Testing directory server authentication for an administrator account

You can check that an Active Directory or LDAP server authenticates the user name and password for an administrator account that you create. The check evaluates whether you entered the user name and password correctly and whether the account name exists on the directory server.
You use the same user name and password for an administrator account in Symantec Endpoint Protection Manager as you do in the directory server. When the administrator logs on to the management server, the directory server authenticates the administrator's user name and password. The management server uses the directory server configuration that you added to search for the account on the directory server.
You can also check whether an Active Directory or LDAP server accepts a directory server entry with no user name and password. An entry with no user name or password uses anonymous access: the management server binds to the directory anonymously when it searches for the administrator's account, and the administrator still authenticates with his or her own directory password. You should create an administrator account that uses an anonymous-access entry so that administrators are never locked out if the password of the account in the directory server entry changes on the directory server. Note that allowing anonymous LDAP queries on the directory server also lets any unauthenticated client on the network enumerate it; a dedicated read-only service account with a managed password is the usual alternative.
On a Windows Server 2003 Active Directory server, anonymous authentication is disabled by default. Therefore, when you add a directory server entry without a user name to an administrator account and click Check Account, an Account Authentication Failed error message appears. To work around this issue, create two directory server entries, one with a user name and password for testing, and one for anonymous access. The administrator can still log on to the management server using a valid user name and password.
Step 1: Add multiple directory server connections
To make testing easier for anonymous access, add at least two directory server entries. Use one entry to test the authentication, and the second entry to test anonymous access. These entries all use the same directory server with different configurations.
By default, most users reside in CN=Users unless they have been moved to a different organizational unit. Users in the LDAP directory server are created under CN=Users,DC=<sampledomain>,DC=local. To find out where a user resides in LDAP, use ADSIEdit.
Use the following information to set up the directory servers for this example:
  • CN=John Smith
  • OU=test
  • DC=<sampledomain>
  • DC=local
The user in this example therefore has the distinguished name CN=John Smith,OU=test,DC=<sampledomain>,DC=local; the user was moved out of CN=Users into the OU named test.
The example uses the default Active Directory LDAP port (389) but can also use Secure LDAP (636). Over port 389 a simple bind sends the user name and password in cleartext unless the directory server requires signing, so use 636 in production.
To add multiple directory server connections
  1. To add the directory server connections to check Active Directory and LDAP server authentication, on the console, click Admin > Servers, select the default server, and click Edit the server properties.
  2. On the Directory Servers tab, click Add.
  3. On the General tab, add the following directory server configurations, and then click OK.
    Directory 1
    • Name: <sampledomain> Active Directory
    • Server Type: Active Directory
    • Server IP Address or Name: server01.<sampledomain>.local
    • User Name: <sampledomain>\administrator
    • Password: <directory server password>
    Directory 2
    • Name: <sampledomain> LDAP with User Name
    • Server Type: LDAP
    • Server IP Address or Name: server01.<sampledomain>.local
    • LDAP Port: 389
    • LDAP BaseDN: DC=<sampledomain>,DC=local
    • User Name: <sampledomain>\administrator
    • Password: <directory server password>
    Directory 3
    • Name: <sampledomain> LDAP without User Name
    • Server Type: LDAP
    • Server IP Address or Name: server01.<sampledomain>.local
    • LDAP Port: 389
    • LDAP BaseDN: <empty>
      Leave this field empty when you use anonymous access.
    • User Name: <empty>
    • Password: <empty>
      After you click OK, a warning appears because the entry has no user name or password, but the directory server entry is saved and is valid. The same warning appears if you enter a BaseDN without a user name and password.
Step 2: Add multiple administrator accounts
You add multiple system administrator accounts. The administrator accounts themselves always have a user name; it is the directory server entry used for anonymous access (Directory 3) that has no user name or password.
To add multiple administrator accounts
  1. To add the administrator accounts using the directory server entries, on the console, click Admin > Administrators, and add administrator accounts that use the directory server entries from the previous step.
  2. After you add each administrator account and click Check Account, a message appears. In some cases the message appears to invalidate the account information, but the administrator can still log on to Symantec Endpoint Protection Manager.
  3. On the General tab, enter the following information:
    Administrator 1
    Administrator 2
    • User Name: john
    • Full Name: John Smith
    • Email Address: john@<sampledomain>.local
    • On the Access Rights tab, click System Administrator.
    • On the Authentication tab, click Directory Authentication. In the Directory Server drop-down list, select <sampledomain> LDAP with User Name. In the Account Name field, type john. Click Check Account.
      The check fails. The LDAP entry matches the Account Name against the user's CN (John Smith in this example), not against the logon name john, so the system administrator john cannot log on to Symantec Endpoint Protection Manager with directory authentication.
    Administrator 3
    • User Name: john
    • Full Name: John Smith
    • Email Address: john@<sampledomain>.local
    • On the Access Rights tab, click System Administrator.
    • On the Authentication tab, click Directory Authentication. In the Directory Server drop-down list, select <sampledomain> LDAP with User Name. In the Account Name field, type John Smith. Click Check Account.
      The check succeeds because John Smith is the user's CN, and the system administrator john can log on to Symantec Endpoint Protection Manager with directory authentication.
    Administrator 4
    • User Name: john
    • Full Name: John Smith
    • Email Address: john@<sampledomain>.local
    • On the Access Rights tab, click System Administrator.
    • On the Authentication tab, click Directory Authentication. In the Directory Server drop-down list, select <sampledomain> LDAP without User Name. In the Account Name field, type John Smith. Click Check Account.
      The account check fails because the entry searches the directory anonymously, which Active Directory refuses by default. The system administrator john (John Smith) can nevertheless log on to Symantec Endpoint Protection Manager with a valid user name and password.
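The following PowerShell script is an added example and is not part of the Symantec page or of Symantec Endpoint Protection Manager. It reproduces with plain LDAP what the three directory server entries in Step 1 and the Check Account results in Step 2 do, so the console's messages can be compared with the directory's actual behaviour: an authenticated bind followed by a search for the account by CN (John Smith) and by logon name (john), and an anonymous bind followed by the same search. It also shows the DN lookup that the text suggests doing with ADSIEdit. The host name, base DN and service account are placeholders taken from the page's sample domain, and it is an assumption that the logon name john is stored in sAMAccountName, as is usual in Active Directory.

```powershell
# Added example, not from the Symantec page or product. Assumptions: host name,
# base DN and service account are placeholders from the page's sample domain;
# the logon name "john" is assumed to live in sAMAccountName (usual for AD).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'server01.sampledomain.local'   # placeholder host name
$Port     = 389                             # 636 for Secure LDAP
$BaseDN   = 'DC=sampledomain,DC=local'
$BindUser = 'sampledomain\administrator'    # account from the Directory 1/2 entries
$BindPass = Read-Host -AsSecureString 'Directory server password'

# Escape a value before it goes into an LDAP filter (RFC 4515), so an account
# name typed into the console cannot change the meaning of the search.
function ConvertTo-LdapFilterValue([string]$Value) {
    # Backslash first, so the escapes added afterwards are not escaped again.
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# Open and bind a connection. With a credential this is the simple bind that
# Directory 1 and Directory 2 use; without one it is the anonymous bind of
# Directory 3. Bind() throws LdapException if the directory refuses it.
function New-LdapConnection([string]$Server, [int]$Port, [System.Net.NetworkCredential]$Credential) {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, $Port
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Port -eq 636) { $conn.SessionOptions.SecureSocketLayer = $true }
    if ($Credential) {
        # A simple bind on port 389 sends the password in cleartext unless the
        # server requires signing, which is why 636 is preferred in production.
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential
    } else {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    }
    $conn.Bind()
    return $conn
}

# Look an account up under the BaseDN, the way Check Account has to, and return
# the DN that was found or a description of why nothing was found.
function Find-DirectoryUser {
    param(
        [System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [string]$BaseDN,
        [string]$Attribute,    # 'cn' matches an LDAP entry's Account Name; 'sAMAccountName' the logon name
        [string]$AccountName
    )
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $BaseDN
    $req.Filter = "(&(objectClass=user)($Attribute=$(ConvertTo-LdapFilterValue $AccountName)))"
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    [void]$req.Attributes.Add('distinguishedName')
    try {
        $resp = $Connection.SendRequest($req)
        if ($resp.Entries.Count -eq 0) { return "no match for $($req.Filter)" }
        return $resp.Entries[0].DistinguishedName
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Active Directory refuses anonymous searches below the rootDSE by default.
        return "search refused: $($_.Exception.Message)"
    }
}

# Directory 1 and 2: authenticated bind, then the two Account Name variants.
$cred = New-Object System.Net.NetworkCredential -ArgumentList $BindUser, $BindPass
$conn = New-LdapConnection $Server $Port $cred
"Account Name 'john'       (cn):             " + (Find-DirectoryUser $conn $BaseDN 'cn' 'john')
"Account Name 'John Smith' (cn):             " + (Find-DirectoryUser $conn $BaseDN 'cn' 'John Smith')
"Logon name   'john'       (sAMAccountName): " + (Find-DirectoryUser $conn $BaseDN 'sAMAccountName' 'john')
$conn.Dispose()

# Directory 3: anonymous bind. Active Directory usually accepts the bind itself
# but refuses the search, which is what Check Account reports as a failure.
try {
    $anon = New-LdapConnection $Server $Port
    "Anonymous search for 'John Smith':          " + (Find-DirectoryUser $anon $BaseDN 'cn' 'John Smith')
    $anon.Dispose()
} catch [System.DirectoryServices.Protocols.LdapException] {
    "Anonymous bind refused: $($_.Exception.Message)"
}
```

Run it on the management server or any Windows host that can reach the directory server. With the page's sample user, the cn search for john reports no match while the search for John Smith returns CN=John Smith,OU=test,DC=sampledomain,DC=local, which is the Administrator 2 versus Administrator 3 difference; the sAMAccountName search shows where the logon name john actually lives, which is the DN lookup the text suggests doing with ADSIEdit. The anonymous search is refused by a default Active Directory, which is the Administrator 4 result. The administrator's own logon is a separate bind with the administrator's own password and does not depend on the service account in the entry, which is why that logon can still succeed when Check Account fails.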