Failed to initialize agent storage: Access is denied (0x00000005)

book

Article ID: 197078

calendar_today

Updated On:

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

The customer noticed that the Symantec Management Agent service was stopping and restarting randomly after a recent Agent upgrade. 

The agent logs shows entries like these ones:

Entry 1:

Security of 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys' was adjusted
-----------------------------------------------------------------------------------------------------
Date: 11/08/2020 15:15:05, Tick Count: 427836687 (4.22:50:36.6870000), Size: 311 B
Process: AeXNSAgent.exe (12876), Thread ID: 12264, Module: AeXAgentExt.dll
Priority: 4, Source: AgentStorage

Entry 2:

Failed to initialize agent storage: Access is denied (0x00000005)
-----------------------------------------------------------------------------------------------------
Date: 11/08/2020 15:15:05, Tick Count: 427836703 (4.22:50:36.7030000), Size: 294 B
Process: AeXNSAgent.exe (12876), Thread ID: 12264, Module: AeXNSAgent.exe
Priority: 1, Source: Agent

Entry 3:

Unable to preprocess received client status data.

DecryptData failure. Error 5
   [System.Runtime.InteropServices.COMException @ Altiris.TaskManagement.Common]
   at Symantec.NSAgent.AgentStorage.DecryptData(Byte[] encryptedData, UInt32 flags)
   at Altiris.TaskManagement.Common.ClientTask.Communication.NsIdentityContext.EnsureExecutedAsLocalSystemIdentity[TResult](Func`1 fn, ThrottledLogAction`2 logAction)
   at Altiris.ClientTask.Server.ClientTaskServer.PreProcessClientStatusXml(Boolean encrypted, String statusXml, Guid secretGuid)

COM Exception errcode: 0x5

 

Another symptom was that the Symantec Management Agent UI is not loading when trying to use AeXAgentActivate.exe:

Failed to start the session or activate the object '{FF1B80EC-257A-4DF9-8712-74150E4ADB2A}' in session 1, COM error: Cannot get the session manager, agent is initializing (0x80070005)
-----------------------------------------------------------------------------------------------------
Date: 11/08/2020 15:09:07, Tick Count: 427478625 (4.22:44:38.6250000), Size: 435 B
Process: AeXAgentActivate.exe (12608), Thread ID: 15004, Module: AeXAgentActivate.exe
Priority: 1, Source: AeXAgentActivate

Cause

In this particular scenario, the client machine had a Windows error that caused a blue screen before they started noticing this issue.

After further review, it was found that the Altiris Service Account did not have needed permissions under the folder "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys".

Environment

ITMS 8.1, 8.5

Resolution

Follow below steps:

  1. Browse to the following location: 
    C:\ProgramData\Microsoft\Crypto\RSA\
  2. Right-click on 'MachineKeys' directory and select Properties.
  3. Select Security.
  4. Click Edit.
  5. Select Add.
  6. Add the Application Identity/Altiris Agent service Account name.
  7. Click on Check Names and click OK.
  8. Assign, at minimum, the following:
    • Modify
    • Read & Execute
    • List folder contents
    •  Read
    • Write
  9. Click Apply and select Continue and click OK.

NOTE: After hitting apply, "Access Denied" errors may appear on as many as 5 subdirectories. This is normal in many situations, click accept.

After running the steps above, you may need to restart the client machine to make sure the changes done to the MachineKeys directory takes effect.

 

Note:
In case that the steps above didn't help, check the Windows Application Event Log. In some rare situations, an anti-virus may be blocking the access for the AeXNSAgent.exe to the MachineKeys folder.

Attachments