When attempting to access the 7.1 console the user is rejected and redirected to the "/Altiris/NS/access_denied.aspx" page, even though the user's account is a member of the Symantec Administrators, or another role.

Access Denied

You currently do not have sufficient network access rights to the Notfication Server console.
Please contact your local area network administrator for further assistance.

Symantec Management Platform 7.1 SP2 MP1.1

CAUSE 1: The SID of the user being passed in during authentication does not match the one currently registered in the ResourceKey table for that user. This may be because the user's account had been deleted and then recreated again, or some other similar activity.

CAUSE 2:  The platform had been moved to a different server, or the server had been rebuilt, and the cryptography files (NS.WebServiceCredentials.kms) in "C:\ProgramData\Symantec\SMP\KMS" were manually copied in from the original installation.

SOLUTION 1:  Verify that the SID of the user matches what is currently registered for the user logging in. This can be done by doing the following:

1. On a computer the user has successfully logged into run regedit.exe and go to "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList”
2. Under the ProfileList key will be many keys. The names of the keys are the actual SID of the user profile it belongs to. In the right pane, in the “ProfileImagePath” value will be the name of the user it belongs to.             
   • Example:
   • S-1-5-21-3432280060-18471939-2378652306-1013
   • C:\Users\JoeUser
3. Run the following SQL query against the Symantec_CMDB database, which will show all user accounts, their known SID, and what security roles the users are members of.
   • Compare the results of the query (the “Logon Account SID” column) with the SID extracted from the registry where the user had logged on.
     select i1.name as [User Account], i2.name as [Windows Logon Account], i2.Guid, rk.KeyValue as [Logon Account SID], i3.name as [Security Role Membership]
from ResourceAssociation ra
join vItem i1 on i1.Guid = ra.ParentResourceGuid
    and ra.ResourceAssociationTypeGuid = '4582ADBC-43FA-4783-807A-A3CD7D58992C' -- Account Credential
join vItem i2 on i2.Guid = ra.ChildResourceGuid
join ResourceAssociation ra2 on ra2.ChildResourceGuid = ra.ParentResourceGuid
    and ra2.ResourceAssociationTypeGuid = '63468F04-6751-448D-891C-B59906360A27' -- Role Trustee
join vItem i3 on i3.Guid = ra2.ParentResourceGuid
left join ResourceKey rk on rk.ResourceGuid = ra.ChildResourceGuid
   and rk.KeyName = 'sid'
order by 1,5
4. If the SIDs do not match then that is likely why the user was rejected. The following SQL statement could be used to inject the correct SID. Just replace the SID value and the ResourceGuid value with the correct SID and the GUID of the account that was returned by the previous query:
   update ResourceKey set KeyValue = 'S-1-5-21-3432280060-18471939-2378652306-1008' where ResourceGuid = '69381C01-EB37-4471-A025-1D793D3C32EC' and KeyName = 'sid'

SOLUTION 2:  If there is a question about the cryptography files in the KMS folder then they can be regenerated by doing the following:

1. Open a command prompt and go to “.\Program Files\Altiris\Notification Server\bin”
2. Run the following command:  AeXConfig.exe /configure "C:\Program Files\Altiris\Notification Server\Config\CoreSolution.config"
3. NOTE: If the platform was installed on a volume other than C: then change the path to the config file accordingly.