Endpoint Encryption clients fail to check in if the credentials of the Client Authentication Account change

Article ID: 152429

Products

Endpoint Encryption, Drive Encryption, Desktop Email Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Endpoint Encryption clients stop checking into the Endpoint Encryption Management Server and fail to update their status or download policy.

Environment

Symantec Endpoint Encryption 11.0 and above.

Cause

The password of the IIS Client Authentication Account has been changed or has expired, so the credentials embedded in the client no longer authenticate to IIS.

You can check the username and domain name of the IIS Client Authentication Account by navigating to this registry location on the client:

HKEY_LOCAL_MACHINE\SOFTWARE\Encryption Anywhere\Framework\Client Database

Check the following registry values under that key:

  1. AccountName - the username of the IIS Client Authentication Account.
  2. AccountDomain - the Windows domain name of the IIS Client Authentication Account.

These values identify the account only; whether its password has expired or has been changed since the client package was generated must be checked in Active Directory.
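The check described above, as an added PowerShell diagnostic (not Symantec's code): it reads the account identity from the client's registry key and then reports the account's password state from Active Directory. It assumes the RSAT ActiveDirectory module is installed where it runs and that the caller can read the account's attributes; the function names are this example's own.

```powershell
# Added diagnostic (not Symantec's code): read the IIS Client Authentication Account
# identity that the SEE client stores in its registry key, then check that account's
# password state in Active Directory. Assumes the RSAT ActiveDirectory module is
# available and the caller is allowed to read the account's attributes.

$regPath = 'HKLM:\SOFTWARE\Encryption Anywhere\Framework\Client Database'

function Get-SeeClientAuthAccount {
    $reg = Get-ItemProperty -Path $regPath -ErrorAction Stop
    [pscustomobject]@{
        AccountName   = $reg.AccountName
        AccountDomain = $reg.AccountDomain
    }
}

function Test-SeeClientAuthAccount {
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][string]$AccountDomain
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $AccountName -Server $AccountDomain `
        -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired, Enabled, LockedOut

    # A fine-grained password policy overrides the domain default when one applies.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $user -Server $AccountDomain
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy -Server $AccountDomain }

    # MaxPasswordAge of zero means the policy itself never expires passwords.
    $expiresOn = $null
    if (-not $user.PasswordNeverExpires -and
        $policy.MaxPasswordAge -gt [TimeSpan]::Zero -and
        $user.PasswordLastSet) {
        $expiresOn = $user.PasswordLastSet + $policy.MaxPasswordAge
    }

    $problems = @()
    if (-not $user.Enabled)              { $problems += 'account disabled' }
    if ($user.LockedOut)                 { $problems += 'account locked out' }
    if ($user.PasswordExpired)           { $problems += 'password expired' }
    if (-not $user.PasswordNeverExpires) { $problems += 'password subject to expiry; set it to never expire' }

    [pscustomobject]@{
        Account              = "$AccountDomain\$AccountName"
        Enabled              = $user.Enabled
        LockedOut            = $user.LockedOut
        PasswordExpired      = $user.PasswordExpired
        PasswordNeverExpires = $user.PasswordNeverExpires
        PasswordLastSet      = $user.PasswordLastSet
        PasswordExpiresOn    = $expiresOn
        Problems             = ($problems -join '; ')
    }
}

$acct = Get-SeeClientAuthAccount
Test-SeeClientAuthAccount -AccountName $acct.AccountName -AccountDomain $acct.AccountDomain | Format-List
```

A PasswordLastSet later than the date the client *.msi package was generated means the embedded password no longer matches, even when the account is otherwise enabled and not expired.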

Resolution

The Endpoint Encryption Installation Guide states that the IIS Client Authentication Account is a regular domain user account and does not require specific privileges.

While this account needs only to be a member of the Domain Users security group, it should be treated as a service account and its password should be set to never expire.

The account is used by the Endpoint Encryption clients to authenticate to IIS when they report in to the Endpoint Encryption Management Server. Changing its password means the clients can no longer check in with, or be managed by, the Endpoint Encryption Management Server, because the password of the Endpoint Encryption IIS Client Authentication Account is embedded in the Endpoint Encryption *.msi installation files.

During the Endpoint Encryption Client generation process, you must enter valid credentials for the Client Authentication Account. This will embed the credentials needed in order to authenticate to the Endpoint Encryption Management Server.

Symantec does not recommend changing these credentials, as doing so causes client-server communications to fail.

If your organization's policies require that the Endpoint Encryption IIS Client Authentication Account password be changed periodically, be aware that you will need to generate updated *.msi installation files and reinstall the application on the existing endpoints.

Workaround:
If the IIS Client Authentication Account password has been changed, or is no longer known, Anonymous Authentication can be enabled temporarily in IIS so that the deployed SEE Clients can communicate with the SEE Management Server again. Once the SEE Clients are communicating, issue the "Change Web Access server command" on the SEE Management Server; once the clients receive this update they will start to communicate using the new password.

Once all the SEE Clients are communicating with the new password, disable Anonymous Authentication, re-enable Windows Authentication, and check that all clients continue to check in. While Anonymous Authentication is enabled, anything that can reach the web service can talk to it without credentials, so keep that window as short as possible.
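The IIS side of the workaround above, as an added PowerShell helper (not Symantec's code): it shows the current authentication state of the SEE web application and switches it between Anonymous and Windows authentication so the temporary window can be opened and closed deliberately. It assumes it is run elevated on the SEE Management Server with the WebAdministration module present; the "site/application" path the SEE clients post to is not named on this page, so the $SeeAppPath value below is a placeholder to replace with your own, and the function names are this example's own.

```powershell
# Added helper (not Symantec's code) for the Anonymous Authentication workaround:
# report and switch the authentication mode of the SEE web application in IIS.
# Assumptions: run elevated on the SEE Management Server; WebAdministration module
# present; $SeeAppPath is the "site/application" the SEE clients post to in your
# deployment (the value used below is a placeholder, not a documented name).

Import-Module WebAdministration -ErrorAction Stop

$authBase = 'system.webServer/security/authentication'

function Get-SeeIisAuth {
    param([Parameter(Mandatory)][string]$SeeAppPath)
    foreach ($mode in 'anonymousAuthentication', 'windowsAuthentication') {
        $enabled = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SeeAppPath `
            -Filter "$authBase/$mode" -Name enabled
        [pscustomobject]@{
            Location = $SeeAppPath
            Mode     = $mode
            Enabled  = [bool]$enabled.Value
        }
    }
}

function Set-SeeIisAuth {
    param(
        [Parameter(Mandatory)][string]$SeeAppPath,
        [Parameter(Mandatory)][ValidateSet('Anonymous', 'Windows')][string]$Mode
    )
    $anon = ($Mode -eq 'Anonymous')

    # Writing through -PSPath 'IIS:\' with -Location stores the setting as a <location>
    # tag in applicationHost.config. That works even when the authentication sections
    # are locked at server level (overrideModeDefault="Deny"), where setting them from
    # the application's own web.config would fail.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SeeAppPath `
        -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $anon
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SeeAppPath `
        -Filter "$authBase/windowsAuthentication" -Name enabled -Value (-not $anon)

    # Exactly one of the two modes is on after this call; show the result.
    Get-SeeIisAuth -SeeAppPath $SeeAppPath
}

# Usage: open the anonymous window, issue "Change Web Access server command" in the
# SEE Management Server console, confirm the clients check in with the new password,
# then close the window again.
$SeeAppPath = 'Default Web Site/SEEMS'   # placeholder; substitute your SEE application path
Set-SeeIisAuth -SeeAppPath $SeeAppPath -Mode Anonymous
# ... wait until all clients have checked in with the new password, then:
# Set-SeeIisAuth -SeeAppPath $SeeAppPath -Mode Windows
```

Run Get-SeeIisAuth again after the final switch and keep the output with the change record, so there is evidence that Windows Authentication was restored and Anonymous Authentication was not left enabled.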

New Feature: Beginning with SEE 11.4, a new authentication type called OAuth was introduced, which uses tokens embedded in the client to authenticate to the server. This avoids using account credentials for authentication entirely and can be used to avoid SEE IIS Authentication password issues. More information about this feature and how to configure it is in the article "OAuth Communications with Symantec Endpoint Encryption 11.4 and above".

Additional Information

Etrack: 4240950