Symantec Email Submission Client Console (SESC) error message "You either have insufficient permissions to access this application or your user credentials are not refreshed." when Windows group SIDs cannot be mapped to name

Article Id: 155906

Status: Published

Updated On: 27-04-2015 11:59

Legacy Id: TECH181333

Products:

Mail Security for Microsoft Exchange , Messaging Gateway

Issue/Introduction:

When attempting to open the SESC console the following error message is displayed and the console is not opened:

You either have insufficient permissions to access this application or your user credentials are not refreshed.
Try logging off and logging in again to reload the user credentials.

Conditions

Computer is unable to resolve some Windows SIDs to names.

1. On the SESC computer open a powershell command prompt.
2. Paste the following code into the powershell window and hit Enter to run it:

$windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $windowsIdentity.Groups
foreach ($group in $groups)
{
   try
   {
    $group.Translate([System.Security.Principal.NTAccount])
   }
   catch
   {
        Write-Host "Error trying to translate SID: "
        $group | fl
        $_.Exception.Message
   }

}

The output looks like this when some of the SIDS fail to resolve to group names:

Value
-----
SESC\None
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
NT AUTHORITY\This Organization
LOCAL
Exception calling "Translate" with "1" argument(s): "Some or all identity refer
ences could not be translated."
At C:\Temp\test.ps1:6 char:18
+     $group.Translate <<<< ([System.Security.Principal.NTAccount])
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Exception calling "Translate" with "1" argument(s): "Some or all identity refer
ences could not be translated."
At C:\Temp\test.ps1:6 char:18
+     $group.Translate <<<< ([System.Security.Principal.NTAccount])
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Exception calling "Translate" with "1" argument(s): "Some or all identity refer
ences could not be translated."
At C:\Temp\test.ps1:6 char:18
+     $group.Translate <<<< ([System.Security.Principal.NTAccount])
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

In the example above all the local group names are resolved. However none of the domain group names are resolved.

Cause:

The SESC console obtains the set of groups the user is part of. The group information consists of Windows SIDS. SECS then attempts to convert each SID into a group name. If the conversion fails the error message is shown.

Resolution:

This issue must be resolved within Active Directory.

Here are some ideas:

If only some of the groups cannot be resolved then remove the Windows ID from that group.
If every domain group cannot be resolved try removing the computer from the domain and re-adding it.

Fixing the root cause may require use of ADSI edit to fix the broken SID, or delete the broken SID. Because this process can have substantial impact on domain operations Symantec recommends contacting Microsoft for assistance with this process, as we cannot guarantee the outcome of making changes in the domain.

Technical Information

The list of SIDs includes any groups within groups. For example, if the user is a member of "Domain Admins" and the "Domain Admins" group has been added to the "Schema Admins" group, the "Schema Admins" SID shows up in this list of SIDs associated with this user account as if the user was directly a member of "Schema Admins". The user is not necessarily directly a member of the group with the broken SID to NT name translation.

Applies To

SESC 1.X

powershell.jpg

Download