Unable to apply or update Symantec Endpoint Encryption Device Control 8.2.x User Based Policy on client machine

Article:TECH196290  |  Created: 2012-09-07  |  Updated: 2013-09-12  |  Article URL http://www.symantec.com/docs/TECH196290
Article Type
Technical Solution


Environment

Issue



Unable to apply or update SEE Device Control 8.2.x User Based Policy on client machine.


Error



Errors found in the logs:

IIS Logs

[2012-08-16 08:37:01.655675] [Error] [PolicyWebServiceLogic] [IIS APPPOOL\SymantecEndpointEncryptionDeviceControlAppPoolWS] - Failed to handle User policy request by client computer1.contoso.local (Domain\UserWithSmartCard) (RetryLater):
Safend.Utils.Exceptions.DB.DBException - String or binary data would be truncated.
The statement has been terminated.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async)
   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
   at Safend.Backend.Server.DB.MsSql.MsSqlDBProvider._ExecuteNonQuery(IDbCommand comman
 

SQL Profiler Logs

  <Event id="13" name="SQL:BatchStarting">

  <Column id="1" name="TextData">Select Top 10001 [Type], [PK], [Name], [DN], (N'') As [Description], (N'') As [SID] From [containers] Where ( ( ( ( [Type] = N'Organization' ) OR ( [Type] = N'Domain' ) ) OR ( [Type] = N'OU' ) ) AND ( [containers].[Name] LIKE '%userwork%' ) ) Union All Select Top 10001 (N'Group') As [Type], [groups].[PK], [groups].[Name], [containers].[DN], [Description], (N'') As [SID] From [containers], [groups] Where ( ( [groups].[Name] LIKE '%userwork%' ) AND ( [containers].[PK] = [groups].[DN] ) ) Union All Select Top 10001 (N'User') As [Type], [users].[PK], [users].[Name], [containers].[DN], (N'') As [Description], [users].[SID] From [containers], [users] Where ( ( [users].[Name] LIKE '%userwork%' ) AND ( [containers].[PK] = [users].[DN] ) ) Union All Select Top 10001 (N'Computer') As [Type], [computers].[PK], [computers].[Name], [containers].[DN], (N'') As [Description], (N'') As [SID] From [containers], [computers] Where ( ( [computers].[Name] LIKE '%userwork%' ) AND ( [containers].[PK] = [computers].[DN] ) )</Column>
  <Column id="9" name="ClientProcessID">5496</Column>
  <Column id="11" name="LoginName">rafsa</Column>
  <Column id="35" name="DatabaseName">SymantecEndpointEncryptionDeviceControl</Column>
  <Column id="10" name="ApplicationName">.Net SqlClient Data Provider</Column>
  <Column id="12" name="SPID">131</Column>
  <Column id="14" name="StartTime">2012-08-22T11:32:53.357+02:00</Column>
  </Event>
  <Event id="12" name="SQL:BatchCompleted">
  <Column id="11" name="LoginName">rafsa</Column>
  <Column id="15" name="EndTime">2012-08-22T11:32:53.683+02:00</Column>
  <Column id="31" name="Error">0</Column>
  <Column id="35" name="DatabaseName">SymantecEndpointEncryptionDeviceControl</Column>
  <Column id="12" name="SPID">131</Column>
  <Column id="16" name="Reads">82731</Column>
  <Column id="1" name="TextData">Select Top 10001 [Type], [PK], [Name], [DN], (N'') As [Description], (N'') As [SID] From [containers] Where ( ( ( ( [Type] = N'Organization' ) OR ( [Type] = N'Domain' ) ) OR ( [Type] = N'OU' ) ) AND ( [containers].[Name] LIKE '%userwork%' ) ) Union All Select Top 10001 (N'Group') As [Type], [groups].[PK], [groups].[Name], [containers].[DN], [Description], (N'') As [SID] From [containers], [groups] Where ( ( [groups].[Name] LIKE '%userwork%' ) AND ( [containers].[PK] = [groups].[DN] ) ) Union All Select Top 10001 (N'User') As [Type], [users].[PK], [users].[Name], [containers].[DN], (N'') As [Description], [users].[SID] From [containers], [users] Where ( ( [users].[Name] LIKE '%userwork%' ) AND ( [containers].[PK] = [users].[DN] ) ) Union All Select Top 10001 (N'Computer') As [Type], [computers].[PK], [computers].[Name], [containers].[DN], (N'') As [Description], (N'') As [SID] From [containers], [computers] Where ( ( [computers].[Name] LIKE '%userwork%' ) AND ( [containers].[PK] = [computers].[DN] ) )</Column>
  <Column id="9" name="ClientProcessID">5496</Column>
  <Column id="13" name="Duration">325195</Column>
  <Column id="17" name="Writes">0</Column>
  <Column id="10" name="ApplicationName">.Net SqlClient Data Provider</Column>
  <Column id="14" name="StartTime">2012-08-22T11:32:53.357+02:00</Column>
  <Column id="18" name="CPU">297</Column>

Cause



The total character count of the Active Directory groups that the SEE Device Control user belongs to exceeds the 1,000-character limit of the SEE DC SQL database. This value is recorded in the SEE DC database whenever a user requests a new or updated policy from the server; if the character limit is exceeded, the user based policy fails to apply or update.

The character count is calculated by adding up the user's current AD groups, represented numerically in CSV format (without spaces). This is normally not an issue: a Win 2008 Server, for example, has approximately 30-40 AD groups by default, depending on the roles enabled. Any new groups added beyond the defaults are assigned a higher numerical value, so in rare cases, when a customer has an AD environment where users belong to a large number of custom-made groups, the 1,000-character limit may be exceeded. The approximate number of groups needed to exceed this limit varies depending on whether the AD groups have single-, double- or triple-digit numerical values, so the exact number will be between 250-278.


Solution



This issue was resolved in SEE Device Control 8.2.8 and later versions as the SQL database character limit was raised from 1,000 to 4,096 in DC 8.2.8. Upgrading the affected client machines to DC 8.2.8 or later should allow them to start receiving user based policies normally. Please see the attached Release Notes for Symantec Endpoint Encryption Device Control 8.2.8 for details.
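The length check described under Cause, against both the old limit and the raised limit from the Solution, modelled as an added example (not Symantec's code). It assumes the stored value is the decimal group values joined by single commas with no trailing comma, and that values are assigned consecutively; all function names are hypothetical.

```python
# Added example: models the group-list length limit described in this article.
# Assumption: the stored string is the numeric group values joined by single
# commas, no spaces, no trailing comma. The article only states
# "CSV format (without spaces)"; the exact serialization is not documented here.

OLD_LIMIT = 1000  # character limit before DC 8.2.8 (from the article)
NEW_LIMIT = 4096  # character limit in DC 8.2.8 and later (from the article)


def csv_length(group_ids):
    """Length of the comma-separated, space-free list of numeric group values."""
    return len(",".join(str(g) for g in group_ids))


def fits(group_ids, limit):
    """True when the serialized group list fits within the character limit."""
    return csv_length(group_ids) <= limit


def groups_to_exceed(first_id, limit):
    """Smallest count of consecutive values, starting at first_id, that exceeds limit."""
    ids = []
    next_id = first_id
    while fits(ids, limit):
        ids.append(next_id)
        next_id += 1
    return len(ids)


if __name__ == "__main__":
    # Constructed inputs: values 1..N mix one-, two- and three-digit numbers;
    # values 100..N are all three digits (the worst case below the old limit).
    print("old limit, values from 1:  ", groups_to_exceed(1, OLD_LIMIT))
    print("old limit, values from 100:", groups_to_exceed(100, OLD_LIMIT))
    print("new limit, values from 1:  ", groups_to_exceed(1, NEW_LIMIT))

    # Constructed user who is a member of 300 groups with values 1..300.
    member_of = list(range(1, 301))
    print("300 groups, length:", csv_length(member_of))
    print("fits old limit:", fits(member_of, OLD_LIMIT))
    print("fits new limit:", fits(member_of, NEW_LIMIT))
```

Under these assumptions the old limit is first exceeded at 278 groups when values start at 1 and at 251 groups when every value has three digits, in line with the article's approximate 250-278 range.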


Attachments

Symantec Endpoint Encryption Device Control 8.2.8 Release Notes
SEE-DC 8.2.8 Release Notes.pdf (59 kBytes)

