Explanation of Common UI Errors

This article describes a number of common errors that have been observed during the operation of Privilege Secure. Many of them are related to either DNS issues or incorrect credentials.

Incorrect DNS entries are very common in large enterprise environments, and many errors that Privilege Secure surfaces have to do with DNS entries, especially slow or incorrect updates to Dynamic DNS records.

rpc_s_access_denied

  • Cause 1 – The Privilege Secure scan account does not have permission to enumerate the local Administrators group, because the GPO that allows the scan account to make remote calls to SAM has not been applied.
  • Solution 1 – Apply the Scan GPO Guide (Server 2016+ Domain Controllers) or the Scan GPO Guide (Server 2012 or 2008 Domain Controllers).
  • Cause 2 – The system cannot reach a domain controller for AD account authentication. You can verify this by attempting to RDP to the system with an AD account and receiving an error to that effect. If a terminal is available via EDR or a remote management solution, you can also verify by running gpupdate /force in the terminal.
  • Solution 2 – Ensure the system can reach a domain controller, and verify with gpupdate /force. A local account will have to be used to log into the system: either the built-in RID 500 local Administrator, or the alternate administrator account if OAM is being used.

403 Error: Forbidden from viewing this resource

  • Cause – User logged into Privilege Secure is attempting to view a system in the Grant Access page that the user does not have permissions to. Permission is granted if the user is in, or a member of a group in, the Privilege Secure Administrator Account inventory.

Failed to Connect with Credentials

There are a few reasons why this error can come up and these are the most common encountered. Typically there is a DNS issue that will need to be resolved.

  • Cause 1 – Privilege Secure tried connecting to the target system on the IP address received from DNS and, after successfully pinging the machine, either failed to connect at all (RPC/TCP error) or did connect and got an error. For instance, VerifyHost failed (i.e. the computer connected to has a different hostname than the one in DNS), or another SessionError of some kind occurred.
  • Cause 2 – Privilege Secure then tries the backup IP address for the computer, if there is one. If there is none, or if the backup IP address also fails, the error "Failed to connect with credentials" is thrown.
  • Cause 3 – The system has a mismatch between the Active Directory Computer Name (CN) attribute and the Computer (NetBIOS) Name as seen in Active Directory Administrative Center. If the Computer (NetBIOS) Name has more than 15 characters, reduce it to 15 characters.
  • Reference – https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/naming-conventions-for-computer-domain-site-ou
  • Solution – For cause #1, the VerifyHost mismatch can be confirmed by running ipconfig /all on the target and comparing the hostname returned with the name of the system in Privilege Secure. If they do not match, the DNS entry for the machine(s) should be corrected and the action retried.
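The connection flow described above (DNS lookup, reachability, VerifyHost) can be reproduced from an administrator's workstation before opening a ticket. The PowerShell below is an added example and is not part of the Privilege Secure documentation; it assumes Windows 8.1/Server 2012 R2 or later for Resolve-DnsName and Test-NetConnection, that NetBIOS over TCP/IP is allowed for the nbtstat query, and the function name Test-PsSystemIdentity is the example's own.

```powershell
# Added example (not Privilege Secure code): compare what DNS says about a system
# with what the host at that IP says about itself, the same mismatch VerifyHost
# reports as "Failed to Connect with Credentials".
function Test-PsSystemIdentity {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    $short = ($ComputerName -split '\.')[0]
    $r = [ordered]@{
        ComputerName = $ComputerName; ForwardIP = $null; ReverseName = $null
        NetbiosName  = $null; Port445Open = $false; Finding = 'OK'
    }

    # 1. Forward (A) lookup: the IP Privilege Secure would connect to.
    $a = Resolve-DnsName -Name $ComputerName -Type A -ErrorAction SilentlyContinue |
        Where-Object QueryType -eq 'A' | Select-Object -First 1
    if (-not $a) { $r.Finding = 'No A record'; return [pscustomobject]$r }
    $r.ForwardIP = $a.IPAddress

    # 2. Reverse (PTR) lookup of that IP. A stale Dynamic DNS record often points
    #    the name at an IP whose PTR belongs to a different machine.
    $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($ptr) { $r.ReverseName = ($ptr.NameHost -split '\.')[0] }

    # 3. SMB reachability: scans and JITA actions need TCP 445 on that IP.
    $r.Port445Open = (Test-NetConnection -ComputerName $a.IPAddress -Port 445 `
        -WarningAction SilentlyContinue).TcpTestSucceeded

    # 4. Ask the host at that IP for its own NetBIOS name, bypassing DNS entirely.
    #    nbtstat -A prints one "<00>  UNIQUE" row for the workstation name.
    $nbt  = & nbtstat.exe -A $a.IPAddress 2>$null
    $line = $nbt | Where-Object { $_ -match '^\s*(\S+)\s+<00>\s+UNIQUE' } |
        Select-Object -First 1
    if ($line -match '^\s*(\S+)\s+<00>\s+UNIQUE') { $r.NetbiosName = $Matches[1] }

    # Classify in the order Privilege Secure would hit the problems.
    if (-not $r.Port445Open) { $r.Finding = 'Port 445 unreachable' }
    elseif ($r.NetbiosName -and $r.NetbiosName -ine $short) { $r.Finding = 'VerifyHost mismatch' }
    elseif ($r.ReverseName -and $r.ReverseName -ine $short) { $r.Finding = 'PTR mismatch' }
    [pscustomobject]$r
}

# Usage: Test-PsSystemIdentity -ComputerName ws01.corp.example
```

A "VerifyHost mismatch" finding means the DNS A record is stale and should be corrected before retrying; a "PTR mismatch" alone is worth checking but does not by itself stop the connection.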

STATUS_NONE_MAPPED

  • Cause 1 – A duplicate or redundant built-in Administrator in the local Administrators group causes OAM to error while scanning the system.
  • Solution 1 – Determine which built-in admin is on the system. Disable OAM and rescan the system. If the incorrect built-in administrator is not removed from the Privilege Secure inventory, remove it via QuickStart or the database.
  • Cause 2 – OAM was set to use the same name for the alternate admin as the built-in Administrator.
  • Solution 2 – Disable OAM and rescan the system. Change the OAM policy to a name different from the built-in local Administrator. Enable OAM and rescan.

STATUS_SPECIAL_ACCOUNT

Indicates an operation that is incompatible with built-in accounts has been attempted on a built-in (special) SAM account. For example, built-in accounts cannot be deleted.

  • Cause – The OAM alternate admin name and the RID 500 account name were the same when OAM was enabled (e.g. "Administrator"). Once OAM is set to Unmanaged, Privilege Secure will attempt to remove the alternate admin account on the next scan, which is actually the RID 500 account.
  • Solution – Please contact Customer Success (CS) to assist. While OAM is set to Unmanaged, CS will need to enter the database and remove the "config.accounts" entries that end in "-500" for that system. OAM can then be left Unmanaged or enabled, with an Alternate Admin Account name that is different from the current local Administrator (RID 500) account name on the system.

Maximum Attempts Exceeded

  • Cause 1 – Privilege Secure has exceeded the time limit to communicate with the system; the process will keep attempting to complete the action (Rescan, JITA, extend, or expire).
  • NOTE: If this error occurs while the logged-in user has a JITA session that will not expire, either because it is overdue or because a manual expiration attempt failed, the Overview -> Overdue Users with Admin Access entry for the JITA has no action button to dismiss it and shows the message "Pending expiration run."
  • Solution 1 – Wait a minute and refresh the Grant Access page for the system. Try the action again if necessary.
  • Cause 2 – The Privilege Secure worker hung or was restarted, and the queue record for the user's JITA on this system was left with the "request.inProgress" value set to true.
  • Solution 2 – Set the "request.inProgress" value to false on the queue record for the user's JITA on this system.

Unable to connect to system: Host is offline - 660240 - Last known IP is unreachable

  • Cause – System does not respond to a ping

Additional Errors

| Error | Cause | Solution |
| --- | --- | --- |
| Unable to connect to system: (SessionError(), ('STATUS_LOGON_FAILURE', 'The attempted logon is invalid. This is either due to a bad username or authentication information.')) - 177696 | This could be one of two reasons. Cause 1 – DNS is not up to date and causes Privilege Secure to connect to the wrong IP, and thus use the wrong credentials. Cause 2 – Credentials on the system have been changed by another admin. | |
| Unable to connect to system: (SessionError(), ('STATUS_ACCOUNT_LOCKED_OUT', 'The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.')) - 20234 | The Privilege Secure service account is locked out, due to the same reasons as STATUS_LOGON_FAILURE. | |
| Unable to connect to system: (SessionError(), ('STATUS_LOGON_TYPE_NOT_GRANTED', 'A user has requested a type of logon (for example, interactive or network) that has not been granted. An administrator has control over who may logon interactively and through the network.')) - 12575 | This message most likely means Privilege Secure is connecting to the incorrect system, due to the same reason as STATUS_LOGON_FAILURE. | |
| Access Error: STATUS_MEMBER_IN_ALIAS - The specified account name is already a member of the group. - 1031 | Privilege Secure attempted to add a user to the admin group, but that account was already present. | |
| Access Error: STATUS_MEMBER_NOT_IN_ALIAS - The specified account name is not a member of the group. - 138 | Privilege Secure attempted to remove a user from the local admin group, but the user was not present in the group. | |
| System hostname does not match: (details) - 995 | DNS is not up to date and causes Privilege Secure to connect to the wrong IP. | |
| Access Error: STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights. - 928 | Authentication to the system succeeded for the Privilege Secure service account, but access was denied. | Verify the Service Account (Protect/Scan) is in the local admin group – the service account must be On System: Yes and Persistent: Yes on every machine that needs to be scanned. Typically these are managed by a team, process, or GPO. The immediate resolution is to SSH onto the affected box and add the missing Service Account to the local administrator group. If OAM is enabled – disable OAM and in the DB $pull any admins found under "config.accounts". Please contact the Customer Success team for assistance. |
| (SessionError(), ('STATUS_ACCOUNT_LOCKED_OUT', 'The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.')) - 391 | The Privilege Secure service account is locked out, due to too many incorrect login attempts. | |
| (SessionError(), ('STATUS_LOGON_FAILURE', 'The attempted logon is invalid. This is either due to a bad username or authentication information.')) - 345 | The Privilege Secure service account failed authentication, due to the same reasons as STATUS_LOGON_FAILURE. | |
| The attempted logon is invalid. This is either due to a bad username or authentication information. - 105 | The Privilege Secure service account failed authentication, due to the same reasons as STATUS_LOGON_FAILURE. | |
| Rescan button doesn't work | In some cases an AD entry may represent a cluster (e.g. MS-SQL) instead of the individual machines. In this case the rescan does not work, as it is expecting an individual server. | |
| SAMR SessionError: code: 0xc000006c - STATUS_PASSWORD_RESTRICTION - When trying to update a password, this status indicates that some password update rule has been violated. For example, the password may not meet length criteria. | There is a conflict between the OAM password complexity and the domain password policy rule. | |
| 'module' object has no attribute 'MODE_CCM' | SMB encryption is enabled on the server. | Issue resolved in Privilege Secure versions 2.10.1 and 2.9.1. For older Privilege Secure versions: disable SMB encryption on the server. |
| Error 9999: Connection reset by peer | File and Print Sharing for Microsoft Networks is disabled, preventing connections on ports 445 and 139. | Enable Windows File and Print Sharing for Microsoft Networks. Reference: https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/turning-on-file-and-printer-sharing-windows-10/bb3066eb-f589-4021-8f71-617e70854354 |
| new() takes at least 2 arguments (1 given) | SmbServerConfiguration RequireSecuritySignature is set to true, requiring SMB signing for all SMB communication and preventing SMB communication with computers where SMB signing is disabled. | Issue resolved in Privilege Secure versions 2.10.1 and 2.9.1. For older Privilege Secure versions: if SMB signing is not required, a workaround is to set SmbServerConfiguration RequireSecuritySignature to false with administrative PowerShell: `Set-SmbServerConfiguration -RequireSecuritySignature $false`. If SMB signing is required, please contact Customer Success. |
| Unable to connect to system: (SessionError(), ('STATUS_TRUSTED_RELATIONSHIP_FAILURE', The logon request failed because the trust relationship between this workstation and the primary domain failed. | Active Directory has no trust relationship with the system. This can be caused by deleting a computer from AD and re-adding it in AD. | On the system, leave the domain, reboot, and join the domain again. |
| [Errno 12] Cannot allocate memory | Known issue being investigated regarding suspected memory usage bloat/leak in the LDAP service when the nightly database tasks run. This is suspected to cause a node to run out of memory. If the scanner and/or worker are running on the same node, this error occurs and scan and JITA fail. | Stop the ldapsync, scanner, and worker services; wait 5 seconds; start the ldapsync, scanner, and worker services. |
| No Answer!; Timed out; Unable to connect to system: (error(u'Connection error (X.X.X.X:445)', error(110, 'Connection timed out')), ('CONNECTION_ERROR', '[Errno 110] Connection timed out')) - 37100; Unable to connect to system: (error(u'Connection error (X.X.X.X:445)', error(111, 'Connection refused')), ('CONNECTION_ERROR', '[Errno 111] Connection refused')) - 8540; Unable to connect to system: (error(u'Connection error (X.X.X.X:445)', error(113, 'No route to host')), ('CONNECTION_ERROR', '[Errno 113] No route to host')) - 2193; (SessionError(), ('STATUS_PIPE_NOT_AVAILABLE', 'An instance of a named pipe cannot be found in the listening state.')); ('Error while reading from remote', 255, None)); The NETBIOS connection with the remote host timed out. | Microsoft File and Printer Sharing is disabled, or service(s) are in a hung state and SMB is no longer listening for connections. | Verify lanmanserver is listening on port 445 via Command Prompt on the system, and start it if stopped: check port 445 is open and reports LISTENING with `netstat -n -a \| findstr "LISTEN" \| findstr "445"`; check lanmanserver status with `sc query lanmanserver`; if lanmanserver is stopped, start it with `sc start lanmanserver`. Solution 1 – Ensure Microsoft File and Printer Sharing is enabled on the network adapter in use. Solution 2 – In Windows Services ensure the Server service is set to Automatic and started (the Server service name in service properties is LanmanServer); use the check above to verify lanmanserver is listening on port 445. Solution 3 – Stop and start the Server service (lanmanserver); use the check above to verify. Solution 4 – Reboot the system; sometimes the Server service (lanmanserver) will no longer start or remain running until the system is rebooted; use the check above to verify. Reference: https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/turning-on-file-and-printer-sharing-windows-10/bb3066eb-f589-4021-8f71-617e70854354 |
| POSTMAN/Registration "Unhandled error: Host is Unreachable: Failed to connect to the host via ssh: WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" | The SSH key recorded for the Linux system in the Privilege Secure Worker container's known hosts differs from the key the system now presents, due to a change in the SSH host keys on that target system. | Solution 1 – Restart the worker service via the UI at Configure > Services > Worker > "Restart". Solution 2 – Restart the worker service via the command line, on any node, with the command `s1 restart worker`. |
| No sudoers file present in the UI. No users or groups showing UI permissions in the UI. | Cause 1 – internal_api service not installed or started. Cause 2 – Database migration not completed during an upgrade. Cause 3 – In a Privilege Secure cluster, the docker-stack.yml internal_api DB environment variable is using a single-node entry instead of the cluster entry. | Solution 1 – Deploy the internal_api service. Solution 2 – Complete the database migration. Solution 3 – Correct the docker-stack.yml internal_api DB environment variable to use the cluster entry. Please contact the Customer Success team for assistance with these solutions. |
| "'NoneType' object has no attribute 'getitem'" error message in the upper right corner of the UI, also logged in the Access History. | The queue collection document for the affected system has a "requested_by" ObjectId that differs from the "request.user" ObjectId. Specifically, the "request.user" ObjectId is that of a user account that is no longer referenced or valid in ldap_store and/or in AD. | Resolving this ObjectId mismatch requires a MongoDB-side update, including a query to update the queue collection's ObjectId reference. Because of this, assistance from our Customer Success Engineers is advised. |
| When setting up a domain in Configure -> Server -> Domain Configuration, clicking the Test Connection button results in the error: Your configuration is not valid. (ECONNRESET) | The domain controller (LDAP server) does not use SSL connections for LDAP and has closed the connection. | Uncheck the SSL box and change the port to 389. |
| Scanning a Linux system error: Remote script exited with error: see details in log | The Linux system is out of disk space, or the disk or /tmp directory is in read-only mode. | Free up space on the disk, or resolve the read-only state or /tmp permissions. |
| Scanning results in a STATUS_NOT_SUPPORTED error | Microsoft patch to secure an NTLM vulnerability, reference: https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-ac[…]ficate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429. | Updating "Network security: Restrict NTLM: Incoming NTLM traffic" to Allow all allowed the systems to be scanned and JITA accessed again. Reference: https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429. Microsoft best practices – If you select Deny all domain accounts or Deny all accounts, incoming NTLM traffic to the member server will be restricted. It is better to set the Network Security: Restrict NTLM: Audit Incoming NTLM traffic policy setting and then review the Operational log to understand what authentication attempts are made to the member servers, and subsequently what client applications are using NTLM. Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic |
| Remote script exited with error: see details in log | The Privilege Secure service account password has expired. | Set the password to never expire with `sudo chage -M 99999 <account>`, where `<account>` is the Privilege Secure service account. |
| Scanning a Linux system error: SSH connection error: encountered RSA key, expected OPENSSH key | | |
| STATUS_NO_LOGON_SERVERS, No logon servers are currently available to service the logon request. | The system is having trouble reaching a domain controller. | Solution 1 – Fix any network path issues (firewall, routing, VPN, etc.). Solution 2 – Reboot the system, as this error typically means you cannot log on to the system to administer it. |
| SAMR Session Error: unknown error code: 0xc000a08b. Note: This is a passthrough error from Windows; it is not generated by Privilege Secure but on the endpoint during the attempted action. | Microsoft LAPS is preventing password changes to the local Administrator account (RID 500). You can verify that Microsoft LAPS is blocking the password change in the Event Viewer logs under Applications and Services > Microsoft > Windows > LAPS > Operational. Reference: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-management-event-log | Solution – Prevent the LAPS Group Policy Object from being applied to the system. Workaround – Disable Privilege Secure OAM rotation of the local Administrator account password. This allows Privilege Secure to still keep the local Administrator account disabled and manage an alternate administrator account. |
| SAMR SessionError: unknown error code: 0xc000030c. Note: This is a passthrough error from Windows; it is not generated by Privilege Secure but on the endpoint during the attempted action. | The local Administrator (RID 500) account password was never set and is blank. EAS policy requires that the user change their password before this operation can be performed. | Set a local Administrator (RID 500) account password. |
| (Popup) The file does not have a header with value "Name" | When using "Select By File" on the Management => Systems page, a CSV is being uploaded that was edited and saved in Excel as a CSV file. This removed the quote marks that a CSV upload requires. | Solution 1 – Save a CSV edited in Excel as an Excel *.xlsx file. Solution 2 – Edit and save the CSV with a text editor. |