You have not exceeded your allocated number of clients as specified by your license. However, newly deployed Symantec Endpoint Protection 12.1 clients now display a recurring error in their logs: "Cannot assign a client authentication token." Why are clients generating this error? Should any action be taken?
The error can take multiple forms. Some examples are:
- Cannot assign a client authentication token. This client is over the maximum allocation of client authentication tokens.
- Cannot assign a client authentication token. There was a general communication failure.
- Cannot assign a client authentication token. The returned error code was 86.
- Reputation check timed out during unproven file evaluation, likely due to network delays.
When the Symantec Endpoint Protection Manager (SEPM) counts the number of deployed licenses, it allocates a license to every client that is online, or that is not currently online, but exists as a client in the SEPM database.
The typical configuration of the SEPM is that the SEPM will "remember" what clients have attached to it for up to 60 days after they stop checking in before they are deleted and the license is scavenged and made available for redeployment.
When a newly deployed client first checks in, it will receive its license from the SEPM, and then connect to Symantec servers "in the cloud" to request its Client Authentication Token (CAT). Symantec Endpoint Protection 12.1 associates the CAT with the client ID value (the "Hardware ID") that individually identifies a specific client. If a client receives a new Hardware ID, it will be treated as a new client, and thus must receive a new CAT.
The Symantec cloud-based servers do not currently implement any level of license re-use or scavenging of licenses from decommissioned clients.
This means that although the SEPM may correctly report no "over-deployment" of the license, the cloud-based systems hosted by Symantec will still register an over-deployment, and will not provision the new client with a CAT.
The only functionality that is lost when a SEP 12.1 client fails to receive a CAT is the ability to make submissions of new files to Symantec's reputation databases. (Symantec's reputation-based solutions will not honor submissions that do not come from a customer with a valid license.) The client can still perform reputation checks, receive new content and will continue to work normally.
As the information in the reputation servers is fed by over 150 million users worldwide, the error message seen on a number of individual computers in an environment should simply be ignored. It is essentially cosmetic.
Insight reputation-based protection was added in Symantec Endpoint Protection 12.1 (SEP 12.1). This article does not apply to SEP 11 clients or to other products such as Symantec Endpoint Protection.cloud.