search cancel

Failed to impersonate user 'domain\AppIDaccount' for database validation. Try again or contact support if this problem persists.

book

Article ID: 175158

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

The customer is trying to upgrade from ITMS 8.5  to 8.5 RU2.
When doing so, the following error occurs in a pop up window:

Symantec Installation Manager
Failed to impersonate user 'domain\AppIDaccount' for database validation. Try again or contact support if this problem persists.

According to TECH121939 this issue was addressed with SIM 8.1 and later versions.

The SIM logs shows:

Entry 1:
Impersonating windows user domain\AppIDaccount

Entry 2:
Exception occurred while impersonating user
Unable to cast object of type 'System.DBNull' to type 'System.String'.
   [System.InvalidCastException @ SymantecInstallationManager]
   at Symantec.Installation.InstallClasses.SQLAuth.VerifyDBPermissions(String
dbname, Boolean createNew, Int32 timeout, Boolean& bTempdbAutogrow)

Entry 3:
VerifyDatabaseSettings - AuthenticateCredentials/VerifyDBPermissions failed:
Failed to impersonate user 'domain\AppIDaccount' for database validation. Try
again or contact support if this problem persists.

Error 1:

Exception occurred while impersonating user
Unable to cast object of type 'System.DBNull' to type 'System.String'.
   [System.InvalidCastException @ SymantecInstallationManager]
   at Symantec.Installation.InstallClasses.SQLAuth.VerifyDBPermissions(String dbname, Boolean createNew, Int32 timeout, Boolean& bTempdbAutogrow)

Exception logged from:
   at Symantec.Installation.Logging.LogActivity.ReportException(Int32 severity, String strMessage, String category, Exception exception, String footer)
   at Symantec.Installation.Logging.LogActivity.ReportException(String strMessage, String category, Exception exception)
   at Symantec.Installation.InstallClasses.SQLAuth.VerifyDBPermissions(String dbname, Boolean createNew, Int32 timeout, Boolean& bTempdbAutogrow)
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
   at Symantec.Installation.WPF.CancelProxy.Invoke(IMessage msg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Symantec.Installation.InstallClasses.SQLAuth.VerifyDBPermissions(String dbname, Boolean createNew, Int32 timeout, Boolean& bTempdbAutogrow)
   at Symantec.Installation.Model.DBSettingsManager.VerifyDatabaseSettings(SettingsToValidate settings, ServerValidationInfo& info)
   at Symantec.Installation.Model.DBSettingsManager.VerifySettings(SettingsToValidate settings, Version& existingDBVersion, Boolean& emptyDB)
   at Symantec.Installation.Model.DBSettingsManager.VerifySettings(SettingsToValidate settings)
   at Symantec.Installation.UI.UpdateProductsView.<>c__DisplayClass41_0.<winButtonConfirmInstall_Click>b__0()
   at System.Threading.Tasks.Task.Execute()
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot)
   at System.Threading.Tasks.Task.ExecuteEntry(Boolean bPreventDoubleExecution)
   at System.Threading.ThreadPoolWorkQueue.Dispatch()
-----------------------------------------------------------------------------------------------------
Date: 6/13/2019 9:36:25 AM, Tick Count: 993166859 (11.11:52:46.8590000),  Size: 2.95 KB
Process: SymantecInstallationManager (12388), Thread ID: 21, Module: SymantecInstallationManager.exe
Priority: 1, Source: Symantec.Installation.InstallClasses.SQLAuth.VerifyDBPermissions

 

Error 2:

VerifyDatabaseSettings - AuthenticateCredentials/VerifyDBPermissions failed: Failed to impersonate user 'domain\AppIDaccount' for database validation. Try again or contact support if this problem persists.
-----------------------------------------------------------------------------------------------------
Date: 6/13/2019 9:36:25 AM, Tick Count: 993166859 (11.11:52:46.8590000), Size: 508 B
Process: SymantecInstallationManager (12388), Thread ID: 21, Module: SymantecInstallationManager.exe
Priority: 1, Source: Symantec.Installation.Model.DBSettingsManager.VerifyDatabaseSettings

Environment

Upgrade from ITMS 8.5 to 8.5 RU2

Cause

The account used didn't have the proper "Server Role" assigned. We are expecting to have SQL Server Role of sysadmin, diskadmin, or serveradmin.

The customer clarified that usually his DBA creates the initial database and adds the AppID account as a member of a limited group in the SQL Server that doesn't have sysadmin priviledges.

Resolution

After reviewing the SIM logs (under C:\Program Data\Symantec\SMp\Logs), the following warnings showed the permissions that were missing to properly impersonate and authenticate during an upgrade (or install/repairs):

Warning 1:
VerifyDBPermissions determined login 'domain\AppIDaccount' is not in server role (sysadmin, diskadmin, serveradmin)
-----------------------------------------------------------------------------------------------------

Warning 2:
VerifyDBPermissions determined login 'domain\AppIDaccount' does not have explicit server permission for (CREATE DATABASE, CREATE ANY DATABASE, ALTER ANY DATABASE)
-----------------------------------------------------------------------------------------------------

In order to solve this issue:

  1. Grant on your database "sysadmin" server role to the account that you are using to upgrade and try again to upgrade.

 

You can refer to this type of information in the following article:

181352 "What SQL rights are needed for the application identity service account(or SQL account)?"


SQL Server Account Permissions
The account used for SMP 7 and later to access its database needs permissions to modify the Altiris database (Symantec_CMDB), including:

  • create, alter, and drop tables
  • create, alter, and drop views
  • create, alter, and drop stored procedures
  • execute stored procedures
  • view, insert and drop records in these tables.

    Note: Preferred server permissions:
    CREATE DATABASE, CREATE ANY DATABASE, ALTER ANY DATABASE

  • Additionally, this account needs to:
  • view information from the msdb database
  • execute some system stored procedures.

    Note: Required server roles:
    sysadmin, diskadmin, serveradmin

    Additionally, when the Symantec Installation Manager (SIM) is installing SMP; If the Altiris database does not already exist, then this account needs to be able to create the Altiris database.

    See the following KB articles as other references:

     

See the following articles as reference:

HOWTO75157 "Security Information and Tips for ITMS"
179939 "What are the minimum rights requirements that SIM 7 looks for during an installation?"
179741 "Notes on configuring SQL Server for use with SMP 7"
181041 "Common Credentials used for ITMS"