Symantec Email Submission Client Console (SESC) error message "You either have insufficient permissions to access this application or your user credentials are not refreshed." when Windows group SIDs cannot be mapped to names


Article ID: 155906

Products

Mail Security for Microsoft Exchange
Messaging Gateway

Issue/Introduction

When attempting to open the SESC console the following error message is displayed and the console is not opened:

You either have insufficient permissions to access this application or your user credentials are not refreshed.
Try logging off and logging in again to reload the user credentials.

Conditions

  • Computer is unable to resolve some Windows SIDs to names.

1. On the SESC computer, open a PowerShell command prompt.
2. Paste the following code into the PowerShell window and press Enter to run it:

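# Get the Windows identity of the user running this PowerShell session
$windowsIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# Group SIDs associated with that user, including groups within groups
$groups = $windowsIdentity.Groups
foreach ($group in $groups)
{
    try
    {
        # Convert the SID to an NT account name
        $group.Translate([System.Security.Principal.NTAccount])
    }
    catch
    {
        # Show the SID that could not be translated and the reason
        Write-Host "Error trying to translate SID: "
        $group | Format-List
        $_.Exception.Message
    }
}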

The output looks like this when some of the SIDs fail to resolve to group names:

Value                                                                          
-----                                                                          
SESC\None                                                                      
Everyone                                                                       
BUILTIN\Administrators                                                         
BUILTIN\Users                                                                  
NT AUTHORITY\REMOTE INTERACTIVE LOGON                                          
NT AUTHORITY\INTERACTIVE                                                       
NT AUTHORITY\Authenticated Users                                               
NT AUTHORITY\This Organization                                                 
LOCAL                                                                          
Exception calling "Translate" with "1" argument(s): "Some or all identity refer
ences could not be translated."
At C:\Temp\test.ps1:6 char:18
+     $group.Translate <<<< ([System.Security.Principal.NTAccount])
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException
 
Exception calling "Translate" with "1" argument(s): "Some or all identity refer
ences could not be translated."
At C:\Temp\test.ps1:6 char:18
+     $group.Translate <<<< ([System.Security.Principal.NTAccount])
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException
 
Exception calling "Translate" with "1" argument(s): "Some or all identity refer
ences could not be translated."
At C:\Temp\test.ps1:6 char:18
+     $group.Translate <<<< ([System.Security.Principal.NTAccount])
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

In the example above, all the local group names are resolved. However, none of the domain group names are resolved.

 

Cause

The SESC console obtains the set of groups the user is part of. The group information consists of Windows SIDs. SESC then attempts to convert each SID into a group name. If the conversion fails, the error message is shown.

Resolution

This issue must be resolved within Active Directory.

Here are some ideas:

  • If only some of the groups cannot be resolved, then remove the Windows ID from that group.
  • If every domain group cannot be resolved, try removing the computer from the domain and re-adding it.


Fixing the root cause may require use of ADSI Edit to fix the broken SID, or delete the broken SID. Because this process can have substantial impact on domain operations, Symantec recommends contacting Microsoft for assistance with this process, as we cannot guarantee the outcome of making changes in the domain.
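
To tell which of the two cases above applies before anything is changed in Active Directory, the following added example (not Symantec's code) reports every group SID of the current user together with the domain or machine SID that issued it, then counts the failures per issuer. The function names Get-GroupSidResolution and Get-IssuerSummary are hypothetical; the script only reads the current user's group SIDs and changes nothing.

```powershell
# Added example: classify unresolved group SIDs by the domain/machine SID that issued them.
function Get-GroupSidResolution {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        $name = $null
        $err  = $null
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            $err = $_.Exception.Message
        }
        # AccountDomainSid is $null for well-known SIDs (Everyone, BUILTIN\*, NT AUTHORITY\*)
        if ($sid.AccountDomainSid) {
            $issuer = $sid.AccountDomainSid.Value
        } else {
            $issuer = '(well-known)'
        }
        New-Object PSObject -Property @{
            Sid = $sid.Value; Name = $name; Resolved = [bool]$name
            Issuer = $issuer; Error = $err
        }
    }
}

function Get-IssuerSummary {
    param([object[]]$Results)
    $Results | Group-Object Issuer | ForEach-Object {
        $failed = @($_.Group | Where-Object { -not $_.Resolved })
        if ($failed.Count -eq 0) {
            $case = 'all resolved'
        } elseif ($failed.Count -eq $_.Count) {
            $case = 'ALL unresolved'    # matches "every domain group cannot be resolved"
        } else {
            $case = 'some unresolved'   # matches "only some of the groups"
        }
        New-Object PSObject -Property @{
            Issuer = $_.Name; Total = $_.Count; Unresolved = $failed.Count; Case = $case
        }
    }
}

$results = Get-GroupSidResolution
# The SIDs to look for in Active Directory
$results | Where-Object { -not $_.Resolved } | Select-Object Sid, Issuer, Error | Format-List
# One row per issuing domain or machine
Get-IssuerSummary $results | Select-Object Issuer, Total, Unresolved, Case | Format-Table -AutoSize
```

An issuer whose row reads "ALL unresolved" points at the second idea above, while "some unresolved" points at the first, and the listed SID values identify the specific groups involved.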

Technical Information

The list of SIDs includes any groups within groups. For example, if the user is a member of "Domain Admins" and the "Domain Admins" group has been added to the "Schema Admins" group, the "Schema Admins" SID shows up in this list of SIDs associated with this user account as if the user were directly a member of "Schema Admins". The user is not necessarily directly a member of the group with the broken SID-to-NT-name translation.

 

Applies To

 
  • SESC 1.X

Attachments

powershell.jpg