Re: Problems with saweb, status, etc.

c-milan · ‎07-29-2002

I've just upgraded a customer to 3.14 from 2.46. In the process I ran the permissions wizard for an installer account and a service account. Now when the users try to use the web utils they are prompted with: (Also I have run the grantunityaccess command to see if I could stop this behavior, it reports that zero[0] items have been setup with this tool) Are there any other means to stop this behavior? Did I do something wrong in my upgrade procedures?

Message follows below---

Your Windows Domain Account [USRCORP\UNITY_SERVICE] is associated with multiple Unity Subscribers.

Please select the subscriber as whom you wish to sign in.

Unity Installer Account - USRVM

Unity Service - USRVM

lindborg · ‎07-29-2002

It does this for all accounts trying to get to the SA? Everyone has an alternate association with the installer account specifically or is it different accounts for other folks? So the GrantUnityAccess -L returns nothing at all? Is this Exchange 5.5? Do some of these accounts have multiple mailboxes associated with the same NT account by any chance? Is this site using a 3rd party tool to migrate from NT to 2K which created 'dummy accounts' or the like?

Very strange. The SA authentication process is pretty straight forward and the only reason you'd get prompted like that is if the SIDHistoryTable (the guy the GrantUnityAccess tool fronts for you) has entries for user's SIDs that remap it to the installer account. I see this often with sites that have used GrantUnityAccess when they shouldn't be... This is really only supposed to be used to allow non subscribers SA access on the system for multiple box help desk type scenarios.

If you haven't added any links and there's no 3rd party product at play here and that table is empty, there's really no way it would present you with that list...

c-milan · ‎07-29-2002

No, the only account is the unity_service account. This is exchange 5.5. I'll check and see if the account has multiple mailboxes associated, very likely. No 3rd party tools were used. And yes, the grantunityaccess -L returns nothing.

c-milan · ‎07-29-2002

OK, I found an account in Unity called Unity_Service that was the problem however in attempt to fix the problem earlier, I had read where the Example Administrator needed to be associated with the account. Having done such the two names that now show up are for

Unity Installer

Example Administrator

I have reversed the primary account association in MSEX 5.5 system manager however Example Administrator still shows up in the list. Any help?

lindborg · ‎07-29-2002

I'm unsure exactly what problem you'd be fixing by associating the Example Administrator account with anyone other than SA access issues for an account that is not a subscriber/admin on the local Unity box.

The authentication process is very straight forward. Unity gets the your token via IIS which uses NTLM to make sure it knows who you are (i.e. if you're not authenticated on the domain or a trusted domain you get a challange and response dialog). Using that token we ask Exchange 55 (in this case) which mailboxes are associated with this account. If more than one is returned you will get this list since we can only let you access the system as a specific user.

If you have multiple Exchange mailboxes associated with the NT account you're logged in as, you will always get that prompt. This isn't a Unity thing... there's nothing we can do to weed that out for you.