Problem
In the Symantec Management Console (SMC) under the Authentication tab of the pcAnywhere Settings policy for Windows, the Domain drop-down list is empty. Or, if multiple domains should be listed, they are not. In addition, "No data" may be displayed in the grid where Active Directory users and groups should be present.
Also, on a managed client computer with the pcAnywhere Solution plug-in installed, the following error may appear at startup:
"The pcAnywhere host you are attempting to run is configured for caller authentication, but no caller items could be found.
You must define at least one caller before you can use this host item."
Environment
pcAnywhere Solution 12.5 in an Active Directory (AD) environment
Cause
There are multiple causes for this behavior. Here is a list, presented in the recommended order for troubleshooting:
- There was a defect in pcAnywhere Solution that resulted in a delay in populating the Active Directory information, a timeout, or an error when the Add button is clicked within the Authentication tab of the "pcAnywhere Settings - Windows" policy or a clone of it.
- The SMP server is not properly joined to an Active Directory domain. A possible contributing factor is that the server has been recently rebuilt without first deleting the computer account from AD.
- You are attempting to add callers from a different domain than the one to which the Symantec Management Platform (SMP) server belongs, and a proper trust relationship is missing.
- NetBIOS over TCP/IP is disabled on the Symantec Management Platform server.
- The Notification Server cannot fully communicate with the domain.
- During installation of the SMP, the Application Identity specified was a local account rather than a domain account.
Solution
- Attached to this article is the latest patch for pcAnywhere Solution 12.5 SP2 (Symantec.pcA.Web.dll_Jan312011.zip). Inside the zip file is Symantec.pcA.Web.dll. This latest patch contains a fix to a memory exception error, plus the latest optimizations in the code for browsing AD. Please apply this latest patch over previous versions of the patch.
Before copying the new Symantec.pcA.Web.dll to the Symantec Management Platform server, close all instances of the Symantec Management Console. Copy the original file from C:\Program Files\Altiris\pcA\Web\Bin into a completely separate folder (do not paste the copy into the original folder). Then overwrite the existing file with the new file. Ensure that there are no extra copies of the file in the C:\Program Files\Altiris\pcA\Web\Bin folder. Finally, open a Command Prompt and run the command "iisreset". The command should return "Internet services successfully restarted".
Note that with this new file, the "Add Users or Groups" console page will initially display the first 100 AD user objects while the thread that queries AD is still running. Eventually, once all of the AD user and group objects have been returned to the console, it will be possible to scroll down and to search for the object. The number of AD objects will affect the duration of the query. Clicking the scroll bar to the right of the window will show the number of user and group objects that have been retrieved to that point.
- To test for the second Cause listed above, verify domain membership of the SMP server. One method of verification is to open My Network Places and check that the expected domain(s) are visible and available for browsing. A blank Domain entry in the SMC has been reported when the expected domain(s) were not browsable from My Network Places.
To resolve this, it may be necessary to temporarily configure the server to be a member of a workgroup, reboot the server, delete the computer account from AD, and then join the server to AD.
- To resolve the third Cause listed above, ensure that a proper trust relationship exists from the domain containing the SMP server to any other domains that you plan to specify for caller authentication. As noted immediately above, a simple test that the domain trusts are properly configured is to open My Network Places on the SMP server and check that the expected domains are visible and available for browsing. Also, see the article "Cross-forest (or cross domain) authentication issues when accessing the Altiris Console", TECH133262, for information about issues found with the SMP core in case they impact pcAnywhere Solution.
- You will need to enable NetBIOS on the server ("Enable NetBIOS over TCP/IP" under Advanced TCP/IP Settings).
- This does not indicate a product issue. As a test, try to add a domain user or group to the local administrators group directly on the NS server. If unable to find the user/group, there may be a problem related to Active Directory (browsing, domain membership of the NS, trusts, etc.). Resolve communication, trust, and permissions issues between the NS and the domain controller.
- To check that the last Cause listed above is the problem, open the SMC and click Settings > All Settings > Notification Server > Notification Server Settings. The Processing tab has an Application Identity section. If the User shown is not in the form of DOMAINNAME\username, then a local account was provided during the initial installation of the SMP. The pcAnywhere Solution browses the Active Directory using the context of the Application Identity, so the Application Identity must be an Active Directory account in order to browse Active Directory.
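The checks for the second, third and fourth Causes can also be scripted. The following is an added example, not part of the original article or of any Symantec tooling; it assumes Windows PowerShell 3.0 to 5.1 run elevated on the SMP server, and the function name `Test-SmpDomainReadiness` and the domain placeholder `EXAMPLE` are hypothetical.

```powershell
# Added example: read-only checks for the second, third and fourth Causes.
# Test-SmpDomainReadiness and the domain name EXAMPLE are hypothetical.
function Test-SmpDomainReadiness {
    param([Parameter(Mandatory)][string]$ExpectedDomain)

    function New-Result($Check, $Passed, $Detail) {
        [pscustomobject]@{ Check = $Check; Passed = [bool]$Passed; Detail = $Detail }
    }

    # Second Cause: is the server joined to a domain at all?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    New-Result 'Domain membership' $cs.PartOfDomain "Member of: $($cs.Domain)"

    # Second Cause: a stale computer account (for example after a rebuild)
    # shows up as a broken secure channel to the domain controller.
    $channel = $false
    if ($cs.PartOfDomain) {
        try { $channel = Test-ComputerSecureChannel -ErrorAction Stop } catch { $channel = $false }
    }
    New-Result 'Secure channel' $channel 'Test-ComputerSecureChannel'

    # Third Cause: the caller domain must appear among the trusted domains.
    $trusts = @()
    if ($cs.PartOfDomain) { $trusts = @(& nltest.exe /domain_trusts 2>&1 | ForEach-Object { "$_" }) }
    $hit = @($trusts | Where-Object { $_ -match "\b$([regex]::Escape($ExpectedDomain))\b" })
    New-Result "Trust lists $ExpectedDomain" ($hit.Count -gt 0) ($hit -join '; ')

    # Fourth Cause: TcpipNetbiosOptions 2 means NetBIOS over TCP/IP is disabled
    # (0 = use the DHCP setting, 1 = enabled).
    $off = @(Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -eq 2 })
    New-Result 'NetBIOS over TCP/IP' ($off.Count -eq 0) (($off | ForEach-Object Description) -join '; ')
}

Test-SmpDomainReadiness -ExpectedDomain 'EXAMPLE' | Format-Table -AutoSize -Wrap
```

A row with Passed = False points at the Cause to work on first; the script changes nothing on the server.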
The following steps are based on Method 3 from the following Knowledge Base article:
How to change Application Identity in NS7.
WARNING: There are several places to check when changing the Application Identity, and mistakes can result in failures of services to start and failures accessing the SQL database! Symantec recommends a full server and database backup before proceeding with the steps below. Please contact Symantec Technical Support with any questions prior to proceeding with these steps...
A. In Active Directory Users and Computers, create the account that you plan to use as the new Application Identity and leave it a member of the Domain Users group.
B. On the SMP server, add the new domain account to the local Administrators group.
Verify that the domain account can login to the SMP server, and can login to the SMC.
C. Open the SMC and click Settings > All Settings > Notification Server > Notification Server Settings
Change the Application Identity to your domain account in the format DOMAINNAME\username, provide the password twice, and click OK (the OK button is located in the lower-right corner of the page).
D. In the SMC click Settings > All Settings > Database Settings. Verify that "Use application credentials" is selected (this is the default). If it is not selected then ensure that the database credentials are valid.
E. In the SMC, click Settings > Security > Roles > Symantec Administrators > Membership tab. Verify that the domain account specified as the new Application Identity appears here.
F. In the Service management console on your SMP server, look at the Log On As column. If any of the services listed show the old local account under this column, right-click the service, click the Log on tab, and set the "This account" value to the domain account you specified for the Application Identity in the format DOMAINNAME\username. Also, set the correct Password and Confirm Password values. Click OK.
Following is a list of services to check: Altiris Client Message Dispatcher, Altiris Client Task Data Loader, Altiris Event Engine, Altiris Event Receiver, Altiris File Receiver, Altiris Object Host Service, Altiris Service, Altiris Support Service.
G. On your SMP server (or your SQL server if this is an off-box implementation), check whether the following services are configured to run as the old local Application Identity account: SQL Server (MSSQLSERVER), SQL Server Agent (MSSQLSERVER), SQL Server Browser, SQL Server Full Text Search (MSSQLSERVER). If they are, similar to the step above, configure those services to run as the new domain Application Identity.
H. On your SMP server (or your SQL server if this is an off-box implementation), open Microsoft SQL Server Management Studio and click SERVERNAME > Security > Logins. Add the domain account used for the new Application Identity. Under Server Roles for that user, add both "public" and "sysadmin" roles and click OK.
Once you have made these changes, reboot your SMP server and verify that all of the services you changed have started. If a service fails to start, then correct the account and password used to start the service as shown above. Finally, verify within the SMC that you can now add users and groups from the Active Directory to the Authentication tab for the pcAnywhere host configuration policy.
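The Log On As review in steps F and G can be done in one pass before and after the reboot. The following is an added example, not part of the original article or of Symantec's tooling; it assumes Windows PowerShell 3.0 or later, uses the service display names exactly as the article lists them, and the function name `Get-SmpServiceLogonAudit` is hypothetical.

```powershell
# Added example: report the logon account of the services named in steps F and G.
# Get-SmpServiceLogonAudit is a hypothetical name; run it on the SMP server
# (and on the SQL server for an off-box implementation).
function Get-SmpServiceLogonAudit {
    $displayNames = @(
        'Altiris Client Message Dispatcher', 'Altiris Client Task Data Loader',
        'Altiris Event Engine', 'Altiris Event Receiver', 'Altiris File Receiver',
        'Altiris Object Host Service', 'Altiris Service', 'Altiris Support Service',
        'SQL Server (MSSQLSERVER)', 'SQL Server Agent (MSSQLSERVER)',
        'SQL Server Browser', 'SQL Server Full Text Search (MSSQLSERVER)'
    )
    # Local accounts appear as .\name or COMPUTERNAME\name in the Log On As column.
    $localAccount = '^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\'
    $builtIn      = '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)'

    $installed = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $displayNames -contains $_.DisplayName }

    foreach ($name in $displayNames) {
        $svc = $installed | Where-Object { $_.DisplayName -eq $name } | Select-Object -First 1
        if (-not $svc) {
            $logon = ''; $state = ''; $finding = 'Not installed on this computer'
        } else {
            $logon = [string]$svc.StartName; $state = $svc.State
            $finding = if (-not $logon)                 { 'No logon account reported' }
                   elseif ($logon -match $localAccount) { 'Local account: set to the domain Application Identity' }
                   elseif ($logon -match $builtIn)      { 'Built-in service account' }
                   else                                 { 'Domain account' }
        }
        [pscustomobject]@{ Service = $name; LogOnAs = $logon; State = $state; Finding = $finding }
    }
}

Get-SmpServiceLogonAudit | Format-Table -AutoSize -Wrap
```

After the reboot, the State column also shows whether each changed service started under the new account.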
Fix can be downloaded on