VIP Healthcheck fails with SASMONITOR error "This account is not authorized to perform the requested operation."

Article ID: 176178

Products

VIP Service

Issue/Introduction

Healthcheck is failing with SASMONITOR, which puts the VIP EG into business continuity mode.

In VIP Manager reports, the SASMONITOR test user shows the error "This account is not authorized to perform the requested operation."

The VIP Healthcheck cannot assign the credential and fails with error:

    INFO  "2019-10-03 08:33:14.367 GMT+0300" 0.0.0.0 healthcheck 0 0 0  "text=Binding credential to 'sasmonitor_CITRIXNET'"
    ERROR "2019-10-03 08:33:29.273 GMT+0300" 0.0.0.0 healthcheck 0 0 0  "text=There was some error processing request: Read timed out

Cause

The credential assigned to the SASMONITOR test user is a desktop credential with a SYHC prefix. VIP Manager policy settings need to allow desktop credentials.

Resolution

Options to allow the credential to be assigned to the user:

  • Log in to VIP Manager. Click the POLICIES tab. Under the CREDENTIALS option, enable desktop credential types. Restart the Health Check service on the VIP Enterprise Gateway to add the credential to the SASMONITOR user. Optionally, the SYHC credential can be added manually to the SASMONITOR user from VIP Manager. To find the credential ID, set the Health Check service on the VIP EG to DEBUG level, then restart the service. The credential ID is exposed in the Symantec\VIP_Enterprise_Gateway\logs\healthcheck.log file. Example:

    DEBUG "2021-05-12 09:27:27.209 GMT-0600" 10.32.168.200 healthcheck 0 0 0  "actor=healthcheck-service,text=http-outgoing-1 << \"<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S=\"http://schemas.xmlsoap.org/soap/envelope/\"><S:Body><GetUserInfoResponse xmlns=\"https://schemas.symantec.com/vip/2011/04/vipuserservices\"><requestId>7004284332089294216</requestId><status>0000</status><statusMessage>Success</statusMessage><userId>sasmonitor_dc</userId><userCreationTime>2020-07-23T04:15:45.567Z</userCreationTime><userStatus>ACTIVE</userStatus><numBindings>1</numBindings><credentialBindingDetail><credentialId>SYHC17264811</credentialId><credentialType>STANDARD_OTP</credentialType><credentialStatus>ENABLED</credentialStatus><bindingDetail><bindStatus>ENABLED</bindStatus><lastBindTime>2021-02-01T16:04:09.947Z</lastBindTime><lastAuthnTime>2021-03-15T17:08:07.575Z</lastAuthnTime><lastAuthnId>01EED341A0B2228A</lastAuthnId></bindingDetail></credentialBindingDetail></GetUserInfoResponse></S:Body></S:Envelope>\",op=healthcheck"

    (Note: Once added, the policy can be set back to not allow desktop credentials. This will not affect the SASMONITOR credential.)

  • If desktop credentials are enabled at the global level, limit other users from accessing this credential type by adding users to user groups and limiting credential types at the group level.
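
Added example (not part of the original article and not vendor code): one way to pull the credential ID out of a DEBUG-level healthcheck.log instead of reading the escaped SOAP by eye. It assumes the log lines have the shape of the DEBUG example above; the function name `bindings_from_log` is hypothetical, the sample log is constructed from that example, and the SYHC prefix test follows the Cause section.

```python
import re
import xml.etree.ElementTree as ET

VIP_NS = {"vip": "https://schemas.symantec.com/vip/2011/04/vipuserservices"}
ENVELOPE_RE = re.compile(r"<(\w+):Envelope\b.*?</\1:Envelope>", re.S)

# Constructed sample: a filler INFO line plus a shortened copy of the DEBUG line shown in this article.
SAMPLE_LOG = r'''INFO  "2021-05-12 09:27:26.000 GMT-0600" 10.32.168.200 healthcheck 0 0 0  "text=constructed filler line"
DEBUG "2021-05-12 09:27:27.209 GMT-0600" 10.32.168.200 healthcheck 0 0 0  "actor=healthcheck-service,text=http-outgoing-1 << \"<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S=\"http://schemas.xmlsoap.org/soap/envelope/\"><S:Body><GetUserInfoResponse xmlns=\"https://schemas.symantec.com/vip/2011/04/vipuserservices\"><status>0000</status><userId>sasmonitor_dc</userId><credentialBindingDetail><credentialId>SYHC17264811</credentialId><credentialType>STANDARD_OTP</credentialType><credentialStatus>ENABLED</credentialStatus><bindingDetail><bindStatus>ENABLED</bindStatus></bindingDetail></credentialBindingDetail></GetUserInfoResponse></S:Body></S:Envelope>\",op=healthcheck"
'''


def bindings_from_log(text):
    """Return one dict per credential binding found in GetUserInfoResponse lines."""
    found = []
    for line in text.splitlines():
        if "GetUserInfoResponse" not in line:
            continue
        # The log escapes every double quote inside the SOAP body as \".
        match = ENVELOPE_RE.search(line.replace('\\"', '"'))
        if not match:
            continue
        try:
            # Parsing starts at the Envelope element, so no DOCTYPE or
            # entity declarations from the log ever reach the XML parser.
            root = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # truncated or wrapped log line
        for resp in root.iter("{%s}GetUserInfoResponse" % VIP_NS["vip"]):
            user = resp.findtext("vip:userId", default="", namespaces=VIP_NS)
            for cred in resp.findall("vip:credentialBindingDetail", VIP_NS):
                cred_id = cred.findtext("vip:credentialId", default="", namespaces=VIP_NS)
                found.append({
                    "user": user,
                    "credential_id": cred_id,
                    "type": cred.findtext("vip:credentialType", default="", namespaces=VIP_NS),
                    "status": cred.findtext("vip:credentialStatus", default="", namespaces=VIP_NS),
                    # Per the Cause section, an SYHC prefix marks a desktop credential.
                    "desktop": cred_id.startswith("SYHC"),
                })
    return found


if __name__ == "__main__":
    for binding in bindings_from_log(SAMPLE_LOG):
        print(binding)
```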