WPNinjas HeaderWPNinjas Header

Access Denied on Clients from Untrusted Domains/Workgroups

Applications and Windows Updates are not downloaded on clients which are in a workgroup or not in the same domain like the SCCM primary site server. The Network Access Account is specified in the site settings and is used for downloading Packages during OSD. When the OSD task sequence starts an “install application” step it fails. In the ContentTransferManager.log I found, that the Download failed because of an access denied:

<![LOG[Starting CTM job {41390251-33FE-406E-A4D4-47D80F3F36B3}.]LOG]!><time="08:26:09.663-120" date="07-03-2012" component="ContentTransferManager" context="" type="1" thread="4916" file="ctmjob.cpp:2980">
<![LOG[Created CTM job {41390251-33FE-406E-A4D4-47D80F3F36B3} for user S-1-5-18]LOG]!><time="08:26:09.667-120" date="07-03-2012" component="ContentTransferManager" context="" type="1" thread="4916" file="ctmanager.cpp:487">
<![LOG[Created and Sent Location Request '{96CD2545-35FB-4DDD-A84A-E01C4FDB1BEE}' for package dd43f1d8-f8e9-4a2d-a3b4-4dd1c80a1610]LOG]!><time="08:26:09.721-120" date="07-03-2012" component="ContentTransferManager" context="" type="1" thread="2980" file="ccmpkglocation.cpp:83">
<![LOG[CTM job {41390251-33FE-406E-A4D4-47D80F3F36B3} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA]LOG]!><time="08:26:09.721-120" date="07-03-2012" component="ContentTransferManager" context="" type="1" thread="2980" file="ctmjob.cpp:1432">
<![LOG[Queued location request '{96CD2545-35FB-4DDD-A84A-E01C4FDB1BEE}' for CTM job '{41390251-33FE-406E-A4D4-47D80F3F36B3}'.]LOG]!><time="08:26:09.722-120" date="07-03-2012" component="ContentTransferManager" context="" type="1" thread="2980" file="ctmjob.cpp:151">
<![LOG[Persisted locations for CTM job {41390251-33FE-406E-A4D4-47D80F3F36B3}:
(LOCAL) http://SPCH1784.zrh.local/SMS_DP_SMSPKG$/dd43f1d8-f8e9-4a2d-a3b4-4dd1c80a1610]LOG]!><time="08:26:09.805-120" date="07-03-2012" component="ContentTransferManager" context="" type="1" thread="4916" file="ctmjob.cpp:1894">
<![LOG[CTM job {41390251-33FE-406E-A4D4-47D80F3F36B3} (corresponding DTS job {BF198017-32A1-4071-97FA-3BCFDC302DFA}) started download from 'http://SPCH1784.zrh.local/SMS_DP_SMSPKG$/dd43f1d8-f8e9-4a2d-a3b4-4dd1c80a1610' for full content download.]LOG]!><time="08:26:09.810-120" date="07-03-2012" component="ContentTransferManager" context="" type="1" thread="4916" file="ctmjob.cpp:413">
<![LOG[CTM job {41390251-33FE-406E-A4D4-47D80F3F36B3} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA]LOG]!><time="08:26:09.845-120" date="07-03-2012" component="ContentTransferManager" context="" type="1" thread="3040" file="ctmjob.cpp:1432">
<![LOG[CTM job {41390251-33FE-406E-A4D4-47D80F3F36B3} encountered error 0x80070005 during download ('Error processing manifest.')- The error maps to denied access.]LOG]!><time="08:26:10.034-120" date="07-03-2012" component="ContentTransferManager" context="" type="3" thread="2980" file="ctmjob.cpp:2489">
In the DataTransferService.log I found, that he is impersonating as Network Access Account:
<![LOG[Job {7F6583EF-07F8-414B-9597-5B314CCC1620} impersonating Network Access Account.]LOG]!><time="08:20:26.752-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="5108" file="netaccessaccount.cpp:429">
<![LOG[[CCMHTTP] ERROR: URL=http://SPCH1784.zrh.local:80/SMS_DP_SMSPKG$/4f058605-3b88-4208-8d77-3847173a77b3, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!><time="08:20:26.757-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="5108" file="ccmhttperror.cpp:291">
