Security issues in Console Jobs/Tasks

Article ID: 159240

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

Some users appear to be accessing the console with the Application Identity service account: they can edit jobs and tasks even though their accounts do not have permission to do so, and when they schedule jobs, the Application Identity is shown in the "Started By" column. This appears to happen only on the Jobs/Tasks pane: users do not gain access to other areas of the console, and they cannot edit other objects such as filters or policies.

"Unable to retrieve ItemAction. Guid:{5ab243ee-443c-4034-a3e8-1d6f0c46ee2a} Exception:Altiris.NS.Exceptions.AeXUnauthorizedAccessException: The current user does not have required permission 'read' to load item '5ab243ee-443c-4034-a3e8-1d6f0c46ee2a'.

   at Altiris.NS.ItemManagement.Item.RaiseItemLoadFlagsSecurityException(String message)
   at Altiris.NS.ItemManagement.Item.CheckCanGetItem(IItem item, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
   at Altiris.NS.ItemManagement.Item.GetItemInternal(Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
   at Altiris.NS.ItemManagement.Item.GetItem[T](Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
   at Altiris.NS.ItemManagement.Item.GetItem[T](Guid itemGuid)
   at Altiris.Resource.ResourceItem.GetItemActionsForResourceItem(Guid resourceTypeGuid)
**CEDUrlStart** :http://entced.symantec.com/entt?product=SMP&version=7.1.8400.0&language=en&module=pJtGZTBkUFAvFVI8VYOzkkOXsRYT+R0lcx6IfgGzzwG4ZXL0j7PEovqAR1U08g/G&error=-1681233315&build=**CEDUrlEnd**",
"Altiris.Resource.ResourceItem.GetItemActionsForResourceItem","w3wp.exe","471","Errors"
 
"The owner of Item '3aed9524-0f5c-4d79-acff-3edce6d0aa93' is invalid, it does not map to a valid trustee.","Altiris.NS.Security.SecurityHierarchyManager.GetEntitySecurityDescriptor","w3wp","3"

Cause

 http://<Notification Server>/Altiris/TaskManagement/ had "Anonymous Authentication" enabled within IIS.

Environment

ITMS (IT Management Suite) 7.x and 8.x.

Resolution

 Disable "Anonymous Authentication" at http://<Notification Server>/Altiris/TaskManagement/ within IIS.
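
The same check and change can be scripted with the IIS WebAdministration module. This is an added example, not vendor-supplied code; it assumes the Altiris applications are hosted under the site "Default Web Site" (adjust `-SiteName` if yours differs) and that it is saved as a .ps1 file and run from an elevated PowerShell session on the Notification Server.

```powershell
# Added example, not vendor code: audit and disable Anonymous Authentication
# on the TaskManagement path named in this article.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SiteName = 'Default Web Site',        # assumption: IIS site hosting /Altiris
    [string]$AppPath  = 'Altiris/TaskManagement'   # path from the article
)

Import-Module WebAdministration -ErrorAction Stop

$location = "$SiteName/$AppPath"
$authRoot = 'system.webServer/security/authentication'

function Get-AuthEnabled([string]$Section) {
    # Read the effective 'enabled' attribute for this location from applicationHost.config.
    $attr = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
                -Filter "$authRoot/$Section" -Name 'enabled'
    if ($attr -is [bool]) { return $attr }
    return [bool]$attr.Value
}

$anonymous = Get-AuthEnabled 'anonymousAuthentication'
# Reported only, so you can confirm another authentication method stays enabled.
$windows   = Get-AuthEnabled 'windowsAuthentication'

[pscustomobject]@{
    Location                = $location
    AnonymousAuthentication = $anonymous
    WindowsAuthentication   = $windows
} | Format-List

if (-not $anonymous) {
    Write-Output "Anonymous Authentication is already disabled on '$location'."
    return
}

if ($PSCmdlet.ShouldProcess($location, 'Disable Anonymous Authentication')) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter "$authRoot/anonymousAuthentication" -Name 'enabled' -Value $false
    # Re-read the setting to verify the change took effect.
    Write-Output ("Anonymous Authentication enabled after change: {0}" -f
        (Get-AuthEnabled 'anonymousAuthentication'))
}
```

Run it with `-WhatIf` first to see the current state without changing anything.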