Symantec Endpoint Encryption provides Administrators with seamless integration and access based on "Server Roles". Server roles provide granularity in access so that only the needed permissions are provided to administrators. For example, some Administrators may need only the Helpdesk Role, while other administrators need the entire suite of permissions.
(Below "example" is the domain)
In order for these administrators to be granted this access, their accounts need to have the proper SQL permissions to the SEE Management Server Database.
This article will go over providing the needed permissions for these administrators.
To install the SEEMS Console on additional computers, review the following article:
179347 - HOW TO: Install Symantec Endpoint Encryption Management Server (SEE Management Server)
This article includes three sections for configuring and troubleshooting the SEE Management Console install on Workstations:
Synopsys 1: Insufficient Database Permissions for individual users
In attempting to grant access to other administrators to the SEEMS Console, the admins may not be allowed access to the console snap-in, or may receive an error such as the following or something similar:
The SEE Management Server console was unable to access the computer records in the SEE database. The EXECUTE permission was denied on the object 'GetRSEncryptionFormat', database 'SEEMSdb', schema 'dbo'.
Other errors may occur during the process of installing the SEE Management Server Console on workstations such as when the database account is being used for "SQL Server Authentication":
"Login failed for user 'domain\user'. Please re-enter the login credentials for SEEMS database. Then click 'Next".
Upon checking the verbose MSIEXEC install logs, the following error is displayed:
GINFO: Login failed for this user. Please check password.-2147217843 - Login failed for user 'example\test'.
Upon checking the SQL logging, the following error occurs:
Login failed for user 'example\test'. Reason: Attempting to use an NT account name with SQL Server Authentication. [CLIENT: 192.168.1.100]
There are two methods to allow other users to use the SEEM Console. Both methods allow for users or groups to be added:
Method 1: Symantec Endpoint Encryption Configuration Manager - Server Roles
Method 2: Add Users or Groups to SQL Server Management Studio
Note: SQL permissions must be provided to individual users and those individuals can then be used for the database accounts configured for the SEE Management Server.
In other words, SQL users will not be granted DB access if they are part of only a security group that was provided DB access--the user itself must be provided DB access.
#### Method 1: Symantec Endpoint Encryption Configuration Manager - Server Roles ####
Important Note: The "Allow Symantec Endpoint Encryption to manage database access permissions for AD users" requires the "SYSADMIN" permissions for the database user because these permissions are needed in order to grant the needed permissions for other users to the SEE Database. First validate that the user configured for "Database" in the SEEMS Configuration Manager" has Sysadmin permissions before checking this box.
#### Method 2: Add Users or Groups to SQL Server Management Studio ####
This will now grant access to the user or group to access the SEEMS console.
Troubleshooting other errors described above with SQL server configuration
Scenario 1: During the installation of the SEE Management Console on a workstation, the first screen that appears is for configuring the database account.
Answer: There are two options available for this and each have specific functions:
Windows Authentication - With this option selected, the user should be an actual user located in the Active Directory.
SQL Server Authentication - With this option selected, the user should be an SQL user, which is *not* in the Active Directory. If SQL Server Authentication is configured during the setup, and a Windows\AD account is selected, the error will occur that the password is incorrect. This is because SQL does not allow regular Windows\AD accounts to be used for SQL Authentication.
There is a setting in SQL, which allows for "Mixed" modes for authentication, however, this will not allow access to the server in this scenario and an SQL account must be used:
Check Security software, such as McAfee Host Based Security System (HBSS), which have been known to block the installer.
Scenario 2: Saving the SEEMS Configuration Manager Server Roles will not succeed stating "Invalid Data"
Answer: If you are trying to add/remove users on the SEEMS configuration page and it states it is unable to, review the list of users and see if all users/groups are still included in Active Directory.
If the user(s)/group(s) are not included in Active Directory, but are still included in the SEEMS Configuration Manager, remove the invalid/missing users in the SEEMS Configuration Manager, and first save.
Once the invalid users/groups are removed, then add or remove additional groups. This issue will be resolved in SEE 11.4 MP1 (EPG-23239/EPG-25305).
See also the following article for additional information:
Scenario 3: Unable to add users to Server Roles if Machine Names have a name similar to a Username
In this scenario, you may have a username of "SR388". The machine name may have the name of "SR388-IV". In this scenario, the username and machine names are similarly named.
This makes it difficult to know if the object is a user or a machine. Machines cannot be added to Server Roles, only users.
A fix is currently being worked on and will be provided in the next major release of the software.
If you are running into this issue, reach out to Symantec Encryption Support to be added to the list.
A workaround to this is to search the user with the First name and Last name instead of logon name that is similarly named to the machine name.
EPG-23236, EPG-24341, EPG-23770, EPG-23620, EPG-26441