The user was unable to install the CCS console on a remote client computer using the installation files on the CCS application server. When the installation files where copied from the CCS application server to the remote client the installation completed successfully, however any attempt to login to CCS using the remote console fails with the below error message being displayed.
MESSAGE: "ConfigFileManager.DownloadConfigThroughBridge : System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'net.tcp://secccsapprd:1431/CCS/Services/Applications/Console/IAppsInfraBridge/WindowsSecurity' for target 'net.tcp://secccsapprd:1431/CCS/Services/Applications/Console/IAppsInfraBridge/WindowsSecurity' failed. See inner exception for more details. ---> System.ComponentModel.Win32Exception: Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'Symantec.CSM.AppServer/SECCCSAPPRD'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.
This issue is generally caused by the existence of duplicate SPN entries or incorrectly configured SPN entries. Reviewing the SymConsole logs will likely reveal errors similar to the one detailed above.
Check for duplicate SPN entries either by using the setspn -X command or by using the CCSSPNUTIL.exe utility which is found in the "C:\Program Files\Symantec\CCS\Reporting and Analytics\Application Server" directory. Any duplicate entries should be removed. Only one SPN configured per Directory service user and Application service user should exist.
Imported Document ID: TECH147726
Subscribing will provide email updates when this Article is updated. Login is required.