Unable to log on to the SEPM using Directory Authentication after the Authentication Server has been moved/modified.
Article: TECH194300 | Created: 2012-08-02 | Updated: 2013-02-06 | Article URL: http://www.symantec.com/docs/TECH194300
Directory Authentication has been set up to allow access to the SEPM.
The Directory Server used for authentication has been changed or moved, but these details were not updated in the SEPM, so you can no longer log in to the SEPM.
When trying to log in to the SEPM you will receive an "Authentication Failure" error.
In the login-0.log file you will see "Authentication Failed" messages such as the following:
2012-07-31 12:12:53.197 THREAD 51 WARNING: NativeCall>> testLdapServerConnection: Connection Error!
2012-07-31 12:12:53.197 THREAD 51 WARNING: NativeCall>> testLdapServerConnection: error code=19
2012-07-31 12:12:53.197 THREAD 51 WARNING: NativeCall>> testLdapServerConnection: error msg=LDAP Authentication Failed [path=LDAP://OLD DIRECTORY SERVER:389, user=USERNAME]
2012-07-31 12:12:53.197 THREAD 51 WARNING: DirectoryAuthenticator>> authenticate> Authentication failed for account: USERNAME for the directory path: LDAP://OLD DIRECTORY SERVER:389 where the dirHost: OLD DIRECTORY SERVER, serverPort: 389, Type: 0, is SSL?: false
2012-07-31 12:13:01.447 THREAD 51 WARNING: LdapUtils>> connect: Exception... Duration: 0.0s (0.0ms)
2012-07-31 12:13:01.447 THREAD 51 WARNING: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
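As an added example (not code from the Symantec article), a small Python parser for login-0.log lines like the ones above: it extracts the directory host the SEPM is still trying to bind to, attaches the Active Directory sub-code from the "LDAP: error code 49" line (data 52e is invalid credentials), and flags any host that no longer matches the directory server actually in use. The sample lines, host names and account name are constructed.

```python
import re

# Constructed sample modelled on the login-0.log excerpt above; hostnames and
# the account name are made up, not values from the article.
SAMPLE_LOG = """\
2012-07-31 12:12:53.197 THREAD 51 WARNING: NativeCall>> testLdapServerConnection: error code=19
2012-07-31 12:12:53.197 THREAD 51 WARNING: DirectoryAuthenticator>> authenticate> Authentication failed for account: sepadmin for the directory path: LDAP://dc-old.example.local:389 where the dirHost: dc-old.example.local, serverPort: 389, Type: 0, is SSL?: false
2012-07-31 12:13:01.447 THREAD 51 WARNING: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
"""

AUTH_FAIL_RE = re.compile(
    r"Authentication failed for account: (?P<account>\S+) for the directory path: "
    r"(?P<path>.+?) where the dirHost: (?P<host>[^,]+), serverPort: (?P<port>\d+), "
    r"Type: (?P<type>\d+), is SSL\?: (?P<ssl>true|false)"
)
LDAP49_RE = re.compile(r"LDAP: error code 49 .*?data (?P<data>[0-9a-f]+)")

# Active Directory sub-codes carried in the 'data' field of an LDAP error 49 bind failure.
AD_DATA_CODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon time restriction", "532": "password expired",
    "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}

def parse_login_log(text):
    """One finding per 'Authentication failed' line; the LDAP error 49 sub-code
    from the following exception line is attached to the most recent finding."""
    findings = []
    for line in text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            findings.append({
                "account": m["account"], "path": m["path"], "host": m["host"].strip(),
                "port": int(m["port"]), "ssl": m["ssl"] == "true",
                "ldap_data": None, "reason": None,
            })
            continue
        m = LDAP49_RE.search(line)
        if m and findings and findings[-1]["ldap_data"] is None:
            findings[-1]["ldap_data"] = m["data"]
            findings[-1]["reason"] = AD_DATA_CODES.get(m["data"], "unknown sub-code")
    return findings

def stale_directory_hosts(findings, current_host):
    """Directory hosts in the failures that differ from the server now in use: the
    signature of 'directory server moved but SEPM settings not updated'."""
    return sorted({f["host"] for f in findings if f["host"].lower() != current_host.lower()})
```

Run it against the real login-0.log with the host name of the directory server currently in service; a non-empty result from stale_directory_hosts points at the stale SEPM setting described below.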
When Directory Authentication is used to access the SEPM, lockout issues occur if the Authentication Server is moved or changed.
Scenario 1 - SEPM Active Directory Authentication was set up using a new admin account.
In this situation it is still possible to log in to the SEPM using the built-in Administrator account. If the login details are not known, you may use login.bat to reset the password to the default settings (SEP 12.1). You can then reconfigure the Directory Authentication settings in the SEPM.
Scenario 2 - SEPM Active Directory Authentication was set up using the built-in admin account.
In this situation there is no supported way to regain access to the SEPM. Because the built-in admin account was used to set up Directory Authentication, there is now no way to log in to the SEPM except with that account. To allow successful login to the SEPM once again, the Authentication Server would need to be configured again exactly as it was when Directory Authentication was first created in the SEPM.
HOWEVER - There is another possible fix for this scenario: a CNAME record can be set up in DNS, which allows more than one domain name to resolve to the same IP address.
e.g. If the Directory Server was first added to the SEPM using its hostname, a CNAME can be set up to temporarily allow access to the NEW Directory Server using both the old Directory Server name and the new Directory Server name (as long as the new Directory Server has the same account set up as was used previously).
PLEASE NOTE - It is always recommended to create a new admin account when setting up Directory Authentication and to leave the default admin account in place.