Java Console pop-up message "Status Code: 8021 - Unable to validate the user or group"

Article: 100047635
Last Published: 2021-01-14
Ratings: 1 1
Product(s): NetBackup & Alta Data Protection

Problem

At NetBackup 8.2, after successfully logging into the NetBackup Java Administration Console, a pop-up error is observed showing the message:

Status 8021
Unable to validate the user or group.
 

After clicking Close on the pop-up window, most functionality in the Administration Console is successfully.

Upon clicking into Certificate Management or Host Management, the pop-up may be observed again.

Error Message

Status 8021
Unable to validate the user or group.

Cause

In order to manipulate some content within the Host Management or Certificate Management portions of the Java Console, the authenticated user must be a confirmed administrator on the Master Server Operating System.

NOTE: Only enabling Enhanced Auditing can overcome this constraint.

This situation has been known to occur in the following scenarios:

Scenario 1
1. The Master Server OS is Unix/Linux
2. The Master Server OS has been configured with SSSD, LDAP, or another mechanism which allows authentication of Active Directory users onto the Unix OS.
3. The credential supplied at the Java Console Login screen is in the format of 'domain\username'

Scenario 2
1. The Master Server OS is Windows
2. The service named "NetBackup Authentication" starts with the LocalSystem default user
3. OS hardening has occurred which removes "Authenticated Users" from the Builtin Domain Group called "Pre-Windows 2000 Compatible Access"

Solution

1.  For the first scenario, it may be possible to work around the issue by adjusting the format of the user credential supplied at the Java Console Login Screen, from 'domain\user' to 'user@domain', in addition to adding a new row within /usr/openv/java/auth.conf specifying the user in the same format.

Example for a user named 'user1' in a domain called 'vlab':
cat /usr/openv/java/auth.conf
root ADMIN=ALL JBP=ALL
user1@vlab ADMIN=ALL JBP=ALL
* ADMIN=JBP JBP=ENDUSER+BU+ARC

For the first scenario, in the case of a smart-card reader or other mechanism which prevents the user from knowing the password or adjusting the credential format, it may be possible to obtain an Emergency Engineering Binary (EEB) from ET 3986887 by contacting Veritas Support and referencing this article.

 

2.  For the second scenario, there are two possible workarounds
     a. Ask the Domain Administrator to re-add 'Authenticated Users' or Computer Object (Windows Master) back to the group named 'Pre-Windows 2000 Compatible Access'
     b. Reconfigure the service named  'NetBackup Authentication' to start with an account which is a member of the 'Domain Administrators' group

 

Was this content helpful?