SymantecEndpointEncryptionAppPool stops when clients attempt to check in. Client check in fails. Clients receive error in EACommunicator logs "SubmitReport failed with error - The request failed with HTTP status 503: Service Unavailable." Restarting the app pool results in it stopping again once a client attempts to check in.
On client machine:
EACommunicatorSrv Log will contain error:
SubmitReport failed with error - The request failed with HTTP status 503: Service Unavailable
On Management Server:
Event Viewer > Windows Logs > System contains a Warning with a Source of WAS:
"The identity of application pool SymantecEndpointEncryptionAppPool is invalid. The user name or password that is specified for the identity may be incorrect, or the user may not have batch logon rights."
In some environments the Domain User account being used for SQL database access may not have "Log on as Batch" rights on the Symantec Endpoint Encryption Management Server. When using Windows Authentication for SQL database access, the account specified is also used as the Identity for the SymantecEndpointEncryptionAppPool within IIS. If this account does not have "Log on as batch job" rights, the app pool can be started with this user, however the scripts that need to be run at check-in time will not be allowed to run and the app pool will stop.
The "Log on as Batch" rights are assigned in the machines Local Security Policy. Depending on whether this is being controlled by Group Policy, the changes may be made on the local machine, or may need to be made in Group Policy.
To grant "Log on as batch job" rights on the local machine:
1. Click Start > Run > and type secpol.msc
2. Expand Local Policies > User Rights Assignment
3. Find and open "Log on as batch job"
4. If the "Add User or Group" button is available, use this to add the Domain User that is set as the Identity for the App Pool
Note: If the "Add User or Group" button is unavailable, then this policy is being controlled by Group Policy. If so, follow the directions below
5. Click Recycle for SymantecEndpointEncryptionAppPool in IIS > Application Pools
To grant "Log on as batch job" rights through Group Policy:
1. Locate the Group Policy that is controlling this setting.
2. Right click > Edit
3. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
4. Find and open "Log on as batch job"
5. Use the "Add User or Group" button to add the Domain User that is set as the identity for the App Pool
6. Click Recycle for the SymantecEndpointEncryptionAppPool in IIS > Application Pools
Subscribing will provide email updates when this Article is updated. Login is required.