ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Authentication Connectivity Credential (ACC) account lock out when the agent on domain controller wants to register with tasks server

book

Article ID: 237958

calendar_today

Updated On:

Products

Client Management Suite IT Management Suite

Issue/Introduction

Symantec Management Agent on Domain Controllers causes the ACC account locks out!

The issue is caused when any of the domain controllers want to register with Task Server!

It happens only with the ACC account, and if you use Application ID as ACC account, it works fine:

  •  Settings> All Settings> Symantec Management Agent> Settings> Global Agent Settings  > Authentication tab

 

Error in the logs:

  • Could not impersonate user "\acc_user_vm2". Current user is "<ACC Account>".
       [System.Security.SecurityException @ Altiris.Profiling]
       at Altiris.Profiling.Support.ImpersonateOps.ImpersonateUser(String domain, String user, SecureString password, Boolean forceLogon)
       at Altiris.NS.Utilities.Impersonate.ImpersonateUser(String domain, String user, String password, Boolean forceLogon)

 

  • Security context setup failed: 

Some or all identity references could not be translated.
   [System.Security.Principal.IdentityNotMappedException @ mscorlib]
   at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)
   at System.Security.Principal.WindowsIdentity.GetName()
   at System.Security.Principal.WindowsIdentity.get_Name()
   at Altiris.NS.Security.SecurityTrusteeProvider.GetCoreGroups(WindowsIdentity identity, String& accountName, String& userToken, Boolean& isLocalAdmin, Boolean& isEnabled)
   at Altiris.NS.Security.SecurityContextManager.SetContextData(WindowsIdentity identity, Boolean testEnabled, Boolean updateWebContext, String[] keys, String[] values)

 

Error in Windows Event Viewer:

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

 

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

 

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

 

The Process Information fields indicate which account and process on the system requested the logon.

 

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

 

The authentication information fields provide detailed information about this specific logon request.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

 

Error in the task server logs:

  • Failed to handle request to a service: resource=4ca16329-b0a0-4016-b1fd-9990bb1dbb8f, service=RegisterClient
    Error response returned from server: The handler 'GetClientData' failed to process the request. System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.

 

Cause

Registration to the task server using ACC account and mis-configuration of the IIS!

Environment

Release: 8.x

Resolution

  1. Installed the 8.6RU1 point fix (Or 8.6RU2 Point fix)
  2. Changed the provider order for 'Windows Authentication' and put Negotiate first then NTLM
    • IIS > Default Website> Altiris>    Client task server >> Authentication
    • IIS > Default Website> Altiris> > Task Management >> Authentication
    • IIS > Default Website> Altiris> > Task Management >CT agent >> Authentication
  3. After this change, the Domain Controllers could register with the Notification Server as the task server, but not with other task servers. 
  4. Enable 'Anonymous' authentication on task servers, so the agent on Domain Controllers could also register with them:
    • IIS > Default Website> Altiris>    Client task server >> Authentication