
SEC 5.5.1 launch error : The user "domain\account" is not assigned to any subestates.

Hello, 

When I try to launch the SEC I get the "subestates" error message.

My domain account is a member of the Sophos Full Administrators local group.

I have looked around the dbo.UserSubEstates, dbo.Users, dbo.SubEstates......and it should all be good. 

It seems that no matter what I change/modify, the error message won't go away (I have created a "test" subestate in the database...mapped my account to it....still same error).

 

Does anyone have an idea on what the next step would be ? I need to get this fixed and launch this console.

 

Thank you.

 

 



  • Hello Mihai Sandu,

    you can't launch the console at all? The local console on the management server? How did you create a "test" subestate?

    Christian

  • Hello, 

     


    When I launch the console it gives me the subestates error message. Initially I was on a setup where I had a SQL server with only the DB component installed and another Admin server with the Console and Management server.

    I have since then installed all 3 components on the database server just to test if it will work....same error message.

    The "test" subestate was created from the sql manager adding a row to the dbo.subestates table that contained just the "default" subestate .

     

    Mihai

  • Hello Mihai,

    neither setup worked ... or? Do I understand correctly that you did an install with a remote database, you couldn't open the console. Then you installed all components on the database server - same results? And with this user you've also installed SEC?

    I encountered this error after a migration ... can't remember what went wrong and how I corrected it. 

    Christian

  • Hello, 

     

     

    Setup worked with the same account (which is domain account admin and also SQL db owner/admin etc). It is after the setup, when launching the console, that I get the error.

     

    It's a long story. We were in version 5.4.1 and for some time everything was OK. Then all of a sudden we started getting this "user not assigned to subestates" error message. Not managing to solve it, I thought that upgrading to 5.5.1 could help...I was wrong...even after the upgrade, when launching the console....I get the same error message.

    Since then I have completely removed Sophos on both the Admin and SQL server (even deleting the Sophos DB) .....reinstalled in 5.5.1...only to end up with the same error message in the end....which is a bit frustrating I must admit.

    I have run out of ideas or things to try. 

     

    Mihai

  • Hello Mihai,

    The simplest possible reason behind this transient error is often communication issues between SEC and the AD server. If you can check for any potential issues faced by SEC while communicating with the AD, this might help resolve this once and for all.

    Thanks,

    Vikas

  • Hello Mihai and Vikas,

    as far as I understand it the issue is 1. not transient but permanent and 2. was observed on two different servers.

    I assume that the error is logged in the DirectoryService.log (%ProgramData%\Sophos\ManagementServer\log\) but can't say if it contains any additional useful information. Hm ... you have perhaps some other user that can log in to the server, if not create one and make it a member of the Sophos Full Administrators group. Wonder if you get the same error. Or did you already try with another user?

    Christian 

  • Hello, 

     

    the logs in the %ProgramData%\Sophos\ManagementServer\log\ do not seem to contain any info related to our issue.

     

    Performing a test with a newly created local user (not domain) that I then added to the local admin group and Sophos Full Administrators group on the server, I have experienced a different error message:

     

    " in order to be able to execute the SEC you must be a member of the Sophos Console Administrators group and have a DCOM access on the "servername" "

     

    Making the account a member of the Console Admins doesn't change the error :)

     

     

    Thanks, 

     

    Mihai

     

  • Hello Mihai,

    "you must be a member of the Sophos Console Administrators group"

    sorry, forgot to mention the SCA group. DCOM membership should only be necessary for a Remote Console. Excuse me for mentioning the obvious: A logoff/logon is required after changing group membership.
    Anyway, the newly created user should either be able to open the console or encounter the no subestate error.

    Christian

  • Hello, 

     

     

    Last test shows that using the newly created local test user ...the console opens OK.

    On the other hand I still have the same subestate errors for all the existing domain accounts, although the group membership on the Sophos machine is identical between the local and domain accounts (moreover the domain accounts should have even more permissions as they are members of several domain and exchange admin groups).

     

    One thing that maybe it's important to mention is that some time ago the domain controllers of our domain have been replaced..so I don't know if that could impact the authentication of domain accounts on the Sophos machine (I mean if anywhere in the registry for example there might be the name of an old DC that is no longer available referenced).

     

    Bottom line is that we need to use the domain accounts and given that the permissions look the same between those and the local test account that works....I don't know where to go next from here.

     

     

    Thank you, 

    Mihai

  • Hello Mihai,

    so Vikas was more or less correct.

    SEC shouldn't be aware of AD specifics like DCs. It uses Windows APIs and names (not SIDs) whenever possible. It seems to be some issue with the Sophos Full Administrators security group. You can log on with the domain account, you are also able to start the Console - i.e. you get as far as the no sub-estates that suggests that membership for the Sophos Console Administrators group is correctly seen. You can test this assumption by removing a domain account from this group (watch for inheritance) - you should then get the must be a member error.
    Does net localgroup "sophos full administrators" output the expected members?

    Christian