Password fails to change when using AexConfig.exe

Article ID: 159241

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

When changing the service account for Symantec Management Platform 7, you see the following:

  • When you attempt to open the NS Console:

    Symantec Management Server Error

    An error has occurred that prevents the Symantec Management Console displaying correctly.

    If this page is shown in place of a page or web part in the Symantec Management Console, navigate back to the page using the menu or tree and continue working. If the problem persists, see your local network administrator.

    If this page is shown in place of the Symantec Management Console, one of the following could be the cause:

    • The "Altiris Service" service is not running. Start this service on the server and reload the console.
    • The account used for either the "Altiris Service" or the Notification Server webs is incorrect, disabled or the password for the account has expired. On the Notification Server computer, run " C:\Program Files\Altiris\Notification Server\bin\AeXConfig.exe /svcid user:(user name) password:(password)] ", substituting the correct installation path if a non-default location was used, to provide a new account.
    • The name of the Notification Server computer has been renamed. The following steps will need to be taken to correct this:
      • If SQL Server is installed on the same machine as the Notification Server:
      • Open the file [NS INSTALL DIRECTORY]\Notification Server\Config\CoreSettings.config, search for the word 'key=DBUser'. Replace the 'value' attribute of the found XML element from the previous server name to the new server name.
      • If account used for either the "Altiris Service" or the Notification Server webs is a local user (i.e. Not a domain user), you will need to update the account to the new name. You can do so by following the 2nd bullet points on this page.
      • Open Registry Editor, browse to the registry key "HKLM\SOFTWARE\Altiris\express\Notification Server\". Find and replace any value that contains the old server name with the new name.
      • Re-push the agent out to all previously managed machines. (#)
      • Run the Windows schedule named "NS.Package Refresh" to re-validate site/package server packages. To get to the Windows schedules, go to 'Start' > 'Control Panel' > 'Scheduled Tasks'.
      • If you have hierarchy set up, you will need to remove and re-add the renamed server to the hierarchy. To do so, go to the "Hierarchy Management" page under the menu "Settings" > "Notification Server" > "Hierarchy".

    In both cases, the Symantec Management Server log and the Windows Event log may contain useful information. The Symantec Management Server log can be accessed on the server by running "Start" menu > "All Programs" > "Altiris" > "Diagnostics" > "Altiris Log Viewer".

    (#) If the NS hosted computer has yet been renamed, a better alternative would be to point all NS clients to the new server name first. You can do this by going to the menu "Settings" > "Agents/Plug-ins" > "Targeted Agent Settings". For each policy in the list, select the "Advanced" tab and specifies the new server name under the "Alternative URL for accessing NS" section. By doing this, all the clients will work automatically once the NS server has been renamed

  • In the Application Event logs, you may see messages like these:

    Event Type: Warning
    Event Source: ASP.NET 2.0.50727.0
    Event Category: Web Event

    Event ID: 1310
    Date:  3/18/2010
    Time:  10:15:42 AM
    User:  N/A
    Computer: SEVERNAME 
    Description:
    Event code: 3008
    Event message: A configuration error has occurred.
    Event time: 3/18/2010 10:15:42 AM
    Event time (UTC): 3/18/2010 2:15:42 PM
    Event ID: 7d81fb38b0924ef5b79c38aeeaace18f
    Event sequence: 1
    Event occurrence: 1
    Event detail code: 0
     
    Application information:
        Application domain: /LM/W3SVC/1/Root/Altiris/NS/Agent-416-129133953422500000
        Trust level: Full
        Application Virtual Path: /Altiris/NS/Agent
        Application Path: C:\Program Files\Altiris\Notification Server\Agent\

        Machine name: SEVERNAME
     
    Process information:
        Process ID: 5792
        Process name: w3wp.exe
        Account name: SEVERNAME\IWAM_SERVERNAME  
     
    Exception information:
        Exception type: ConfigurationErrorsException
        Exception message: An error occurred executing the configuration section handler for system.web/identity.
     
    Request information:
        Request URL: http://Servername/Altiris/NS/Agent/PostEvent.aspx
        Request path: /Altiris/NS/Agent/PostEvent.aspx

        User host address: x.x.x.x 
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: SEVERNAME\IWAM_SERVERNAME 
     
    Thread information:
        Thread ID: 1
        Thread account name: SEVERNAME\IWAM_SERVERNAME 
        Is impersonating: False
        Stack trace:    at System.Web.HttpRuntime.FirstRequestInit(HttpContext context)
       at System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context)
       at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)


    or


    Event Type: Warning
    Event Source: ASP.NET 2.0.50727.0
    Event Category: Web Event
    Event ID: 1310
    Date:  3/18/2010
    Time:  10:15:37 AM
    User:  N/A
    Computer: SEVERNAME 
    Description:
    Event code: 3008
    Event message: A configuration error has occurred.
    Event time: 3/18/2010 10:15:37 AM
    Event time (UTC): 3/18/2010 2:15:37 PM
    Event ID: be845d7cc4f74fdb963824c5225c314f
    Event sequence: 1
    Event occurrence: 1
    Event detail code: 0
     
    Application information:
        Application domain: /LM/W3SVC/1/Root/Altiris/TaskManagement/CTAgent-415-129133953375156250
        Trust level: Full
        Application Virtual Path: /Altiris/TaskManagement/CTAgent
        Application Path: C:\Program Files\Altiris\TaskManagement\CTAgentWeb\

        Machine name: SERVERNAME 
    Process information:
        Process ID: 5792
        Process name: w3wp.exe
        Account name: SERVERNAMEACCOUNTNAME
     
    Exception information:
        Exception type: ConfigurationErrorsException
        Exception message: An error occurred executing the configuration section handler for system.web/identity.
     
    Request information:
        Request URL: http://ServerName/Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx?resourceGuid=a4384efe-641f-4c49-9716-c496270e0c5c
        Request path: /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx

        User host address: x.x.x.x 
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: SEVERNAME\IWAM_SERVERNAME  
     
    Thread information:
        Thread ID: 6
        Thread account name: SEVERNAME\IWAM_SERVERNAME  
        Is impersonating: False
        Stack trace:    at System.Web.HttpRuntime.FirstRequestInit(HttpContext context)
       at System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context)
       at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
     
  • When accessing the URL listed in one of the Application Event messages, you see this in the NS Console:

    Configuration Error
    Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

    Parser Error Message: Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Logon failure: unknown user name or bad password.
    '
    Source Error:

    Line 51:     The following line makes this site run under the NS service account credentials.
    Line 52:  -->
    Line 53:   <identity impersonate="true" userName="registry:HKLM\Software\Altiris\eXpress\Notification Server\AppIdentity,user" password="registry:HKLM\Software\Altiris\eXpress\Notification Server\AppIdentity,pwd"/>
    Line 54:   <!--  AUTHORIZATION
    Line 55:           This section sets the authorization policies of the application. You can allow or deny access
     
    Source File: C:\Program Files\Altiris\TaskManagement\Web\web.config    Line: 53

    --------------------------------------------------------------------------------
    Version Information: Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.3082

     
  • In the NS Log Viewer, you see these errors:

    Process: AeXConfig (2596)
    Thread ID: 1
    Module: AeXConfig.exe
    Source: Altiris.NS.AeXConfig.MainImpl
    Description: First web service call failed, possibly due to out-of-date Altiris app identity details in the registry. Trying to set the details manually...
    ( Exception Details: System.InvalidOperationException: Client found response content type of 'text/html; charset=utf-8', but expected 'text/xml'.
    The request failed with the error message:
    --
    <html>
        <head>
            <title>Configuration Error</title>
            <style>
             body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
             p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
             b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
             H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
             H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
             pre {font-family:"Lucida Console";font-size: .9em}
             .marker {font-weight: bold; color: black;text-decoration: none;}
             .version {color: gray;}
             .error {margin-bottom: 10px;}
             .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
            </style>
        </head>
        <body bgcolor="white">
                <span><H1>Server Error in '/Altiris/NS' Application.<hr width=100% size=1 color=silver></H1>
                <h2> <i>Configuration Error</i> </h2></span>
                <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
                <b> Description: </b>An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
                <br><br>
                <b> Parser Error Message: </b>Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Logon failure: unknown user name or bad password.<br>'<br><br>
                <b>Source Error:</b> <br><br>
                <table width=100% bgcolor="#ffffcc">
                   <tr>
                      <td>
                          <code><pre>
    Line 137:    -->
    Line 138:    <authentication mode="Windows" />
    <font color=red>Line 139:    <identity impersonate="true" userName="registry:HKLM\Software\Altiris\eXpress\Notification Server\AppIdentity,user" password="registry:HKLM\Software\Altiris\eXpress\Notification Server\AppIdentity,pwd" />
    </font>Line 140:    <authorization>
    Line 141:      <deny users="?" /></pre></code>
                      </td>
                   </tr>
                </table>
                <br>
                <b> Source File: </b> C:\Program Files\Altiris\Notification Server\web.config<b>    Line: </b> 139
                <br><br>
                <hr width=100% size=1 color=silver>
                <b>Version Information:</b> Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.3082
                </font>
        </body>
    </html>
    <!--
    [ConfigurationErrorsException]: Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Logon failure: unknown user name or bad password.
    ' (C:\Program Files\Altiris\Notification Server\web.config line 139)
       at System.Web.Configuration.IdentitySection.InitializeToken()
       at System.Web.Configuration.IdentitySection.get_ImpersonateToken()
       at System.Web.Configuration.IdentitySection.ValidateCredentials()
       at System.Web.Configuration.IdentitySection.GetRuntimeObject()
       at System.Configuration.RuntimeConfigurationRecord.GetRuntimeObjectWithRestrictedPermissions(ConfigurationSection section)
       at System.Configuration.RuntimeConfigurationRecord.GetRuntimeObject(Object result)
    [ConfigurationErrorsException]: An error occurred executing the configuration section handler for system.web/identity.
       at System.Web.HttpRuntime.FirstRequestInit(HttpContext context)
       at System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context)
       at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
    -->
    --.
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Altiris.NS.Installation.InstallationWebServiceProxy.ConfigureServices(String username, String encryptedUserPassword)
       at Altiris.NS.AeXConfig.MainImpl(String[] args) )
    ( Exception logged from:
       at Altiris.Diagnostics.Logging.EventLog.ReportException(Int32 severity, String strMessage, String category, Exception exception)
       at Altiris.Diagnostics.Logging.EventLog.ReportException(String strMessage, String category, Exception exception)
       at Altiris.NS.Logging.EventLog.ReportException(String strMessage, Exception exception)
       at Altiris.NS.AeXConfig.MainImpl(String[] args)
       at Altiris.NS.AeXConfig.Main(String[] args)
     )
    ( Extra Details:  Type=System.InvalidOperationException Src=System.Web.Services )


    Or,


    Process: AeXConfig (2596)
    Thread ID: 1
    Module: AeXConfig.exe
    Source: Altiris.NS.AeXConfig.MainImpl
    Description:
    ( Exception Details: System.Net.WebException: The request failed with HTTP status 503: Service Unavailable.
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Altiris.NS.Installation.InstallationWebServiceProxy.ConfigureServices(String username, String encryptedUserPassword)
       at Altiris.NS.AeXConfig.MainImpl(String[] args) )
    ( Exception logged from:
       at Altiris.Diagnostics.Logging.EventLog.ReportException(Int32 severity, String strMessage, String category, Exception exception)
       at Altiris.Diagnostics.Logging.EventLog.ReportException(String strMessage, String category, Exception exception)
       at Altiris.NS.Logging.EventLog.ReportException(String strMessage, Exception exception)
       at Altiris.NS.AeXConfig.MainImpl(String[] args)
       at Altiris.NS.AeXConfig.Main(String[] args)
     )
    ( Extra Details:  Type=System.Net.WebException Src=System.Web.Services )
     
  • In the HttpErr logs you see messages like this:

    2010-03-18 14:44:43 x.x.x.x 1983 x.x.x.x 80 HTTP/1.1 POST /Altiris/NS/Agent/PostEvent.aspx 503 1 ConnLimit DefaultAppPool
    2010-03-18 14:44:44 x.x.x.x 3352 x.x.x.x 80 HTTP/1.1 GET /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx?resourceGuid=7be752b1-7477-460a-bf69-4764695dfca7 503 1 ConnLimit DefaultAppPool
    2010-03-18 14:44:44 x.x.x.x 2042 x.x.x.x 80 HTTP/1.1 POST /Altiris/ClientTaskServer/Register.aspx?resourceGuid=470b66e7-bcb2-45f7-bef8-513ca1249533 503 1 ConnLimit DefaultAppPool

Cause

In this case, the issue had 2 causes:

1) DefaultAppPool was set to run as the IWAM_MachineName account rather than the NetworkService account
2) Default Web Site had a connection limit in place (in this case, it was set to allow only "5" concurrent connections).
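
The ConnLimit reason in the HttpErr lines above is what HTTP.sys logs when a site-level connection limit is reached, which matches cause 2. The following Python sketch is an added example, not part of the original article or the product's tooling; it tallies 503 entries in an HTTPERR log by reason and application pool. The function names are hypothetical and the sample lines are constructed with placeholder addresses.

```python
from collections import Counter

# Field order of an HTTP.sys error log (HTTPERR) entry, as in the lines above.
FIELDS = (
    "date", "time", "c_ip", "c_port", "s_ip", "s_port", "version",
    "method", "uri", "status", "site_id", "reason", "queue",
)

# HTTP.sys reason phrases that accompany a 503.
REASON_HINTS = {
    "ConnLimit": "site-level connection limit reached",
    "QueueFull": "application pool request queue is full",
    "AppOffline": "application taken offline after repeated errors",
    "Disabled": "application taken offline by an administrator",
}

# Constructed sample: placeholder IPs and GUID, plus one truncated entry.
SAMPLE = """\
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2010-03-18 14:40:01 192.0.2.10 1950 192.0.2.1 80 - - - - - Timer_ConnectionIdle -
2010-03-18 14:44:43 192.0.2.10 1983 192.0.2.1 80 HTTP/1.1 POST /Altiris/NS/Agent/PostEvent.aspx 503 1 ConnLimit DefaultAppPool
2010-03-18 14:44:44 192.0.2.11 3352 192.0.2.1 80 HTTP/1.1 GET /Altiris/TaskManagement/CTAgent/GetClientTaskServers.aspx?resourceGuid=00000000-0000-0000-0000-000000000000 503 1 ConnLimit DefaultAppPool
2010-03-18 14:44:44 192.0.2.12 2042 192.0.2.1 80 HTTP/1.1 POST /Altiris/ClientTaskServer/Register.aspx 503 1 ConnLimit DefaultAppPool
2010-03-18 14:44:45
"""

def parse_httperr(text):
    """Yield one dict per well-formed entry; skip headers and truncated lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def summarize_503(text):
    """Count 503 responses by (reason, application pool queue)."""
    return Counter(
        (e["reason"], e["queue"])
        for e in parse_httperr(text) if e["status"] == "503"
    )

def report(text):
    """Return one human-readable line per (reason, queue), most frequent first."""
    lines = []
    for (reason, queue), n in summarize_503(text).most_common():
        hint = REASON_HINTS.get(reason, "see the HTTP.sys reason phrase list")
        lines.append(f"{n} x 503 {reason} on {queue}: {hint}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
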

Resolution

To resolve this issue:

1) Open up the IIS Manager
2) Right-click on DefaultAppPool and select "Properties"
3) Click on the "Identity" tab
    ...Ensure that it is set to "Predefined: Network Service"
4) Click "OK"
5) Right-click on the Default Web Site and select "Properties"
6) Click on the "Performance" Tab
    ...Ensure that "Web site connections" is set to Unlimited
7) Run IISRESET from the command line

At this point, you should be able to change the password by running AexConfig.exe /svcid user:<Domain\Username> password:<Password>
    ...Watch the logs for errors (just in case).


Applies To

Notification Server 7.0 (Initially noticed on SP2)

 

Environment where Service Account passwords are changed on a regular basis.