
Can't log in to SEP Console...

Created: 12 Sep 2013 • Updated: 16 Sep 2013 | 23 comments
This issue has been solved. See solution.

Problem:

I can't log in to the console anymore, not with our AD account and not with our 'local' admin account.

We tried to reset the admin account but we didn't get any mail. If I look at mailconf.properties I see this:

adminMailReciptants= "Around 10 adresses here"
mailAdmin= *Empty*
 

Technical specs:

 
  • SEPM 12.1 RU2
  • Windows 2008 x64
  • We use an AD connection for our admin accounts
  • We use an external SQL DB

What I have tried/checked:

  • I checked the log file for connection errors. (Only found one where the connection was rejected, but this was to download definitions; not sure it's the same problem.)
  • Checked if none of our service accounts was locked --> No locked account
  • Checked the connection to our DB --> there is a connection.
  • Checked with a 'fake' virus whether we still get mail --> We still get mail when a computer is infected.
  • Checked if the domain controllers are up --> they are up. (SEP uses a specific DC)
  • Restarted the services --> Same problem
  • If we try 5 times our account will be locked.
  • I tried to reset the password of the admin account --> I don't get any mails, I don't think the mail is sent.
  • I did the Management Server Configuration Wizard.

What I haven't tried yet:

  • Full reboot of the server. (I'm not allowed to do this myself, I have to ask someone from the 'server team' to do this.)
  • Check in Exchange if the mail (to reset admin password) is sent.

What I want (if possible):

I'm looking for a way to get back in to the console, but I prefer to not use disaster recovery.


.Brian's picture

Did you add the email address you want the reset notification sent to in the mailconf file?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Glenn Jacobs's picture

Oh, let me try this, why didn't I think about that?

Glenn Jacobs's picture

Do I have to restart the services? Because I don't get any mail (or I didn't wait long enough).

.Brian's picture

Try restarting the service after saving your changes.


Glenn Jacobs's picture

After restarting the services the file gets overwritten with the 'older' config. So I suppose this is just a dump file to give us information and not a config file.

Mithun Sanghavi's picture

Hello,

Check this Article:

How to Reset Symantec Endpoint Protection Manager Console password in SEP 12.1

https://www-secure.symantec.com/connect/articles/how-reset-symantec-endpoint-protection-manager-console-password-sep-121

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Glenn Jacobs's picture

Already tried that. (except logging a case for the resetpass.bat)

 

I have the following in the mailconfig.properties:

adminMailReciptants= "Around 10 adresses here"
mailAdmin= *Empty*
 
 
Is there a way to add the administrator mail address to the admin account if it's empty? (I think this is the problem I have with recovering the password.)

Mithun Sanghavi's picture

Hello,

Do not use the built-in SEPM "admin" account when setting up Active Directory Authentication; doing so can prevent logon access to SEPM with an "Authentication Failure" error. Lockout issues can occur when changing the Active Directory account, upgrading Active Directory, changing Active Directory mode, and when removing SEPM(s) as a replication partner.

SEPM Active Directory Authentication is only supported for Admin accounts that have been created in SEPM by clicking "Add Administrator."

NOTE: The SEPM user name is taken from SEPM database while the password is taken from Active Directory for the account you specified in Account Name.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


Chetan Savade's picture

Hi,

Thank you for posting in Symantec community.

If SEPM is synced with an AD account then you can't log in with the 'local' admin.

You can't directly change the email address in mailconf.properties. Even though you could save a new address, it won't work.

You need to change it after logging in to the console; then it should be reflected in mailconf.properties.

Was there any change in IP address/hostname or any other change on the server where SEPM is installed?

Try with the AD server IP address instead of hostname/FQDN or vice versa.

As you mentioned, around 10 addresses are listed at adminMailReciptants. Try to log in with those accounts if possible.

The AD Sync logs are useful for identifying issues during AD Synchronization. 

File Location: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tomcat\Logs\ADSITask-0.log

Search for the keyword “Error Code” and the next few lines for the reason. Search the KB for the error code! 

 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Glenn Jacobs's picture

None of those accounts work. They just get the error that their login name or password is wrong. But that's not the case because we use those accounts for a lot of other things...

Is there a way to change AD config without logging in?

Chetan Savade's picture

Hi,

There is no way to change the AD config without logging in.

How many clients are there in total?

Personally I think you will have to reinstall the SEPM.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Glenn Jacobs's picture

In the log I have the following:

 

2013-09-12 17:28:10.048 THREAD 34 INFO: LdapUtils>> connect: Connecting...
2013-09-12 17:28:10.048 THREAD 34 INFO: LdapUtils>> connect: Done!
2013-09-12 17:28:10.048 THREAD 34 INFO: LdapUtils>> connect: Connecting...
2013-09-12 17:28:10.048 THREAD 34 INFO: LdapUtils>> connect: Done!
2013-09-12 17:28:10.204 THREAD 34 INFO: ADSITask: No DirectoryServer for group name=Computers, group id=068302600A00850701C9B73485F9811C, domain name=xxxxxx, domain id=04C92FC26F043317016BF0E688BC55B4
2013-09-12 17:28:10.204 THREAD 34 INFO: ADSITask: No DirectoryServer for group name=Computers, group id=F37EE2820A00850700CD18B1EBEABB12, domain name=xxxxxx, domain id=04C92FC26F043317016BF0E688BC55B4
2013-09-12 17:28:10.204 THREAD 34 INFO: ADSITask: No DirectoryServer for group name=Computers, group id=82DB962C0A0085070038942B75B20304, domain name=xxxxxx, domain id=04C92FC26F043317016BF0E688BC55B4
2013-09-12 17:28:10.219 THREAD 34 INFO: LdapUtils>> connect: Connecting...
2013-09-12 17:28:10.219 THREAD 34 INFO: LdapUtils>> connect: Done!
2013-09-12 17:28:10.219 THREAD 34 INFO: LdapUtils>> connect: Connecting...
2013-09-12 17:28:10.219 THREAD 34 INFO: LdapUtils>> connect: Done!
2013-09-12 17:28:10.219 THREAD 34 INFO: LdapUtils>> connect: Connecting...
2013-09-12 17:28:10.219 THREAD 34 INFO: LdapUtils>> connect: Done!
 
 
There are no errors in this log...
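
The search suggested earlier in the thread (look for "Error Code" and the lines that follow it in ADSITask-0.log), as an added example that is not part of the original posts or of Symantec's tooling. It assumes the line layout of the excerpt above; the function name, the SEVERE level and the sample error entry are constructed for illustration.

```python
import re
from collections import Counter

# Layout taken from the excerpt in the thread:
# "2013-09-12 17:28:10.204 THREAD 34 INFO: ADSITask: No DirectoryServer ..."
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} THREAD (\d+) ([A-Z]+): (.*)$"
)

def scan_adsi_log(lines, keyword="Error Code", context=3):
    """Return (hits, level_counts) for an iterable of log lines.

    hits: one dict per line containing `keyword` (case-insensitive), with the
    1-based line number, the line itself and the next `context` lines.
    level_counts: Counter of log levels; lines without a timestamp header
    (continuation lines) are counted under "(continuation)".
    """
    lines = [ln.rstrip("\r\n") for ln in lines]
    levels = Counter()
    hits = []
    needle = keyword.lower()
    for idx, line in enumerate(lines):
        m = LINE_RE.match(line)
        levels[m.group(2) if m else "(continuation)"] += 1
        if needle in line.lower():
            hits.append({"lineno": idx + 1, "line": line,
                         "context": lines[idx + 1: idx + 1 + context]})
    return hits, levels

# Constructed sample: the INFO lines follow the excerpt in the thread; the
# SEVERE entry and its continuation lines are made up to exercise the search.
SAMPLE = """\
2013-09-12 17:28:10.048 THREAD 34 INFO: LdapUtils>> connect: Connecting...
2013-09-12 17:28:10.048 THREAD 34 INFO: LdapUtils>> connect: Done!
2013-09-12 17:28:10.204 THREAD 34 SEVERE: ADSITask: Error Code: PLACEHOLDER
  constructed continuation line 1
  constructed continuation line 2
2013-09-12 17:28:10.219 THREAD 34 INFO: LdapUtils>> connect: Connecting...
""".splitlines()

if __name__ == "__main__":
    # On the SEPM server, pass the opened ADSITask-0.log instead of SAMPLE,
    # e.g. open(path_to_log, errors="replace").
    hits, levels = scan_adsi_log(SAMPLE)
    print(dict(levels))
    for h in hits:
        print(h["lineno"], h["line"])
        for c in h["context"]:
            print("    " + c)
```
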
Chetan Savade's picture

Forgot to add this one: you can't use the 'Forgot password' link in this case, because you can use this method to reset a password only for the administrator accounts that authenticate by using Symantec Management Server authentication.

This method does not work for any administrator accounts that authenticate by using either RSA SecurID authentication or directory authentication.

Refer to the note mentioned in this article: http://www.symantec.com/docs/HOWTO55059

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Rafeeq's picture

What is the error message you get when you try to log in?

Access Denied or Failed to connect to the server?

Glenn Jacobs's picture

The error I get when I try to log in:

 

"The administrator's user name or password is incorrect. Type a valid user name or password."

Glenn Jacobs's picture

What I haven't tried yet:

  • Full reboot of the server. (I'm not allowed to do this myself, I have to ask someone from the 'server team' to do this.)
  • Check in Exchange if the mail (to reset admin password) is sent.

Rebooted yesterday and our Exchange administrator doesn't see any mails coming from our SEPM.

--> Problem still exists.

Rafeeq's picture

Run the resetpass.bat. You need to call support to get the tool, or create a web case to get the login details emailed.

How to create a new case in MySymantec

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:-

Regional Support Telephone Numbers:

  • United States: 800-342-0652 (407-357-7600 from outside the United States)
  • Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
  • United Kingdom: +44 (0) 870 606 6000

Additional contact numbers: http://www.symantec.com/business/support/contact_t...

SOLUTION
Glenn Jacobs's picture

Does the reset pass change the method to log in? So disable login with AD?

Chetan Savade's picture

Reset pass is no help in this case.

Could you please attach ADSITask-0.log and ADSITask-1.log to this thread?

You can make file attachments; the option is available at the bottom.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Glenn Jacobs's picture

I contacted Symantec, and they gave me the resetpass.bat file. And this solved my problem.

I'm very happy about this because this saved me from doing a disaster recovery next week Monday...

Chetan Savade's picture

Good to know the issue has been resolved. However, I do wonder how resetpass.bat could help.

 

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Glenn Jacobs's picture

I'm not sure about it, but I have 1 local admin account where I didn't have the correct password for it, so I just ran the resetpass.bat and I could log in. But I still can't log in with an AD account on that specific DC, but I think the problem is on the DC server. (There were a lot of changes on the server last week, so I suppose something went wrong.)

I just chose another DC and the problem is solved.