Mobile Search fails with "You do not have access to archives".

Mobile Search fails with "You do not have access to archives".

Article: 100046652
Last Published: 2019-11-19
Ratings: 1 0
Product(s): Enterprise Vault

Problem

Users that belong to many groups in Active Directory will fail to search in Mobile Search. 

Error Message

In the Mobile Search GUI the following error:

You do not have access to archives.  If the problem persists, contact your Enterprise Vault Administrator. 

In a dtrace of the DirectoryService and W3WP processes the following 8418 and 41478 events are seen:

(DirectoryService)    <18456>    EV~I    DirectoryService: GetAllUsersGroups: Getting Users Groups using DC = \\DC and a username of user6 |
(DirectoryService)    <18456>    EV:L    CEventLog::EventIsAllowedByFilter - Thread event filtering - event [0xc00420e2] was filtered out
(DirectoryService)    <18456>    EV~I    DirectoryService: ADO: GetNextLevelArchiveXMLBySite - GetUsersSids Failed |
(DirectoryService)    <18456>    EV:H    {CDirectoryServiceObject::GetNextLevelArchiveXMLBySite} HRXEX fn trace : Error [0x8000ffff], [d:\builds\13_\ev\vh-12.4-m\sources\source\directory\directoryservice\directoryserviceobject.cpp, lines {10061,10071,10096}, built Mar  1 01:08:01 2019].
(DirectoryService)    <18456>    EV~E    Event ID: 8418 Failed to get user groups with domain group error code 234 and local group error code . |
(w3wp)    <11572>    EV:H    {CDirectoryConnectionObject::GetNextLevelArchiveXMLBySite} HRXEX fn trace : Error [0x8000ffff], [d:\builds\16_\ev\v-m-s\sources\source\directory\directoryconnection\directoryconnectionobject_1.cpp, lines {3354,3361,3363}, built Nov  1 13:11:07 2018].
(w3wp)    <11572>    EV~W    |Event ID: 41478 User 'user6' does not have permission on any archive.

Cause

There is a character limit of the sum total of characters of each group the user belongs to.  Users that belong to dynamic groups are more susceptible to this issue. 

To identify the groups that the affected user belongs to run the following PowerShell command on the Domain Controller identified in the dtrace (i.e., DC):

Get-ADPrincipalGroupMembership -Identity user6 | fl name

Solution

Workaround is to reduce the amount of groups the user belongs to. 

Veritas has acknowledged that the above-mentioned issue is present in the version(s) of the product(s) referenced in this article.

This issue is currently under investigation by Veritas. Pending the outcome of the investigation, this issue may be resolved by way of a cumulative hotfix or service pack in the current or future versions of the software. However, this particular issue is not currently scheduled for any release.  If you feel this issue has a direct business impact for you and your continued use of the product, please contact your Veritas Sales representative or the Veritas Sales group to discuss these concerns.  For information on how to contact Veritas Sales, please see http://www.Veritas.com .

Please be sure to refer back to this document periodically as any changes to the status of the issue will be reflected here.

References

JIRA : CFT-2296

Was this content helpful?