
Active Directory Authentication

Created: 18 Dec 2012 • Updated: 19 Dec 2012 | 9 comments
Will V's picture
This issue has been solved. See solution.

Hello All!

I'm having trouble getting SCSP to accept authentication from Active Directory.  I have successfully added a Directory Server.  The ONLY configuration that would work was to enter an IP address for the Host field and uncheck the Use encrypted communications box.  All other combinations failed.

 

Next an Active Directory User was created...

 

The user exists in the AD and has a sufficiently complex password (in this case Symc4now!) to satisfy the requirements of CSP.

Login like so....

... and get this.

 

The server.xml file has been edited to allow unencrypted communications and the service has been stopped and restarted.

 

Any ideas?

 

9 Comments

Conventus Tyrrell's picture

Will V,

You should change the server.xml file back to what it was before. Those configuration settings control how the "Symantec Critical System Protection Server" service connects to the SQL database, etc. The check box in the authentication configuration screen has nothing to do with anything in the server.xml file.

Once you have done that, try again to connect to the management console... you will need to restart the "SCSP Server" service after modifying the server.xml file. If you continue to get error messages, please verify that you are able to authenticate with a local account. Let us know how it goes.

Chris Tyrrell

Compliance Practice Lead

Conventus Corp. 

Will V's picture

Chris,

Thanks for your reply.  The server.xml file I'm referring to is located in <InstallPath>/server/tomcat/conf.  This file configures communication settings for the server/agent and server/console combinations.  I'm sure it has little to do with the database.

The part edited is really just un-commenting a section to enable non-encrypted communications.  SYMC puts the proper settings in there, but comments them out for easy config changes.

That being said, it makes no difference in logging on to the server as long as the user is aware of using (or NOT using) encrypted communications and makes the necessary changes to the server at time of login by clicking this icon...

 

Last item; if by "local account" you mean a user defined in the management server, then yes, there is no issue there.  I can access the console using any defined user.

Thanks for your reply,  I appreciate the feedback.  It DOES make me double check my steps.

 

Will

 

Please mark posts as the solution if they solve your problem!

Will V's picture

Hi Ashish,

Yes, I saw that post earlier.  This is a different problem.  I can log on using a user defined in the management server, so the installation is complete.  I just can't log on using an Active Directory user.

 

Thanks for your reply.  I appreciate the help.

 

Will

 


Ashish-Sharma's picture

Hi,

If you have not received a solution, you can contact Symantec technical support.

Thanks In Advance

Ashish Sharma

 

 

Conventus Tyrrell's picture

Will,

I took another look at the server.xml file and see the section you are talking about. That is linked to the transmission of data between the mgmt server and the console. This would have nothing to do with the authentication process. I have configured this for many clients (utilizing both encrypted and unencrypted communication to the AD server) and have never had to deal with the server.xml file to make it work.

If you are getting a successful test at the time of configuration, then everything should work. Silly question, I'm sure, but did you assign the user to a CSP role when you configured it? More silliness, but assuming you also verified the account is not locked out or disabled...

Final suggestion, but have you tried identifying the domain in any other way (ex. symantec\testuser vs. symantec.local\testuser)? Kind of grasping at straws here because I haven't seen this anywhere else.

Chris

Will V's picture

Chris,

First of all, I don't think any of your questions or suggestions are silly.

I did assign the user a role.  I've been caught by that before so I always double check.

The account is active and unlocked in the Active Directory.  I think that's what you're talking about.  Is there a way to do that in the CSP server?

I have only used the domain\username combo.  I'm following what the SYMC docs say.  I'll try the other ways you suggest soon.

I'm starting to think the problem is NOT with CSP, but with the Active Directory.  Looking into that too.

Thanks for the feedback and suggestions

 

Will

 


Will V's picture

Chris,

Turns out SSL was NOT enabled for the AD.  Added that and I can configure a new directory server using encryption.

Now AD logins are flowing smooth as silk.

 

Will

 


SOLUTION
Conventus Tyrrell's picture

Glad you got it figured out!

Chris
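
The root cause in this thread was that the directory server did not offer SSL, so only the unencrypted setting worked. The following is an added example, not part of the original thread or of Symantec's tooling: a check of which transports a directory server actually offers before the "Use encrypted communications" box is unchecked. The host name `dc01.example.local` is a placeholder, and 389/636 are assumed as the standard LDAP/LDAPS ports.

```python
import socket
import ssl

def probe(host, port, use_tls, timeout=3.0):
    """Return 'closed', 'open', 'tls-ok', 'tls-untrusted' or 'tls-failed'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"                      # refused, filtered or unreachable
    with sock:
        if not use_tls:
            return "open"                    # TCP connect only, nothing sent
        ctx = ssl.create_default_context()   # verifies chain and host name
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls-ok"
        except ssl.SSLCertVerificationError:
            # TLS is spoken, but the certificate is not trusted or does not
            # match the name used (typical when the Host field is an IP).
            return "tls-untrusted"
        except (ssl.SSLError, OSError):
            return "tls-failed"              # port answers but not with TLS

def directory_transport_report(host, ldap_port=389, ldaps_port=636, timeout=3.0):
    """Probe both transports and summarise what a client can safely use."""
    ldap = probe(host, ldap_port, False, timeout)
    ldaps = probe(host, ldaps_port, True, timeout)
    if ldaps == "tls-ok":
        verdict = "ldaps-ready"       # keep encrypted communications enabled
    elif ldaps == "tls-untrusted":
        verdict = "fix-certificate"   # import the issuing CA or use the cert's name
    elif ldap == "open":
        verdict = "cleartext-only"    # enable SSL on the directory server
    else:
        verdict = "unreachable"
    return {"ldap": ldap, "ldaps": ldaps, "verdict": verdict}

if __name__ == "__main__":
    # Placeholder host name; replace with the directory server being configured.
    print(directory_transport_report("dc01.example.local"))
```

A `cleartext-only` verdict matches the situation described above, where the fix was to enable SSL on the directory rather than to leave the encrypted option off.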