Getting message "Unable to retrieve the name associated with the specified identity" when opening some of the Security Roles.

Article ID: 176866


Products

IT Management Suite

Issue/Introduction

After moving the Altiris database to a new server, or just after rebuilding the current Notification Server, the following message appears for most of the Security Roles under Configuration > Server Settings > Notification Server Settings > Security Roles:

The following error occurred on the page 'RoleManager.aspx'

Unable to retrieve the name associated with the specified identity. Identity: S-1-5-21-1379470142-1319269765-252482137-1019. Inner: Altiris.NS.Exceptions.AeXException: Unable to lookup the name of the account associated with the specified SID (Code: 0x00000534)
   at Altiris.NS.Security.SecurityTrusteeProvider.LookupNameFromSid(String scope, String sid)
   at Altiris.NS.Security.SecurityTrusteeManager.GetName(String scope, String trusteeIdentity, Int32 trusteeType).


Cause

The SIDs on the new or rebuilt server have changed, so the SIDs of the Altiris Security Roles no longer match the information stored in the Altiris database. When the Notification Server checks security, it cannot match the SIDs stored for those Security Roles to the new ones on the system.

Resolution

NOTE: The following steps are not supported in Symantec Management Platform 7.x. Moving a database to a server with a different name than the one it was created on is not supported.

To recover from this situation, follow these steps:

1. Run NSSetup and create a new (test) Altiris database (like Altiris2, or AltirisTest, etc).

2. Run the following SQL query on the test database created:

SELECT Trustee
FROM SecurityTrustee
WHERE Guid IN
(
      SELECT TrusteeGuid
      FROM SecurityRole
      WHERE [Name] = 'Altiris Supervisors' --replace here the name of the Security Role
)

3. Run the same query (above) on the original database (the one that complains that the SIDs don't match). This should return a different SID.

4. Copy the SIDs associated with the desired Security Role from Steps 2 and 3.

5. Run the following query on the original database. This will replace the old SID with the current SID on the new NS server:

UPDATE SecurityTrustee
SET Trustee = 'SID on working DB(step2)'
WHERE Trustee = 'SID from the original DB (step3)'

6. Refresh the NS Console and you should now have access to the desired Security Role.

Note: An alternative method to get the SID is to log on with an Altiris Administrator account (on the NS host), run the command "whoami /GROUPS" and copy the SID for the group "Altiris Administrator". A second alternative is to use the Sysinternals utility "psGetSid" with the /groups "Altiris Administrators" parameter (on the NS host).

Note: This technique only describes how to update the SID for the Altiris Supervisors role. The process would need to be repeated for any other Altiris roles. A more comprehensive approach is to rerun the NSSetup wizard (which will roll back some NS settings to their defaults). If you don't want to run NSSetup, you can use the following query to list the SIDs currently stored in the Altiris database and then modify them to use the right ones:

SELECT sr.name, st.*
FROM securitytrustee st
LEFT JOIN securityrole sr
ON sr.trusteeguid = st.guid
ORDER BY trusteeid

You can find all the right SIDs for the new Notification Server by running from the command prompt 'whoami /all'.
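The steps above, extended to every role that exists in both databases instead of one role at a time, as an added T-SQL example (not from the original article or the vendor). It assumes the original database is named Altiris and the test database AltirisTest, both on the same SQL Server instance with their tables in the dbo schema and with unique, matching role names; SecurityTrustee_BeforeSidFix is a hypothetical backup table name.

```sql
-- Added example, not vendor code. Assumed names: [Altiris] is the original
-- database, [AltirisTest] is the test database created in step 1, and both
-- keep their tables in the dbo schema. Adjust the names before running.

-- 1. Keep a copy of the current rows (hypothetical backup table name).
SELECT *
INTO   [Altiris].dbo.SecurityTrustee_BeforeSidFix
FROM   [Altiris].dbo.SecurityTrustee;

-- 2. Preview: roles whose stored SID differs from the SID in the test database.
--    Roles that exist only in the original database are not listed or changed.
SELECT r_old.[Name]  AS RoleName,
       t_old.Trustee AS SidInOriginalDb,
       t_new.Trustee AS SidInTestDb
FROM   [Altiris].dbo.SecurityRole        r_old
JOIN   [Altiris].dbo.SecurityTrustee     t_old ON t_old.Guid = r_old.TrusteeGuid
JOIN   [AltirisTest].dbo.SecurityRole    r_new ON r_new.[Name] = r_old.[Name]
JOIN   [AltirisTest].dbo.SecurityTrustee t_new ON t_new.Guid = r_new.TrusteeGuid
WHERE  t_old.Trustee <> t_new.Trustee;

-- 3. Apply the same mapping inside a transaction so it can be undone.
BEGIN TRANSACTION;

UPDATE t_old
SET    t_old.Trustee = t_new.Trustee
FROM   [Altiris].dbo.SecurityTrustee     t_old
JOIN   [Altiris].dbo.SecurityRole        r_old ON r_old.TrusteeGuid = t_old.Guid
JOIN   [AltirisTest].dbo.SecurityRole    r_new ON r_new.[Name] = r_old.[Name]
JOIN   [AltirisTest].dbo.SecurityTrustee t_new ON t_new.Guid = r_new.TrusteeGuid
WHERE  t_old.Trustee <> t_new.Trustee;

-- 4. The count must equal the number of rows returned by the preview.
SELECT @@ROWCOUNT AS RowsChanged;

-- If the count matches the preview, run:  COMMIT TRANSACTION;
-- Otherwise run:                          ROLLBACK TRANSACTION;
```

Unlike the UPDATE in step 5, which matches on the old SID value, this version changes only the SecurityTrustee row linked to each role, so any other rows carrying the same old SID still need the step 5 query.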


Applies To
Notification Server 6.0.6074 SP3
SQL Server 2000 or 2005
Cases where the database has been moved to a new server or the Notification Server has been rebuilt.
