WinUsers getting 'You are not authorized to use Helpdesk at this time'

Created: 19 Apr 2013 • Updated: 09 May 2013 | 7 comments
This issue has been solved. See solution.

We have run into an issue where users logging into the WinUser interface are getting the 'You are not authorized to use Helpdesk at this time' error message. This primarily seems to affect new users logging in for the first time and creating their account, but I have had at least one other user report the error when they have already created an account.

I have tried the following Symantec KB articles:

http://www.symantec.com/business/support/index?page=content&id=TECH26335

http://www.symantec.com/business/support/index?page=content&id=TECH14051 - This procedure fixed the error on our test server

http://www.symantec.com/business/support/index?page=content&id=TECH23590 - Specifically the part regarding access to the Altiris and Console

I have verified that the Domain\Domain Users group, of which my test account is a member, is a member of the Altiris Guest group.  The error seems to indicate that it is defaulting to the 'Anonymous login' rights.  Any suggestions of where else to look?


CygnusX-1's picture

Should my Custom folder and custom.config file have Anonymous access enabled or disabled?

CygnusX-1's picture

Ok, I made the Custom folder and Custom.config files available to Anon and we still get the error.

The Gaffer's picture

It seems to me that if the issue is only affecting new users then it can hardly be related to the access settings on the files as that would affect all users of the WinUser console.

You can try creating a file in the AeXHD\winuser folder called CheckCredentials.aspx containing the following code:

<%@ Page Language="C#" %>
<script runat="server">
private void Page_Load(object sender, EventArgs e)
{
    // True only when IIS passed an authenticated (non-anonymous) request
    bool requestAuthenticated = HttpContext.Current.Request.IsAuthenticated;
    if (requestAuthenticated)
    {
        Label1.Text = "True";
        Label2.Text = HttpContext.Current.User.Identity.Name;
        // Impersonate the caller so the file check runs with the user's own token
        System.Security.Principal.WindowsIdentity currentWindowsIdentity = (System.Security.Principal.WindowsIdentity)HttpContext.Current.User.Identity;
        System.Security.Principal.WindowsImpersonationContext impersonationContext = currentWindowsIdentity.Impersonate();
        try
        {
            string fullPath = HttpContext.Current.Request.MapPath("~/winuser/Default.aspx");
            // File.Exists returns false when the impersonated user cannot read the file
            bool retval = System.IO.File.Exists(fullPath);
            if (retval)
                Label3.Text = "True";
        }
        finally
        {
            // Revert the thread to the application identity once the check is done
            impersonationContext.Undo();
        }
    }
}
</script>
<html>
    <head>
        <title>Helpdesk Credential Check</title>
    </head>
    <body>
        <form runat="server">
        <div>
           User is authenticated?&nbsp;<asp:Label id="Label1"
             runat="server" Text="False">
           </asp:Label>
           <br />
           Username:&nbsp;<asp:Label id="Label2"
             runat="server" Text="Unknown">
           </asp:Label>
           <br />
           Winuser Console access?&nbsp;<asp:Label id="Label3"
             runat="server" Text="False">
           </asp:Label>
           <br />
        </div>
        </form>
    </body>
</html>

Get one of the users to enter the URL: http://<servername>/AeXHD/winuser/CheckCredentials.aspx

This should show that

- he is passing a Windows token which has authenticated
- his domain\username
- whether he has read access to the Winuser console

If there are no errors on that page, the next step would be to check the contact table in the Altiris_Incidents database to see if the user is already registered.

SELECT [id]
      ,[nt_id]
      ,[name]
      ,[email]
      ,[status]
      ,[resource_guid]
      ,[is_imported]
  FROM [dbo].[contact]
 WHERE nt_id = '<domain\username>'

This query must return no more than a single row. If it returns more than one, the user will be denied access to the console. If it returns one row but the status is not 'a', again the user will be denied access. If a corresponding entry is not found, the user should be redirected to the enrollment page.

Let me know how you get on with that.

John

SOLUTION
CygnusX-1's picture

Thanks!  I ran a CheckCredentials and it came up good.  I did a search in the Contact DB and found the account.  It is odd because they don't show up when you search for the same NT ID in the Worker interface.  Is it safe to delete the entry in the Contact DB so they can register again?

The Gaffer's picture

The risk you run deleting a contact is that there could be existing incidents that reference their contact_id. You could take the id value and search the workitem table for any entries in the contact_id field.

As long as there is only one row of data in the contact table for their account and the value of the status is 'a', the user should be able to access the winuser console. An entry in the worker table would allow them to access the worker console.
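The access rules described in the two replies above (no more than one contact row per nt_id, status must be 'a', and a check of workitem.contact_id before deleting anything) can be checked for every account at once instead of one user at a time. The query below is an added example, not code from the posters or from Symantec; it is read-only and uses only the table and column names quoted in this thread, and it assumes the workitem table lives in the same dbo schema as contact.

```sql
-- Added example: read-only diagnostic for the Altiris_Incidents database.
-- Lists every contact row that would be refused at the WinUser console under
-- the rules given in this thread, plus how many workitem rows reference it.
USE [Altiris_Incidents];

WITH per_account AS (
    SELECT c.[id],
           c.[nt_id],
           c.[name],
           c.[status],
           -- number of contact rows sharing this NT account name
           COUNT(*) OVER (PARTITION BY c.[nt_id]) AS rows_for_nt_id
      FROM [dbo].[contact] AS c
     WHERE c.[nt_id] IS NOT NULL
       AND c.[nt_id] <> ''
)
SELECT p.[id],
       p.[nt_id],
       p.[name],
       p.[status],
       p.rows_for_nt_id,
       CASE
           WHEN p.rows_for_nt_id > 1
               THEN 'denied: more than one contact row for this nt_id'
           WHEN p.[status] IS NULL OR p.[status] <> 'a'
               THEN 'denied: status is not ''a'''
       END AS reason,
       -- incidents that still point at this contact id; a non-zero count
       -- means deleting the row would orphan those references
       (SELECT COUNT(*)
          FROM [dbo].[workitem] AS w
         WHERE w.[contact_id] = p.[id]) AS linked_workitems
  FROM per_account AS p
 WHERE p.rows_for_nt_id > 1
    OR p.[status] IS NULL
    OR p.[status] <> 'a'
 ORDER BY p.[nt_id], p.[id];
```

Whether 'a' and 'A' compare as equal depends on the database collation, so a row flagged only on status is worth inspecting by hand before acting on it.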

CygnusX-1's picture

Thanks, it had no incidents linked so there was no issue.  I think I remember deleting this account a while back which unlinks the tickets, I guess it didn't remove them from the DB this time.