SEP client does not accept the EDR certificate, SEP clients are in "Authentication Pending"

Article ID: 171881

Products

Endpoint Detection and Response, Advanced Threat Protection Platform

Issue/Introduction

Most or all of the SEP clients remain in a state of "Authentication Pending" during registration of Symantec Endpoint Protection (SEP) clients with Symantec Endpoint Detection and Response (EDR).

  • The Registration Statistics of the EDR UI show most or all SEP clients as "Authentication Pending".
  • When you navigate directly to EDR UI with the IP address, the certificate is not accepted by the browser. When you navigate to EDR UI with the FQDN, the certificate is accepted by the browser.

Cause

The EDR certificate was created with the Fully Qualified Domain Name (FQDN) of the EDR management server, but the EDR settings that point the SEP policy at the EDR management server use the IP address or short host name. When a SEP client attempts to register with the EDR management server, this mismatch causes the TLS handshake to fail. This can leave one or more SEP clients in an "Authentication Pending" state.
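The name check behind this failure, as an added example (not Symantec code): it assumes standard TLS host name matching against the certificate's subjectAltName entries, with the subject CN as a fallback. The certificate dict, host names and IP address are constructed placeholders.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# The host name is a placeholder, not a value from this article.
SAMPLE_CERT = {
    "subject": ((("commonName", "edr01.corp.example"),),),
    "subjectAltName": (("DNS", "edr01.corp.example"),),
}

def _dns_match(pattern, name):
    """Case-insensitive match; '*' may stand for the whole leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == n[1:]
    return p == n

def check_configured_name(cert, configured):
    """Return (ok, reason) for the name the policy tells clients to connect to."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(configured)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP address only matches an explicit "IP Address" entry, never a DNS name.
        cert_ips = [ipaddress.ip_address(v) for k, v in sans if k == "IP Address"]
        if ip in cert_ips:
            return True, "IP address listed in certificate"
        return False, "IP address configured, certificate has no matching IP entry"
    dns = [v for k, v in sans if k == "DNS"]
    if not dns:  # assumption: fall back to the subject CN when there is no DNS entry
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(d, configured) for d in dns):
        return True, "host name listed in certificate"
    if "." not in configured:
        return False, "short host name configured, not listed in certificate"
    return False, "host name not listed in certificate"

if __name__ == "__main__":
    for name in ("edr01.corp.example", "edr01", "192.0.2.10"):
        print(name, check_configured_name(SAMPLE_CERT, name))
```

Only the FQDN passes for the sample certificate; the short host name and the IP address both fail, which is the mismatch described above.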

Resolution

To correct the mismatch:

  1. Within the EDR UI, navigate to Settings > Global
  2. In the section "Endpoint Detection, Response...", click on the three dots on the left side of the SEPM Controller connection.
  3. Click SEP Policies
  4. Change the name of the connection from the IP address or short host name of the EDR to the FQDN of the EDR.

Additional Information

This document covers the most common underlying cause of all SEP clients remaining in "Authentication Pending": a mismatch of hostname/IP between the EDR settings and the certificate.

If this document does not resolve the Authentication Pending symptom, see the workflow documentation for triaging Authentication Pending symptoms:

https://knowledge.broadcom.com/external/article?articleId=171884