This is a Comprehensive Guide for troubleshooting Web Console Error: "Unable to Validate the Current User with the Database".
This guide was designed to pinpoint the area causing the problem without unnecessary troubleshooting steps.
Follow each step in order and follow the hyperlinks when prompted or when they apply.
All the troubleshooting steps below take place on the core server.
Note: The core server will need to be activated and licenses checked.
Before Proceeding with the main steps it is suggested to enable logging first, then search for any errors given in the string. Next ensure the proper user accounts are configured. See below.
- Turn on LogEvents on the Core Server
- Enable Logging by adding a reg key: HKLM\Software\LANDesk\ManagementSuite\Core Type: DWORD Name: logevents Value: 1
- Try to connect to the Web Console again a single time.
- Open event viewer by going to Start | Run and running eventvwr.exe. LANDesk will now log a list of LANDesk Abstraction Layer error messages in the Application event log.
- Usually the error message is within the last one to five LANDesk Abstraction Layer events.
- Look for errors and search the Community for these error messages. These events will often point to the source of the problem.
- When finished delete the LogEvents DWORD from the registry so the application log does not fill up.
- If the log contains “there is no connection string for core" the following event should show the database connection information being passed. Commonly the failure will appear here giving an indication of what is wrong.
- If the next event contains: "A web exception (shown below) occurred when contacting the web service on the specified core." Check Proxy settings and also ensure that databaseinformation.asmx can be reached(Step III).
- If there are no further events or the next event appears to be a failure on the connection string then see Core Name
- Get the Domain and User account details.
- Is the user a local user or a domain user?
- Is the Domain Controller in mixed mode or native mode (or old NT 4.0 domain)?
- Is this a multi-domain environment?
- How is the user added to the LANDesk Management Suite group on the Core Server? Example: The user is a domain user called John1. John1 is a member of the LDAdmins group which is a "Security Group - Global". The LDAdmins group is added to the Core Server's LANDesk Management Suite group.
- Now review the LDMS 8.8 Matrix for successful authentication when logging into the Web Console
I: Login – Verify the problem is not with the account being used to login to the Web Console
A. Open up a cmd prompt. Type in the command whoami. Look to see if this user is explicitly listed in the Landesk Management group by checking local users and groups / LANDesk Management Group on the core.
B. If it is not already added, then add it explicitly.
C. Ensure this account is not locked in Active Directory. If the account is locked out then refer to article http://community.landesk.com/support/docs/DOC-1116.
D. If the user account is a domain account then refer to Configuring COM+
E. If you are unsure of the logged in user or do not have access to create a Domain Admin for COM+ account proceed to Configuring a Local Account.
II: ASP.net - Check the versions of .NET that have been installed, LANDesk requires version 1.1
A. Browse the file system to c:\windows\microsoft.net\framework.
B. If directories for versions 2.0 or 3.0 exist, see Troubleshooting Frameworks
C. If only v1.0- v1.1.4322 exists then simply run the command “c:\windows\Microsoft.NET\framework\v1.1.4322\aspnet_regiis.exe” –I to ensure it is registered primarily.
Then run iisreset
III: Internet Information Services Manager
A. Click on Web Sites, ensure the default website shows running.
Expand the Web Sites, then Default Web Site. Right Click and choose properties for Remote. Click the Directory Security tab and click edit in the top section (Authentication…)
Ensure anonymous access is NOT checked and that Integrated windows authentication IS checked. If these settings are incorrect see Comparing IIS Settings
B. Expand the Default Website then expand landesk-ManagementSuite-Core-SSL, Left Click on Information. Right-click Databaseinformation.asmx and choose Browse. https://localhost/landesk/managementsuite/core/ssl/information/DatabaseInformation.asmx
If you receive the correct result: The page must be viewed over a secure channel. (Changing HTTP to HTTPS should bring up the service page) proceed to IV: NTFS Permissions
If the Databaseinformation.asmx will not load correctly then proceed to Advanced IIS Troubleshooting
IV: NTFS Permissions
A. “Elevate” the AppPool credentials by: Right clicking on the effected AppPool and going to “Properties”.
Choose the identity tab. In the “Predefined” drop down box, scroll down and choose Local System.
B. Run IISRESET then Test the Web Console again.
Note: This should be used only for testing, Microsoft recommends that AppPools run as Network Service. If this resolves the issue, it usually signifies that the Network Service does not have proper rights to objects in IIS, can be either NTFS or IIS permissions.
