Grant Additional Administrators Access to Endpoint Encryption Manager Server Console

Article ID: 174725

Products

Endpoint Encryption

Issue/Introduction

Multiple Active Directory (AD) users or groups may require access to the Symantec Endpoint Encryption Management Server (SEEMS) Console, but sharing high-level Administrator credentials is not desired. This article reviews how to grant these users or groups access so that they can use the SEEMS Console for tasks such as viewing reports.

Note: To install the SEEMS Console on additional computers, refer to article HOWTO130014.

This article includes three sections for configuring and troubleshooting the SEE Management Console install on Workstations:

Method 1: Symantec Endpoint Encryption Configuration Manager - Server Roles

Method 2: Add Users or Groups to SQL Server Management Studio

Troubleshooting other errors described above with SQL server configuration

In attempting to grant access to other administrators to the SEEMS Console, the admins may not be allowed access to the console snap-in, or may receive an error such as the following:

The SEE Management Server console was unable to access the computer records in the SEE database. The EXECUTE permission was denied on the object 'GetRSEncryptionFormat', database 'SEEMSdb', schema 'dbo'.

Other errors may occur during the process of installing the SEE Management Server Console on workstations such as when the database account is being used for "SQL Server Authentication":

"Login failed for user 'domain\user'. Please re-enter the login credentials for SEEMS database.  Then click 'Next'."

Upon checking the verbose MSIEXEC install logs, the following error is displayed:
GINFO: Login failed for this user. Please check password.-2147217843 - Login failed for user 'pgp\test'.

Upon checking the SQL logging, the following error occurs:

Login failed for user 'PGP\test'. Reason: Attempting to use an NT account name with SQL Server Authentication. [CLIENT: 192.168.1.100]

Resolution

There are two methods to allow other users to use the SEEMS Console. Both methods allow users or groups to be added:

Method 1: Symantec Endpoint Encryption Configuration Manager - Server Roles
Method 2: Add Users or Groups to SQL Server Management Studio


Method 1: Symantec Endpoint Encryption Configuration Manager - Server Roles

  1. On the Symantec Endpoint Encryption Management Server (SEEMS), click the start button.
  2. Navigate to Symantec Endpoint Encryption in the list of programs.
  3. Expand Symantec Endpoint Encryption and open SEEMS Configuration Manager.
    • Note: The exact steps to find the program may vary by Windows Server version.
  4. Ensure you are on the Database tab and note the User name used to authenticate.
  5. Click the start button again and look for Microsoft SQL Server or Microsoft SQL Server Tools.
    • There may be multiple folders here with different years listed, search through all of them.
  6. Look for SQL Server Management Studio and open it.
    • Depending on the version of this tool, there may be a year listed in the middle or end of the program name.
  7. Connect to the server using an account with proper credentials to modify user roles for the SEEMS database (such as a sysadmin).
  8. Once authenticated, in the left pane expand Security and Logins and find the user noted in Step 4--in this test, the user is "test".
  9. Right click on the user and select Properties.

  10. Select User Mapping in the left pane and select the SEEMS database name in the main pane.
  11. Ensure this user has the following roles checked: db_datareader, db_datawriter, db_owner, public.
  12. Note: The db_owner role should not be given to most users. This role is only added to this user so that this user can manage the Server Roles and grant access for other users in the SEEMS Configuration Manager in steps 12-21.

  13. Return to the SEEMS Configuration Manager and choose the Server Roles tab on the left side.
  14. If Manage Server Roles is turned off, turn it on.


     
  15. Click Add User or Add Group depending on your use case.
  16. Search for your user or group in the user interface.
  17. Click the checkbox next to each user or group you want to give SEEMS privileges to.


     
  18. Select Next until you reach step 3 in the wizard, "Map Admin Roles".
  19. Check the box for the level of access you want to give other admins. For full Server access, check Server to grant this user or group access to the SEEMS Console.
    If only reporting should be available to the groups, select only Reports. This allows access to be granted granularly.


     
  20. Click Next and then Finish.
  21. Click OK on the dialog box that pops up. 
    1. Note: You are not finished with this process until you click Save.
  22. Next, check the box next to Allow Symantec Endpoint Encryption to manage database access permissions for AD users.
  23. Finally, press Save on the Server Roles page.

Your users or groups should now have access to the SEEMS console when they log in.


Method 2: Add Users or Groups to SQL Server Management Studio

  1. On the server hosting the SQL Server containing the SEEMS Database, click the start button and look for Microsoft SQL Server or Microsoft SQL Server Tools.
    • There may be multiple folders here with different years listed, search through all of them.
  2. Look for SQL Server Management Studio and open it.
    • Depending on the version of this tool, there may be a year listed in the middle or end of the program name.
  3. Connect to the server using an account with proper credentials to modify user roles for the SEEMS database (such as a sysadmin).
  4. Once authenticated, in the left pane expand Security, right click on Logins, and select New Login...


     
  5. Click the Search... button next to Login name.

  6. Enter the User or Group name you want to find in the text box and click Check Names.


     
  7. Once the correct User or Group is found, click OK.
  8. In the left pane, check User Mapping and check the checkbox next to the SEEMS database name in the main pane.
  9. In the bottom section, check the following roles: db_datareader, db_datawriter, and public, then click OK.

  10. Collapse the Security section in the left pane of SQL Server Management Studio.
  11. Expand Databases, right click on the database name, and select Properties.

  12. Select Permissions from the left pane.
  13. Click on the newly created user.
  14. Ensure the Connect permission has the Grant box checked.
  15. Find the Execute permission and click Grant.

  16. Click OK.

The user or group now has access to the SEEMS console.
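The Method 2 dialog steps can also be expressed as T-SQL and followed by a review of who holds which role, including the db_owner role that the note in Method 1 says most users should not have. This is an added example, not part of the original article or of Symantec's tooling: `EXAMPLE\SEE-Report-Admins` is a placeholder AD group, and `SEEMSdb` is the database name taken from the error message above and may differ on your server.

```sql
-- Added example: T-SQL equivalent of the Method 2 dialog steps.
-- [EXAMPLE\SEE-Report-Admins] is a placeholder AD group; SEEMSdb is the
-- database name from the error message above and may differ on your server.
USE [master];
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLE\SEE-Report-Admins')
    CREATE LOGIN [EXAMPLE\SEE-Report-Admins] FROM WINDOWS;   -- steps 4-7
GO

USE [SEEMSdb];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'EXAMPLE\SEE-Report-Admins')
    CREATE USER [EXAMPLE\SEE-Report-Admins]
        FOR LOGIN [EXAMPLE\SEE-Report-Admins];               -- step 8
-- Step 9: every database user is already a member of public.
ALTER ROLE db_datareader ADD MEMBER [EXAMPLE\SEE-Report-Admins];
ALTER ROLE db_datawriter ADD MEMBER [EXAMPLE\SEE-Report-Admins];
-- Steps 11-15: database-level Connect and Execute.
GRANT CONNECT TO [EXAMPLE\SEE-Report-Admins];
GRANT EXECUTE TO [EXAMPLE\SEE-Report-Admins];
GO

-- Review 1: role memberships in the SEEMS database. db_owner should appear
-- only for the account used in SEEMS Configuration Manager (Method 1).
SELECT m.name AS member, m.type_desc, r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_datareader', N'db_datawriter')
ORDER BY r.name, m.name;

-- Review 2: explicit database-level CONNECT / EXECUTE grants.
SELECT p.name AS grantee, dp.permission_name, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS p ON p.principal_id = dp.grantee_principal_id
WHERE dp.class = 0   -- 0 = permission on the database itself
  AND dp.permission_name IN (N'CONNECT', N'EXECUTE');
```

Run it with the same kind of account the steps call for (such as a sysadmin). Granting to an AD group rather than to individual users keeps later membership changes in Active Directory.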

Troubleshooting other errors described above with SQL server configuration

During the installation of the SEE Management Console on a workstation, the first screen that appears is for configuring the database account. There are two options available for this, and each has a specific function:

Windows Authentication - With this option selected, the user should be an actual user located in the Active Directory.

SQL Server Authentication - With this option selected, the user should be an SQL user, which is *not* in the Active Directory. If SQL Server Authentication is configured during the setup and a Windows\AD account is selected, an error will occur stating that the password is incorrect. This is because SQL does not allow regular Windows\AD accounts to be used for SQL Authentication.

SQL has a setting that allows "Mixed" mode authentication; however, this will not allow access to the server in this scenario, and an SQL account must be used.

Check security software, such as McAfee Host Based Security System (HBSS), which has been known to block the installer.
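To confirm which installer option matches an account before retrying, the server's authentication mode and each account's login type can be read from SQL Server directly. This is an added example, not part of the original article: `PGP\test` is the account from the log lines above, and `seems_sql` is a placeholder SQL login name.

```sql
-- 1 = Windows Authentication only, 0 = mixed mode (Windows + SQL logins).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- N'PGP\test' is the account from the log lines above; N'seems_sql' is a
-- placeholder SQL login name. Replace both with the accounts being tested.
-- A Windows user who has access only through an AD group login has no row
-- of their own in sys.server_principals.
SELECT c.account,
       sp.type_desc,
       sp.is_disabled,
       CASE
           WHEN sp.name IS NULL THEN 'No login with this name on the server'
           WHEN sp.type = 'S'   THEN 'SQL login: choose SQL Server Authentication'
           ELSE 'Windows user or group: choose Windows Authentication'
       END AS installer_option
FROM (VALUES (N'PGP\test'), (N'seems_sql')) AS c(account)
LEFT JOIN sys.server_principals AS sp
       ON sp.name = c.account
      AND sp.type IN ('S', 'U', 'G');  -- S = SQL login, U = Windows user, G = Windows group
```

If `windows_auth_only` returns 1, SQL logins cannot connect at all, so only the Windows Authentication option can succeed.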