search cancel

Failed to retrieve key: DbPassword. Access to the path 'C:\ProgramData\Symantec\SMP\KMS' is denied.

book

Article ID: 173768

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

During a repair or an upgrade, while using SIM (Symantec Installation Manager), it fails during configuration process with some errors related to:
 

Failed to retreive key: DbPassword

Access to the path 'C:\ProgramData\Symantec\SMP\KMS' is denied.
   [System.UnauthorizedAccessException @ mscorlib]  

Failed to retreive key: DbPassword

Access to the path 'C:\ProgramData\Symantec\SMP\KMS' is denied.
   [System.UnauthorizedAccessException @ mscorlib]
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileSystemEnumerableIterator`1.CommonInit()
   at System.IO.FileSystemEnumerableIterator`1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler, Boolean checkHost)
   at System.IO.Directory.GetFiles(String path)
   at Altiris.NS.Security.Cryptography.SymmetricKeyManager.KeyExists(String name)
   at Altiris.NS.Security.Cryptography.SymmetricKeyManager.PerformKey[TKey,TValue](String name, Func`2 func, LoadKeyType keyType, Boolean throwOnError)
   at Altiris.NS.Utilities.BasicCrypto.TryDecrypt(EncryptedData t, String keyName, Byte[]& result, Boolean throwMissingKey)
   at Altiris.NS.Utilities.BasicCrypto.FromBase64(String encryptedData, String keyName, String legacyKeyName, Boolean& usedLegacyKey)
   at Altiris.NS.Installation.DbConfiguration.GetPassword(String configName, String legacyKeyName, String& cache)

Exception logged from:
   at Altiris.NS.Installation.DbConfiguration.GetPassword(String, String, String&)
   at Altiris.NS.Utilities.DbUtils.GetConnectionParameters(String, String&, String&, String&, String&)
   at Altiris.NS.Utilities.DbUtils.GetSqlServerVersion(String)
   at Altiris.NS.DataAccessLayer.DatabaseAbilities.ReloadDatabaseVersion()
   at Altiris.NS.DataAccessLayer.DatabaseAbilities.get_SqlVersion()
   at Altiris.NS.DataAccessLayer.DatabaseAbilities.RefreshAbilities()
   at Altiris.NS.Logging.EventLog+HouseKeeper.PerformUpdate()
   at Altiris.NS.Logging.EventLog+EventLogQueueThreadRunner.DoHouseKeeping()
   at Altiris.Common.Threading.HouseKeepingList.DoHouseKeeping()
   at Altiris.Common.Threading.HouseKeepingList+HouseKeepingController.DoHouseKeepingThreadProc(Object)
   at Altiris.Common.Threading.LocalThreadPool.ExecuteWorkerRequest(Altiris.Common.Threading.LocalThreadPool+LocalThreadPoolWorkerState, Altiris.Common.Threading.LocalThreadPool+UserWorkItem)
   at Altiris.NS.Threading.NSThreadPool.ExecuteWorkerRequest(Altiris.Common.Threading.LocalThreadPool+LocalThreadPoolWorkerState, Altiris.Common.Threading.LocalThreadPool+UserWorkItem)
   at Altiris.Common.Threading.LocalThreadPool.ThreadPoolProc(Object)
   at System.Threading.ThreadHelper.ThreadStart(Object)

User [DSG\dsiaaltiris], Auth [DSG\dsiaaltiris], AppDomain [NSConfigurator.exe]

-----------------------------------------------------------------------------------------------------
Date: 2/11/2019 2:37:45 PM, Tick Count: 20190796 (05:36:30.7960000), Size: 2.74 KB
Process: NSConfigurator (7440), Thread ID: 21, Module: Altiris.NS.dll
Priority: 2, Source: Altiris.NS.Installation.DbConfiguration.GetPassword

Cause

Having the incorrect permissions set on the RSA/MachineKeys folder. Please refer to:
https://support.microsoft.com/en-us/help/278381/default-permissions-for-the-machinekeys-folders

 

Environment

ITMS 8.0 or later

Resolution

In some rare cases, even with the mentioned fix mentioned here, you may need to verify the following:

  1. Give your user (In our case, the «user» should be NS «App Identity») Full Access to the following folder: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys (or C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys in previous OS versions).

We found that in some occasions the permissions in the machine keys directory needed to have the service account (App Identity) added instead of just administrators group:

  1. Change security on directory:
    • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
  2. Add your App Identity account, with the following minimum "Advanced" set of permissions:
    • Create files / write data

    • Create folders / append data

    • Write attributes

    • Write extended attributes

    • Delete

  3. After hitting apply, accept that 5 directories were "Access is denied", if any.