPM password policy rather than the token refresh itself; changing the password expiry interval in SEPM (or setting that account's password to never expire) may be needed. See:

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/managing-groups-clients-and-administrators/managing-administrator-accounts-v17364367-d1e6/enabling-logon-passwords-to-never-expire-v109355090-d1e2062.html
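The following triage script is an added example and is not Broadcom or Symantec code. It parses Central_Manager.log lines in the format shown under Issue/Introduction, keeps only the "Failed to refresh token" errors, and then uses the timing between failures per SEPM server to separate the two situations this article describes: failures that recur within hours (the token-refresh defect fixed by Option 1 or 2) and failures that recur on a roughly 60-day cadence (the password-expiry case from Additional Information). It also flags lines where the refresh_token query parameter was not redacted, since a diagnostic bundle containing such a line carries a usable credential. The sample log, the hosts, the timestamps, the unredacted token and the 6-hour / 60-day thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the Central_Manager.log excerpt in this article.
# 192.0.2.10 fails twice within ~2 hours (the token-refresh defect); 192.0.2.20 fails
# exactly 60 days apart (the password-expiry pattern) and, in its first line, the
# refresh token was not redacted. Hosts, times and the token value are made up.
SAMPLE_LOG = """\
2023-07-13 19:27:30,460 INFO RMI TCP Connection(190024)-127.0.0.1 (SepmCommunicationMgrImpl.java:startRefreshToken:1178) Refreshing token for SEPM. Ip : 192.0.2.10 Domain :  Default
2023-07-13 19:27:30,525 ERROR RMI TCP Connection(190024)-127.0.0.1 (SepmAuthenticator.java:refreshToken:243) Failed to refresh token, response: InboundJaxrsResponse{ClientResponse{method=GET, uri=https://192.0.2.10:8446/sepm/oauth/token?refresh_token=<TOKEN_VALUE>&grant_type=refresh_token&client_id=<CLIENT_ID_VALUE>, status=400, reason=}}
2023-07-13 21:40:02,101 ERROR RMI TCP Connection(190031)-127.0.0.1 (SepmAuthenticator.java:refreshToken:243) Failed to refresh token, response: InboundJaxrsResponse{ClientResponse{method=GET, uri=https://192.0.2.10:8446/sepm/oauth/token?refresh_token=<TOKEN_VALUE>&grant_type=refresh_token&client_id=<CLIENT_ID_VALUE>, status=400, reason=}}
2023-05-14 02:00:00,000 ERROR RMI TCP Connection(100002)-127.0.0.1 (SepmAuthenticator.java:refreshToken:243) Failed to refresh token, response: InboundJaxrsResponse{ClientResponse{method=GET, uri=https://192.0.2.20:8446/sepm/oauth/token?refresh_token=7f3a9c0e1b2d&grant_type=refresh_token&client_id=<CLIENT_ID_VALUE>, status=400, reason=}}
2023-07-13 02:00:00,000 ERROR RMI TCP Connection(100417)-127.0.0.1 (SepmAuthenticator.java:refreshToken:243) Failed to refresh token, response: InboundJaxrsResponse{ClientResponse{method=GET, uri=https://192.0.2.20:8446/sepm/oauth/token?refresh_token=<TOKEN_VALUE>&grant_type=refresh_token&client_id=<CLIENT_ID_VALUE>, status=400, reason=}}
"""

# Matches only the ERROR line emitted by SepmAuthenticator.refreshToken and pulls out
# the timestamp, SEPM host/port, the OAuth query string and the HTTP status code.
FAILURE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ERROR .*?"
    r"Failed to refresh token, response: .*?"
    r"uri=https://(?P<host>[^/:]+):(?P<port>\d+)/sepm/oauth/token\?(?P<query>\S*?), "
    r"status=(?P<status>\d+)"
)


def parse_refresh_failures(log_text):
    """Return one dict per 'Failed to refresh token' line, in file order."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        query = dict(p.split("=", 1) for p in m["query"].split("&") if "=" in p)
        token = query.get("refresh_token", "")
        # A redacted bundle shows <TOKEN_VALUE>; anything else is a live refresh token.
        exposed = bool(token) and not (token.startswith("<") and token.endswith(">"))
        failures.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "host": m["host"],
            "port": int(m["port"]),
            "status": int(m["status"]),
            "grant_type": query.get("grant_type"),
            "token_exposed": exposed,
        })
    return failures


def classify(failures, hours_window=6, expiry_days=60, tolerance_days=3):
    """Group failures per SEPM host and judge the recurrence pattern.

    Thresholds are assumptions for this example: 'within a couple of hours' from the
    article is modelled as any gap <= hours_window; the 60-day password expiry as
    every gap within tolerance_days of expiry_days.
    """
    by_host = defaultdict(list)
    for f in failures:
        by_host[f["host"]].append(f)
    report = {}
    for host, items in by_host.items():
        times = sorted(f["time"] for f in items)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if not gaps:
            verdict = "single failure; watch for recurrence"
        elif any(g <= timedelta(hours=hours_window) for g in gaps):
            verdict = "recurs within hours: token refresh is broken (apply Resolution Option 1 or 2)"
        elif all(abs(g - timedelta(days=expiry_days)) <= timedelta(days=tolerance_days) for g in gaps):
            verdict = "recurs on the SEPM password-expiry cadence: check the SEPM account password policy"
        else:
            verdict = "irregular recurrence: review SEPM availability and credentials"
        report[host] = {
            "count": len(items),
            "statuses": sorted({f["status"] for f in items}),
            "gaps_hours": [round(g.total_seconds() / 3600, 1) for g in gaps],
            "exposed_token_lines": sum(1 for f in items if f["token_exposed"]),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for host, info in classify(parse_refresh_failures(SAMPLE_LOG)).items():
        print(host, info)
```

Run it against a real Central_Manager.log by replacing SAMPLE_LOG with the file contents; an exposed_token_lines count above zero means the bundle should not be shared before the refresh token is rotated, which Option 1 (deleting the SEPM application registration) effectively does.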