OS Security settings that affect CLM

This is a collection of non-CLM specific permissions and user rights which affect the operation of CLM 2007 and FIM2010 (CM part).

These are commonly seen in scenarios where security hardening has been performed on the DC's or the member servers or if specific users have been placed in 'protected' OU's where access to them has been restricted.

User Rights

    • Backup Files and Folders (SeBackupPrivilege)
      CLMWebPool and CLMAuthAgent need to be able to write to the CLM event log.

CLM Event log:

Event Type: Error

Event Source: System.Web

Event Category: None

Event ID: 0

  Inner Exception:Message: A required privilege is not held by the client. (Exception from HRESULT: 0x80070522)

  Type System.Runtime.InteropServices.COMException

Reason: A CLM thread or process is failing to read from or write to the custom CLM event log. Temporarily adding the CLM account to the Backup Operators group on the server is a quick way of testing if this is the case (restart the CLM server afterwards). If this resolves the problem then you may need to take a closer look at the ACL's on the CLM event log service (permanently granting the SEBackupPrivilege to the CLM service accounts is a bit of an overkill permissions-wise).



    • The CLMWebPool and CLMAuthAgent accounts need to be able to query for users that they are processing. By default the Authenticated Users group has this permission.
      Symptoms of removing this:
      Searching for users to manage within the CLM web pages fails with a 'User not found' or similar error message.

      Reason: The CLM agent and CLM Web Pool Accounts need to be have at least read permissions on all users that they are intended to manage. In some instances, the user doing the request is the user that needs to have the permission. This is most frequently seen where 'Protected' or 'Hidden' OU's or groups have been created and the default ACL's have been removed from them. This can occur if either user or a group the user is a member of is a part of that restricted OU.

Security settings

    • Domain controller: LDAP server signing requirements (LDAPServerIntegrity)
      If this is set to '2' (Require Signing) the Domain Controller *must* have a valid Domain Controller Authentication certificate.
      Symptoms: When browsing the CLM webpages, any operation that causes LDAP queries to be sent to the DC's (such as the UserSearch.aspx page) returns 'An operations error occurred'.

Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignmentshttp://support.microsoft.com/kb/823659

How to set event log security locally or by using Group Policy in Windows Server 2003