Endpoint Encryption


cannot connect to management server


  • 1.  cannot connect to management server

    Posted Jan 28, 2015 04:35 PM

    I have a laptop with the management agent installed and when I click on check in, I get the error: unable to connect to server.

    The URL http://servername:80/GECommincationWS.asmx is up and I am able to connect to it via browser.  Logging has been set up to level 5 and I get the following within the EACommunicatorSrv00.log:

    [01/28/15 11:30:15][ERROR][1356][0x578][EAFRCliDBWrapper][SYSTEM][CEARegException: Error#14, CCommunicationData::LoadFromReg - iEAClientDB->getDWORDData for communicationMinutes failed.][EAFRCliDBWrapper.cpp:689]

    [01/28/15 11:30:15][ERROR][1356][0x578][EAFRCliADSIComm][SYSTEM][GECommunication ERROR Exception in m_CDBWrapper->LoadRegClass(hCommData) - message CEARegException: Error#14, CCommunicationData::LoadFromReg - iEAClientDB->getDWORDData for communicationMinutes failed.][EAFRCliADSIComm.cpp:848]

    [01/28/15 11:30:15][ERROR][1356][0x578][EAFRCliADSIComm][SYSTEM][ADSICommunicationThreadProc - LoadCommunicationData failed.][EADLL.cpp:262]

     

     

    Please let me know what I can do to troubleshoot

     



  • 2.  RE: cannot connect to management server

    Posted Jan 28, 2015 05:04 PM

    Stepht12, good afternoon, I would like to provide assistance for you on this issue and would like to ask, what is the exact product and version you are reporting this issue with? Thank you



  • 3.  RE: cannot connect to management server

    Posted Jan 28, 2015 05:12 PM

    Product: symantec endpoint encryption

    Server version:

    SEE management agent 11.0.0 MP1

     

    client: Windows 7 64 bit

    version 11.0.0 (Build 7726)



  • 4.  RE: cannot connect to management server

    Posted Jan 28, 2015 05:14 PM

    Stepht12, good afternoon, what is the server OS and version you are using? Thank you



  • 5.  RE: cannot connect to management server

    Posted Jan 28, 2015 05:32 PM

    Stepht12, good afternoon, here are a couple of more suggestions for you to use as needed, to help expedite a resolution for you:

     

    1. Please restart the IIS service on your server and attempt the client communication again. Is this successful?
    2. On the server, open Services and please verify the "log on" option for the IIS service. Is this information correct? If changes are made and applied, after restarting the service does the client check in successfully?
    3. Another good method of troubleshooting this issue, is to create a new client package on the server, when you enter your IIS credentials and authenticate, please let me know if this process is successful and if not, what happens/which boxes are highlighted in red?
    4. Do you have multiple websites listed in IIS? If so, are they running under the same port? If so, we can reconfigure as needed, just let me know. If you would like, for quick verification, you can temporarily disable the conflicting website by right clicking its entry and selecting disable, then try the client communication again and then re enable the default website as required.

     



  • 6.  RE: cannot connect to management server

    Posted Jan 28, 2015 05:35 PM

    Stepht12, good afternoon and thank you for the update. Is this the first time you are experiencing this issue, perhaps after a new installation or is this an existing issue in your environment, the reason I ask is that the troubleshooting steps for a recent installation issue may differ a little. However, I will include steps for both to help get you started, in an effort to help expedite a resolution to your issue.

     

    New Installation:

    1. Please verify that the prerequisite requirements for this product installation, specifically IIS, have been met. In case needed, please refer to the attached PDF and beginning on page 25 you will find the "Symantec Endpoint Encryption prerequisites" to help get you started. What we see many times for issues like this would be a missing prerequisite, here are quick steps in case needed for verification:
       1. For server 2012 (please let me know if you are using 2008 as the steps will differ) In the Web Server Role (IIS) page, click Next.
       2. In the Role Services page, expand Web Server > Security and select Basic Authentication.
       3. In the Role Services page, expand Web Server > Application Development and check the following:
          • .NET Extensibility 4.5
          • ASP .NET 4.5
          • ISAPI Extensions
          • ISAPI Filters
       4. In the Role Services page, expand Management Tools and check the following:
          • IIS Management Console
          • IIS 6 Management Compatibility (check all four entries)
          • IIS Management Scripts and Tools

     

    Existing installation

    1. Provided your environment was up and running for some time without issue, your reported issue sounds similar to what may be seen with a recent change to IIS or with the associated SEE IIS provisioned user account. Please verify the provisioned user account for SEE IIS is ok, not locked or otherwise.

     

    At your convenience, can you provide an update and we can continue as needed. Thank you




  • 7.  RE: cannot connect to management server

    Posted Jan 30, 2015 12:55 PM

    Hello,

     Yes, I restarted IIS and created a new package.  When I enter in the credentials, it goes to the next process of where to place the package.  I have no other websites running besides the sem and IIS starts up successfully.  I can get to the url fine

     



  • 8.  RE: cannot connect to management server

    Posted Jan 30, 2015 01:13 PM

    Also this is a new installation with windows 2008R2 server

     



  • 9.  RE: cannot connect to management server

    Posted Feb 03, 2015 12:14 AM

    any update to this issue?



  • 10.  RE: cannot connect to management server

    Posted Feb 03, 2015 10:26 AM

    From the log you posted originally, it looks like there are exceptions when attempting to read registry data.  You may need to check those permissions, and/or uninstall and reinstall the software.  At this point it's not clear if the values exist or are simply failing to be read.  I have seen both cases act very similarly.



  • 11.  RE: cannot connect to management server

    Posted Feb 03, 2015 11:58 AM

    Stepht12, good morning, here is a new "troubleshooting" step for you to take, try to create a new SEE client package and at the last step try inserting your computer's IP address in place of the "servername" field, just delete the current entry and put your IP address right in there and test results. Here is what the outcome will look like:

     

    Your current setting: http://servername:80/GECommincationWS.asmx

    Try new setting: http://192.168.200.32:80/GECommincationWS.asmx (using an example IP address)

     

     

    Let us know your results when you get a chance.

     

    Thank you and have a good day



  • 12.  RE: cannot connect to management server

    Posted Feb 03, 2015 01:27 PM

    I tried and still get the same error.  One question I do have, Does the drive encryption agent need to know any credentials to connect?  I see you need to create a client administrator, but does the agent need to have any passwords configured to connect?



  • 13.  RE: cannot connect to management server

    Posted Feb 03, 2015 03:25 PM

    Steph12, good afternoon, regarding your question "does the drive encryption engine need to know any credentials to connect" answer: yes, Each client computer shares a single domain user account. It uses this account for basic authentication to IIS on the Symantec Endpoint Encryption Management Server. The IIS client authentication account is a regular domain user account and does not require specific privileges.

     

    In case needed for troubleshooting,

     

    1. you may want to verify this account in active directory to ensure it is not locked, if this account had a recent password change you will need to create a new set of client packages afterwards and deploy them to your endpoints to help ensure communication is successful. If by chance you are using older client files with outdated passwords for the IIS account, this will fail in communication.
    2. You could create a new active directory IIS user account, then open the configuration manager for SEE and update this user information for IIS, then create new client files and test communication.

     

    Please let us know how this works for you.



  • 14.  RE: cannot connect to management server

    Posted Feb 03, 2015 04:38 PM

    Hello Kyle,

       OK, when I go to the link via browser:  http://servername:80/GECommincationWS.asmx, I do get a username and password and I use the one that is used when creating the installation files for the client.  One item I do notice is when I install the client disk encryption and reboot, I do not get a login for the symantec disk encryption.  I read there's a preboot login?  For the client I am testing, it just goes straight to the windows login

     



  • 15.  RE: cannot connect to management server

    Posted Feb 03, 2015 05:01 PM

    It failed to register a user, and/or the client admin accounts, so it will boot straight into Windows.  This tracks with the registry entries either being missing, or the system being unable to read them.

    Was the software installed as an administrator?  Are there other security products in use which might restrict access to the registry either during installation or during the use of the software?  Have you tried uninstalling and reinstalling?



  • 16.  RE: cannot connect to management server

    Posted Feb 03, 2015 05:10 PM

    Yes, the software is installed as administrator.  Does the Symantec endpoint client framework need to be installed?  If so, I can't seem to find the package/install to create it

     



  • 17.  RE: cannot connect to management server

    Posted Feb 03, 2015 05:20 PM

    The framework was renamed to the Management Agent in version 11.  It must be installed first, before the Drive Encryption piece.



  • 18.  RE: cannot connect to management server

    Posted Feb 03, 2015 05:27 PM

    Ok, I have the SEE management agent and SEE Drive Encryption agent installed, but still it just goes directly to windows login when rebooted.  I have re-installed numerous times.  Are there log files I can get to find out any errors?



  • 19.  RE: cannot connect to management server

    Posted Feb 03, 2015 05:29 PM

    stepht12, good afternoon, if you are not seeing the Pre Boot Authentication (PBA) screen, this is probably due to one of the following:

    1. you need to restart the computer just one more time.

    2. there may be an issue with the currently registered user, many ways to investigate, one easy method is to simply log into a new Windows OS user account on the computer, "answer any security questions if prompted", reboot twice, test results.



  • 20.  RE: cannot connect to management server

    Posted Feb 03, 2015 05:44 PM

    stepht12, good afternoon, keep in mind with SEE 11 once the product is installed, computer then restarted, user is registered, on the next restart you "should" see the PBA screen, this is the expected outcome, please let me know if this is still an issue for you.

     

    thank you



  • 21.  RE: cannot connect to management server

    Posted Feb 03, 2015 05:48 PM

    I am still seeing the same issues of not going to the PBA.  With the current registered user, do I need to register him within the management server?  Also, can I check the registry to make sure all the values are correct?



  • 22.  RE: cannot connect to management server

    Posted Feb 03, 2015 05:51 PM

    steph12, good afternoon, please try this step from above and let me know the results:

     

    2. there may be an issue with the currently registered user, many ways to investigate, one easy method is to simply log into a new Windows OS user account on the computer, "answer any security questions if prompted", reboot twice, test results.



  • 23.  RE: cannot connect to management server

    Posted Feb 03, 2015 06:06 PM

    I'm a bit skeptical that it has to do with anything but the registry.  Have you only tried this on the one system?  The user has to register with the server, but in the logs, you are seeing things like:
    [01/28/15 11:30:15][ERROR][1356][0x578][EAFRCliADSIComm][SYSTEM][ADSICommunicationThreadProc - LoadCommunicationData failed.][EADLL.cpp:262]

    The failure to load communication data would definitely prevent a user from registering, which would prevent the drive from adding a registered user, which would prevent the Bootguard from displaying.  I don't know that it bears any further troubleshooting other than trying to figure out what is wrong with the registry.

    What security software or antivirus is in use?  Security software can prevent registry entries from populating during installation.  I will also continue to research in my lab and see if I can replicate what you are seeing.

    One additional thing you may try is to manually add the user through the Command Prompt.  Run cmd as an administrator and do the following command:
    eedAdminCli --register-user --disk <number> -u <username> -p <phrase> [--sso] [--domain <domain>] [--admin] --au <AdminUserName> --ap <AdminPassword>

    An example might look like this:
    eedAdminCli --register-user --disk 0 -u "Bob Jones" -p Bobsp@55w0rd --sso --domain Ankeny.local --au ClientAdmin --ap CAdminp@55

    I have found that this works fairly well for cases where there is something off about the hardware (i.e. some hybrid drives), and if it does work, it should allow the drive to encrypt.  While I doubt this will fix the issue in its entirety, it should allow us to see if the issue might be hardware related.
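The replies above read the failure chain out of the posted log by eye; the following added example (not part of the original thread and not Symantec tooling) does the same reading programmatically over the three ERROR lines quoted in the thread. The field names given to each bracketed column are assumptions taken from the line layout, not a documented schema.

```python
import re
from collections import defaultdict

# The three ERROR lines quoted in the thread, copied verbatim.
SAMPLE_LOG = """\
[01/28/15 11:30:15][ERROR][1356][0x578][EAFRCliDBWrapper][SYSTEM][CEARegException: Error#14, CCommunicationData::LoadFromReg - iEAClientDB->getDWORDData for communicationMinutes failed.][EAFRCliDBWrapper.cpp:689]
[01/28/15 11:30:15][ERROR][1356][0x578][EAFRCliADSIComm][SYSTEM][GECommunication ERROR Exception in m_CDBWrapper->LoadRegClass(hCommData) - message CEARegException: Error#14, CCommunicationData::LoadFromReg - iEAClientDB->getDWORDData for communicationMinutes failed.][EAFRCliADSIComm.cpp:848]
[01/28/15 11:30:15][ERROR][1356][0x578][EAFRCliADSIComm][SYSTEM][ADSICommunicationThreadProc - LoadCommunicationData failed.][EADLL.cpp:262]
"""

# Assumed column meaning: timestamp, level, pid, tid, module, account, message, source:line.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<pid>\d+)\]\[(?P<tid>0x[0-9a-fA-F]+)\]"
    r"\[(?P<module>[^\]]+)\]\[(?P<account>[^\]]+)\]\[(?P<msg>.*)\]"
    r"\[(?P<src>[^\]:]+):(?P<srcline>\d+)\]$"
)
# Matches "<Class>::<Method> - <object>-><getter> for <valueName> failed".
REG_READ_RE = re.compile(r"(\w+::\w+) - \w+->(get\w+) for (\w+) failed")

def parse_log(text):
    """Return one dict per well-formed line; blank or unparseable lines are skipped."""
    matches = (LINE_RE.match(raw.strip()) for raw in text.splitlines())
    return [m.groupdict() for m in matches if m]

def failed_registry_reads(records):
    """Distinct (caller, getter, value_name) tuples from ERROR messages, in first-seen order."""
    seen = []
    for r in records:
        m = REG_READ_RE.search(r["msg"]) if r["level"] == "ERROR" else None
        if m and m.groups() not in seen:
            seen.append(m.groups())
    return seen

def error_chains(records):
    """Group ERROR source locations by (timestamp, pid, tid), preserving log order."""
    chains = defaultdict(list)
    for r in records:
        if r["level"] == "ERROR":
            chains[(r["ts"], r["pid"], r["tid"])].append(f'{r["src"]}:{r["srcline"]}')
    return dict(chains)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("registry reads that failed:", failed_registry_reads(recs))
    print("error chains per thread:", error_chains(recs))
```

On these lines all three errors fall in one thread at one timestamp, and the only value named as unreadable is `communicationMinutes`, which is the value to look for when checking whether the entry is missing or merely unreadable.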

     



  • 24.  RE: cannot connect to management server

    Posted Feb 04, 2015 12:29 AM

     

    We have trendmicro running, but I don't think it should impede in installing the software since I have installed other programs without any issues.  Let me try the CLI and I will let you know.  I will also uninstall the trendmicro client

     

     



  • 25.  RE: cannot connect to management server

    Posted Feb 04, 2015 01:13 PM

    When I run the command, it states manage console admin not registered

    Operation register user failed:

    Error code -12240: user not found

    Maybe this will give more insight on what is wrong?



  • 26.  RE: cannot connect to management server

    Posted Feb 04, 2015 01:23 PM

    steph12, good morning, please try this step:

    test: there may be an issue with the currently registered user, many ways to investigate, one easy method is to simply log into a new Windows OS user account on the computer, "answer any security questions if prompted", reboot twice, test results.

     



  • 27.  RE: cannot connect to management server

    Posted Feb 04, 2015 01:33 PM

    Hello Kyle,

     Tried and rebooted 2x and the new user goes straight to the windows login prompt

     



  • 28.  RE: cannot connect to management server

    Posted Feb 04, 2015 01:38 PM

    Also when you say "registered user", is there a process within the management interface to register the user?  The current user I am using is just a windows domain user but has admin rights