NOTE: This article addresses ADS (Active Directory Services) authentication type only. If you are seeing this issue with the NT authentication type, please see www.symantec.com/docs/TECH202604.
In the Symantec Management Console (SMC) under the Authentication tab of the pcAnywhere Settings policy for Windows, the Domain drop-down list is empty. Or, if multiple domains should be listed, they are not.
"No data" may be displayed in the grid where Active Directory users and groups should be present.
Also, on a managed client computer with the pcAnywhere Solution plug-in installed, the following error may appear at startup:
"The pcAnywhere host you are attempting to run is configured for caller authentication, but no caller items could be found.
You must define at least one caller before you can use this host item."
There are multiple causes for this behavior. Here is a list, presented in the recommended order for troubleshooting:
- A defect in pcAnywhere Solution 12.5 causes a delay, a timeout, or an error while the Active Directory information is being populated after the Add button is clicked on the Authentication tab of the "pcAnywhere Settings - Windows" policy, or a clone of it.
- The computer browser service is disabled on the Symantec Management Platform (SMP) server.
- NetBIOS over TCP/IP is disabled on the Symantec Management Platform (SMP) server.
- TCP ports 445 and 88 are blocked by a firewall from the SMP server to the domain controller.
- The SMP server is not properly joined to an Active Directory domain. A possible contributing factor is that the server has been recently rebuilt without first deleting the computer account from AD.
- You are attempting to add callers from a different domain than the one to which the SMP server belongs, and a proper trust relationship is missing.
- The Notification Server cannot fully communicate with the domain.
- During installation of the SMP, the Application Identity specified was a local account rather than a domain account.
- The Notification Server may have a defect that is preventing the browsing of the domain.
- NOTE: This step applies only to pcAnywhere Solution 12.5 (the fix is included in pcAnywhere Solution 12.6).
Attached to this article is the latest patch for pcAnywhere Solution 12.5 SP2 (Symantec.pcA.Web.dll_Jan312011.zip). Inside the zip file is Symantec.pcA.Web.dll. This latest patch contains a fix to a memory exception error, plus the latest optimizations in the code for browsing AD. Please apply this latest patch over previous versions of the patch.
Before copying the new Symantec.pcA.Web.dll to the Symantec Management Platform server, close all instances of the Symantec Management Console. Copy the original file from C:\Program Files\Altiris\pcA\Web\Bin into a completely separate folder (do not paste the copy into the original folder). Then overwrite the existing file with the new file. Ensure that there are no extra copies of the file in the C:\Program Files\Altiris\pcA\Web\Bin folder. Finally, open a Command Prompt and run the command "iisreset". The command should return "Internet services successfully restarted".
Note that with this new file, the "Add Users or Groups" console page will initially display the first 100 AD user objects, while the thread which queries AD is still running. Eventually, once all of the AD user and group objects have been returned to the console, it will be possible to scroll down and to search for the object. The number of AD objects will affect the duration of the query. Clicking the scroll bar to the right of the window will show the number of user and group objects that have been retrieved to that point.
- Enable the "Computer Browser" service on the SMP server. Reopen the SMC to verify whether the domain list is populated.
- Enable NetBIOS on the SMP server ("Enable NetBIOS over TCP/IP" under Advanced TCP/IP Settings). Reopen the SMC to verify whether the domain list is populated.
- Configure firewalls to allow communication from the SMP server to TCP ports 445 and 88 on the domain controller(s).
- To test for this cause, verify domain membership of the SMP server. One method of verification is to open My Network Places and check that the expected domain(s) are visible and available for browsing. A blank Domain entry in the SMC has been reported when the expected domain(s) were not browsable from My Network Places. Another method to verify domain membership is to add a domain account into the local Administrators group on the SMP server--if that succeeds then most likely the SMP server is correctly joined to the domain.
To resolve this, it may be necessary to temporarily configure the server to be a member of a workgroup, reboot the server, delete the computer account from AD, and then join the server to AD.
- To resolve this, ensure that a proper trust relationship exists from the domain containing the SMP server to any other domains that you plan to specify for caller authentication. As noted immediately above, a simple test that the domain trusts are properly configured is to open My Network Places on the SMP server and check that the expected domains are visible and available for browsing. Also, see the article "Cross-forest (or cross domain) authentication issues when accessing the Altiris Console", TECH133262, for information about issues found with the SMP core in case they impact pcAnywhere Solution.
- This does not indicate a product issue. As a test, try to add a domain user or group to the local administrators group directly on the NS. If unable to find the user/group, there may be a problem related to Active Directory (browsing, domain membership of the NS, trusts, etc.). Resolve communication, trust, and permissions issues between the NS and the domain controller.
- To check that the last Cause listed above is the problem, open the SMC and click Settings > All Settings > Notification Server > Notification Server Settings. The Processing tab has an Application Identity section. If the User shown is not in the form of DOMAINNAME\username, then a local account was provided during the initial installation of the SMP. The pcAnywhere Solution browses the Active Directory using the context of the Application Identity, so the Application Identity must be an Active Directory account in order to browse Active Directory.
- To determine whether this is a defect on the NS server, open the full pcAnywhere application that is installed on the Notification Server with each pcAnywhere Solution install. Go to Advanced View, then Hosts. From the File menu, select New Item, then Advanced. Navigate to the Callers tab and change the Authentication type to ADS (Active Directory Services). Locate and click the New Item icon (this looks like a white paper with a yellow star). Select either User or Group and browse to the domain and the user or group. (This can take quite some time, depending on the number of items in the domain.) If the user or group can be reached this way, please note this and contact support as noted below.
AT THIS POINT, CONTACT SYMANTEC TECHNICAL SUPPORT FOR A WORK-AROUND TO ADDING CALLERS TO THE CONSOLE USING MODIFIED COMPONENTS THAT WILL ALLOW THE MANUAL ADDING OF USERS. MENTION KB TECH142550. THIS WORKAROUND IS INCLUDED IN PCANYWHERE SOLUTION 12.6.8 AS DEPLOYED WITH CLIENT MANAGEMENT SUITE 7.5 SP1.
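The server-side causes listed above (Computer Browser service, NetBIOS over TCP/IP, TCP ports 445 and 88, domain membership, and the form of the Application Identity) can be checked in one pass from the SMP server. The following script is an added example, not Symantec code; the domain controller name and the account are placeholders, and it assumes Windows PowerShell 2.0 or later run as an administrator.

```powershell
# Added example: read-only checks, run in Windows PowerShell on the SMP server.
# Both parameter defaults are placeholders, not values from the article.
param(
    [string]$DomainController = 'dc01.example.local',
    [string]$ApplicationIdentity = 'EXAMPLE\svc-altiris'  # as shown on the Processing tab
)

function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function New-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    New-Object psobject -Property @{ Check = $Name; OK = $Ok; Detail = $Detail }
}

$checks = @()

# Cause: Computer Browser service disabled (service name "Browser").
$svc = Get-Service -Name Browser -ErrorAction SilentlyContinue
$state = if ($svc) { [string]$svc.Status } else { 'service not found' }
$checks += New-Check 'Computer Browser service' ($state -eq 'Running') $state

# Cause: NetBIOS over TCP/IP disabled. TcpipNetbiosOptions: 0 = default, 1 = enabled, 2 = disabled.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$off = @($nics | Where-Object { $_.TcpipNetbiosOptions -eq 2 })
$checks += New-Check 'NetBIOS over TCP/IP' ($off.Count -eq 0) "$($off.Count) of $($nics.Count) adapters disabled"

# Cause: TCP 445 and 88 blocked between the SMP server and the domain controller.
foreach ($port in 445, 88) {
    $open = Test-TcpPort $DomainController $port
    $checks += New-Check "TCP $port to $DomainController" $open $(if ($open) { 'reachable' } else { 'blocked or no listener' })
}

# Cause: SMP server not properly joined to the domain (for example a stale computer account).
$cs = Get-WmiObject Win32_ComputerSystem
$channel = $false
if ($cs.PartOfDomain) { try { $channel = [bool](Test-ComputerSecureChannel) } catch { $channel = $false } }
$checks += New-Check 'Domain membership' ($cs.PartOfDomain -and $channel) "domain=$($cs.Domain); secure channel=$channel"

# Cause: Application Identity is a local account rather than DOMAINNAME\username.
$prefix, $user = $ApplicationIdentity -split '\\', 2
$isDomain = [bool]$user -and ($prefix -ne $env:COMPUTERNAME) -and ($prefix -ne '.')
$checks += New-Check 'Application Identity' $isDomain $ApplicationIdentity

$checks | Select-Object Check, OK, Detail | Format-Table -AutoSize
```

A row with OK = False points at the matching Cause and Resolution item above; trust relationships to other domains are not covered by the script and still need the My Network Places test.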
pcAnywhere Solution version 12.5.x or 12.6.x in an Active Directory (AD) environment
Domains not shown in Add Active directory User or Group window
Warning, this patch is only for pcAnywhere Solution 12.5 SP2. Newer releases include the fix.
Symantec.pcA.Web.dll_Jan312011.zip (61.5 KB)
ADS_Auth.zip (3.5 KB)
Debuggin.Symantec.pcA.Web.zip (56.0 KB)
Symantec.pcA.Web.dll (159.5 KB)