KB Article | Forcepoint Support

Problem Description

The TRITON Settings Database Service fails to start, or starts and then stops immediately. The error reported is:
 
"Could not start the Websense TRITON Settings Database. The service did not start due to a logon failure."
 
The Policy Database Service fails to start, or starts and then stops immediately. The error reported is:
 
"Could not start the Websense Policy Database. The service did not start due to a logon failure."

The TRITON Settings Database Service runs as a local postgres_eip user, which is created during installation.
 
The Policy Database Service runs as a local WebsenseDBUser user, which is also created during installation.
 
Other services that report the same error run under the domain service account created for the product, shown as Domain\websenseuser or websenseuser@domain.com.
 
These accounts must hold the Log on as a service right in the Windows Local Security Policy for the services to start.
 
The Allow log on locally and Log on as a service rights are granted to postgres_eip and WebsenseDBUser automatically during installation. However, if these rights are defined by a local or Group Policy that does not include the accounts, they are stripped when the policy is applied (typically at logon or reboot). It is also possible, though rare, for these rights to be lost during a Windows Update on the server.

Resolution

postgres_eip

The postgres_eip user is used for the TRITON Settings Database service. If this service is down, Forcepoint Security Manager (formerly TRITON Manager) will not load. The postgres_eip account is created during the TRITON Infrastructure install.

To verify that the postgres_eip user holds the required rights:

Note By default, Windows 2008 R2 does not allow local accounts to have the Log on as a service or Allow log on locally rights. On other platforms, these rights may be restricted by the Local Security Policy or a Group Policy Object (GPO).
  1. Click Start, in the Search programs and files box type secpol.msc, and press Enter.
  2. Under Security Settings, click the arrow to expand Local Policies.
  3. Click User Rights Assignment.
  4. Under Policy, scroll down, right click Log on as a service, and click Properties.
  5. Verify that the postgres_eip user is listed on the Local Security Setting tab.
  6. Click OK.
  7. Scroll up, right click Allow log on locally, and click Properties.
  8. Verify that the postgres_eip user is listed on the Local Security Setting tab.
  9. Click OK.
Note Also scroll down, right click Deny log on as a service, click Properties, and make sure postgres_eip is not listed there. A Deny entry overrides an Allow entry, so the service fails with the same logon error even when the Allow rights are present.
  1. If the rights are restricted by GPO, create a new GPO that applies to the Websense server, add the Log on as a service and Allow log on locally rights for the postgres_eip account, and make sure a parent policy cannot override the values (for example, mark the new GPO as Enforced). Then run gpupdate /force on the Websense server to apply the new GPO.
  2. For GPO, postgres_eip must be a member of Users, NOT Administrators.
Note Adding postgres_eip to Administrators is both a security risk and a cause of this failure: PostgreSQL refuses to start under an account with administrative privileges, so the service will not come up. This is why each GPO section stresses that these accounts must not be Administrators.

To set a password:
  1. Click Start, click Programs, click Administrative Tools, and then click Computer Management.
  2. In the navigation pane, under System Tools, click the right arrow to expand Local Users and Groups, and then click Users.
  3. Right click postgres_eip and click Set Password.
  4. Click Proceed.
  5. Type and confirm the new password and then click OK.
  6. Close the Computer Management dialog box.
  7. Click Start, click Programs, click Administrative Tools, and then click Services.
  8. Scroll down, right click Websense TRITON Settings Database, and click Properties.
  9. Click the Log On tab and type the new postgres_eip password.
  10. Click OK.
  11. Right click Websense TRITON Settings Database and click Start.
  12. When the service has started, close the Services dialog box.
To manually remove postmaster.pid and clear the Apache .p12 files:

Note If TRITON services stopped unexpectedly, or still fail to start after the Log on as a service right has been checked or added, you may have to remove the postmaster.pid file manually. PostgreSQL normally removes this file when the service stops cleanly; a leftover copy can prevent the next start.
  1. Navigate to the \Program Files (x86)\Websense\EIP Infra\pgsql\data directory.
  2. If postmaster.pid is listed, right click it, click Rename, and rename the file to postmaster.pid.old.
  3. Click Start, click Programs, click Administrative Tools, and then click Services.
  4. Right click Websense TRITON Settings Database and click Start.
  5. The postmaster.pid file should be re-created and the service should start successfully.
  6. If the file was not created, restart the server; this releases any lock still held on the file.
  7. If the file still does not appear, a GPO may be denying file creation in that directory. Also ensure that no antivirus software is scanning the Websense directory tree (exclude it from on-access scanning).
Once the service is running properly, you may need to restart the Forcepoint Security Manager services in the correct order for the Manager to function:
  1. Stop the following services in order:
    1. Websense TRITON Web Security
    2. Websense TRITON Web Server
    3. Websense TRITON Unified Security Center
    4. Websense TRITON Settings Database
  2. Rename, move or delete the .p12 files located in \Websense\Web Security\tomcat\bin
  3. Start the following services in order:
    1. Websense TRITON Settings Database
    2. Websense TRITON Unified Security Center
    3. Websense TRITON Web Server
    4. Websense TRITON Web Security
To recreate the postgres_eip user:

Note For this step you may need the SQL Server password for SA, or for whichever account is used for the SQL connection.
  1. Open the TRITON Setup installer.
  2. Click Modify for TRITON Infrastructure.
  3. Click Repair.
    1. If Repair does not resolve the issue, run Modify instead. Do not change any settings; click through the pages until it finishes. You may be prompted for your SQL credentials if the field is not auto-populated.

WebsenseDBUser

Note The WebsenseDBUser user is used for the Policy Database service. If this service is down, many dependent services, such as Policy Server, also fail to start. WebsenseDBUser is created during the TRITON install.

Follow the instructions below to re-create the WebsenseDBUser:

To set a password:
  1. Click Start, click Programs, click Administrative Tools, and then click Computer Management.
  2. In the navigation pane, under System Tools, click the right arrow to expand Local Users and Groups, and then click Users.
  3. Right click WebsenseDBUser and click Set Password.
  4. Click Proceed.
  5. Type and confirm the new password and then click OK.
  6. Close the Computer Management dialog box.
  7. Click Start, click Programs, click Administrative Tools, and then click Services.
  8. Scroll down and right click Websense Policy Database and click Properties.
  9. Click the Log On tab and type the new WebsenseDBUser password.
  10. Click OK.
  11. Right click Websense Policy Database and click Start.
  12. When the service has started, close the Services dialog box.
Set Log On as a Service:

Note By default, Windows 2008 R2 does not allow local accounts to have the Log on as a service or Allow log on locally rights. On other platforms, these rights may be restricted by the Local Security Policy or Group Policy.
  1. Click Start, in the Search programs and files box type secpol.msc, and press Enter.
  2. Under Security Settings, click the arrow to expand Local Policies.
  3. Click User Rights Assignment.
  4. Under Policy, scroll down, right click Log on as a service, and click Properties.
  5. Verify that the WebsenseDBUser user is listed on the Local Security Setting tab.
  6. Click OK.
  7. Scroll up, right click Allow log on locally, and click Properties.
  8. Verify that the WebsenseDBUser user is listed on the Local Security Setting tab.
  9. Click OK.
Note Also scroll down, right click Deny log on as a service, click Properties, and make sure WebsenseDBUser is not listed there. A Deny entry overrides an Allow entry, so the service fails with the same logon error even when the Allow rights are present.
  1. If the rights are restricted by GPO, create a new GPO that applies to the Websense server, add the Log on as a service and Allow log on locally rights for the WebsenseDBUser account, and make sure a parent policy cannot override the values (for example, mark the new GPO as Enforced). Then run gpupdate /force on the Websense server to apply the new GPO.
  2. For GPO, WebsenseDBUser must be a member of Users, NOT Administrators.
Note Adding WebsenseDBUser to Administrators is both a security risk and a cause of this failure: PostgreSQL refuses to start under an account with administrative privileges, so the service will not come up. This is why each GPO section stresses that these accounts must not be Administrators.

To clear the Web and Apache .p12 files:
  1. Click Start, in Search programs and files type cmd, then right click Command Prompt and choose Run as administrator.
  2. Navigate to the \Websense\Web Security\ directory.
  3. Type websenseadmin stop
  4. Stop the following services in order:
    1. Websense TRITON Web Security (may already be stopped)
    2. Websense TRITON Web Server
    3. Websense TRITON Unified Security Center
    4. Websense TRITON Settings Database
  5. Rename or move the .p12 files located in \Websense\Web Security\bin
  6. Rename or move the .p12 files located in \Websense\Web Security\tomcat\bin
  7. In the command prompt, navigate back to \Websense\Web Security\ if you are no longer there.
  8. Type websenseadmin start
  9. Start the following services in order:
    1. Websense TRITON Settings Database
    2. Websense TRITON Unified Security Center
    3. Websense TRITON Web Server
    4. Websense TRITON Web Security (if it is already running, restart it)
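The two stop, clean and start procedures in this article (the postmaster.pid and .p12 steps in the postgres_eip section, and the websenseadmin procedure just above) as one script. This is an added example, not Forcepoint's own tooling. It assumes the default install root under Program Files (x86)\Websense, that the services are addressed by the display names shown in services.msc, and that websenseadmin is invocable from \Websense\Web Security\ as in step 3 above. The .p12 files are moved to a timestamped backup folder instead of being deleted, so the step can be reverted.

```powershell
# Added example (not Forcepoint code): scripted stop / clean / start sequence from the two
# procedures in this article. Run from an elevated PowerShell prompt on the Security Manager server.
param(
    [string]$WebsenseRoot = "${env:ProgramFiles(x86)}\Websense",   # assumed default install root
    [switch]$RunWebsenseAdmin,   # also run "websenseadmin stop/start" (the WebsenseDBUser procedure)
    [switch]$ClearBinP12         # also clear \Web Security\bin\*.p12, not only \tomcat\bin (WebsenseDBUser procedure)
)

$StopOrder = @('Websense TRITON Web Security',
               'Websense TRITON Web Server',
               'Websense TRITON Unified Security Center',
               'Websense TRITON Settings Database')
$StartOrder = $StopOrder[($StopOrder.Count - 1)..0]       # start in the reverse order
$PidFile    = Join-Path $WebsenseRoot 'EIP Infra\pgsql\data\postmaster.pid'
$P12Dirs    = @(Join-Path $WebsenseRoot 'Web Security\tomcat\bin')
if ($ClearBinP12) { $P12Dirs += Join-Path $WebsenseRoot 'Web Security\bin' }

function Invoke-WebsenseAdmin([string]$Verb) {
    # The article runs "websenseadmin stop|start" from \Web Security; cmd resolves the executable name
    Push-Location (Join-Path $WebsenseRoot 'Web Security')
    try { cmd /c "websenseadmin $Verb" } finally { Pop-Location }
}

function Set-ServiceState([string]$DisplayName, [string]$Target) {
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$DisplayName' is not installed on this host; skipping"; return }
    if ($svc.Status -eq $Target) { Write-Host "$DisplayName already $Target"; return }
    if ($Target -eq 'Stopped') { Stop-Service -InputObject $svc -Force } else { Start-Service -InputObject $svc }
    $svc.WaitForStatus($Target, [TimeSpan]::FromMinutes(3))   # throws if the state is not reached in time
    Write-Host "$DisplayName -> $Target"
}

# 1. Stop everything, top of the stack first
if ($RunWebsenseAdmin) { Invoke-WebsenseAdmin 'stop' }
foreach ($name in $StopOrder) { Set-ServiceState $name 'Stopped' }

# 2. A postmaster.pid still present after the Settings Database has stopped is stale; set it aside
if (Test-Path $PidFile) {
    Move-Item -Path $PidFile -Destination "$PidFile.old" -Force
    Write-Host "Renamed stale postmaster.pid to postmaster.pid.old"
}

# 3. Move (not delete) the .p12 files into a timestamped backup folder so the step can be reverted
$backup = Join-Path $WebsenseRoot ("p12-backup-" + (Get-Date -Format 'yyyyMMdd-HHmmss'))
foreach ($dir in $P12Dirs) {
    $files = @(Get-ChildItem -Path $dir -Filter '*.p12' -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) { continue }
    # keep the two "bin" directories apart in the backup: "Web Security_tomcat_bin", "Web Security_bin"
    $dest = Join-Path $backup ($dir.Substring($WebsenseRoot.Length).TrimStart('\').Replace('\', '_'))
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $files | Move-Item -Destination $dest
    Write-Host "Moved $($files.Count) .p12 file(s) from $dir to $dest"
}

# 4. Start in reverse order; the Settings Database must be up before the manager components
if ($RunWebsenseAdmin) { Invoke-WebsenseAdmin 'start' }
foreach ($name in $StartOrder) { Set-ServiceState $name 'Running' }
```

Run it without switches for the postgres_eip procedure (tomcat\bin only, no websenseadmin), and with -RunWebsenseAdmin -ClearBinP12 for the WebsenseDBUser procedure. WaitForStatus raises an error if a service does not reach the requested state within the timeout, which is the point at which to look at the Windows event log rather than continuing down the list.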
Recreate the WebsenseDBUser:
  1. Click Start, in Search programs and files type lusrmgr.msc, and press Enter.
  2. Click the Users folder, right click WebsenseDBUser, and click Delete.
  3. Recreate the WebsenseDBUser account.
  4. Open an administrator Command Prompt, navigate to the \Websense\Web Security\bin directory, and run Pgsetup.exe -o.
  5. Start the Policy Database service manually once the command has finished.
  6. Once the account is recreated, ensure that Log on as a service is set for it, then clear the Web and Apache .p12 files as described above.
Note If Policy Server on a Windows machine fails to start and is configured to connect to a Policy Broker on another server, check whether the server is running any antivirus product. If so, make sure on-access scanning has an exclusion so that the Websense folder and its subfolders are never scanned. You can test whether the antivirus is causing the problem by temporarily disabling on-access scanning and trying to start the service.

If the service is already stuck in a Starting state, use Task Manager to end the PolicyServer.exe process, then try starting the service again from services.msc.

Domain Service Account

If a domain service account (with or without AD admin rights), such as DOMAIN\websenseuser, is listed as the service's log on user, the most likely cause is a missing Log on as a service right. The services that most commonly run under the domain service account are:
  • Websense DC Agent
  • Websense Logon Agent
  • Websense TRITON Unified Security Center
  • Websense TRITON Web Server
  • Websense User Service
Check with the AD administrator that the service account is not currently locked out.

Resetting the DOMAIN\websenseuser password in Active Directory may also help. Once the password has been changed in AD, update it on each affected service:
  1. Right click the service.
  2. Click Properties.
  3. Go to the Log On tab.
  4. Type the new password.
  5. Click OK.
  6. Start the service.
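The "set a password" steps for postgres_eip and WebsenseDBUser, and the Log On tab update for the domain service account just above, as one script. This is an added example, not Forcepoint's own tooling; the account and service display names in the usage comments are the ones this article uses, and the script name is a placeholder. It resets a local account's password through the WinNT ADSI provider (an assumption on my part; the article does it in Computer Management) and writes the service credential with Win32_Service.Change, which is the WMI wrapper for the same ChangeServiceConfig call the Services console makes.

```powershell
# Added example (not Forcepoint code): set a service's log on account and password from the command line,
# optionally resetting a local account's password first. Run from an elevated PowerShell prompt.
# Usage (script name is a placeholder):
#   .\Set-WebsenseServiceLogon.ps1 -Account postgres_eip -ServiceDisplayName 'Websense TRITON Settings Database' -ResetLocalPassword
#   .\Set-WebsenseServiceLogon.ps1 -Account WebsenseDBUser -ServiceDisplayName 'Websense Policy Database' -ResetLocalPassword
#   .\Set-WebsenseServiceLogon.ps1 -Account DOMAIN\websenseuser -ServiceDisplayName 'Websense User Service'
param(
    [Parameter(Mandatory = $true)][string]$Account,             # local name or DOMAIN\name
    [Parameter(Mandatory = $true)][string]$ServiceDisplayName,  # display name as shown in services.msc
    [switch]$ResetLocalPassword                                 # local accounts only; domain passwords are changed in AD
)

$cred  = Get-Credential $Account     # prompts once; the password never appears in the script or the history
$plain = $cred.GetNetworkCredential().Password

if ($ResetLocalPassword) {
    if ($Account -match '\\') { throw "-ResetLocalPassword is for local accounts; reset $Account in Active Directory instead" }
    # WinNT ADSI provider: works on every Windows version this product supports (Set-LocalUser needs 2016+)
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Account,user"
    if (-not $user.Path) { throw "Local account '$Account' not found; recreate it first" }
    $user.SetPassword($plain)
    $user.SetInfo()
    Write-Host "Local password for $Account reset"
}

# Passing $null for every other argument leaves the service's path, start type and dependencies untouched;
# only StartName and StartPassword change, exactly like typing into the Log On tab.
$svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$ServiceDisplayName'"
if (-not $svc) { throw "Service '$ServiceDisplayName' not found" }
$startName = if ($Account -match '\\') { $Account } else { ".\$Account" }   # '.\' marks a local account
$result = $svc.Change($null, $null, $null, $null, $null, $null, $startName, $plain)
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with return code $($result.ReturnValue)" }
$plain = $null
Write-Host "'$ServiceDisplayName' now logs on as $startName"

Start-Service -DisplayName $ServiceDisplayName -ErrorAction Stop
Write-Host "'$ServiceDisplayName' status: $((Get-Service -DisplayName $ServiceDisplayName).Status)"
```

One caveat that matters for this article: when you set the account on the Log On tab in services.msc, the console also grants that account the Log on as a service right. Neither Win32_Service.Change nor sc config does that, so if the service still fails with the logon error after running this, go back to the secpol.msc check and add the right by hand or through the GPO.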
Log on as a service:
  1. Click Start, in the Search programs and files box type secpol.msc, and press Enter.
  2. Under Security Settings, click the arrow to expand Local Policies.
  3. Click User Rights Assignment.
  4. Under Policy, scroll down, right click Log on as a service, and click Properties.
  5. Verify that the domain service account is listed on the Local Security Setting tab.
  6. Click OK.
  7. Scroll up, right click Allow log on locally, and click Properties.
  8. Verify that the domain service account is listed on the Local Security Setting tab.
  9. Click OK.
Note Also scroll down, right click Deny log on as a service, click Properties, and make sure the domain service account is not listed there. A Deny entry overrides an Allow entry, so the service fails with the same logon error even when the Allow rights are present.
  1. If the rights are restricted by GPO, create a new GPO that applies to the Websense server, add the Log on as a service and Allow log on locally rights for the domain service account, and make sure a parent policy cannot override the values (for example, mark the new GPO as Enforced). Then run gpupdate /force on the Websense server to apply the new GPO.
  2. The Users-not-Administrators rule in the sections above is specific to postgres_eip and WebsenseDBUser, because those accounts run PostgreSQL; the domain service account does not run the database services.
Important If all of the above fails, make sure localhost on the server resolves over IPv4. If the hosts file maps localhost only to an IPv6 address (::1) and not to 127.0.0.1, the service will not start.
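The secpol.msc check is repeated three times in this article (for postgres_eip, for WebsenseDBUser and for the domain service account) and the same Deny and Administrators pitfalls apply to all of them. The script below runs those checks for every account in one pass, plus the localhost IPv4 check from the Important note. It is an added example, not Forcepoint's own tooling; it assumes the account names used in this article, reads the effective rights from a secedit export (so a GPO that has already been applied is reflected), and checks direct assignment only: a right the account receives through a group (Users normally holds Allow log on locally) shows as False here.

```powershell
# Added example (not Forcepoint code): scripted version of the secpol.msc checks this article repeats
# for postgres_eip, WebsenseDBUser and the domain service account, plus the localhost/IPv4 check.
# Run from an elevated PowerShell prompt on the Websense server (secedit /export needs admin rights).
param(
    [string[]]$Accounts = @('postgres_eip', 'WebsenseDBUser')   # add 'DOMAIN\websenseuser' if used on this host
)

function Get-UserRightsAssignments {
    # secedit exports the effective User Rights Assignment as lines like:
    #   SeServiceLogonRight = *S-1-5-32-545,*S-1-5-21-...-1005
    # Entries are SIDs prefixed with '*'; a plain name appears only when the SID could not be resolved.
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in (Get-Content $inf)) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

function Get-AccountSid([string]$Account) {
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value   # throws if the account does not exist
}

function Test-HasRight($Rights, [string]$Right, [string]$Sid, [string]$Account) {
    # direct assignment only; matches by SID, or by name for unresolved entries
    [bool]($Rights[$Right] | Where-Object { $_ -eq $Sid -or $_ -ieq $Account })
}

function Test-LocalGroupMember([string]$Group, [string]$Account) {
    # 'net localgroup' prints members between the dashed separator and the closing status line
    $out = net localgroup $Group 2>$null
    $members = $out | Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command)' }
    [bool]($members | Where-Object { $_.Trim() -ieq $Account })
}

function Test-ServiceAccountRights([string]$Account) {
    $rights = Get-UserRightsAssignments
    try { $sid = Get-AccountSid $Account }
    catch { return New-Object PSObject -Property @{ Account = $Account; Error = 'account not found; recreate it first' } }
    New-Object PSObject -Property @{
        Account            = $Account
        LogOnAsService     = Test-HasRight $rights 'SeServiceLogonRight'         $sid $Account  # must be True
        AllowLogOnLocally  = Test-HasRight $rights 'SeInteractiveLogonRight'     $sid $Account  # must be True
        DenyLogOnAsService = Test-HasRight $rights 'SeDenyServiceLogonRight'     $sid $Account  # must be False: Deny overrides Allow
        DenyLogOnLocally   = Test-HasRight $rights 'SeDenyInteractiveLogonRight' $sid $Account  # must be False
        MemberOfUsers      = Test-LocalGroupMember 'Users' $Account                             # must be True
        MemberOfAdmins     = Test-LocalGroupMember 'Administrators' $Account                    # must be False: PostgreSQL will not run elevated
    }
}

function Test-LocalhostIPv4 {
    # The Important note: localhost must resolve to an IPv4 address (127.0.0.1), not only to ::1.
    # Dns.GetHostAddresses goes through the same resolver the service uses, hosts file included.
    $addrs = [System.Net.Dns]::GetHostAddresses('localhost')
    [bool]($addrs | Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork })
}

foreach ($a in $Accounts) { Test-ServiceAccountRights $a | Format-List }
"localhost resolves to an IPv4 address: $(Test-LocalhostIPv4)"
```

Read the output against the expected values in the comments: the two Allow rights True, both Deny rights False, MemberOfUsers True and MemberOfAdmins False. A True under either Deny field explains the logon failure even when the Allow rights look correct, and is the first thing to fix in the GPO. After changing a GPO, run gpupdate /force and rerun the script before restarting the service.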