C. IF elevating the rights made the web console work then see Troubleshooting NTFS Permissions
D. Ensure IIS_WPG and IUSER_CORENAME users exist and permissions match a working core for these folders: wwwroot and its subfolder remote, both found in :\inetpub.
If they do NOT match, proceed to Troubleshooting NTFS Permissions
If none of the above troubleshooting steps helped pinpoint the problem, proceed with each of the in depth sections below.
1) Configuring COM+
A. Specify credentials for the LANDesk COM+ objects by clicking on Start, going to Administrative Tools, choose Component Services, click the plus sign next to Component Services, click the plus sign next to Computers, click the plus sign next to My Computer, COM+ Applications, right click on LANDesk (you will also perform this task on LANDesk1), click on the Advanced Tab, place the Radial button in “Leave running when idle”, click on the Identity tab, specify a Domain Administrator and password in this user. (This will replace LANDeskComPlus, the new username must be in the domain\username format.)
B. Restart the Core Server. (This must be done because of caching done by IIS, for more information see Microsoft KB Article # 326818, http://support.microsoft.com/kb/326818.)
Back to top
2) Configuring a local account
A. Create a local account on the core server
Add it to the landesk management group, ensure this user has web console rights by modifying the user in the console.
B. Specify which user to log into the web console: In IE specify other user credentials by going to Tools > Internet Options, choose the Security Tab, click on Custom Level, scroll to the bottom and place the radial button in “Prompt for user name and password”. Restart the web console and specify credentials for a known local user in the LANDesk Management Suite Group. If this works then the problem was specific to the account they were logging in with prior.
Back to top
3) Troubleshooting Frameworks
A. If version 2.0 is present then in IIS check the web service extension, allow .net 1.1 and prohibit .net 2.0.
Run the command “c:\windows\Microsoft.NET\framework\v1.1.4322\aspnet_regiis.exe” –I
In IIS Choose properties on the default web site, click the aspnet tab, ensure 1.14322 is selected from the drop down.
B. If .NET version 3.0 has been previously installed it must remain installed in version 8.7, removal can cause non-function of IIS components.
In versions previous to 8.7 an uninstallation of IIS and a rebuild of the Core Server may be required C. Browse to \LANDesk\ManagementSuite, sort details fields by “Date Modified”, scroll down until you see the LANDesk DLL and TLB files, verify that the dates that the tlb files match the corresponding .dll file.
If the dates do not match, run the following command on the dll’s effected:
C:\Windows\Microsoft.NET\Framework\v1.1.4322\regasm.exe /codebase /tlb "drive:\path\LANDesk\ManagementSuite\file.dll"
Note: For the purpose of the error being discussed the LANDesk.ManagementSuite.Database.dll is most important.
Note: 8.7 LANDesk should tolerate later versions having been installed (2.0, 3.0) provided that 1.1 has been re-registered. Versions previous to 8.7 require later versions of .NET to be removed and 1.1 re-registered. The command to re-register .NET is:
Back to top
4) Comparing IIS Settings
Verify IIS configuration
A. IIS settings including application pools, web sites, and web service extensions can be compared manually to a working core server. For web sites pay special attention to the directory security tab found in the web site’s properties.
B. IIS settings can also be compared by exporting the website to an XML and checked using the XML Comparison Tool, contact LANDesk support to have this done.
Back to top
5) Advanced IIS Troubleshooting
A. If when Browsing to databaseinformation.asmx the result is: Page Cannot be displayed
1- Ensure the Default Web Site has a certificate assigned found in the Directory security section. When clicking view certificate it must state “You have a private key that corresponds to this certificate". If the certificate is not present or doesn’t have a private key, proceed to Assigning a Certificate.
2- Expand the Default Website then expand landesk-ManagementSuite-Core-SSL, right click the SSL web site and choose properties. Edit Secure Communications and make sure Require secure channel (SSL) and Require 128-bit encryption are enabled. If not, enable them and propagate to dependents when prompted.
If when Browsing to databaseinformation.asmx the result is: The browser attempts to download Databaseinformation.asmx instead of browsing it. <BR ...> 1- Check MIME types of the Default Website. Go to Properties of the Default Website, HTTP Headers Tab, and choose MIME Types. <BR ...> 2- Make sure .asmx or .as* are not listed and then remove .*. Otherwise remove .asmx or .as*. <BR ...>C. If when Browsing to databaseinformation.asmx the result is: ASP.NET error "Access is Denied" after adding S to HTTP. 1- Enable anonymous access is enabled. Change it to Integrated Windows Authentication only by choosing properties for SSL, Click the Directory Security tab and click edit in the top section (Authentication…)
Ensure anonymous access is NOT checked and that Integrated windows authentication IS checked.
