OpsMgr 2007: Error running report: "Message: Loading reporting hierarchy failed." "Access is denied"


Hi Everyone, my name is Prakash and I recently worked an interesting case that I wanted to share with you here.  The issue was that whenever you tried to run a report in System Center Operations Manager 2007 you would receive this error:

Error message when you try to run a report in System Center Operations Manager 2007: "Message: Loading reporting hierarchy failed." "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"

This turned out to be caused by how the particular domain environment was constructed and I thought it might be helpful to blog this just in case you run into something similar:

========

Consider the scenario where we have a Resource domain that is part of forest 'A', and all of the SCOM components and the SCOM service accounts belong to it. We also have another domain (the Account domain) that is part of forest 'B', which holds the SCOM report operator accounts. There is only a one-way trust between the two: the Resource domain trusts the Account domain, but not the other way around.

In this scenario, if we try to run a report as a user who belongs to the Account domain, Reporting fails with the following error.

Date: DD/MM/YYYY hh:mm:ss
Application: System Center Operations Manager 2007
Application Version: 6.0.6278.0
Severity: Error
Message: Loading reporting hierarchy failed.
System.Web.Services.Protocols.SoapException: An internal error occurred on the report server. See the error log for more details. ---> An internal error occurred on the report server. See the error log for more details. ---> Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
  at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.ReportingService.ReportingService2005.ListChildren(String Item, Boolean Recursive)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.ManagementGroupReportFolder.GetSubfolders(Boolean includeHidden)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.WunderBar.ReportingPage.LoadReportingSubtree(TreeNode node, ManagementGroupReportFolder folder)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.WunderBar.ReportingPage.LoadReportingTree(ManagementGroupReportFolder folder)
   at Microsoft.EnterpriseManagement.Mom.Internal.UI.Reporting.WunderBar.ReportingPage.LoadReportingTreeJob(Object sender, ConsoleJobEventArgs args)

At the same time, the following event is logged in the Operations Manager event log on the RMS:

Event ID: 26319
Source: OpsMgr SDK Service
Description: An exception was thrown while processing GetUserRolesForOperationAndUser for session id uuid:38834c07-855b-47b9-9425-2297b283cd90;id=166.
Exception Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Full Exception: System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at Microsoft.Interop.Security.AzRoles.IAzApplication2.InitializeClientContextFromStringSid(String SidString, Int32 lOptions, Object varReserved)
   at Microsoft.EnterpriseManagement.Mom.Sdk.Authorization.AzManHelper.GetScopedRoleAssignmentsForUser(IList`1 roleNames, String userName)
   at Microsoft.EnterpriseManagement.Mom.Sdk.Authorization.AuthManager.GetUserRolesForOperationAndUser(Guid operationId, String userName)
   at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccess.GetUserRolesForOperationAndUser(Guid operationId, String userName)
   at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccessTieringWrapper.GetUserRolesForOperationAndUser(Guid operationId, String userName)
   at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccessExceptionTracingWrapper.GetUserRolesForOperationAndUser(Guid operationId, String userName)
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp

This problem arises only for Reporting because in the reporting path the SDK service initializes the AzMan client context from the user's SID string (InitializeClientContextFromStringSid, visible in the stack above). Building a context from a SID means the SDK service account itself, not the end user, has to look up that user's group membership in the user's own domain.

This is a documented AzMan restriction; see the remarks for InitializeClientContextFromStringSid at the MSDN link below:

http://msdn.microsoft.com/en-us/library/aa377364(VS.85).aspx

So what is the resolution? At the core this behavior is by design in System Center Operations Manager Reporting, but the workaround below gets Reporting working, subject to the restriction that follows it:

Workaround:

In our scenario, InitializeClientContextFromStringSid was called in the security context of the SDK service account, which belongs to the Resource domain, and the SID passed in belonged to a user from the trusted Account domain. With only a one-way trust (the Resource domain trusts the Account domain), an account from the Resource domain cannot authenticate to the Account domain's domain controllers to read that user's group membership, so the call fails with Access Denied.

As a workaround, change the SDK and Config service accounts to a domain user from the Account domain instead of the Resource domain. Also add that service account to the Windows Authorization Access Group in both domains (membership in this group is what allows the service account to read a user's group membership when AzMan builds the client context), and then restart the SDK and Config services.

Restriction:

If you have an architecture with one main domain (domain1) that has one-way trusts with several other domains (say domain2, domain3 and domain4, each trusted by domain1), the service account can live in domain1 or in ONE of the trusted domains, and Reporting will then only work for SIDs of users from the main domain (domain1) and from that single trusted domain. SIDs of users from the remaining trusted domains (domain3 and domain4 in this example) still fail with Access Denied, because nothing in those domains trusts the domain the service account belongs to.

Note : To change the credentials for the OpsMgr SDK Service and for the OpsMgr Config Service in Microsoft System Center Operations Manager 2007 please follow the steps mentioned in KB936220 – http://support.microsoft.com/?kbid=936220.
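The following PowerShell script is an added diagnostic for the workaround and restriction above; it is not part of the original post or of Operations Manager. Run on the RMS in a session started as the SDK service account, it exercises the two things InitializeClientContextFromStringSid needs for a report user's SID: resolving the SID through the trust, and reading the user's tokenGroups from the user's own domain. It also lists the trust directions of the server's domain and checks whether the current account is a direct member of the Windows Authorization Access Group (well-known SID S-1-5-32-560) in each domain you name. The SID and domain names in the parameter block are placeholders to be replaced; it uses only .NET and ADSI, so it needs no AD module.

```powershell
# Added diagnostic (not from the original post). Run as the OpsMgr SDK
# service account on the RMS. All parameter defaults are placeholders.
param(
    [string]$UserSid    = "S-1-5-21-1111111111-2222222222-3333333333-1105", # report operator's SID (assumed)
    [string]$UserDomain = "account.example",                                 # DNS name of the user's domain (assumed)
    [string[]]$Domains  = @("resource.example", "account.example")           # domains whose WAAG to check (assumed)
)

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host ("Running as: " + $me.Name)

# 1. Trust relationships of the domain this server belongs to.
#    Outbound = this domain trusts the target. With no Inbound leg, an
#    account from this domain cannot authenticate to the target's DCs,
#    which is the one-way case described in the post.
$cur = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Write-Host ("Current domain: " + $cur.Name)
foreach ($t in $cur.GetAllTrustRelationships()) {
    Write-Host ("  trust with {0}: {1} ({2})" -f $t.TargetName, $t.TrustDirection, $t.TrustType)
}

# 2. Resolve the SID to an account name (LookupAccountSid through the trust).
$sid = New-Object System.Security.Principal.SecurityIdentifier($UserSid)
try {
    $acct = $sid.Translate([System.Security.Principal.NTAccount])
    Write-Host ("SID resolves to: " + $acct.Value)
} catch {
    Write-Host ("Cannot resolve SID: " + $_.Exception.Message)
}

# 3. Bind to the user's object in the user's own domain and read tokenGroups.
#    This requires authenticating to that domain's DC and holding the read
#    permission that WAAG membership grants; in the one-way-trust scenario
#    this is the step that fails with 0x80070005.
try {
    $user = [ADSI]("LDAP://" + $UserDomain + "/<SID=" + $UserSid + ">")
    $user.psbase.RefreshCache([string[]]@("tokenGroups"))
    $groups = @()
    foreach ($raw in $user.psbase.Properties["tokenGroups"]) {
        $gsid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        $groups += $gsid.Value
    }
    Write-Host ("tokenGroups read OK: {0} group SIDs returned" -f $groups.Count)
} catch {
    Write-Host ("Cannot read tokenGroups for the SID: " + $_.Exception.Message)
}

# 4. Is the current account (the service account) a direct member of the
#    Windows Authorization Access Group in each domain? Nested membership
#    is not followed here; compare distinguished names of direct members.
$myDn = $null
try {
    $meEntry = [ADSI]("LDAP://<SID=" + $me.User.Value + ">")
    $myDn = [string]$meEntry.psbase.Properties["distinguishedName"].Value
    Write-Host ("Own account DN: " + $myDn)
} catch {
    Write-Host ("Cannot locate own account object: " + $_.Exception.Message)
}

foreach ($d in $Domains) {
    try {
        $waag = [ADSI]("LDAP://" + $d + "/<SID=S-1-5-32-560>")
        $members = @($waag.psbase.Properties["member"])
        $isMember = $false
        if ($myDn) { $isMember = ($members -contains $myDn) }
        Write-Host ("WAAG in {0}: {1} direct members; current account listed: {2}" -f $d, $members.Count, $isMember)
    } catch {
        Write-Host ("Cannot read WAAG in {0}: {1}" -f $d, $_.Exception.Message)
    }
}
```

Read the output top to bottom: if step 1 shows only an Outbound trust to the user's domain and step 3 fails while step 2 succeeds, you are in exactly the situation the workaround addresses (the service account's domain is not trusted by the user's domain). After moving the service account to the Account domain and adding it to WAAG in both domains, step 3 should succeed and step 4 should report the account as listed in each domain.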

Thanks & Regards,

Prakashan A K | Support Escalation Engineer


Comments (8)

  3. Anonymous says:

    Wanted to let you know that I've also seen this problem and investigated a caveat on this. It appears there's a bug in the Reporting functionality of the Operations Console which can lock the SDK and Config Service Account.

    Michiel Wouters

  4. LenH says:

    Awesome blog entry.  I am on a project and we are having this exact issue.  Thank you for posting.  Keep these types of blog entries coming –especially when you solve those unique problems!  It helps us all!

  5. Ravi says:

    I am getting the same error. But my setup is a little different. All my SCOM servers and reports are in one domain of forest A, and there is a forest-level one-way trust with forest B.

    Now I wanted to give SCOM report access to users from forest B, but I am getting the Access Denied error.

    I don't want to change the SCOM service account. Please let me know of any other workaround than changing the service account.

    Thanks

  7. anonymouscommenter says:

    Hello all,
    I`m sure a lot of enterprise customers have hit this, where basically you are unable to
