Situation
When remotely installing Endpoint Protection, you see the
error: "Error: Login to [computer] failed. Check the username and
password and try again."
Cause
There are a number of different problems that can cause the
logon attempt to fail. Try each of the solutions below in order to
identify the problem.
Solution
- Solutions for Windows
- Solutions for Macs - Remote push installation is supported for Macs as of Symantec Endpoint Protection 12.1.5.
Solutions for Windows
Note: The Symantec Diagnostic Tool (SymDiag) can automatically detect many of the common problems that cause this error message to appear, and guide you to specific information on how to fix them. For more information on these settings, see http://support.microsoft.com/kb/147706
- Incorrect user name or password
- This problem can happen if the user name or password that you entered is incorrect. Enter the correct user name and password to solve the problem.
- Simple file sharing is enabled or the "Sharing and security model for local accounts" policy is set to Guest Only
- This problem can occur if Simple File Sharing (or the Sharing Wizard) is enabled on the target computer, or if the client has the "Sharing and security model for local accounts" policy set to Guest Only. In either case, the manager is not able to authenticate as Administrator. To solve the problem, see Is the "Sharing and security model for local accounts" policy set to Guest Only?.
- The Administrator account on the target computer does not have a password
- If the Administrator account on the target does not have a password set, authentication will fail. To solve this problem, see Does the Administrator account have a password?.
- Port 445 is blocked
- If the Microsoft Windows Firewall is not configured to allow File and Printer Sharing (port 445), authentication will fail. To solve this problem, see Is the Microsoft Windows Firewall blocking port 445?.
- The Remote Registry Service is set to disabled on the client computer
- If the Remote Registry Service is stopped and set to Disabled on
the client computer, the manager cannot scan the client registry because
the service cannot be started. To solve this problem, make sure that
the Remote Registry Service is set either to Manual or Automatic.
- Refer to the SEPM Tomcat logs for more information: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tomcat\Logs\scm-server-0.log
Example of remote registry failure condition from scm-server-0.log:
THREAD 91 WARNING: SearchUnagentedHost>> parseNstOutputLine: NST log line -> [WARNING: Failed to open a connection to the RemoteRegistry service on 192.168.1.230. because "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it."]
- To check the Remote Registry Service
- Click Start > Settings > Control Panel.
- Double-click Administrative Tools.
- Double-click Services.
- Double-click Remote Registry.
- Make sure that the Startup Type is set to either Manual or Automatic.
- Click OK.
- The LAN Manager authentication levels on the manager and clients are not compatible
- If the LAN Manager authentication levels on the manager and clients are incompatible, they will not be able to communicate. Normally the levels are the same, because the policy is set by Group Policy Management in Active Directory. If the computers on the network do not use this and the connections fail, check the options on the computers involved.
- To check the LAN Manager options on Windows 2003 Server, Windows XP, or Windows Vista
- Click Start > Settings > Control Panel.
- Double-click Administrative Tools.
- Double-click Local Security Policy.
- Go to Local Policies > Security Options.
- Right-click Network Security: LAN Manager authentication level, and click Properties.
- Ensure that the client and manager have the same settings.
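The Windows settings above can also be read from PowerShell instead of the Control Panel. This is an added example, not Symantec code: the function names are hypothetical, it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, and it treats an absent ForceGuest value as the Classic model.

```powershell
# Added example, not part of the original article or of any Symantec tool.
# Run Get-PushInstallPrereq on the target client (and on the manager, to
# compare LmCompatibilityLevel); run Test-SmbPort from the manager.

function Get-PushInstallPrereq {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"

    # "Sharing and security model for local accounts":
    # ForceGuest 1 = Guest only, 0 = Classic. Absent is treated as Classic (assumption).
    $forceGuest = $lsa.ForceGuest

    # "Network security: LAN Manager authentication level".
    # An absent value means the operating system default is in effect.
    $lmLevel = $lsa.LmCompatibilityLevel

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        SharingModel         = if ($forceGuest -eq 1) { 'Guest only' } else { 'Classic' }
        SharingModelOk       = ($forceGuest -ne 1)
        # StartMode is 'Auto', 'Manual' or 'Disabled' for this service.
        RemoteRegistryStart  = $svc.StartMode
        RemoteRegistryState  = $svc.State
        RemoteRegistryOk     = ($svc.StartMode -in 'Auto', 'Manual')
        LmCompatibilityLevel = if ($null -eq $lmLevel) { 'not set (OS default)' } else { $lmLevel }
    }
}

function Test-SmbPort {
    # Returns $true when TCP port 445 on the client accepts a connection.
    param([Parameter(Mandatory)][string]$ComputerName)
    $result = Test-NetConnection -ComputerName $ComputerName -Port 445 -WarningAction SilentlyContinue
    $result.TcpTestSucceeded
}

Get-PushInstallPrereq | Format-List
```

Compare the LmCompatibilityLevel line from the client with the same line from the manager; the article's requirement is that the two match.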
Solutions for Macs
- User name does not have administrative privilege
- If the Mac client computer is part of an Active Directory domain, you should use domain administrator account credentials for a remote push installation. Otherwise, have the administrator credentials available for each Mac to which you deploy.
- Remote Login is disabled
- Click System Preferences > Sharing > Remote Login and either allow access for all users, or only for specific users, such as Administrators.
- Stealth mode is enabled
- If you use the Mac firewall, disable stealth
mode. With stealth mode enabled, the remote push installation cannot
discover the client through Search Network.
To disable stealth mode on the Mac, see the following Apple knowledge base article that applies to your version of the Mac operating system.
- TCP port 22 is blocked
- Ensure that the firewall does not block the port that Secure Shell (SSH) uses, which is by default TCP port 22. This port allows the required communication for remote login.
- Known_hosts file is using public key formats other than SSH-RSA