Getting message "Unable to retrieve the name associated with the specified identity" when opening some of the Security Roles.
Last Updated February 28, 2009
After moving the Altiris database to a new server or just after rebuilding the current Notification Server, the following message appears for most of the Security Roles under Configuration>Server Settings>Notification Server Settings>Security Roles:
The following error occurred on the page 'RoleManager.aspx'
Unable to retrieve the name associated with the specified identity. Identity: S-1-5-21-1379470142-1319269765-252482137-1019. Inner: Altiris.NS.Exceptions.AeXException: Unable to lookup the name of the account associated with the specified SID (Code: 0x00000534) at Altiris.NS.Security.SecurityTrusteeProvider.LookupNameFromSid(String scope, String sid) at Altiris.NS.Security.SecurityTrusteeManager.GetName(String scope, String trusteeIdentity, Int32 trusteeType).
The SIDs of the new or rebuilt server and of the Altiris Security Roles have changed and no longer match the information stored in the Altiris database. When the Notification Server checks security, it cannot match the SIDs stored for those Security Roles against the new ones on the system.
NOTE: The following steps are not supported in Symantec Management Platform 7.x. Moving a database to a server with a different name than the one it was created on is not supported.
To recover from this situation, follow these steps:
1. Run NSSetup and create a new (test) Altiris database (like Altiris2, or AltirisTest, etc).
2. Run the following SQL query on the test database created:
where [Name] ='Altiris Supervisors'--replace here the name of the Security Role
3. Run the same query (above) on the original database (the one that complains that the SIDs don't match). This should return a different SID.
4. Copy the SIDs associated with the desired Security Role from Steps 2 and 3.
5. Run the following query on the original database. This will replace the old SID with the current SID on the new NS server:
SET Trustee ='SID on working DB(step2)'
WHERE Trustee ='SID from the original DB (step3)'
6. Refresh the NS Console and you should now have access to the desired Security Role.
Note: An alternative method to get the SID is to log on as an Altiris Administrator account (on the NS host), run the command "whoami /GROUPS" and copy the SID for group "Altiris Administrator". A second alternative is to use the Sysinternals utility "psGetSid" with the /groups "Altiris Administrators" parameter (on the NS host).
Note: This technique only describes how to update the SID for the Altiris Supervisors' Role. The process would need to be repeated for any other Altiris Roles. A more comprehensive approach is to rerun the NSSetup wizard (which will roll back some NS settings to their defaults). If you don't want to run NSSetup, you can use the following query to identify the current SIDs on the Altiris Database and then modify them to use the right ones:
SELECT sr.name, st.* FROM securitytrustee st LEFT JOIN securityrole sr ON sr.trusteeguid = st.guid ORDER BY trusteeid
You can find all the right SIDs for the new Notification Server by running from the command prompt 'whoami /all'.
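The comparison in Steps 2 to 5 can be prepared for every role at once. The Python script below is an added example, not part of the original article or of any Altiris tooling. It assumes each Security Role is backed by a local group of the same name and that the group SIDs were exported on the new NS host with `whoami /groups /fo csv`. All sample values are constructed except the SID taken from the error message.

```python
import csv
import io

# Constructed sample: (role name, stored SID) rows from the original database.
# Only the first SID comes from the error message above; the rest are made up.
DB_ROWS = [
    ("Altiris Supervisors", "S-1-5-21-1379470142-1319269765-252482137-1019"),
    ("Altiris Administrators", "S-1-5-21-1379470142-1319269765-252482137-1018"),
    ("Altiris Guests", "S-1-5-21-1379470142-1319269765-252482137-1021"),
]

# Constructed sample of `whoami /groups /fo csv` output on the new NS host.
WHOAMI_CSV = '''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"NEWNS\\Altiris Administrators","Alias","S-1-5-21-1111111111-2222222222-3333333333-1004","Mandatory group, Enabled by default, Enabled group"
"NEWNS\\Altiris Supervisors","Alias","S-1-5-21-1111111111-2222222222-3333333333-1005","Mandatory group, Enabled by default, Enabled group"
'''

def issuer(sid):
    """Machine/domain identifier of an S-1-5-21 SID (all but the final RID)."""
    parts = sid.split("-")
    return "-".join(parts[:-1]) if parts[:4] == ["S", "1", "5", "21"] else None

def current_groups(whoami_csv):
    """Map lower-cased group name (without the HOST\\ prefix) to its SID."""
    rows = csv.DictReader(io.StringIO(whoami_csv))
    return {r["Group Name"].split("\\")[-1].lower(): r["SID"] for r in rows}

def plan_updates(db_rows, whoami_csv):
    """Return (updates, unresolved): old->new SID pairs to apply in Step 5,
    and roles with no same-named group in the whoami output."""
    groups = current_groups(whoami_csv)
    updates, unresolved = [], []
    for role, stored in db_rows:
        new = groups.get(role.lower())
        if new is None:
            unresolved.append(role)  # look this one up by hand
        elif new != stored:
            updates.append((role, stored, new, issuer(stored) != issuer(new)))
    return updates, unresolved

if __name__ == "__main__":
    updates, unresolved = plan_updates(DB_ROWS, WHOAMI_CSV)
    for role, old, new, moved in updates:
        print(f"{role}: {old} -> {new} (issuing machine changed: {moved})")
    print("No matching local group:", unresolved)
```

Roles reported as having no matching local group are ones the logged-on account is not a member of, so their SIDs must be obtained another way before Step 5.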
Applies To
Notification Server 6.0.6074 SP3
SQL Server 2000 or 2005
Cases where the database has been moved to a new server or the Notification Server has been rebuilt.
Imported Document ID: TECH41440