Windows user account was deleted and re-created.
Windows user account SID was explicitly changed, such as when using Windows workstation imaging and setup utilities to create unique SIDs post-install.
Workstation is a NT 2000 Server that recently had Active Directory removed from it.
Internal error 0xFFFFFA27 reported when logging into NDS with NMAS enabled
Error: -1497 reported when attempting to unlock workstation using NDS credentials.
Internal error 0xFFFFFA78 reported when logging into NDS with NMAS enabled
Error: "Workstation Locked. An unexpected error occurred while attempting to unlock the workstation. Try unlocking the workstation again, or select a different credential type for unlock. Error -1497 (0xFFFFFA27)"
Error: -1497 reported when logging into NDS from the user's desktop (e.g. from red 'N' in system tray, or by running LOGINW32.EXE).
Error: "NetWare Security Message. Internal error 0xFFFFFA27 occurred. Try again. If the error occurs again, restart your workstation and try again. If the error persists, contact your network administrator."
Error: -1497: CCS_E_AUTHENTICATION_FAILURE (0xFFFFFA27)
Error only occurs if NMAS is also installed and enabled on the workstation.
Error does not occur during initial login after reboot of workstation, or when logging completely out of Windows and then logging in again.
The CCS_E_AUTHENTICATION_FAILURE (-1497, 0xFFFFFA27) error can be returned from NICI under a variety of circumstances, such as when required NICI system files cannot be located or have been corrupted. One of the more common scenarios in which CCS_E_AUTHENTICATION_FAILURE is returned, however, is when the security on the NICI user directory (located under "%SystemRoot%\System32\Novell\NICI") no longer permits the Windows user account to access the user directory.
NTFS security permissions on this directory grant permissions based on the SID of the Windows user account, and if the SID of an existing Windows user account changes (i.e. same Windows user account name, but now with a different SID), the permissions established for the NICI user subdirectory will no longer permit the Windows account to access the directory. This causes NICI initialization to fail in a manner which reports the CCS_E_AUTHENTICATION_FAILURE status code.
There are two approaches to resolving this problem:
1. Employ the Enable User Profile Directory policy
If the fact that the Windows user account's SID changed is a by-design and frequent occurrence (for example, if a ZENworks Dynamic Local User (DLU) policy is set to maintain volatile user accounts which will be deleted & recreated at next login), then the NICI configuration of "EnableUserProfileDirectory" would eliminate the need to constantly fix the NICI user directory permissions. This is done by creating a reg key as follows:
On 64-bit systems:
In HKEY_LOCAL_MACHINE\Software\Novell\nici_x64 create a new value EnableUserProfileDirectory of type DWORD and assign a value of 1.
This command line will create the new value:
reg add HKLM\SOFTWARE\Novell\NICI_x64 /v EnableUserProfileDirectory /t REG_DWORD /d 1 /f
On 32-bit systems:
In HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI create a new value EnableUserProfileDirectory of type DWORD and assign a value of 1.
This command line will create the new value:
reg add HKLM\SOFTWARE\Novell\NICI /v EnableUserProfileDirectory /t REG_DWORD /d 1 /f
2. Reset the NICI user's directory security permissions
If the SID has changed due to a one-time event, logging in as a Windows "Administrators" group account and resetting the NTFS security permissions on just the NICI user directory in question (e.g. "C:\Windows\System32\Novell\NICI\username") can potentially be sufficient for resolving this issue. The specific steps to accomplish this vary by Windows platform, but effectively you must start with setting the ownership of the directory & files, rather than the permissions, since NICI secures the directory very tightly and asserting ownership over the directory will be required before Windows will allow resetting the permissions on the directory.
1. Login as an Administrators group member on the Windows machine.
2. Browse to the actual NICI user subdirectory, e.g. "C:\Windows\System32\Novell\NICI\username". You will not be able to access this directory at this time.
3. Right-click on the "username" directory and bring up the properties of the directory.
4. Switch to the "Security" tab, at which point you may be prompted that you do not have permission to change the permissions on the directory.
5. Go to the "Owner" tab (possibly under the "Advanced" button, depending on the Windows platform) and select "Administrators" to be the new owner of the directory. You must select to replace the owner on all subdirectories and objects (files), too. When saving this change, you will be prompted whether to replace permissions on the sub-objects with permissions granting you full control, to which you should respond affirmatively. After saving these changes, re-view the "Security" tab on the "username" directory again, at which point you should be able to see & remove the old SID/user account assigned there. Use the "Advanced" view (if available) and add the new/current Windows user account to have full permission to the directory. When saving this change, select "replace permission entries on all child objects" in order to update the security on individual files and sub-folders under the actual "username" directory.
At this point, if NTFS permissions on the NICI user subdirectory were the issue causing the CCS_E_AUTHENTICATION_FAILURE error, the new/updated Windows account SID should be the one with permission to the existing NICI user directory.
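The same reset can be done from an elevated PowerShell prompt with the built-in takeown.exe and icacls.exe tools. The script below is an added example, not Novell's code; its parameter names are this example's own, and it assumes the NICI user directory is named after the Windows account, as in the "username" path above.

```powershell
# Added example (not Novell's code). Save as a .ps1 file and run it elevated.
param(
    [Parameter(Mandatory)][string]$UserName,   # Windows account whose SID changed
    [string]$NiciRoot = (Join-Path $env:SystemRoot 'System32\Novell\NICI')
)
$ErrorActionPreference = 'Stop'
$userDir  = Join-Path $NiciRoot $UserName
$sidType  = [System.Security.Principal.SecurityIdentifier]
$nameType = [System.Security.Principal.NTAccount]

# Resolve the SID the account has now; this is the SID that needs access.
$currentSid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate($sidType).Value

# Ownership first: NICI's ACL shuts Administrators out, so the permissions cannot
# be edited until Administrators (/A) own the directory and everything in it (/R).
takeown.exe /F $userDir /A /R /D Y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed on $userDir (exit code $LASTEXITCODE)" }

# Grant Administrators (well-known SID S-1-5-32-544) full control on all children
# so the existing ACL can be read and edited.
icacls.exe $userDir /grant '*S-1-5-32-544:(OI)(CI)F' /T /C | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls could not grant Administrators access (exit code $LASTEXITCODE)" }

# Explicit ACL entries whose SID no longer maps to an account are the leftovers
# of the old account. Run this while a domain controller is reachable; otherwise
# valid domain SIDs also fail to resolve and would be treated as stale.
$stale = (Get-Acl -LiteralPath $userDir).GetAccessRules($true, $false, $sidType) |
    Where-Object {
        try   { $null = $_.IdentityReference.Translate($nameType); $false }
        catch { $true }
    } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique

foreach ($sid in $stale) {
    Write-Output "Removing stale SID $sid from $userDir"
    icacls.exe $userDir /remove "*$sid" /T /C | Out-Null
}

# Give the account's current SID full control, inherited by files (OI) and
# sub-folders (CI), and apply it to the existing children (/T).
icacls.exe $userDir /grant "*${currentSid}:(OI)(CI)F" /T /C | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls could not grant $UserName access (exit code $LASTEXITCODE)" }
Write-Output "Granted $UserName ($currentSid) full control of $userDir"
```

The Administrators entry added here remains on the directory afterwards, as it does in the GUI procedure.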
If issues persist, NICI can be completely uninstalled and then re-installed. However, permissions must still be reset on the existing NICI user directories & those existing directories removed, or else after NICI is re-installed the same problem will persist because of the invalid security permission still assigned to the NICI user directory.
TAKE CARE IN DECIDING TO REMOVE ALL NICI USER DIRECTORIES, AND BACKUP THE EXISTING INFORMATION.
While the manner in which NMAS and the Novell Client use NICI for NDS login will automatically re-create whatever NICI information is needed, if NICI is being used by other NICI-aware applications besides NMAS and the Novell Client, there could be additional steps required to restore and/or re-create the NICI information for these additional applications. Deleting the existing NICI user directories on a Windows Server machine running a Novell eDirectory server is NOT advised, and should only be done at the specific direction of Novell Technical Support or technical support documentation specific to the case of Novell eDirectory servers running on Windows.
The suggested steps for removing and re-installing NICI completely are:
1. Uninstall NICI from the Windows "Add/Remove Programs" control panel applet.
2. Reboot into Safe Mode and make "Administrators" the owner with full rights to the "C:\WINNT\system32\Novell\nici" directory and all child directories and files.
3. After ownership has been asserted, set permissions on the entire directory structure to give yourself full control such that you will be able to delete the entire NICI directory structure.
4. Boot back into Windows normally (non-Safe Mode) and re-install NICI so that the user directories will be re-created after users login again.
Logging into eDirectory with NMAS enabled requires the use of NICI on the local workstation. When the SID changes for a Windows user account which already has an established NICI user directory on the local workstation, the security applied to the NICI user directory no longer permits the new Windows user account SID to access the directory, resulting in a CCS_E_AUTHENTICATION_FAILURE (-1497, 0xFFFFFA27) error when attempting to use NICI while logged in as the new Windows user account/SID. In other words, NICI creates accounts and associated local file system directories, then changes the permissions on these directories so that only the account user, identified by the associated SID, has access to them. Not even the Administrator can access them. If the SID of a local user changes, that user loses all rights to the directories, and this condition results in the -1497 error.
Formerly known as TID# 10094494
Formerly known as TID# NOVL98737
10Sep2015, Earle Wells, Added location for EnableProfileUserDirectory for 64-bit Windows machines.
10Jun2015, Earle Wells, Reformat, add numbered lists, etc.