Certain rights are required by the database user when Symantec Endpoint Protection Manager (SEPM) is configured to use SQL Windows Authentication.
SEPM tab contents may be blank or not display correctly
One or more of the following errors may be seen in a SEPM's system activity log:
Unable to fetch changed data from remote site [REMOTESITENAME]: Failed to load data: SQLState = S1000, NativeError = 0Error = [Microsoft][SQL Server Native Client 10.0]Unable to open BCP host data-file
Unable to fetch changed data from remote site [REMOTESITENAME]: Failed to load data: Return code: 1385
Event ID 4625 in Windows Security event log: An account failed to log on.... The user has not been granted the requested logon type at this machine.
From install_log.out:
java.sql.SQLException: [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'GRANITE\sepm'.
OdbcUtil> testODBCInUsrCntxt>> ODBC Test Connection failed. retValue = 1058, normal output of process:
CreateProcessAsUser failed with error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
These errors occur when the account used by the SEPM for SQL Windows Authentication lacks certain minimum required user rights and file/folder permissions.
Additionally, the ODBC connection created by SEPM is set to use the credentials of the user under which the SEPM is launched, and it requires the use of the "Secondary Logon" service to run in the context of the specified Windows Authentication user.
When using SQL Windows Authentication, SEPM requires the following rights assigned to the SQL Server database user:
SeNetworkLogonRight ("Access this computer from the network"), required for:
Core Manager connections through jTDS, used for all central SEPM business logic.
Launching the PHP process in user context for ODBC connections, used for the Reporting subsystem.
Credential verification during the Management Server Configuration Wizard (MSCW)
SeInteractiveLogonRight ("Allow log on locally"), required for:
Launching the Microsoft BCP tool in user context, used for bulk data import/export during replication & database backup/restore.
Launching the SEPM connection verification & configuration tool ODBCUtil.exe in user context, used during the MSCW.
Credential verification & database removal during uninstallation.
With Windows Authentication, the database user also requires file permissions to some SEPM directories, so that the processes running in user context can access necessary files. Paths are relative to the SEPM installation directory:
List, Read, Execute permissions:
.\bin (for the verification & configuration tools during MSCW & uninstallation)
.\php (for the Reporting subsystem)
Read, Write permissions:
.\data (for the BCP tool data import/export)
Additionally, the Secondary Logon service must be available (running, or set to Manual startup so it can be started on demand) to use SEPM with Windows Authentication for the SQL database. There are two scenarios in which the Secondary Logon service is needed:
The configuration wizard's ODBCUtil.
Tasks that download data from Symantec when the SEPM is configured to use a proxy with NTLM authentication: LiveUpdate, ThreatCon, the top threat list, and version checks. (This scenario applies only when a proxy with NTLM authentication is in use; otherwise there is no effect.)
Most other SEPM components are not affected by the state of this service, because they launch their user-context processes (as required for Windows Authentication) using lower-level API calls rather than the Secondary Logon service.
If your environment requires that this service be disabled, you may disable it once the SEPM is fully installed and configured, provided the SEPM is not using a proxy with NTLM authentication. The SEPM functions normally with Secondary Logon disabled. You will need to enable it whenever you run the Management Server Configuration Wizard, upgrade the SEPM, or use NTLM proxy authentication.
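The three prerequisites above (logon rights, folder permissions, Secondary Logon) can be audited from an elevated PowerShell session on the SEPM host. This is an added example, not code from the article or from Symantec; the account name and installation directory are placeholders passed as parameters, and a right or permission granted through group membership appears only in the printed grant list rather than as a direct match.

```powershell
# Added check script, not from the KB article or Symantec. Audits the prerequisites the
# article lists for the SQL Windows Authentication account. Run elevated on the SEPM host.
param(
    [Parameter(Mandatory)][string]$Account,   # placeholder, e.g. 'DOMAIN\sepm'
    [Parameter(Mandatory)][string]$SepmRoot   # placeholder: the SEPM installation directory
)
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 1. Logon rights: export local policy and parse the [Privilege Rights] section. A right can
#    also be granted or denied through a group, so the full grant list is printed for review.
$cfg = Join-Path $env:TEMP 'sepm-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$Matches[1]] = $Matches[2] -split ',' }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
foreach ($right in 'SeNetworkLogonRight', 'SeInteractiveLogonRight') {
    $grant  = @($rights[$right])
    $deny   = @($rights[$right -replace '^Se', 'SeDeny'])
    $direct = ($grant -contains "*$sid") -or ($grant -contains $Account)
    "{0,-24} direct grant: {1,-5} granted to: {2}" -f $right, $direct, ($grant -join ' ')
    if ($deny -contains "*$sid") { "  WARNING: $Account is explicitly denied $right (logon type not granted)" }
}

# 2. NTFS permissions on the folders the article names, from the account's own Allow ACEs
#    (permissions inherited through group membership are not resolved here).
$need = [ordered]@{
    'bin'  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'php'  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    'data' = [System.Security.AccessControl.FileSystemRights]'Read, Write'
}
foreach ($dir in $need.Keys) {
    $aces = (Get-Acl (Join-Path $SepmRoot $dir)).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' }
    $mask = 0
    foreach ($ace in $aces) { $mask = $mask -bor [int]$ace.FileSystemRights }
    $ok = (($mask -band [int]$need[$dir]) -eq [int]$need[$dir])
    ".\{0,-5} needs {1,-15} satisfied by direct ACEs: {2}" -f $dir, $need[$dir], $ok
}

# 3. Secondary Logon service: needed by ODBCUtil during the wizard and by NTLM proxy downloads.
$svc = Get-CimInstance Win32_Service -Filter "Name='seclogon'"
"Secondary Logon: state={0} start mode={1}" -f $svc.State, $svc.StartMode
if ($svc.StartMode -eq 'Disabled') { "  NOTE: enable it before running the MSCW, upgrading, or using an NTLM proxy" }
```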
ID: 3902646; 3980690
SEPM replication fails if SQL Windows authentication account does not have "log on locally" right.