D. Open C:\Windows\System32\Logfiles\HTTPERR1, sort the folder by “Date Modifed” and view errors, this log usually details errors with AppPools (only applicable in Windows Server 2003), and only holds information on IIS Error code series 500 errors
The 500 error in this log would indicate the service is unavailable. When receiving these determine if the application pool is being overwhelmed or if it is just dropping connections.
It may be necessary to optimize IIS if there are multiple 500’s within seconds. See http://community.landesk.com/support/docs/DOC-1071 to optimize IIS. Ensure only 1 worker process is assigned to the remote application pool.
E- If getting a 404 when browsing remote or database information it could mean that the aspnet extension being used by that site is prohibited. Check the aspnet tab in the web site properties, ensure it is 1.1. Now check web service extensions, ensure 1.1 is allowed.
F- If getting a Server Error in 'any' Application then check IIS settings with the comparison tool as well as checking NTFS permissions. Also choose properties on the default website, ensure the home directory(tab)local path is set to c:\inetpub\wwwroot.
Back to top
6) Troubleshooting NTFS Permissions
A. Check NTFS permissions on C:\Inetpub\WWWRoot and \LANDesk\ManagementSuite\LANDesk folders by comparing them to your Core Server.
B. Obtain Process Monitor from SysInternals (http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx ), delete C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files, start a capture, run IISRESET, and attempt to reload the Web Console.
Note: When interpreting the capture, it is easiest to create a filter that only looks for “Access Denied” messages or the particular message you’re looking for.
Back to top
7) Core Name
Core.asp may have an incorrect server name listed. Change the server name in the Core.asp to reflect the correct Core Server name. It is also possible the core was renamed after IIS was installed.
1. Push CTRL-PAUSE and click computer name to see what the machine is currently named.
2. In IIS Manager, right click and choose permissions on the default web site and compare the IUSR_ name to the machine name, they must match.
If they match then look at the core.asp file which is located in two different places. Ensure the server name is correct in both locations.
Note: if the core server name has been changed after IIS was installed, IIS in most instances will not function correctly, a rebuild is sometimes necessary in that instance. It is not suggested to rebuild unless it is confirmed that the core server name has been changed and IIS cannot be salvaged.
Back to top
8) Assigning a Certificate
For help with troubleshooting certificates click here.
Back to top
9) SSL is not installed
SSL may not be installed and/or configured for IIS. This step can also be used if the certificate is not showing a private key.
Right click on the default website and check the properties. If you don't have a port listed for SSL (it should be 443) then run the following commands from the ManagementSuite directory on the server with the web console.
- securewebsiteinstall.exe "cert name" landesk/managementsuite/core/ssl
- securewebsiteinstall.exe "cert name" landesk/managementsuite/core/ssl/remotecontrol
- securewebsiteinstall.exe "cert name" landesk/managementsuite/core/ssl/information
Back to top
10) Using 3rd Party tools to see which files have incorrect permissions:
A. Obtain Process Monitor from SysInternals:
B. Delete C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files.
C. Open Process Monitor.
D. Start a capture.
E. Run IISRESET.
F. Attempt to reload the Web Console.
G. Stop the Process Monitor capture.
Note: When interpreting the Process Minitor capture, it is easiest to create a filter that only looks for “Access Denied” messages or the particular message you’re looking for.
H. If access was denied to a specific file, provide proper permissions for that file. Again, comparing the permissions to those of a clean lab core may be best.
Back to top
11) Oracle Client Permissions
In some cases the user has incorrect permissions set on the Oracle Client directory.
In that case reference the following article: http://community.landesk.com/support/docs/DOC-7015
12) Patching and Reinstalling
In rare instances, none of the troubleshooting steps above will correct the problem.
If so it may be necessary to work with a PSE for web console, and then proceed to the steps below if nothing is found.
A. Re-apply the latest service pack with all Intel & LANDesk services stopped. Ensure streams are not present on the service pack or landesk & inetpub file systems.
B. Rebuild - Back everything up, Uninstall LANDesk, Uninstall IIS, Reinstall IIS, Reinstall LANDesk giving it a new keyname, Apply the latest Service Pack.
Back to top
13) Modify permissions on the Temporary ASP.NET Files Folder
It may be necessarey to modify the permissions on C:\Windows\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files folder. In some instances, we have seen permissions issues with the Tempory ASP.NET Files folder. Once we added the NETWORK SERVICE account and the LANDesk XXXXX accounts to the folder and propagated the permissions down, it worked as expected.
Back to top