In the attempt to extend password visibility access for Local Security Solution to a Notification Server console security role in Altiris, some errors were encountered. The role was given the following privileges:
Item Tasks --> Show Managed Password, Show Current Password Item Tasks - Local Security --> Show Managed User Passwords
And the following item permissions:
Report for LSS Access - Read, Run Reports Resource Management/Resources/Defaults --> Read Resource Data, Read Resoucre Association, View Passord, Write Resource Data
When logged in as a member of the limited access security role, a right-click is performed on a computer resource to select "Show Managed Password". Instead of seeing the managed password, as an NS Console administrative user would see, the following error is displayed, and the associated text below appears in the Notification Server a.log:
Unable to discover your essential user data for logging purposes.
Process: w3wp.exe (4136) Thread ID: 7788 Module: AltirisNativeHelper.dll Source: MSoft.LocalSecurity.Web.Resource.ShowLocalUserPassword.ShowPassword Description: Unable to log password disclosure ( Unhandled exception. Type=Altiris.NS.Exceptions.AeXResourceNotFoundException Msg=Unable to discover user resource for SID x-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxx. Aborting User Password disclosure Src=MSoft.LocalSecurity StackTrace= at MSoft.LocalSecurity.LocalSecurityPassword.LogDisclosure(LocalSecurityPassword lup, String strRemoteAddress) at MSoft.LocalSecurity.LocalUserPassword.GetCurrentManagedPasswordLogged(Guid UserGuid, String strRemoteAddress) at MSoft.LocalSecurity.Web.Resource.ShowLocalUserPassword.ShowPassword(Guid UserGuid) Inner exception. Type=Altiris.NS.Exceptions.AeXSecurityException Msg=The caller ('xxxxx\xxxxx') does not have the specified permission ('Data Class Read') on the item ('Global Windows Users'). Src=Altiris.NS StackTrace= at Altiris.NS.Security.SecurityMonitor.Demand(ItemPermissionEntryCollection entries) at Altiris.NS.Security.ItemPermission.Demand() at Altiris.Resource.ResourceDataTable.DeferredLoad() at Altiris.Resource.ResourceDataTable.Load(Guid ResourceGuid) at Altiris.Resource.ResourceDataClass.GetResourceTable(Guid resourceGuid) at Altiris.Resource.ResourceDataTableCollection.get_Item(Guid dataTableGuid) at MSoft.Resource.Resources.UserHelper.GetCurrentUserFromSecurityContext() at MSoft.LocalSecurity.LocalSecurityPassword.LogDisclosure(LocalSecurityPassword lup, String strRemoteAddress) )
This error "Unable to discover your essential user data for logging purposes.” applies to the following situations:
1. The user attempting an operation currently does not exist in the NS as a user resource (via the User.Domain resource key
2. The user does not have rights to create a user resource and ....
3. The user does not have read/write access on the GlobalWindowsUser dataclass
Item 3 was the problem.
Typically with LSS, when provisioning, domain users and groups get created dynamically as they are encountered in group memberships on local computers.
Simply add the appropriate permissions and rights as listed below:
1. Read/write access on the GlobalWindowsUser dataclass
2. Have rights for the Item Action (Show Managed Password)
3. Read/Write Resource Data to : User Account Password Disclosure
4. Read Resource Data access to: User Account Password, User Account Password Change, User Account Password Change Request (based on what is required)
Applies To Notification Server 6.0.6074 R3 Local Security Solution 6.1
Imported Document Id
This is machine translated content
Login to Subscribe
Please login to set up your subscription.
Didn't find the article you were looking for? Try these resources.