Avamar: Data Domain Token Authentication Fails with Insufficient Access Rights Error

Summary: Avamar 7.3 to Data Domain 5.7+ fails error 5075 "user has insufficient access rights." This happens if client Fully Qualified Domain Name (FQDN) forward or reverse Domain Name System (DNS) lookups differ, or Network Address Translation (NAT) changes IP. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

Backup failures when using Data Domain Boost token‑based authentication

Observed behavior

  • Avamar client attempts to connect to the Data Domain system using a token.
  • Connection appears to be established, but the backup terminates almost immediately.
  • The client log contains a warning with result code 5075 and the message "the user has insufficient access rights."
  • The backup reports a missing /ddr_files.xml file and is marked as incomplete.
  • The issue may affect only a subset of clients; if every client fails, the problem could be different.

Example log excerpts from a failing client:

avtar Info <41236>: - Connecting to Data Domain Server name "test-dd-lab3.emc.com" with token:cc343af1edf716d3de8af0ede44cc9ab2285ebce
avtar Info <19156>: - Establishing a connection via token to the Data Domain system with encryption (Connection mode: A:3 E:2)

2018-02-05 08:55:44 avtar Warning <18125>: Calling DDR_OPEN_VIA_TOKEN returned result code:5075 message:the user has insufficient access rights
2018-02-05 08:55:44 avtar Error <10542>: Data Domain server "test-dd-lab3.emc.com" open failed DDR result code: 5075, desc: the user has insufficient access rights
2018-02-05 08:55:44 avtar Error <10509>: Problem logging into the DDR server:'', only GSAN communication was enabled.
2018-02-05 08:55:44 avtar FATAL <17964>: Backup is incomplete because file "/ddr_files.xml" is missing

Cause

Token‑Based Authentication Failure Due to DNS or Network Address Translation Issues

Key Conditions Triggering the Error

  • Data Domain OS version 5.7.1.x or later is required for token authentication.
  • The backup client must use a resolvable Fully Qualified Domain Name (FQDN).
  • Forward (hostname → IP) and reverse (IP → hostname) DNS lookups for the client must return identical results on the client, the Avamar server, and the Data Domain system.
  • If any lookup differs or fails, the client falls back to traditional authentication; token‑based authentication then fails with error code 5075 ("the user has insufficient access rights").
  • Clients located behind a NAT device that rewrites the source IP address break the DNS consistency, causing the same insufficient‑access error.

Relevant Error Indicator

2018-02-05 08:55:44 avtar Warning <18125>: Calling DDR_OPEN_VIA_TOKEN returned result code:5075 message:the user has insufficient access rights

Resolution

Fixing "the user has insufficient access rights" error for token‑based authentication.

Step‑by‑step resolution

Follow these steps to ensure that token‑based authentication works between Avamar and Data Domain.

  • Confirm that the backup client, Avamar server, and Data Domain system can resolve the client’s Fully Qualified Domain Name (FQDN) and that forward and reverse lookups return identical results.
  • If any lookup differs, correct the DNS entries or add appropriate /etc/hosts records on the affected hosts.
  • Verify that the client is not behind a NAT device that rewrites its source IP address.
  • After DNS is fixed, re run a backup to confirm that token authentication succeeds.
  • If the problem persists, open a Service Request with Dell Support and reference this KB.

Nslookup from the client machine: 
 

@linux-testvm1 ~]$ nslookup linux-testvm1
...
Non-authoritative answer:
Name:   linux-testvm1.emc.com
Address: 10.46.18.11

@linux-testvm1 ~]$ nslookup linux-testvm1.emc.com
...
Non-authoritative answer:
Name:   linux-testvm1.emc.com
Address: 10.46.18.11

@linux-testvm1 ~]$ nslookup 10.46.18.11
...
Non-authoritative answer:
151.18.167.136.in-addr.arpa     name = linux-testvm1.emc.com.


Nslookup from the Avamar server: 
 

admin@test-av1:~#: nslookup linux-testvm1
...
Non-authoritative answer:
Name:   linux-testvm1.emc.com
Address: 10.46.18.11

admin@test-av1:~#: nslookup linux-testvm1.emc.com
...
Non-authoritative answer:
Name:   linux-testvm1.emc.com
Address: 10.46.18.11

admin@test-av1:~#: nslookup 10.46.18.11
...
Non-authoritative answer:
151.18.167.136.in-addr.arpa     name = linux-testvm1.emc.com.


Nslookup from the Data Domain system: 
 

SE@test-dd-lab3## net lookup linux-testvm1
linux-testvm1.emc.com has address 10.46.18.11

SE@test-dd-lab3## net lookup linux-testvm1.emc.com
linux-testvm1.emc.com has address 10.46.18.11

SE@test-dd-lab3## net lookup 10.46.18.11
151.18.167.136.in-addr.arpa domain name pointer linux-testvm1.emc.com.

Affected Products

Avamar Client

Products

Avamar, Avamar Client, Avamar Server, Data Domain, Data Domain Boost, PowerProtect Data Protection Software, Integrated Data Protection Appliance Software
Article Properties
Article Number: 000031800
Article Type: Solution
Last Modified: 31 Oct 2025
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.