Symantec Management Platform (Notification Server)

  • 1.  Pass through Authentication not working for Console after SP2 upgrade

    Posted Dec 20, 2011 08:18 AM

    I've just updated from CMS and Inv Soln for Servers 7.1 SP1 to SP2. We use Role Based Access Control (RBAC) with nested AD Global Groups.

    So we have a Domain Global Group for anyone performing the Infrastructure Administrators Role, ROL_Inf_Admin, which is a member of the Domain Global Group for roles that need to perform Administrative Tasks in the Altiris Console, TSK_Alt_Admin. This TSK group is in the Console's "Symantec Administrators" security group. Prior to SP2, users in ROL_Inf_Admin had full admin rights to the Altiris console.

    The day after the SP2 upgrade (run as the Altiris service account) we all lost access to the console, getting "Access Denied". If I add the individual Domain user account into "Symantec Administrators", access is restored for that account.

    If I have just ROL_Inf_Admin in the "Administrators" group of a domain PC, a member of that Group logging into the PC has local Administrator rights, so pass through for the domain is working.

    I've got Symantec Support trying to recreate it, but has anyone else upgraded to SP2 and either had or not had this happen to them?



  • 2.  RE: Pass through Authentication not working for Console after SP2 upgrade

    Posted Dec 21, 2011 12:03 PM

    Andy,

    Just to confirm, you're using "Import Role and Account" in Settings - NS - AD Import and pointing that at a pre-existing group in AD?

    As I understand it, this then automatically creates the AD accounts therein as Altiris accounts with the AD credentials correctly associated. Have you checked that these accounts were there before and therefore are still there afterwards and members of the right Altiris roles?

    I realise this might be a bit tricky now you've already upgraded :)

    Haven't seen the same issues post SP2 here... sorry.



  • 3.  RE: Pass through Authentication not working for Console after SP2 upgrade

    Posted Dec 22, 2011 05:59 AM

    I think the accounts were there beforehand because they are there afterwards and I made no changes to Security at all.

    So I can log in to the server because my account is in the ROL group, which is in the TSK group, which is in the local Administrators Security group in Windows. But I could no longer log in to the console even though the ROL and TSK group were already imported into the console and the imported TSK group is in the Symantec Administrators group. Only by adding my imported account directly into Symantec Administrators could I log in.
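
Added example, not part of the original posts and not Symantec code: a PowerShell check of the AD side of the nesting described in this thread, reporting for each group whether a user is a direct member or only a transitive one. It assumes the RSAT ActiveDirectory module is available; the group names are the ones quoted in the thread, and the function name and the user name `jdoe` are hypothetical placeholders.

```powershell
# Added example: confirms that AD itself resolves the nested membership,
# which separates a directory problem from a console-side resolution problem.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)] [string] $Value)
    # Escape characters that are special inside an LDAP filter (backslash first).
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-NestedMembershipReport {
    param(
        [Parameter(Mandatory)] [string]   $User,       # sAMAccountName of the account to test
        [Parameter(Mandatory)] [string[]] $GroupChain  # innermost group first
    )
    $userDn = (Get-ADUser -Identity $User).DistinguishedName
    foreach ($name in $GroupChain) {
        $group = Get-ADGroup -Identity $name -Properties member

        # Direct: the user's DN appears in the group's own member attribute.
        $direct = $group.member -contains $userDn

        # Transitive: LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
        # makes the domain controller walk nested groups for us.
        $filter = '(&(distinguishedName={0})(memberOf:1.2.840.113556.1.4.1941:={1}))' -f `
            (ConvertTo-LdapFilterValue $userDn),
            (ConvertTo-LdapFilterValue $group.DistinguishedName)
        $transitive = [bool](Get-ADObject -LDAPFilter $filter)

        [pscustomobject]@{
            Group      = $group.Name
            Scope      = $group.GroupScope
            Direct     = $direct
            Transitive = $transitive
        }
    }
}

# 'jdoe' is a placeholder account; the groups are the ones named in the thread.
Get-NestedMembershipReport -User 'jdoe' -GroupChain 'ROL_Inf_Admin', 'TSK_Alt_Admin' |
    Format-Table -AutoSize
```

For the setup described above, the expected AD result is Direct = True for ROL_Inf_Admin and Direct = False, Transitive = True for TSK_Alt_Admin. Comparing that with the output of `whoami /groups` for the same user on the Notification Server shows whether the nested group reaches the logon token there.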