Error attempting to view Local Security Solution password with limited security user, "Unable to discover your essential user data for logging purposes"

Article:TECH32885  |  Created: 2007-08-02  |  Updated: 2007-12-14  |  Article URL http://www.symantec.com/docs/TECH32885
Article Type
Technical Solution

Issue

While attempting to extend password visibility access for Local Security Solution to a Notification Server console security role in Altiris, the following errors were encountered. The role was given the following privileges:

Item Tasks --> Show Managed Password, Show Current Password
Item Tasks - Local Security --> Show Managed User Passwords

And the following item permissions:

Report for LSS Access - Read, Run Reports
Resource Management/Resources/Defaults --> Read Resource Data, Read Resource Association, View Password, Write Resource Data

When logged in as a member of the limited access security role, a right-click is performed on a computer resource to select "Show Managed Password". Instead of seeing the managed password, as an NS Console administrative user would, the following error is displayed, and the associated entries below appear in the Notification Server a.log:

Unable to discover your essential user data for logging purposes.

A.log entries:

Process: w3wp.exe (4136)
Thread ID: 7788
Module: AltirisNativeHelper.dll
Source: MSoft.LocalSecurity.Web.Resource.ShowLocalUserPassword.ShowPassword
Description: Unable to log password disclosure ( Unhandled exception. Type=Altiris.NS.Exceptions.AeXResourceNotFoundException Msg=Unable to discover user resource for SID x-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxx. Aborting User Password disclosure Src=MSoft.LocalSecurity
StackTrace=
at MSoft.LocalSecurity.LocalSecurityPassword.LogDisclosure(LocalSecurityPassword lup, String strRemoteAddress)
at MSoft.LocalSecurity.LocalUserPassword.GetCurrentManagedPasswordLogged(Guid UserGuid, String strRemoteAddress)
at MSoft.LocalSecurity.Web.Resource.ShowLocalUserPassword.ShowPassword(Guid UserGuid)
Inner exception. Type=Altiris.NS.Exceptions.AeXSecurityException Msg=The caller ('xxxxx\xxxxx') does not have the specified permission ('Data Class Read') on the item ('Global Windows Users'). Src=Altiris.NS StackTrace= at Altiris.NS.Security.SecurityMonitor.Demand(ItemPermissionEntryCollection entries)
at Altiris.NS.Security.ItemPermission.Demand()
at Altiris.Resource.ResourceDataTable.DeferredLoad()
at Altiris.Resource.ResourceDataTable.Load(Guid ResourceGuid)
at Altiris.Resource.ResourceDataClass.GetResourceTable(Guid resourceGuid)
at Altiris.Resource.ResourceDataTableCollection.get_Item(Guid dataTableGuid)
at MSoft.Resource.Resources.UserHelper.GetCurrentUserFromSecurityContext()
at MSoft.LocalSecurity.LocalSecurityPassword.LogDisclosure(LocalSecurityPassword lup, String strRemoteAddress) )


Environment

Notification Server 6.0.6074 R3
Local Security Solution 6.1

Cause

The error "Unable to discover your essential user data for logging purposes." applies to the following situations:

1.  The user attempting the operation does not currently exist in the NS as a user resource (via the User.Domain resource key).

2.  The user does not have rights to create a user resource and ....

3.  The user does not have read/write access on the GlobalWindowsUser dataclass.

Item 3 was the problem.

Typically with LSS, when provisioning, domain users and groups get created dynamically as they are encountered in group memberships on local computers. 
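The a.log excerpt in the Issue section is the only diagnostic the article gives, and the inner exception is the part that names the denied permission and the item it was demanded on. The following is an added example, not code from Symantec or from the article, that pulls the outer and inner exception fields out of that excerpt and maps them onto the numbered cause list above. The regular expressions match only the message text shown on this page, the sample log is the article's own excerpt (SID and caller masked with x's as on the page), and the classification labels are this example's own.

```python
"""Triage helper for the LSS "Unable to discover your essential user data" failure.

Added example, not Symantec's code: parses the a.log excerpt quoted in the
article and maps the inner exception to the article's cause list.
"""
import re
from dataclasses import dataclass
from typing import Optional

# a.log excerpt as quoted in the Issue section of the article (SID and caller are
# masked with x's there, so they are masked here too).
SAMPLE_LOG = r"""Process: w3wp.exe (4136)
Thread ID: 7788
Module: AltirisNativeHelper.dll
Source: MSoft.LocalSecurity.Web.Resource.ShowLocalUserPassword.ShowPassword
Description: Unable to log password disclosure ( Unhandled exception. Type=Altiris.NS.Exceptions.AeXResourceNotFoundException Msg=Unable to discover user resource for SID x-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxxxx. Aborting User Password disclosure Src=MSoft.LocalSecurity
StackTrace=
at MSoft.LocalSecurity.LocalSecurityPassword.LogDisclosure(LocalSecurityPassword lup, String strRemoteAddress)
Inner exception. Type=Altiris.NS.Exceptions.AeXSecurityException Msg=The caller ('xxxxx\xxxxx') does not have the specified permission ('Data Class Read') on the item ('Global Windows Users'). Src=Altiris.NS StackTrace= at Altiris.NS.Security.SecurityMonitor.Demand(ItemPermissionEntryCollection entries)
"""

# "Unhandled exception. Type=... Msg=... Src=" is the outer exception;
# "Inner exception. Type=... Msg=... Src=" is the one naming the denied permission.
OUTER_RE = re.compile(r"Unhandled exception\. Type=(?P<type>\S+) Msg=(?P<msg>.*?) Src=")
INNER_RE = re.compile(r"Inner exception\. Type=(?P<type>\S+) Msg=(?P<msg>.*?) Src=")
# Message patterns taken from the excerpt above.
SID_RE = re.compile(r"Unable to discover user resource for SID (?P<sid>\S+?)\.")
DENIED_RE = re.compile(
    r"The caller \('(?P<caller>[^']*)'\) does not have the specified permission "
    r"\('(?P<perm>[^']*)'\) on the item \('(?P<item>[^']*)'\)"
)


@dataclass
class DisclosureFailure:
    outer_type: str
    outer_msg: str
    sid: Optional[str]          # SID the NS could not resolve to a user resource
    inner_type: Optional[str]
    caller: Optional[str]       # account whose permission demand failed
    permission: Optional[str]   # e.g. 'Data Class Read'
    item: Optional[str]         # e.g. 'Global Windows Users'


def parse_disclosure_failure(log_text: str) -> Optional[DisclosureFailure]:
    """Extract the outer and inner exception fields from one a.log entry."""
    outer = OUTER_RE.search(log_text)
    if outer is None:
        return None
    sid = SID_RE.search(outer.group("msg"))
    inner = INNER_RE.search(log_text)
    denied = DENIED_RE.search(inner.group("msg")) if inner else None
    return DisclosureFailure(
        outer_type=outer.group("type"),
        outer_msg=outer.group("msg"),
        sid=sid.group("sid") if sid else None,
        inner_type=inner.group("type") if inner else None,
        caller=denied.group("caller") if denied else None,
        permission=denied.group("perm") if denied else None,
        item=denied.group("item") if denied else None,
    )


def classify(f: DisclosureFailure) -> str:
    """Map a parsed failure onto the article's cause list (labels are this example's own)."""
    if f.inner_type and f.inner_type.endswith("AeXSecurityException") and f.permission:
        # Cause 3: the role lacks the data-class permission named in the inner exception.
        return "missing-dataclass-permission"
    if f.sid is not None:
        # Cause 1 or 2: no user resource exists for this SID and none could be created.
        return "user-resource-missing"
    return "unknown"


def describe(f: DisclosureFailure) -> str:
    """One-line triage summary for the operator."""
    cause = classify(f)
    if cause == "missing-dataclass-permission":
        return (f"{f.caller!r} was denied {f.permission!r} on {f.item!r}: "
                f"grant the role read/write on that data class")
    if cause == "user-resource-missing":
        return f"no user resource for SID {f.sid}: check cause 1 or 2"
    return f"unrecognised failure: {f.outer_type}"


if __name__ == "__main__":
    failure = parse_disclosure_failure(SAMPLE_LOG)
    print(describe(failure))
```

Running the script against the article's excerpt reports the caller, the denied permission ('Data Class Read') and the item ('Global Windows Users'), which is exactly the grant the Solution section's first step adds; an entry with no inner security exception but the "Unable to discover user resource for SID" message falls through to causes 1 and 2.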


Solution

Simply add the appropriate permissions and rights as listed below:

1.  Read/write access on the GlobalWindowsUser dataclass

2.  Rights for the Item Action (Show Managed Password)

3.  Read/Write Resource Data on: User Account Password Disclosure

4.  Read Resource Data access on: User Account Password, User Account Password Change, User Account Password Change Request (based on what is required)


Legacy ID

36632

