The current user NT AUTHORITY\IUSR does not have required permission READ to load item

Article ID: 176295

Products

IT Management Suite

Issue/Introduction

The customer reported that this error occurs quite frequently in her logs (see below for full message):

The current user 'NT AUTHORITY\IUSR' does not have required permission 'read' to load item: 8bfcd6b4-ea1e-4008-94ac-4536cb650848

Also there was another log entry for another page:
The current user 'NT AUTHORITY\IUSR' does not have required permission 'read' to load item: 17a0ca06-4636-4920-9762-794114305d8f

This 'NT AUTHORITY\IUSR' account is not the account that they are logged in with.

It looks like something is trying to authenticate with the wrong credentials.

Error 1:

Failed to include communication profile data in agent policy.

The current user 'NT AUTHORITY\IUSR' does not have required permission 'read' to load item: 8bfcd6b4-ea1e-4008-94ac-4536cb650848
   [Altiris.NS.Exceptions.AeXUnauthorizedAccessException @ Altiris.NS]
   at Altiris.NS.ItemManagement.Item.RaiseItemLoadFlagsSecurityException(String message)
   at Altiris.NS.ItemManagement.Item.CheckCanGetItem(IItem item, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags)
   at Altiris.NS.ItemManagement.Item.GetItemInternal(Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlags itemLoadFlags, Boolean& cacheHit)
   at Altiris.NS.ItemManagement.Item.GetItemInternal(Guid itemGuid, IEnumerable`1 accessPermissions, ItemLoadFlag

Error 2:

Unable to get signature of response data.

Attempted to perform an unauthorized operation.
   [System.UnauthorizedAccessException @ Altiris.NS]
   at Altiris.NS.Security.Cryptography.DataSigning.GetSignatureForPackage(Byte[] dataToSign)
   at Altiris.NS.Utilities.NsResponseOps.GetContentSignature(Byte[] data)

User [NT AUTHORITY\IUSR], AppDomain [/LM/W3SVC/1/ROOT/Altiris/NS/Agent-2-132167338005963303]

HTTP [GET]: http://SMPserver/altiris/NS/Agent/GetPackageInfo.aspx?xml=<request resource="{C24A1978-5715-4489-904F-B2BEDB0D63AF}" version="1" type="codebases" compress="1" totalTime="0" totalFailureTime="0">
<packages>
    <package guid="{D706609E-4F50-49F3-A010-CD06437EB4FC}"/>
</packages>
<addresses>
    <address ip="<IP Address>"/>
</addresses>
</request>

 ip: [<IP ADDRESS>]; x-sma-version: [8.5.4249.0];
 response: [200 OK]; x-smp-nsversion: [8.5.4249.0];

-----------------------------------------------------------------------------------------------------
Date: 10/28/2019 1:21:38 PM, Tick Count: 506358140 (5.20:39:18.1400000), Size: 2.86 KB
Process: w3wp (6900), Thread ID: 237, Module: Altiris.NS.dll
Priority: 1, Source: Altiris.NS.Utilities.NsResponseOps.GetContentSignature

Environment

ITMS 8.5 and later

Cause

There is an extra <identity impersonate="true"> entry in "…\Program Files\Altiris\Notification Server\AgentWeb\Agent\web.config".

The same behavior is seen when ASP.NET Impersonation is disabled on the IIS Authentication page for Agent Web. In that case the setting is back and web.config is OK, but all calls are made under IUSR.

Resolution

  1. Open "…\Program Files\Altiris\Notification Server\AgentWeb\Agent\web.config"
  2. Delete the entry:
     <identity impersonate="true">
  3. Restart IIS
  4. Verify that the log entries for User [NT AUTHORITY\IUSR] have stopped.
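
A read-only check for the cause above and for step 4, added here as an example; it is not part of the original article or of ITMS. The function names are hypothetical, the sample config and log lines are constructed, and the real web.config and log file paths are assumed to be supplied by the reader.

```powershell
# Added example; function names are hypothetical, not part of ITMS.

function Find-ImpersonationEntry {
    # Returns every <identity> element that carries an impersonate attribute,
    # at the file root or inside a <location> block, ignoring XML namespaces.
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($node in $Config.SelectNodes("//*[local-name()='identity'][@impersonate]")) {
        $location = $node.SelectSingleNode("ancestor::*[local-name()='location']")
        [pscustomobject]@{
            Impersonate = $node.GetAttribute('impersonate')
            Scope       = if ($null -ne $location) { "location path='$($location.GetAttribute('path'))'" } else { 'file root' }
            Xml         = $node.OuterXml
        }
    }
}

function Get-IusrLogHit {
    # Returns the log lines showing that a request ran as the anonymous IIS account.
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)
    $Line | Where-Object { $_ -match 'NT AUTHORITY\\IUSR' }
}

# Constructed sample input (not taken from a real server).
$sampleConfig = [xml]@'
<configuration>
  <system.web>
    <identity impersonate="true" />
  </system.web>
</configuration>
'@
$sampleLog = @(
    'User [NT AUTHORITY\IUSR], AppDomain [/LM/W3SVC/1/ROOT/Altiris/NS/Agent-1]'
    'User [EXAMPLE\svc-account], AppDomain [/LM/W3SVC/1/ROOT/Altiris/NS/Agent-1]'
)

Find-ImpersonationEntry -Config $sampleConfig | Format-List
"IUSR log lines: $(@(Get-IusrLogHit -Line $sampleLog).Count)"

# On the server, pass the real files instead (both paths are yours to supply):
# Find-ImpersonationEntry -Config ([xml](Get-Content -Raw $webConfigPath))
# Get-IusrLogHit -Line (Get-Content $logFilePath)
```

After step 3, Find-ImpersonationEntry should return nothing for the Agent web.config, and Get-IusrLogHit should return no lines for log entries written after the restart.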