We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.

Barracuda ArchiveOne

How can Support resolve the error "Error Retrieving User Roles" when launching ArchiveOne Admin console?

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00007372

Scope: 
ArchiveOne Enterprise, 6.5 or earlier

Answer:


SYMPTOMS

A user is on a Windows XP desktop and has the ArchiveOne Enterprise console installed locally. This admin console is connecting to an ArchiveOne service installed on a Windows 2008 R2 server. The user has been set with a bespoke Role from the 'Roles and Users' component of ArchiveOne. When opening the admin console the user sees an error box stating "Error Retrieving User Roles". No functionality is available to the user.


The same user can log onto a desktop with a Windows 7 operating system and use the console as expected. N.B. Windows XP is no longer covered by Microsoft support and is not supported by the latest version of ArchiveOne.


The admin console trace file indicates a failure to connect to the server with an error code of 0x80070721 (and may well say that a security package specific error occurred).


ROOT CAUSE

This error is caused by a Kerberos authentication issue between the Windows XP environment and the Windows 2008 R2 server. This is a known Microsoft issue and is NOT caused by any ArchiveOne installed component.


RESOLUTION

There are a number of checks that should initially be made when faced with this issue. These are:

  1. Locate and delete the files with the extension '.c2cusers'. Restart the console to reload the operation set allowed by the user.
  2. Check that on-access scanning from an installed anti-virus product is not preventing the reading of the role definition files.
  3. Check that the Windows Firewall on the XP machine is set to 'off'.
  4. Log on as a different user and see if the console opens as expected.
  5. Assuming that none of the above resolve the issue, then it will be necessary to register a Service Principal Name (SPN) for the appropriate ArchiveOne service.

Important: If an SPN is already registered for another service on the Archive server (such as Outlook Web Access) do not proceed with the steps in this solution and instead contact Barracuda Support for further advice.


To set an SPN, on the Archive server open a command prompt and complete the following steps, where:

- ARCHIVE_SERVER is the NetBIOS name of the archive server where the Archive One Policy service is installed.
- ARCHIVE_SERVER_FQDN is the Fully Qualified Domain Name of the server where the Archive One Policy service is installed.
- DOMAIN is the Windows domain.
- SERVICE_ACCOUNT is the domain account name that the ArchiveOne Enterprise Service is running under.


If you are using ArchiveOne Enterprise (Policy),
  1. At a command prompt, type:
    setspn -S AOnePolService/ARCHIVE_SERVER DOMAIN\SERVICE_ACCOUNT
  2. Press 'Enter' and then type:
    setspn -S AOnePolService/ARCHIVE_SERVER_FQDN DOMAIN\SERVICE_ACCOUNT
  3. Press 'Enter' and then type the following to verify the SPN was registered successfully:
    setspn -L SERVICE_ACCOUNT
If you are using ArchiveOne Enterprise (Compliance),
  1. At a command prompt, type:
    setspn -S AOneCmplService/ARCHIVE_SERVER DOMAIN\SERVICE_ACCOUNT
  2. Press 'Enter' and then type:
    setspn -S AOneCmplService/ARCHIVE_SERVER_FQDN DOMAIN\SERVICE_ACCOUNT
  3. Press 'Enter' and then type the following to verify the SPN was registered successfully:
    setspn -L SERVICE_ACCOUNT
This should allow the ArchiveOne Enterprise console to open as expected. For further information on setspn.exe, see the Microsoft TechNet article: Service Principal Names (SPNs)


Link To This Page: