search cancel

Failed to create NS Client component. Error number: 46. Error description: Permission denied

book

Article ID: 151811

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

The Symantec Management Agent (aka Altiris Agent) is unable to download a package because it is failing to receive the package snapshot file.  The logs show:

PackageDownload Download Snapshot failed: Failed to create NS Client component. Error number: 46. Error description: Permission denied (70)

PackageDelivery Error while downloading package: Failed to create NS Client component. Error number: 46. Error description: Permission denied (70)

Error 1:
Download Snapshot failed: Failed to create NS Client component. Error
number: 46. Error description: Permission denied (70)
----------------------------------------------------------------------------
Date: 12/11/2019 2:40:41 PM, Tick Count: 1966091312 (22.18:08:11.3120000), Size: 371 B
Process: AeXNSAgent.exe (9408), Thread ID: 8444, Module:
AeXPackageDelivery.dll
Priority: 1, Source: PackageDownload

Error 2:
Error while downloading package: Failed to create NS Client component. Error number: 46.
Error description: Permission denied
----------------------------------------------------------------------------
Date: 12/11/2019 2:40:41 PM, Tick Count: 1966091312 (22.18:08:11.3120000), Size: 373 B
Process: AeXNSAgent.exe (9408), Thread ID: 8444, Module:
AeXPackageDelivery.dll
Priority: 1, Source: PackageDelivery

Error 3:
Error while downloading package: No server found
----------------------------------------------------------------------------
Date: 12/11/2019 2:40:41 PM, Tick Count: 1966091312 (22.18:08:11.3120000), Size: 296 B
Process: AeXNSAgent.exe (9408), Thread ID: 8444, Module:
AeXPackageDelivery.dll
Priority: 1, Source: PackageDelivery

Environment

ITMS 7.x, 8.x

Cause

In many cases the Altiris Agent is attempting to download the package from a package server.

Situation 1:

We have seen issues when a package server agent is running on Windows XP SP2, or even Windows 2003 Server SP1. The COM permissions for the anonymous user account have been reduced causing the agent to fail because it cannot activate the Altiris.AeXNSClient object.

Situation 2: 

Individual Package Servers are affected, not the whole network.  With EnableDACLManagement Disabled ( set to "0" - see TECH204095) the Settings on the Altiris Agent folder are still being modified to have needed permissions removed.  For Computer\Users the Read & Execute permissions are being set to "This Folder only".
The problem arises when someone removes the Read & Execute permissions to "Altiris Agent" folder on the Package Server. Then IIS just can't access the Agent COM object in order to provide the snapshot.xml to the caller.

Situation 3: 

In this particular situation, a new package server was been setup. The client machine on that package server was trying to download the package from the NS itself. The NS had the Package Service installed. 
The call to GetPackageInfo.aspx is always done to the NS:
https://NSserver.domain.com:443/altiris/NS/Agent/GetPackageInfo.aspx?...

Right after that, the call to the snapshot is done:
https://NSserver.domain.com/Altiris/PS/getpackagesnapshot.asp?...

This call to the snapshot is a pure package server call (asp page and PS share path are in use) it is done also to the NS machine, so the Notification Server has a separate Package Server installed on the same machine.
This is not a quite supported scenario (package server on an NS), and even a performance degrading approach since the package server on NS will duplicate all packages, consuming double disk space, it will also consume processing resources, decreasing the NS speed.

As for the described problem: The attempt to receive the snapshot is done to package server owned ASP page which tries to create a COM object of SMA, in order to get the package details and return the snapshot. This is done through VBScript in "GetPackageSnapshot.asp" script and this attempt failed. 

the actual fail is on the "NS" side and the new package server is playing as a "client" in this game. The error is actually on the NS from its package server portion since the package service was installed. 
You can reproduce this issue easily by removing IUSR from DCOM, but since DCOM is set by PS automatically, we suspect there could be something else in play, like global policies or some other security tools. Better to compare & check all permissions in DCOM for the "Altiris Agent" record.

Resolution

Situation 1:

Verify where the Altiris Agent is attempting to download the package from. In most cases, the Altiris Agent is attempting to download from a package server.  On the source location (i.e. Package Server), verify that the Internet Guest Account (IUSR _<server name>) has the proper COM permissions. This account must have Launch and Activate permissions.

  1. Navigate to: Start > Settings > Control Panel > Administrative Tools > Component Services.
  2. Within Component Services, expand Component Services > Computers > My Computer.
  3. Right-click on My Computer and go to Properties.
  4. Select the Com Security tab and in the "Launch and Activation Permissions" section click the "Edit Default" button.
  5. On the Internet Guest Account (IUSR _<server name>), set all to "Allow."
  6. If the iusr_<servername> account is not listed, click 'add' in the above window, enter the user name. Be sure to check 'allow' for all launch and activation permissions.
  7. In some instances you will also need to modify the security permission on the following folder: Program Files\Altiris\Altiris Agent\Package Server Agent. To give the Network Service user modify rights. 

 

Situation 2:

Check the Advanced Security permissions on the ..\Program Files\Altiris\Altiris Agent Folder.  Computer\Users should be Read and Execute and apply to "This folder, subfolders and files."  If it is only "This folder only" change to included subfolders and files, and then repermission all subfolders by checking "Replace all child object permission entries .... " and then select OK.

NOTE: To fix current problem on multiple package servers,

  1. please download attached "Grant permission for BUILTIN_Users on _Altiris Agent_ folder.xml" to this KB.
  2. Open SMP Console -> Manage -> Jobs and Tasks -> mouse right click -> import -> choose downloaded .xml
  3. now run this client task on affected managed client computers to grant permission for "Altiris Agent" folder

Script task contains this cmd line:

for /f "tokens=2,*" %%a in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent" /V InstallDir ^|findstr /ri "REG_SZ"') do icacls "%%b" /grant *S-1-5-32-545:(RX)

 

Situation 3:

 

The safest way to fix this issue if the NS has the package service installed is to remove the Package service from the Notification Server machine, in that case, stand-alone PS-es will receive the NS codebase and download directly from Notification Server.

If for some reason you can't remove the package service on the NS, consider the following:

  1. Check DCOM permissions in "MMC" console (Component Services>Computers>My Computer>DCOM Config>Altiris Agent)
  2. IUSR user is used by IIS to launch COM objects and it should have the DCOM permission set (on the PS which is on NS). By default, those permissions are set by Package Server but most probably on this PS-on-NS machine, they were somehow changed or failed to be set.
  3. Also, other permissions could be compared with normally working PS to see what else is failed to set-up.

 

Attachments

Grant_permission_for_BUILTIN_Users_on__Altiris_Agent__folder.zip get_app