Applies to:
- Acronis SCS Cyber Backup 12.5 Hardened Edition
Use Case
By default, a new user account is created during installation called "Acronis Agent User". After installation changing the Acronis Agent User password causes access issues that result in the failure of the agent to communicate with the Management Console.
Symptoms
Agents goes offline after changing the password of the “acronis agent user” account that MMS runs under by default.
MMs.0 and zmq_client_sessions.0 under C://ProgramData/Acronis/BackupandRecovery/MMS log shows:
2022-11-04T00:01:17:667-07:00 100 E00000000: [ConfigMonitoringComponent][ZmqClient] Error 0x276000a: Cannot get access to protected storage.
| line: 0x9bf77d935f2c69d8
| file: e:\186\enterprise\service\impl\credential_store_factory.cpp:133
| function: Core::CredentialStore::`anonymous-namespace'::SecurePersistentCredentialStore::LoadBlob
| $module: mms_rest_api_vsa64_16866
|
| error 0x273000d: Could not access credentials from line with tag: '0x9bf77d935f2c69d8', executable: 'mms.exe', module: 'mms_rest_api.dll'.
| line: 0xe839411589f18c06
| file: e:\185\enterprise\managers\access\impl\profile_vault_component.cpp:1741
| function: AccessManagement::ProfileVaultComponent::LookupLocalGenericAccount
| $module: access_manager_vsa64_16866
|
| error 0x26a0001
| line: 0xa8327e5e8937b8d4
| file: e:\186\enterprise\common\security\core\impl\scrambler_meta.cpp:386
| function: Scrambler::LoadSessionData
| $module: security_core_vsa64_16866
Steps to reproduce
-
Change the password for the “acronis agent user” account
-
Reboot the agent machine
-
Check if MMS is running (should be stopped)
-
Change MMS service password to new password and start service
-
Check if the machine is online in AMS, check MMS.0 log for error
Root Cause
Changing any user account password in windows without signing in as the user and doing so from the GUI results in the password reset being recognized as a hard reset. This reset forces the rotation of encrypted keys within the account during a reboot or logout thus no longer matching up.
Solution
In order to resolve a full uninstall will have to perform, making sure to check the box to
Workaround
As of update 4.7, it is possible to utilize the localsystem account if you install using the MSI by utilizing the flag "MMS_USE_SYSTEM_ACCOUNT=1" during installation.
Comments
0 comments
Please sign in to leave a comment.