This document (3576402) is provided subject to the disclaimer at the end of this document.
Environment
Novell Client 4.91 for Windows 2000/XP
Novell Client 4.9 for Windows NT/2000/XP
Novell International Cryptographic Infrastructure (NICI)
Situation
Windows user account was deleted and re-created.
Windows user account SID was explicitly changed, such as when using Windows workstation imaging and setup utilities to create unique SIDs post-install.
Workstation is a Windows 2000 Server machine that recently had Active Directory removed from it.
Internal error 0xFFFFFA27 reported when logging into NDS with NMAS enabled.
Error: -1497 (0xFFFFFA27) reported when attempting to unlock workstation using NDS credentials.
Internal error 0xFFFFFA78 reported when logging into NDS with NMAS enabled.
Error: "Workstation Locked. An unexpected error occurred while attempting to unlock the workstation. Try unlocking the workstation again, or select a different credential type for unlock. Error -1497 (0xFFFFFA27)"
Error: -1497 reported when logging into NDS from the user's desktop (e.g. from red 'N' in system tray, or by running LOGINW32.EXE).
Error: "NetWare Security Message. Internal error 0xFFFFFA27 occurred. Try again. If the error occurs again, restart your workstation and try again. If the error persists, contact your network administrator."
Error: -1497: CCS_E_AUTHENTICATION_FAILURE (0xFFFFFA27)
Error only occurs if NMAS is also installed and enabled on the workstation.
Error does not occur during initial login after reboot of workstation, or when logging completely out of Windows and then logging in again.
Resolution
The CCS_E_AUTHENTICATION_FAILURE (-1497, 0xFFFFFA27) error can be returned from NICI under a variety of circumstances, such as when required NICI system files cannot be located or have been corrupted. A more common scenario in which CCS_E_AUTHENTICATION_FAILURE is returned, however, is when the security on the NICI user directory (located under "%SystemRoot%\System32\Novell\NICI") no longer permits the Windows user account to access that directory.
NTFS security permissions on this directory grant permissions based on the SID of the Windows user account, and if the SID of an existing Windows user account changes (i.e. same Windows user account name, but now with a different SID), the permissions established for the NICI user subdirectory will no longer permit the Windows account to access the directory. This causes NICI initialization to fail in a manner which reports the CCS_E_AUTHENTICATION_FAILURE status code.
If the change of the Windows user account's SID is by design and happens frequently (for example, if a ZENworks Dynamic Local User (DLU) policy is set to maintain volatile user accounts which are deleted and re-created at the next login), then the NICI configuration setting "EnableUserProfileDirectory" eliminates the need to constantly fix the NICI user directory permissions. This is done by creating a registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI named EnableUserProfileDirectory, of type DWORD, with a value of 1. See the document Unable to change Universal Password from workstation with ZENworks/DLU installed for additional information.
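The following is an added PowerShell example, not part of the original TID, that applies the registry setting described above idempotently and verifies the write. The key path, value name, type and value come from the TID; the function names are this example's own, and the script assumes it is run from an elevated session (HKLM is machine-wide).

```powershell
# Added example (not from the Novell TID): set NICI's EnableUserProfileDirectory value
# so that volatile (DLU-style) Windows accounts do not leave behind SID-bound NICI user
# directories under %SystemRoot%\System32\Novell\NICI that must be repaired after every
# re-creation. Function names are hypothetical; the registry location is from the TID.

$NiciKey   = 'HKLM:\SOFTWARE\Novell\NICI'
$ValueName = 'EnableUserProfileDirectory'

function Get-NiciUserProfileDirectorySetting {
    # Returns the current DWORD value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $NiciKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-NiciUserProfileDirectory {
    # Creates the key if it is missing, writes the DWORD value 1, and re-reads it to
    # confirm the change instead of assuming the write succeeded.
    if (-not (Test-Path -Path $NiciKey)) {
        New-Item -Path $NiciKey -Force | Out-Null
    }
    New-ItemProperty -Path $NiciKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

    $now = Get-NiciUserProfileDirectorySetting
    if ($now -ne 1) {
        throw "Failed to set $NiciKey\$ValueName (current value: $now)"
    }
    return $now
}

# Usage: report the value before and after the change.
"Before: $(Get-NiciUserProfileDirectorySetting)"
"After:  $(Enable-NiciUserProfileDirectory)"
```

The TID presents this value as a preventive setting for accounts whose SID changes routinely; it does not repair a NICI user directory whose ACL is already bound to an old SID, which still needs the ownership and permission reset described in the following paragraphs.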
If the SID has changed due to a one-time event, logging in as a member of the Windows "Administrators" group and resetting the NTFS security permissions on just the NICI user directory in question (e.g. "C:\Windows\System32\Novell\NICI\username") can be sufficient to resolve this issue. The specific steps to accomplish this vary by Windows platform, but in every case you must start by setting the ownership of the directory and files rather than the permissions: NICI secures the directory very tightly, and asserting ownership over the directory is required before Windows will allow the permissions on the directory to be reset.
First, log in as an Administrators group member on the Windows machine. Then browse to the actual NICI user subdirectory, e.g. "C:\Windows\System32\Novell\NICI\username". You will not be able to access this directory at this time. Right-click on the "username" directory and bring up the properties of the directory. Switch to the "Security" tab, at which point you may be prompted that you do not have permission to change the permissions on the directory. Go to the "Owner" tab (possibly under the "Advanced" button, depending on the Windows platform) and select "Administrators" to be the new owner of the directory. You must select to replace the owner on all subdirectories and objects (files), too. When saving this change, you will be prompted whether to replace permissions on the sub-objects with permissions granting you full control, to which you should respond affirmatively. After saving these changes, view the "Security" tab on the "username" directory again, at which point you should be able to see and remove the old SID/user account assigned there. Use the "Advanced" view (if available) and add the new/current Windows user account with full permission to the directory. When saving this change, select "replace permission entries on all child objects" in order to update the security on the individual files and sub-folders under the "username" directory.
At this point, if NTFS permissions on the NICI user subdirectory were the cause of the CCS_E_AUTHENTICATION_FAILURE error, the new/updated Windows account SID should now be the one with permission to the existing NICI user directory.
If issues persist, NICI can be completely uninstalled and then re-installed. However, permissions must still be reset on the existing NICI user directories & those existing directories removed, or else after NICI is re-installed the same problem will persist because of the invalid security permission still assigned to the NICI user directory. TAKE CARE IN DECIDING TO REMOVE ALL NICI USER DIRECTORIES, AND BACKUP THE EXISTING INFORMATION. While the manner in which NMAS and the Novell Client use NICI for NDS login will automatically re-create whatever NICI information is needed, if NICI is being used by other NICI-aware applications besides NMAS and the Novell Client, there could be additional steps required to restore and/or re-create the NICI information for these additional applications. Deleting the existing NICI user directories on a Windows Server machine running a Novell eDirectory server is NOT advised, and should only be done at the specific direction of Novell Technical Support or technical support documentation specific to the case of Novell eDirectory servers running on Windows.
The suggested steps for removing and re-installing NICI completely would be to start by uninstalling NICI from the Windows "Add/Remove Programs" control panel applet. Then reboot into safe mode and make "Administrators" the owner with full rights to the "C:\WINNT\system32\Novell\nici" directory and all child directories and files. After ownership has been asserted, set permissions on the entire directory structure to give yourself full control such that you will be able to delete the entire NICI directory structure. Boot back into Windows normally (non-Safe Mode) and re-install NICI so that the user directories will be re-created after users log in again.
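The ownership-first sequence described above, both for a single NICI user directory and for the whole NICI tree before a reinstall, as an added PowerShell example that is not part of the original TID. It assumes an elevated session run by an Administrators group member, and uses takeown.exe and icacls.exe, which ship with Windows Vista / Server 2003 SP2 and later (on the Windows 2000/XP platforms the TID lists, the GUI steps above apply). The function names and the sample paths are this example's own; the directory layout and the stale-SID explanation come from the TID.

```powershell
# Added example (not from the Novell TID). Repairs the ACL of a NICI directory whose
# permissions are bound to a stale Windows SID, following the order the TID requires:
# take ownership first (NICI grants Administrators nothing, so the DACL cannot be
# edited until Administrators owns the tree), then rewrite permissions, then remove
# the orphaned SID, then grant the account's new SID. Function names are hypothetical.
# Back up the directory contents (as the TID instructs) before touching the whole tree.

function Get-OrphanedSidAces {
    param([Parameter(Mandatory)][string]$Path)
    # An ACE whose identity can no longer be resolved to an account name is shown as a
    # raw S-1-... SID string. On a NICI user directory that is the SID of the deleted
    # or re-imaged Windows account the TID describes.
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object { $_.IdentityReference.Value -match '^S-1-' }
}

function Repair-NiciDirectoryAcl {
    param(
        # e.g. "$env:SystemRoot\System32\Novell\NICI\username" for one user, or the
        # NICI root ("$env:SystemRoot\System32\Novell\NICI") before a full reinstall.
        [Parameter(Mandatory)][string]$Path,
        # e.g. 'WORKSTATION\username' (the account's *current* SID is what gets granted).
        # Omit when only resetting the tree to Administrators prior to deleting it.
        [string]$Account
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "NICI directory not found: $Path" }

    # 1. Ownership to the Administrators group, recursively. /D Y answers "yes" when
    #    takeown cannot yet list a subdirectory, which is the normal state here.
    & takeown.exe /F $Path /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

    # 2. As owner, Administrators can now rewrite the DACL: full control, propagated to
    #    files (OI) and subdirectories (CI). *S-1-5-32-544 is BUILTIN\Administrators,
    #    given as a SID so the script does not depend on the localized group name.
    & icacls.exe $Path /grant '*S-1-5-32-544:(OI)(CI)F' /T /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls grant (Administrators) failed: $LASTEXITCODE" }

    # 3. Remove every ACE that still references an unresolvable (stale) SID.
    $stale = Get-OrphanedSidAces -Path $Path |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
    foreach ($sid in $stale) {
        & icacls.exe $Path /remove "*$sid" /T /C /Q | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls remove ($sid) failed: $LASTEXITCODE" }
    }

    # 4. Grant the account under its current SID, again propagated to all children.
    if ($Account) {
        & icacls.exe $Path /grant "${Account}:(OI)(CI)F" /T /C /Q | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls grant ($Account) failed: $LASTEXITCODE" }
    }

    # Report the result so the operator can confirm no orphaned SID remains.
    [pscustomobject]@{
        Path         = $Path
        Owner        = (Get-Acl -LiteralPath $Path).Owner
        OrphanedAces = @(Get-OrphanedSidAces -Path $Path).Count
        StaleSids    = @($stale)
    }
}

# Usage (sample path and account are placeholders):
# Repair-NiciDirectoryAcl -Path "$env:SystemRoot\System32\Novell\NICI\username" -Account 'WORKSTATION\username'
# Repair-NiciDirectoryAcl -Path "$env:SystemRoot\System32\Novell\NICI"   # whole tree, before deleting it for a reinstall
```

Running Get-OrphanedSidAces alone against the user directory is a quick way to confirm the diagnosis before changing anything: a NICI user directory that still lists an S-1-5-21-... entry no account name resolves to is exactly the condition the TID says produces -1497.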
Additional Information
Logging into eDirectory with NMAS enabled requires the use of NICI on the local workstation. When the SID changes for a Windows user account which already has an established NICI user directory on the local workstation, the security applied to the NICI user directory no longer permits the new Windows user account SID to access the directory, resulting in a CCS_E_AUTHENTICATION_FAILURE (-1497, 0xFFFFFA27) error when attempting to use NICI while logged in as the new Windows user account/SID. What this means is, NICI creates accounts and associated local file system directories, then changes the permissions on these directories so that only the account user and his associated SID number has access to them. Not even the Administrator can access them. If the SID changes on a local user he will lose all rights to the directories and this condition will result in the -1497 error.
Formerly known as TID# 10094494
Formerly known as TID# NOVL98737