
Windows Security Update for Group Policy Breaks Group Policy


Article ID: 163451


Products

IT Management Suite

Issue/Introduction

Microsoft's security update KB3159398 (MS16-072) changes how Group Policy is retrieved: after the update, a client reads its Group Policy Objects in the security context of the computer account rather than that of the logged-on user. The effect was first noticed in the Symantec Management Platform through SQL permission errors, because of how Windows authenticates to SQL Server. In this instance the Altiris services run as Local System, including the service that opens the connection to the SQL database; a service running as Local System authenticates to SQL Server as the computer account (<Domain>\<Hostname>$). Errors start appearing in the log stating that the platform is unable to authenticate to SQL. The workaround is to change the affected service so that it runs as the Altiris Service Account (AppID) instead of Local System.

Originally found via http://windowsitpro.com/patch-tuesday/patch-tuesday-security-update-group-policy-breaks-group-policy

[5/5] SQL connection failed, current user=<Domain>\<User>$, total time=00:00:05.0480415
 
Login failed for user '<Domain>\<User>$'.
   [System.Data.SqlClient.SqlException @ .Net SqlClient Data Provider]
   at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken, Boolean applyTransientFaultHandling)
   at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)

   at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions)
   at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
   at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)
   at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
   at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry)
   at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)
   at System.Data.SqlClient.SqlConnection.Open()
   at Altiris.NS.Utilities.DbUtils.TryCreateConnection(String costring, Int32 retries, Int32 delay, Int32 add)
 
SQL Exception details: code=18456, line=65536
 
Exception logged from: 
   at Altiris.NS.Utilities.DbUtils.TryCreateConnection(String, Int32, Int32, Int32)
   at Altiris.NS.Utilities.DbUtils.CreateConnection(String, String, String, String)
   at Altiris.NS.Utilities.DbUtils.CreateConnection(String)
   at Altiris.NS.ContextManagement.AdminDatabaseContext.OpenDbConnection()
   at Altiris.Database.DatabaseContext<T>.Initialize(Boolean, System.Data.IsolationLevel)
   at Altiris.Database.DatabaseContext<T>.CreateFirstContext(Altiris.Database.ContextTransactionMode, System.Nullable<System.Data.IsolationLevel>, Altiris.Database.DatabaseContextStack<T>, Boolean)
   at Altiris.Database.DatabaseContext<T>.GetContextImpl(Altiris.Database.ContextTransactionMode, System.Nullable<System.Data.IsolationLevel>, Boolean)
   at Altiris.Database.DatabaseContext<T>.GetContext(Altiris.Database.ContextTransactionMode, System.Nullable<System.Data.IsolationLevel>, Boolean)
   at Altiris.NS.DataAccessLayer.Implementation.Altiris_PluggableProtocols_NSAccessPPADAL.GetAlertModificationTime(String&)
   at Altiris.PluggableProtocols.NSAccess.DBDA.Handle_GetAlertModificationTime(Altiris.PluggableProtocols.Properties)
   at Altiris.PluggableProtocols.NSAccess.DBDA.GetData(Altiris.PluggableProtocols.Properties)

   at 
-----------------------------------------------------------------------------------------------------
Date: 7/13/2016 9:40:04 AM, Tick Count: 3334390 (00:55:34.3900000), Host Name: <Hostname>, Size: 4.08 KB
Process: AeXMetricProv (6808), Thread ID: 1, Module: Altiris.NS.dll
Priority: 1, Source: DbUtils.CreateConnection
File: C:\ProgramData\Symantec\SMP\Logs\a.log

Cause

This issue can occur when a Group Policy Object does not grant Read permission to the Authenticated Users group, or, where security filtering is used, to the Domain Computers group. After KB3159398 is installed, Group Policy is retrieved in the computer's security context, so the computer account must be able to read every GPO that applies to it; a GPO the computer account cannot read is no longer processed, which is how a permissions change on a GPO ends up breaking the policy itself.
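The following script is an added example, not part of this KB article or of the Symantec product: it audits every GPO in the domain for the Read permission described above and, when run with -Fix, adds Read (not Apply) for Authenticated Users where it is missing. It assumes the GroupPolicy module (RSAT or a domain controller) and an account allowed to read and, for -Fix, modify GPO security; the trustee names and permission levels it checks are the values that the GroupPolicy cmdlets return.

```powershell
# Added example (not from the KB article): find GPOs that neither Authenticated
# Users nor Domain Computers can read, which is the condition KB3159398 exposes.
# Assumes the GroupPolicy module is available and the caller can read GPO ACLs.
param(
    [switch]$Fix   # add Authenticated Users: Read to every GPO that fails the check
)
Import-Module GroupPolicy -ErrorAction Stop

# Either trustee is enough for the computer account to read the GPO.
$acceptableTrustees = @('Authenticated Users', 'Domain Computers')
# Every level below includes Read; a Deny entry never counts.
$readLevels = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

function Test-GpoComputerRead {
    param($Gpo)
    foreach ($entry in (Get-GPPermission -Guid $Gpo.Id -All)) {
        if ($entry.Denied) { continue }
        if ($entry.Trustee.Name -in $acceptableTrustees -and
            $entry.Permission.ToString() -in $readLevels) {
            return $true
        }
    }
    return $false
}

$allGpos = Get-GPO -All
$broken  = @()
foreach ($gpo in $allGpos) {
    if (Test-GpoComputerRead -Gpo $gpo) { continue }
    $broken += $gpo
    Write-Warning ("GPO '{0}' ({1}) grants neither Authenticated Users nor Domain Computers Read access" -f
        $gpo.DisplayName, $gpo.Id)
    if ($Fix) {
        # GpoRead only: granting GpoApply would widen the set of principals the
        # GPO is enforced on and silently undo the security filtering in place.
        # Without -Replace, Set-GPPermission never lowers an existing higher level.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
            -PermissionLevel GpoRead | Out-Null
        Write-Output ("Added Authenticated Users: Read to '{0}'" -f $gpo.DisplayName)
    }
}
Write-Output ("{0} GPO(s) checked, {1} missing computer Read access" -f $allGpos.Count, $broken.Count)
```

Run it once without -Fix to get the list of affected GPOs, review which of them are intentionally filtered, and only then run it with -Fix. After the permission is added, run gpupdate /force on an affected computer and confirm with gpresult /r that the GPO is applied again.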

Resolution

There are two ways to work around this issue:

  1. Uninstall the Microsoft update KB3159398. This removes a security update and should be treated as a last resort; it also does not address the GPO permission problem described under Cause.
  2. Find the service (or IIS application pool) in question and view its properties; select the "Log On" tab (or the Identity property under Advanced Settings for an IIS application pool) and specify the Altiris Service Account (AppID). The account must hold the "Log on as a service" right and have a login on the SQL Server.

The permanent fix is the one implied by the Cause section: grant Read permission on the affected Group Policy Objects to Authenticated Users (or, with security filtering, to Domain Computers), so that the computer account can read them with KB3159398 installed.
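The script below is an added example, not part of this KB article or of the Symantec product: it performs the second workaround from the command line, switching a Windows service and an IIS application pool from Local System to a domain service account. The service name, application pool name and account are parameters and are assumptions; the page does not name which Altiris service or application pool is affected, so identify it from the log entry (the Process field, AeXMetricProv in the example above) before running this.

```powershell
# Added example (not from the KB article): move a service and an IIS app pool
# off Local System and onto the Altiris Service Account (AppID).
# The names below are placeholders; the KB article does not name the affected
# service or application pool, so take them from the "Process:" line of a.log.
param(
    [Parameter(Mandatory)] [string]$ServiceName,              # e.g. the service from the log's Process field
    [Parameter(Mandatory)] [string]$AppPoolName,              # IIS application pool, if the failing component is web-hosted
    [Parameter(Mandatory)] [pscredential]$Credential          # the AppID, entered via Get-Credential (never hard-code it)
)

# Win32_Service.Change takes the logon account and password as the 7th and 8th
# arguments; $null leaves every other setting untouched. Returns 0 on success.
$service = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $service) { throw "Service '$ServiceName' not found" }
$plain   = $Credential.GetNetworkCredential().Password
$result  = $service.Change($null, $null, $null, $null, $null, $null,
                           $Credential.UserName, $plain)
if ($result.ReturnValue -ne 0) {
    # 22 = invalid service account is the usual failure: the account lacks
    # the "Log on as a service" right or the name/domain is wrong.
    throw "Changing logon account for '$ServiceName' failed with code $($result.ReturnValue)"
}
Restart-Service -Name $ServiceName -Force
Write-Output ("Service '{0}' now runs as {1}" -f $ServiceName, $Credential.UserName)

# IIS: identityType 3 = SpecificUser. The WebAdministration module ships with IIS.
Import-Module WebAdministration -ErrorAction Stop
$poolPath = "IIS:\AppPools\$AppPoolName"
if (-not (Test-Path $poolPath)) { throw "Application pool '$AppPoolName' not found" }
Set-ItemProperty -Path $poolPath -Name processModel -Value @{
    userName     = $Credential.UserName
    password     = $plain
    identityType = 3
}
Restart-WebAppPool -Name $AppPoolName
Write-Output ("Application pool '{0}' now runs as {1}" -f $AppPoolName, $Credential.UserName)
```

After the change, watch a.log for a successful "SQL connection" entry whose current user is the AppID rather than <Domain>\<Hostname>$; a repeat of SqlException 18456 means the AppID itself has no login on the SQL Server. Because the account now replaces Local System, keep it to the rights the Altiris services need and nothing more.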