Error: "You either have insufficient permissions to access this application or your user credentials are not refreshed." when attempting to open the Symantec Mail Security for Microsoft Exchange console.
Last Updated May 31, 2016
When you try to use the console for Symantec Mail Security for Microsoft Exchange (SMSMSE) you see the following message:
You either have insufficient permissions to access this application or your user credentials are not refreshed. Try logging off and logging in again to reload the user credentials.
The Windows account logged on to the computer must be a member of one of the following Active Directory (AD) groups: 'SMSMSE Admins' or 'SMSMSE viewers'.
This message indicates either
1) the Windows account logged into the computer is not a member of one of the groups
2) the SMSMSE Administration Console cannot determine if the user is part of the group.
Ensure the user is a member of the SMSMSE Admins or SMSMSE Viewers group
On the Windows task bar of a Domain Controller, click Start > AllPrograms > Administrative Tools > Active Directory Users and Computers.
Right-click the user for which you need to change permissions, and then click Properties.
In the Properties window, on the Members Of tab, verify SMSMSE Admins or SMSMSE Viewers is in the list, if neither are there, add the appropriate group for the permissions you would like to grant this user.
If the user already has appropriate access permissions, make sure you have refreshed your credentials by logging off and logging back on. If the problem persists, it is likely that SMSMSE was unable to determine whether the user is a member of one of the SMSMSE user groups or not using it's normal method.
Technical Information Additional Troubleshooting Steps
SMSMSE will query for a list of names of the groups the user is associated with by asking .NET to translate the SIDs (security identifiers) associated with the user account into NT Names. This is to restrict access to users that have access to the appropriate locations in NTFS, but are not a member of the SMSMSE Admins group. If we did not require a list of names of groups associated with the user account, a local administrator on the Exchange server could easily modify settings within SMSMSE, exposing the Exchange server to the possibility of tampering. If SID to NT Name translation fails, SMSMSE cannot verify whether the user is or is not a member of the SMSMSE Admins or Viewers groups, and will thus deny access as if they were not a member of those groups.
.NET APIs take care of SID to NT Account name translation. SMSMSE first determines the groups corresponding to the logged-in user and then iterates over these groups to check whether the user belongs to SMSMSE Admins or SMSMSE Viewers groups. It is during this process that the IdentityNotMappedException is encountered for a particular group and further group checking is aborted.
To use securitycheck.exe to diagnose SID to NT Name translation issues
Download the attached file and save to the desktop of the machine that is running the SMSMSE console: SecurityCheck.zip
Unzip the utility and launch SecurityCheck.exe using the user account that is having problems opening the console.
A black command line box will flash for a moment and the utility will create a file SecurityCheck.txt in the same directory containing SecurityCheck.exe.
Open the file with notepad and look for a log entry similar to the following:
Conversion valid: True
iex.Message: Some or all identity references could not be translated.
Unmapped identity SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXXX-XXXXX
Error encountered while performing test: Object reference not set to an instance of an object.
While a successful translation will show the ntAccount.Value as: <DOMAIN NAME>\<GROUP NAME>
This error indicates that the SID that is showing the error "Object reference not set to an instance of an object." could not be translated to an NT name. This will cause the SMSMSE console to fail to authenticate successfully.
In order to resolve this problem, the SID referenced must be either: A. Be fixed within Active Directory to translate successfully to an NT name B. Be removed from the user account attempting to access the SMSMSE console.
Keep in mind that SIDs will be inherited from groups the user is indirectly a member of. For example, if the user is a member of "Domain Admins" and the "Domain Admins" group has been added to the "Schema Admins" group, the "Schema Admins" SID will show up in this list of SIDs associated with this user account as if the user was directly a member of "Schema Admins". In other words, the user is not necessarily directly a member of the group with the broken SID to NT name translation.
Ultimately, fixing the root cause of this issue will require use of ADSI edit to fix the broken SID, or delete the broken SID. Because this process can have substantial impact on domain operations, Symantec recommends contacting Microsoft for assistance with this process, as we cannot guarantee the outcome of making these edits in your domain.