Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

You cannot use the SA account

Created: 02 Apr 2013 • Updated: 02 Apr 2013 | 12 comments
This issue has been solved. See solution.

Hello there,

Im trying to add another SEPM to an existing site, when running the management configuration wizzard, i fill in the database parameters im allready using on other SEPM's for our SEPM database.

However im getting the following error:

You cannot use the SA account as the database username. Choose another name.

Anyone knows what im doing wrong? Im always connecting as SA to my SEPM database.

Thanks!

LEVD 

Operating Systems:

Comments 12 CommentsJump to latest comment

Rafeeq's picture

we never use the SA account due to security concerns. I have never seen such window. 

Please post a screen shot will be helpful to check if its thrown from SEPM or windows. Whats your sql version?

K33's picture

Details for the User accounts

  • The User is an SQL user account (sem5) that will be created by the SEPM installation on the SQL server. This account is a limited rights account that is only used by SEPM to access the database to perform queries, read data and store content in the SEPM database. It has no privileges outside of the SEPM database.
  • The DBA user is the SQL SA account and is used by the installation to create the SEPM User account (sem5). If the SA account cannot be used, use an existing SA equivalent account, or create an equivalent account just for the installation process and then delete it once the database installation is complete. This is the only time SEPM will need the SA account on the SQL server. If creating an account for this installation, that account must be able to create databases, tables and database users.
  • If the sem5 user is created ahead of time, the installation will fail because the user it is trying to create already exists. The installation must create this user to be successful.

http://www.symantec.com/docs/TECH104999

Rafeeq's picture

I think you are getting confused with user name field here.

Database user name

sem5

Name of the database user account that is created. The user account has a standard role with read and write access. The name can be a combination of alphanumeric values and the special characters ~#%_+=|:./. The special characters '!@'$^&*()-{}[]"\<;>,? are not allowed. The following names are also not allowed: sysadmin, server admin, setupadmin, securityadmin, processadmin, dbcreator, diskadmin, bulkadmin.

So ideally this name should not be SA

http://www.symantec.com/business/support/index?page=content&id=HOWTO81038

levd's picture

Well i cannot continue.

Its a simple dialog box ERROR: You cannot use the SA account as the database username. Choose another name. Its an error from SEPM configuration wizzard.

SMLatCST's picture

#EDIT#

Misread the error!

During the initial install of SEPM (on 12.1) it will create a separate SQL account called sem5 which has only the SQL rights it needs.  Do you still have the credentials for this account?

levd's picture

Hi,

No i dont have the password for this user anymore, i know it exists because i can see it in the management studio.

Strange thing is when i look in my existing SEPM's and look at the database server the database is called SEM5 and the database user is SA.

Now im trying to add another SEPM server and it cant connect by user SA ? isnt that strange..?

LEVD

SMLatCST's picture

Yeah, it does seem odd.  As the sem5 account is not being used, you could just change its password via the SQL management studio.

Alternatively, if you want to avoid messign with this account, you could follow one of the below articles to create a further custom SQL account for the new SEPMs (I assume the original SEPM was installed on an old version that didn't check for the SA account).

http://www.symantec.com/docs/TECH192646
http://www.symantec.com/docs/TECH104988

levd's picture

Hello SMLatCST,

I made another user in SQL and it now works.
However i have one question: De database server in all my SEPMS now show database user: thenewusericreated.

Do i need to change the other SEPMS so the also connect by this user to the database? and how do i do this? They still look online, but the connected by SA and now the user is change to the new user.

Thanks!

LEVD

SMLatCST's picture

Hi LEVD,

I'm glad to hear it's now working for you.  Just to clarify, does the new SQL account appear as the database user when you log into the console of each  and every SEPM, or just when you log into the console of the new one?

I'd be quite impressed if SEP managed to auto-update the SQL account used by the other SEPMs, as this would be an improvement to security.  As the earlier posts have discussed, it is more secure to use a custom account that is locked to only the SEP database, than to use the SA account.

If, however, you find that the new account is not used by all the SEPM (after logging into each SEPM in-turn), you can run the Management Server Configuration Wizard to change it.

SOLUTION
levd's picture

Hi SMLatCST,

Well on all of my SEPM's: Admin --> servers --> local site --> select database server, the database user is now the new one.
The other SEPMs however still work and clearly not use SA anymore...? 

I just followed the url you gave me, created a new SQL user because SA didnt work anymore. Used this on my new SEPM to connect to the database, i added a new server to my existing site, i guess it changed it for all servers..

LEVD

SMLatCST's picture

Like I said, I'm surprised that it managed to change the credentials used by the other SEPMs.  It is however, a good thing as the SA account has far more rights than is needed by SEP.  I can only guess at how it accomplished this change, but I'd guess that the db account details are stored in the DB as well.

I'd suggest monitoring the SEPM's for a little while to ensure all is working and fine (as it seems to be), and leave them using the new, locked-down sql account.  What you do with the SA account now that it is not being used for SEP is up to you, but I'd suggest reviewing it's usage.

Oh, as you're all working now, it'd be appreciated if you could see your way to marking any posts you've found useful with the ol' "Thumbs Up" or as the Solution wink

Let us know if you encounter any issues.

levd's picture

SMTatCST,

Marked as solution, thanks!

LEVD