[Quick Post] Citrix PVS 2402 LTSR Update and the “ALTER ANY LOGIN” privilege issue

Provisioning Server, Citrix

During the Citrix PVS Update from Version 2203 CU2 LTSR to the latest one 2402 LTSR I’m running into an issue with the Config Wizard and the DB permissions with the Option “Farm is already configured”

The following Video shows the issue, but after it I can go further with the wizard and the configuration runs successfully.

After some research with the Product Managers in the CTP Forum, we found some missing database permissions.

So, that error dialog is actually saying the the user being used to administer the database (in this case, you chose integrated auth so it is the user you are running the CW as) does not have sufficient privileges to be able to configure the PVS database in the SQL Server. It’s NOT related to the PVS RBAC at all, but the higher set of privs required for a user to be able to manage the database itself.

[08:25:06.017][0001] EntryExit:TestAdminAuthentication: begin, createFarmDb %d [CommandProcessorConfigWizard.cs(1059): TestAdminAuthentication] [08:25:06.018][0001] DEBUG:Access Test: ConnectionString = <Data Source=SQL-TEST-PVS,1433\SQL-TEST-PVS;Initial Catalog=PVS01T;Integrated Security=True;Enlist=False;Pooling=False;Current Language=us_english> [CommandProcessorConfigWizard.cs(1079): TestAdminAuthentication] [08:25:06.033][0001] DEBUG:Access Test: database login successful [CommandProcessorConfigWizard.cs(1082): TestAdminAuthentication] [08:25:06.034][0001] EntryExit:DetermineServerEngineEdition-enter [CommandProcessorConfigWizard.cs(3022): DetermineServerEngineEdition] [08:25:06.037][0001] DEBUG:SQL Server Engine Edition = 3 [CommandProcessorConfigWizard.cs(3034): DetermineServerEngineEdition] [08:25:06.038][0001] EntryExit:DetermineServerEngineEdition-leave [CommandProcessorConfigWizard.cs(3042): DetermineServerEngineEdition] [08:25:06.040][0001] DEBUG:Access Test: found 2 server permissions [CommandProcessorConfigWizard.cs(1110): TestAdminAuthentication] [08:25:06.041][0001] DEBUG:Access Test: these server permissions were not found: ALTER ANY LOGIN [CommandProcessorConfigWizard.cs(1153): TestAdminAuthentication] [08:25:06.044][0001] DEBUG:Access Test: found 81 database permissions [CommandProcessorConfigWizard.cs(1181): TestAdminAuthentication] [08:25:06.045][0001] EntryExit:TestAdminAuthentication: end, FAIL [CommandProcessorConfigWizard.cs(1241): TestAdminAut

So your user is apparently missing the “ALTER ANY LOGIN” privilege which is required to ensure the DB permissions are setup to permit the user that the PVS services run as will have a login.

Why do we need this when you say farm is configured? Because you can change the user that runs the services in the CW in that case and that would require changes to the DB logins.

After running the following command at the SQL-Server DB, the PVS Configuration Wizard runs without issues.

Please use it for your own group or users

GRANT ALTER ANY LOGIN TO "<domain>\PVS-Administrators"

https://docs.citrix.com/en-us/provisioning/2402-ltsr/install/pre-install#configuration-wizard-user-permissions — that says you need SECURITYADMIN – that happens to encompass ALTER_ANY_LOGIN but you need all of the privs covered by SECURITYADMIN.

alway happy PVS Streaming

EUCweb.com | EUCblog.com | Founder Base Image Script Framework (BIS-F) | IT-Architect EUC | Automation Enthusiast

Leave A Comment

CAPTCHA ImageChange Image