Installation of remote CCS console fails / unable to login to CCS console.

book

Article ID: 153091

calendar_today

Updated On:

Products

Control Compliance Suite Windows

Issue/Introduction

The user has attempted to install the CCS console on a remote client machine using the installation files located on the CCS application server however this fails. After copying the installation files from the CCS application server to the local machine the installation then completes successfully, however the customer is then unable to login to the CCS console with the error "Error occurred while downloading application configuration file" being displayed.

 

2010-11-30 07:25:34.944,2010-11-30 15:25:34.944,IT_NB16,Error,PreLaunchActivityProvider,SymConsole,4364,,1,DownSymConsoleConfig,,0,0,Error occurred while downloading application configuration file
2010-11-30 07:25:34.975,2010-11-30 15:25:34.975,IT_NB16,Error,PreLaunchActivityProvider,SymConsole,4364,,1,HandleReturnMessage,,0,0,"System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'net.tcp://secccsapprd:1431/CCS/Services/Applications/Console/IAppsInfraBridge/WindowsSecurity' for target 'net.tcp://secccsapprd:1431/CCS/Services/Applications/Console/IAppsInfraBridge/WindowsSecurity' failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'Symantec.CSM.AppServer/SECCCSAPPRD'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

Cause

The customer should review the SymConsole log to ensure that the error is similar to the one listed above, if so, this issue is generally caused by either duplicate or incorrectly configured SPN entries.

Resolution

The customer should check for duplicate SPN entries either by running the "setspn -X" command on the domain controller if the DC is running Windows 2008 or by running the CCSSPNUTIL.EXE application which is found in the "c:\program files\symantec\ccs\reporting and analytics\application server" directory on the CCS application server.

As per the installation documentation for CCS the only SPN entries that should be configured are for the application service and directory service user accounts.

Eg.

Symantec.CSM.Appserver/ccsapp.oaklea.ts

Symantec.CSM.Appserver/ccsapp

Symantec.CSM.DSS/ccsdir.oaklea.ts

Symantec.CSM.DSS/ccsdir

If duplicates are found they should be removed, once this has been done the user should be able to login to the console and also perform remote installations of the client console.