Critical System Protection

  • 1.  Active Directory Authentication

    Posted Dec 18, 2012 03:54 PM

    Hello All!

    I'm having trouble getting SCSP to accept authentication from Active Directory.  I have successfully added a Directory Server.  The ONLY configuration that would work was to enter an IP address for the Host field and uncheck the Use encrypted communications box.  All other combinations failed.

     

    Next an Active Directory User was created...

     

    The user exists in the AD and has a sufficiently complex password (in this case Symc4now!) to satisfy the requirements of CSP.

    Login like so....

    ... and get this.

     

    The server.xml file has been edited to allow unencrypted communications and the service has been stopped and restarted.

     

    Any ideas?

     



  • 2.  RE: Active Directory Authentication

    Posted Dec 18, 2012 04:49 PM

    Will V,

    You should change the server.xml file back to what it was before. Those configuration settings control how the "Symantec Critical System Protection Server" service connects to the SQL database, etc. The check box in the authentication configuration screen has nothing to do with anything in the server.xml file.

    Once you have done that, try again to connect to the management console... you will need to restart the "SCSP Server" service after modifying the server.xml file. If you continue to get error messages, please verify that you are able to authenticate with a local account. Let us know how it goes.

    Chris Tyrrell

    Compliance Practice Lead

    Conventus Corp. 



  • 3.  RE: Active Directory Authentication

    Posted Dec 18, 2012 10:23 PM


  • 4.  RE: Active Directory Authentication

    Posted Dec 19, 2012 09:19 AM

    Hi Ashish,

    Yes, I saw that post earlier.  This is a different problem.  I can log on using a user defined in the management server, so the installation is complete.  I just can't log on using an Active Directory user.

     

    Thanks for your reply.  I appreciate the help.

     

    Will



  • 5.  RE: Active Directory Authentication

    Posted Dec 19, 2012 09:25 AM

    Hi,

    If you have not received a solution, you can contact Symantec technical support.



  • 6.  RE: Active Directory Authentication

    Posted Dec 19, 2012 10:07 AM

    Chris,

    Thanks for your reply.  The server.xml file I'm referring to is located in <InstallPath>/server/tomcat/conf.  This file configures communication settings for the server/agent and server/console combinations.  I'm sure it has little to do with the database.

    The part edited is really just un-commenting a section to enable non-encrypted communications.  SYMC puts the proper settings in there, but comments them out for easy config changes.

    That being said, it makes no difference in logging on to the server as long as the user is aware of using (or NOT using) encrypted communications and makes the necessary changes to the server at time of login by clicking this icon...

     

    Last item; if by "local account" you mean a user defined in the management server, then yes, there is no issue there.  I can access the console using any defined user.

    Thanks for your reply,  I appreciate the feedback.  It DOES make me double check my steps.

     

    Will



  • 7.  RE: Active Directory Authentication

    Posted Dec 19, 2012 01:59 PM

    Will,

    I took another look at the server.xml file and see the section you are talking about. That is linked to the transmission of data between the mgmt server and the console. This would have nothing to do with the authentication process. I have configured this for many clients (utilizing both encrypted and unencrypted communication to the AD server) and have never had to deal with the server.xml file to make it work.

    If you are getting a successful test at the time of configuration, then everything should work. Silly question, I'm sure, but did you assign the user to a CSP role when you configured it? More silliness, but assuming you also verified the account is not locked out or disabled...

    Final suggestion, but have you tried identifying the domain in any other way (ex. symantec\testuser vs. symantec.local\testuser)? Kind of grasping at straws here because I haven't seen this anywhere else.

    Chris



  • 8.  RE: Active Directory Authentication

    Posted Dec 19, 2012 02:44 PM

    Chris,

    First of all, I don't think any of your questions or suggestions are silly.

    I did assign the user a role.  I've been caught by that before so I always double check.

    The account is active and unlocked in the Active Directory.  I think that's what you're talking about.  Is there a way to do that in the CSP server?

    I have only used the domain\username combo.  I'm following what the SYMC docs say.  I'll try the other ways you suggest soon.

    I'm starting to think the problem is NOT with CSP, but with the Active Directory.  Looking into that too.

    Thanks for the feedback and suggestions

     

    Will



  • 9.  RE: Active Directory Authentication
    Best Answer

    Posted Dec 19, 2012 03:42 PM

    Chris,

    Turns out SSL was NOT enabled for the AD.  Added that and I can configure a new directory server using encryption.

    Now AD logins are flowing smooth as silk.

     

    Will
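
The root cause in this thread (the directory server did not have SSL enabled, so only the unencrypted option worked) can be checked from the management server before touching any CSP setting. The following is an added example, not part of the original posts and not Symantec code; `probe_ldaps` is a hypothetical helper name, and it assumes the directory server offers LDAPS on the standard port 636.

```python
import socket
import ssl
import sys

def probe_ldaps(host, port=636, timeout=3.0):
    """Classify a directory server's LDAPS listener.

    Returns one of:
      "closed"    - nothing accepts TCP connections on the port
      "no_tls"    - TCP connects but the TLS handshake fails (how a
                    server with no usable certificate tends to look)
      "untrusted" - TLS works, but the certificate does not validate
                    against this machine's trust store or host name
      "ok"        - handshake and certificate validation both succeed
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"

    # Pass 1: handshake only, no validation, to separate "TLS is not
    # enabled at all" from "TLS is enabled but the cert is not trusted".
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    with raw:
        try:
            with lax.wrap_socket(raw, server_hostname=host):
                pass
        except (ssl.SSLError, OSError):
            return "no_tls"

    # Pass 2: full validation, as a client that enforces trust would do.
    strict = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except (ssl.SSLError, OSError):
        return "no_tls"

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python probe_ldaps.py <directory-server-name-or-ip>
    print(probe_ldaps(sys.argv[1]))
```

A result of "closed" or "no_tls" points at the directory server rather than at CSP; "untrusted" means encryption is enabled but the probing machine does not trust the certificate or the name used does not match it.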



  • 10.  RE: Active Directory Authentication

    Posted Dec 20, 2012 02:57 PM

    Glad you got it figured out!

    Chris