Enterprise Vault™ Compliance Accelerator Installation Guide
- Introducing Compliance Accelerator
- Preparing to install Compliance Accelerator
- Configuration options for Compliance Accelerator
- Supported versions of Enterprise Vault in Compliance Accelerator environments
- Prerequisites for Compliance Accelerator
- Configuring Outlook to enable the processing of items with many attachments or many recipients
- Setting the Windows and ASP.NET Temp folder permissions
- Security requirements for temporary folders
- Disabling networking facilities that can disrupt a Compliance Accelerator environment
- Disabling the Windows Search Service on the Compliance Accelerator server
- Ensuring that the Windows Server service is running on the Compliance Accelerator server
- Configuring the SQL Server Agent service
- Assigning SQL Server roles to the Vault Service account
- Installing and configuring the SQL full-text search indexing service
- Verifying that Enterprise Vault expands distribution lists
- Configuring Intelligent Review API Authentication and Authorization
- Installing Compliance Accelerator
- Installing the Compliance Accelerator server software
- Allowing Enterprise Vault to communicate with Compliance Accelerator through the Windows firewall
- Creating the configuration database and customer databases
- Uploading the Compliance Accelerator report templates
- Configuring a dedicated server for Intelligent Review processing (optional deployment configuration)
- Configuring Compliance Accelerator for use in a SQL Server Always On environment
- Installing Compliance Accelerator in a clustered environment
- Maximizing security in your Compliance Accelerator databases
- Installing the Compliance Accelerator client software
- Uninstalling Compliance Accelerator
- Installing the Compliance Accelerator server software
- Appendix A. Ports that Compliance Accelerator uses
- Appendix B. Troubleshooting
- Error messages appear in the event log when upgrading to Compliance Accelerator 14.5
- Enterprise Vault Accelerator Manager service not created
- Enterprise Vault Accelerator Manager service does not start
- "Access is denied" message is displayed when you try to create a customer database on a UAC-enabled computer
- Cannot create or upgrade Compliance Accelerator customer databases when Symantec Endpoint Protection is running
- Permissions error when uninstalling the Compliance Accelerator client from a UAC-enabled computer
- Uninstalling the Compliance Accelerator client from a shared location may prevent other users from starting the client
- Error messages when the Intelligent Review (IR) API authentication and authorization fails
- Appendix C. Installing and configuring the Enhanced Auditing feature
- Overview
- Prerequisites for the Enhanced Auditing feature
- Installing the Enhanced Auditing feature
- Post installation steps
- Upgrading the Enhanced Auditing setup
- Modifying the Enhanced Auditing setup
- Repairing the Enhanced Auditing setup
- Uninstalling the Enhanced Auditing setup
- Managing access from Veritas Surveillance
Error messages when the Intelligent Review (IR) API authentication and authorization fails
This is a Kerberos double hop error. This error appears if the Kerberos constrained trusted delegation is not set correctly between the Compliance Accelerator Server and the Compliance Accelerator Database Server.
To fix this error, perform the following steps:
Verify if the Compliance Accelerator Server is trusted for delegation.
Check if the installation setup/environment has Kerberos constrained trusted delegation is set properly. Verify the SQL Service Service Principal Names (SPNs) for correctness, duplication, and missing SPNs. Use the Kerberos Configuration Manager tool.
Verify if the Compliance Accelerator Server is using Fully Qualified Domain Name (FQDN) and not IP Addresses for connecting to the Compliance Accelerator Configuration and the customer databases. For configuration database, verify if the <install dir \Veritas Intelligent Review\IR.APIEndPoint \appsettings.json-> ConfigDBConnection key is using the FQDN and not IPAddress for connection string. For the customer database, verify if the configuration database->tblCustomer table for the 'Server' field for that customer is using FQDN and not IPAddress.
Verify if the SQL Server service account is a user, then that user is trusted for delegation, and various properties like the user is allowed for the delegation are set correctly.
Refer to the sample screen below.
To fix this issue, perform the following procedure:
- Create the correct SPNs. For example, If the SQL Service is running as a Vault Service account (VSA) user, create or check if proper SPNs exist for VSA.
- Create SPNs for the availability group listener as well as the actual SQL nodes.
- Enable the Compliance Accelerator Server to trust for delegation (only the listener). Refer to the sample image below.
Note:
Choose Add… while trusting for delegation and choose the SQL Service account (VSA) on which the SPNs are configured.
- Restart the Active Directory Domain service on the Domain Controller.
- Restart Internet Information Services (IIS) on the Compliance Accelerator Server.
- Call the Intelligent Review (IR) API directly or via Enterprise Vault. Refer to the sample image below.
