When attempting to log in to the Symantec Endpoint Protection Manager (SEPM) with an administrator account that was created to authenticate against a directory server, the error 'The Administrator's user name or password is incorrect' is displayed.
If the SEPM service is restarted and the same account and credentials are used again, authentication succeeds.
Displayed error message: The Administrator's user name or password is incorrect
With SEPM logging set to FINEST, the login-#.log shows the following:
2016-08-26 06:39:16.492 THREAD 119 FINE: Found the authentication directory server for admin <insert account name>
2016-08-26 06:39:16.492 THREAD 119 INFO: Trying to authenticate against Directory Server: abc.testdomain.com Port: 389 Type: 0 SSL: false Account: <insert account name>
2016-08-26 06:39:16.492 THREAD 119 FINE: LdapUtils>> login: logging into AD...
2016-08-26 06:39:16.492 THREAD 119 FINE: LdapRootDSE>> init_internal: Retrieving RootDSE in LDAP://abc.testdomain.com:389/, ssl=false...
2016-08-26 06:39:16.492 THREAD 119 FINE: LdapUtils>> connect: Setting the properties...
2016-08-26 06:39:16.492 THREAD 119 INFO: LdapUtils>> connect: Connecting...
2016-08-26 06:39:16.492 THREAD 119 INFO: LdapUtils>> connect: Done!
2016-08-26 06:39:16.492 THREAD 119 FINE: LdapRootDSE>> init_internal: Done with retrieving RootDSE in LDAP://abc.testdomain.com:389/, ssl=false!
2016-08-26 06:39:16.507 THREAD 119 FINE: LdapUtils>> connectWithSimpleLoginForAD: using domain=abc.testdomain.com to login because the user doesn't specify one...
2016-08-26 06:39:16.507 THREAD 119 FINE: LdapUtils>> connect: Setting the properties...
2016-08-26 06:39:16.507 THREAD 119 INFO: LdapUtils>> connect: Connecting...
2016-08-26 06:39:16.523 THREAD 119 WARNING: LdapUtils>> connect: Exception...Duration: 0.016s (16.0ms)
2016-08-26 06:39:16.523 THREAD 119 WARNING: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580 ]
Note: Symantec has not seen this issue occur when the configured directory server is the top-level domain.
When using a directory server that is not the top-level domain, the SEPM administrator should enter the account's User Principal Name (UPN), which typically matches the user's email address, in the Account Name field when configuring the administrator account. This avoids the failure that occurs when SEPM tries to retrieve the RootDSE for the user account from the sub-domain: the UPN directs the directory server to the top-level domain to validate the user and their credentials.
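The log pattern above (domain inferred from the directory server because the account name carries no UPN, followed by LDAP error 49 with AD sub-code 52e) can be recognised automatically when triaging login-#.log. The following script is an added example, not Symantec's code; the sample log lines and the account name "jdoe" are constructed to match the excerpt shown above, and the regular expressions assume that exact message format.

```python
import re

# Constructed sample modelled on the login-#.log excerpt above (not a real capture).
SAMPLE_LOG = """\
2016-08-26 06:39:16.492 THREAD 119 INFO: Trying to authenticate against Directory Server: abc.testdomain.com Port: 389 Type: 0 SSL: false Account: jdoe
2016-08-26 06:39:16.507 THREAD 119 FINE: LdapUtils>> connectWithSimpleLoginForAD: using domain=abc.testdomain.com to login because the user doesn't specify one...
2016-08-26 06:39:16.523 THREAD 119 WARNING: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903CF, comment: AcceptSecurityContext error, data 52e, v2580 ]
"""

# Well-known Active Directory sub-codes carried in the "data" field of an LDAP error 49 bind failure.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

AUTH_RE = re.compile(r"Directory Server: (?P<server>\S+) Port: (?P<port>\d+) .*Account: (?P<account>\S+)")
DOMAIN_RE = re.compile(r"using domain=(?P<domain>\S+) to login because the user doesn't specify one")
ERR_RE = re.compile(r"LDAP: error code (?P<code>\d+) .*data (?P<data>[0-9a-f]+)")


def triage(log_text):
    """Walk the log lines and summarise a directory-server bind attempt as a dict."""
    finding = {"server": None, "account": None, "inferred_domain": None,
               "ldap_code": None, "ad_data": None, "ad_reason": None, "upn_missing": False}
    for line in log_text.splitlines():
        if m := AUTH_RE.search(line):
            finding["server"] = m["server"]
            finding["account"] = m["account"]
            # An account name without '@' is not a UPN, so SEPM will have to guess the domain.
            finding["upn_missing"] = "@" not in m["account"]
        elif m := DOMAIN_RE.search(line):
            finding["inferred_domain"] = m["domain"]
        elif m := ERR_RE.search(line):
            finding["ldap_code"] = int(m["code"])
            finding["ad_data"] = m["data"]
            finding["ad_reason"] = AD_DATA_CODES.get(m["data"], "unknown sub-code")
    return finding


def matches_subdomain_upn_symptom(finding):
    """True when no UPN was given, SEPM inferred the domain from the server name, and AD answered 52e."""
    return (finding["upn_missing"] and finding["inferred_domain"] is not None
            and finding["ldap_code"] == 49 and finding["ad_data"] == "52e")
```

A positive result points at the account configuration (Account Name without a UPN against a sub-domain directory server) rather than at a wrong password, and a different sub-code (for example 775, locked out) would indicate a different root cause.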