The customer reported that this error occurs quite frequently in her logs (see below for full message):
The current user 'NT AUTHORITY\IUSR' does not have required permission 'read' to load item: 8bfcd6b4-ea1e-4008-94ac-4536cb650848
Also there was another log entry for another page:
The current user 'NT AUTHORITY\IUSR' does not have required permission 'read' to load item: 17a0ca06-4636-4920-9762-794114305d8f
This 'NT AUTHORITY\IUSR' account is not the account that they are logged in.
Looks like something is trying to authenticate with the wrong credentials.
Error 1:
Failed to include communication profile data in agent policy.
The current user 'NT AUTHORITY\IUSR' does not have required permission 'read' to load item: 8bfcd6b4-ea1e-4008-94ac-4536cb650848
[Altiris.NS.Exceptions.AeXUnauthorizedAccessException @ Altiris.NS]
at Altiris.NS.ItemManagement.Item.RaiseItemLoadFlagsSecurityException(String message)
at Altiris.NS.ItemManagement.Item.CheckCanGetItem(IItem item, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
at Altiris.NS.ItemManagement.Item.GetItemInternal(Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags, Boolean& cacheHit)
at Altiris.NS.ItemManagement.Item.GetItemInternal(Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlag
Error 2:
Unable to get signature of response data.
Attempted to perform an unauthorized operation.
[System.UnauthorizedAccessException @ Altiris.NS]
at Altiris.NS.Security.Cryptography.DataSigning.GetSignatureForPackage(Byte[] dataToSign)
at Altiris.NS.Utilities.NsResponseOps.GetContentSignature(Byte[] data)
User [NT AUTHORITY\IUSR], AppDomain [/LM/W3SVC/1/ROOT/Altiris/NS/Agent-2-132167338005963303]
HTTP [GET]: http://SMPserver/altiris/NS/Agent/GetPackageInfo.aspx?xml=<request resource="{C24A1978-5715-4489-904F-B2BEDB0D63AF}" version="1" type="codebases" compress="1" totalTime="0" totalFailureTime="0">
<packages>
<package guid="{D706609E-4F50-49F3-A010-CD06437EB4FC}"/>
</packages>
<addresses>
<address ip="<IP Address>"/>
</addresses>
</request>
ip: [<IP ADDRESS>]; x-sma-version: [8.5.4249.0];
response: [200 OK]; x-smp-nsversion: [8.5.4249.0];
-----------------------------------------------------------------------------------------------------
Date: 10/28/2019 1:21:38 PM, Tick Count: 506358140 (5.20:39:18.1400000), Size: 2.86 KB
Process: w3wp (6900), Thread ID: 237, Module: Altiris.NS.dll
Priority: 1, Source: Altiris.NS.Utilities.NsResponseOps.GetContentSignature
ITMS 8.5 and later
Extra <identity impersonate="true"> entry under "…\Program Files\Altiris\Notification Server\AgentWeb\Agent\web.config" .
The same behavior is noticed by disabling ASP.NET Impersonation on IIS authentication page for Agent Web. Setting is back, web.config is OK but all calls are under IUSR.