Cross-forest (or cross domain) authentication issues when accessing the Altiris Console
Article ID: 152513

Products

IT Management Suite

Issue/Introduction

After installing the Symantec Management Platform (SMP) using a cross-forest or cross-domain user, you are unable to fully navigate the NS console. Key pages (such as Database Settings and Security Roles) are not accessible when logging in as the service account; "Access Denied" messages are returned.

In addition, when navigating Manage -> Organizational Views and Groups, the "Network resources" group does not appear under Default -> All Resources.

Note: There are no errors during installation.

Environment

  • Symantec Management Platform 7.x, 8.x
  • Cross-forest or cross-domain trusts in place on the Windows side.
  • Cross-forest (or cross-domain) Altiris Service Account user.

Cause

When SMP Core attempts to determine the Windows groups that the cross-forest Altiris Service Account user is a member of, Windows does not return the complete list of group SIDs. This is due to a Windows-side authentication issue pertaining to cross-forest (or cross-domain) trusts.

Sequence of Events:
  • NS Core calls GetCurrentUserMemberships() to get the Windows group memberships for the logged-in user.
  • Windows does not return the SID for the Symantec Administrators group when the logged-in user is from a remote domain.
  • When the user attempts to access a page that is restricted to the Symantec Administrators group, an "access denied" message is returned in the console window.
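The following PowerShell script is an added diagnostic example, not part of the original article: run it on the Notification Server while logged on as the Altiris Service Account to see which group SIDs the Windows token actually carries and whether the SID of the local "Symantec Administrators" group (the group name is an assumed default and can be overridden) is among them. SIDs that cannot be translated back to a name are reported separately, since those are typically the cross-forest lookups that fail.

```powershell
# Added diagnostic (not from the KB article): does the current logon token contain
# the SID of a given local group? Assumes the group exists on this server.
param(
    [string]$GroupName = 'Symantec Administrators'   # assumed default role group
)

# Resolve the local group's SID through the account-name translation API.
$account = New-Object System.Security.Principal.NTAccount("$env:COMPUTERNAME\$GroupName")
try {
    $expectedSid = $account.Translate([System.Security.Principal.SecurityIdentifier])
} catch {
    Write-Error "Cannot resolve local group '$GroupName': $($_.Exception.Message)"
    return
}

# Group SIDs present in the token of the currently logged-on user.
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = $identity.Groups

Write-Host "User: $($identity.Name)"
Write-Host "Token carries $($tokenGroups.Count) group SIDs"

$unresolved = @()
foreach ($sid in $tokenGroups) {
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # A SID the server cannot translate usually comes from the remote
        # domain/forest and points at the trust lookup problem described above.
        $name = '<unresolvable>'
        $unresolved += $sid.Value
    }
    Write-Host ("  {0,-50} {1}" -f $sid.Value, $name)
}

if ($tokenGroups.Contains($expectedSid)) {
    Write-Host "OK: token contains '$GroupName' ($($expectedSid.Value))"
} else {
    Write-Warning ("Token does NOT contain '$GroupName' ($($expectedSid.Value)); " +
                   "console pages restricted to that group will return Access Denied")
}
if ($unresolved.Count -gt 0) {
    Write-Warning "$($unresolved.Count) SID(s) could not be resolved: $($unresolved -join ', ')"
}
```

An interactive logon token is a close approximation of what the console sees, but the IIS-impersonated token can still differ, so use the output as a pointer rather than proof.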

Resolution

There are two ways to work around the authentication issue:

Resolution:

  • Add the local and remote domains to the Local Intranet Sites list on the Notification Server

    Be sure to add them in the form *.domain.com.

    For example, if we have two domains, localDomain.Company.com and remoteDomain.Company.com (with a trust between them), we would add the following two entries to the Local Intranet Sites list:

    *.localDomain.Company.com
    *.remoteDomain.Company.com

  • Add the cross-forest Altiris Service Account to the Local Administrators group on the Notification Server
  • Add the cross-forest Altiris Service Account to the Local Administrators group (or other appropriate group) on the SQL Server.
  • Install SMP

    This should allow Windows authentication to work correctly.

Work-around:

  • Use a Local Administrator Account on the Notification Server
  • Use a SQL Account (SA or equivalent) to access the SQL Server
  • Install SMP

    This bypasses the Windows authentication issue altogether.

Note:
If the "Network Resources" Organizational Group is still missing after applying either the work-around or the resolution listed above, adjust the Default Organizational View filter as follows:

  1. Navigate to Manage -> Organizational Views and Groups.
  2. Click Default.
  3. In the upper right-hand corner, click the Filter... button (it appears just under the Search bar).
  4. Check the box next to each resource type that you wish to see (Computer, Virtual machine, Network resource, etc.).
  5. Click OK.