PackageDelivery Error while downloading package: Failed to create NS Client component. Error number: 46. Error description: Permission denied (70)
In many cases the Altiris Agent is attempting to download the package from a package server.
We have seen issues when a package server agent is running on Windows XP SP2, or even Windows 2003 Server SP1. The COM permissions for the anonymous user account have been reduced causing the agent to fail because it cannot activate the Altiris.AeXNSClient object.
Individual Package Servers are affected, not the whole network. With EnableDACLManagement Disabled ( set to "0" - see TECH204095) the Settings on the Altiris Agent folder are still being modified to have needed permissions removed. For Computer\Users the Read & Execute permissions are being set to "This Folder only". The problem arise when someone remove the Read & Execute permissions to "Altiris Agent" folder on the Package Server. Then IIS just can't access the Agent COM object in order to provide the snapshot.xml to the caller.
Verify where the Altiris Agent is attempting to download the package from. In most cases, the Altiris Agent is attempting to download from a package server. On the source location (i.e. Package Server), verify that the Internet Guest Account (IUSR _<server name>) has the proper COM permissions. This account must have Launch and Activate permissions.
Navigate to: Start > Settings > Control Panel > Administrative Tools > Component Services.
Within Component Services, expand Component Services > Computers > My Computer.
Right-click on My Computer and go to Properties.
Select the Com Security tab and in the "Launch and Activation Permissions" section click the "Edit Default" button.
On the Internet Guest Account (IUSR _<server name>), set all to "Allow."
If the iusr_<servername> account is not listed, click 'add' in the above window, enter the user name. Be sure to check 'allow' for all launch and activation permissions.
In some instances you will also need to modify the security permission on the following folder: Program Files\Altiris\Altiris Agent\Package Server Agent. To give the Network Service user modify rights.
Check the Advanced Security permissions on the ..\Program Files\Altiris\Altiris Agent Folder. Computer\Users should be Read and Execute and apply to "This folder, subfolders and files." If it is only "This folder only" change to included subfolders and files, and then repermission all subfolders by checking "Replace all child object permission entries .... " and then select OK.
NOTE: To fix current problem on multiple package servers,
please download attached "Grant permission for BUILTIN_Users on _Altiris Agent_ folder.xml" to this KB.
Open SMP Console -> Manage -> Jobs and Tasks -> mouse right click -> import -> choose downloaded .xml
now run this client task on affected managed client computers to grant permission for "Altiris Agent" folder
Script task contains this cmd line:
for /f "tokens=2,*" %%a in ('reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent" /V InstallDir ^|findstr /ri "REG_SZ"') do icacls "%%b" /grant *S-1-5-32-545:(RX)