Event 8390 - General access denied error

Article:TECH202698  |  Created: 2013-02-12  |  Updated: 2014-04-02  |  Article URL http://www.symantec.com/docs/TECH202698
Article Type
Technical Solution


Issue



Scenario 1:
This error can occur during the FSA Synchronization when an EV database is configured to run in SINGLE_USER mode. 
 
Additional Information:
It is an EV best practice that each associated database is placed in a MULTI_USER mode.  Accessibility issues can begin to surface when a database is configured in SINGLE_USER mode.

 
 
Scenario 2:
Users do not have the ability to manually archive items into EV via Microsoft Outlook.
 
A user can manually archive an item via the EV Outlook Add-in (providing that this option is enabled in the desktop policy.  When this action is attempted the Event ID listed above will appears in the Symantec EV Event Viewer as an ERROR. With Outlook open a user highlights one or more messages.


Scenario 3:
Vault Service Account (VSA) Password has changed or was entered incorrectly.
 
The VSA password should be set to never expire.  If the password is not correct there will be numerous other failures within EV, this scenario being one of them.



Scenario 4:
Event 8390 is logged when shutting down the Admin Service.
 
The event is generated because it is possible for the EV Directory Service to shut down before the EV Indexing or EV Storage Services.
 
 
 
Scenario 5:
"The EV service is not available" error is displayed when attempting to use EV "Search.asp" web application and the Event 8390 appears in the event log.
 
Additional Event IDs:
Category:  Service Control Manger
Event ID:  7041
Description: The EnterpriseVaultAdminService service was unable to log on as {Domain\vault service account} with the currently configured password due to the following error: Logon failure: the user has not been granted the requested logon type at this computer. This service account does not have the necessary user right "Log on as a service".
 
Category: None
Event ID: 7000
Description: The EnterpriseVaultAdminService service failed to start due to the following error: The service did not start due to a logon failure.

When running search.asp for searching archives, the web browser returns the error The EV service is not available. This error can be caused by the VSA not having the proper Microsoft Windows Local Security Privileges configured on the EV server. If either the Debug programs or the Log on as a service privilege is not assigned to the Vault Service Account, then launching search.asp will display the error message.

 


Error



Event ID: 8390
Event Category: Web Application (WP) / Index Server
Event Description: The EnterpriseVault.DirectoryConnection object reported an error. General access denied error.
V-437-8390

Event ID: 7000
Event Category: None Reported
Description: The EnterpriseVaultAdminService service failed to start due to the following error: The service did not start due to a logon failure.
V-437-7000

Event ID: 7041
Event Category: Service Control Manager
Description: The EnterpriseVaultAdminService service was unable to log on as {Domain\vault service account} with the currently configured password due to the following error: Logon failure: the user has not been granted the requested logon type at this computer. This service account does not have the necessary user right "Log on as a service".
V-437-7041


Solution



Scenario 1: FSA Synchronization Error - SQL Single User Mode 
Scenario 2: Unable to manually archive items
Scenario 3: VSA Password
Scenario 4: Shutting down the Admin Service 
Scenario 5: The EV service is not available
 


 

Solution 1:
Follow these steps to locate the current mode of the EV database.  It is recommended that all of the database remain in the same mode.  Please ensure that there is a complete and comprehensive backup of the database before making any changes:
1.  Logon to the SQL Server
2.  Open the SQL Server Management Studio
3.  Expand Site | Name | Databases | [DB Name]
4.  Right click on the [DB Name] and choose Properties
5.  In the next open window navigate to the Options page
6.  Scroll down to see the State section
7.  Review/Modify the Restricted Access option
a.  Options are MULTI_USER / SINGLE_USER / RESTRICTED_USER
 
Notes: For more information about database modes see this Microsoft KB: http://msdn.microsoft.com/en-us/library/bb522682.aspxHere is an example SQL statement that will modify the database:
ALTER DATABASE Database_Name SET MULTI_USER
 
 

 

Solution 2:
1.  Ensure that the Vault Service Account (VSA) is not part of the Domain Administrators group, but listed as a Local Administrator.
a.  For more information about the correct configuration of the VSA, see DOC6239 the ‘Installing and Configuring’ Guide.
2.  If any changes are made to the permissions of the EV VSA, restart all the EV services.
 
 

 

Solution 3:
Update the password of the VSA in the EV Administration Console:
1.  Right click on the EV Directory and select Properties
2.  Select the Service Account tab
3.  Confirm that the VSA account is correct
4.  Enter the VSA account password and confirm the password
5.  Restart all EV services in the site
6.  This is further illustrated in TECH48035
 

 

Solution 4:
This event can be ignored if it is logged when the EV Admin Service is shut down.
  
 

 

Solution 5:
This can be caused if the VSA account does not have Log on as a service privilege.
To determine if this is the issue, launch the Services application:
1.  Determine the startup type of the tasks:
a.  Clicking Start | Programs | Administrative Tools Services.
b. Scroll down the list of services and verify that the EV services are started.
c.  The services should be started if the Startup Type is set to Automatic.
2.  If the above events are present, check the Local Security Policy to determine if the vault service account has Log on as a service privilege.  
a.  Click Start | Programs | Administrative Tools | Local Security Policy to launch the Group Policy Editor application.
3.  Navigate to Local Policies | User Rights Assignment.
a.  Check the Log on as a service privilege to determine if the VSA is listed in the security setting.
4.  After the Log on as a service privilege has been restored to the VSA, all EV services will need to be restarted.
5.  If the Log on as a service user right has been assigned to the account in the past, and the user right appears to be removed, a Windows Group Policy Object (GPO) associated with this node might be removing the right. The Active Directory administrator should be contacted to verify this behavior.
6.  If this computer is a node in a cluster, check that this user right is assigned to the cluster service account on all nodes in the cluster.

Supplemental Materials

SourceEvent ID
Value8390
Description

The EnterpriseVault.DirectoryConnection object reported an error. General access denied error.


SourceEvent ID
Value7000
Description

The EnterpriseVaultAdminService service failed to start due to the following error: The service did not start due to a logon failure.


SourceEvent ID
Value7041
Description

The EnterpriseVaultAdminService service was unable to log on as {Domain\vault service account} with the currently configured password due to the following error: Logon failure: the user has not been granted the requested logon type at this computer. This service account does not have the necessary user right "Log on as a service".




Article URL http://www.symantec.com/docs/TECH202698


Terms of use for this information are found in Legal Notices