<![LOG[Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:D0220B78-F06A-4B36-A4C6-E0BE2306385E";
DateTime = "20120703062026.758000+000";
HostName = "SPCH1784.zrh.local";
HRESULT = "0x87d0027e";
ProcessID = 5548;
StatusCode = 401;
ThreadID = 5108;
};
]LOG]!><time="08:20:26.758-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="5108" file="event.cpp:729">
<![LOG[UpdateURLWithTransportSettings(): OLD URL - http://SPCH1784.zrh.local/SMS_DP_SMSPKG$/e1abc7a6-0fb6-4306-b790-0cd97d4ce847]LOG]!><time="08:20:26.771-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="2288" file="ccmutillib.cpp:3083">
<![LOG[UpdateURLWithTransportSettings(): NEW URL - http://SPCH1784.zrh.local:80/SMS_DP_SMSPKG$/e1abc7a6-0fb6-4306-b790-0cd97d4ce847]LOG]!><time="08:20:26.771-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="2288" file="ccmutillib.cpp:3095">
<![LOG[DTSJob {46515960-CFEC-4732-874B-AA1B3A84594E} created to download from 'http://SPCH1784.zrh.local:80/SMS_DP_SMSPKG$/e1abc7a6-0fb6-4306-b790-0cd97d4ce847' to 'C:\Windows\ccmcache\26'.]LOG]!><time="08:20:26.774-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="2288" file="datatransferservice.cpp:186">
<![LOG[DTSJob {46515960-CFEC-4732-874B-AA1B3A84594E} in state 'DownloadingManifest'.]LOG]!><time="08:20:26.774-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="5400" file="dtsjob.h:157">
<![LOG[[CCMHTTP] ERROR: URL=http://SPCH1784.zrh.local:80/SMS_DP_SMSPKG$/3fe62967-58a6-43e5-94cc-0de1495d5c5b, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!><time="08:20:26.795-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="3440" file="ccmhttperror.cpp:291">
<![LOG[Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:D0220B78-F06A-4B36-A4C6-E0BE2306385E";
DateTime = "20120703062026.796000+000";
HostName = "SPCH1784.zrh.local";
HRESULT = "0x87d0027e";
ProcessID = 5548;
StatusCode = 401;
ThreadID = 3440;
};
]LOG]!><time="08:20:26.797-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="3440" file="event.cpp:729">
<![LOG[DTSJob {4343A1DC-E6AB-4D1E-90C9-51CDD799A876} in state 'Cancelled'.]LOG]!><time="08:20:26.797-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="1248" file="dtsjob.h:157">
<![LOG[DTSJob {4343A1DC-E6AB-4D1E-90C9-51CDD799A876} cancelled by client.]LOG]!><time="08:20:26.798-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="1248" file="dtsjob.cpp:2771">
<![LOG[Successfully sent location services HTTP failure message.]LOG]!><time="08:20:26.864-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="5812" file="ccmhttperror.cpp:395">
<![LOG[Error sending DAV request. HTTP code 401, status 'Unauthorized']LOG]!><time="08:20:26.864-120" date="07-03-2012" component="DataTransferService" context="" type="3" thread="5812" file="util.cpp:629">
<![LOG[GetDirectoryList_HTTP('http://SPCH1784.zrh.local:80/SMS_DP_SMSPKG$/063e00dd-e1d4-4524-a5fa-a101b9c2112f') failed with code 0x80070005.]LOG]!><time="08:20:26.864-120" date="07-03-2012" component="DataTransferService" context="" type="3" thread="5812" file="util.cpp:688">
<![LOG[[CCMHTTP] ERROR: URL=http://SPCH1784.zrh.local:80/SMS_DP_SMSPKG$/949e026e-6fea-472a-a1bc-19c5eeb48dbe, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!><time="08:20:26.871-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="1760" file="ccmhttperror.cpp:291">
<![LOG[Job {D0BD367A-6DD6-4D93-907F-AD7D8452FA12} impersonating Network Access Account.]LOG]!><time="08:20:26.871-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="5812" file="netaccessaccount.cpp:429">
<![LOG[Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:D0220B78-F06A-4B36-A4C6-E0BE2306385E";
DateTime = "20120703062026.872000+000";
HostName = "SPCH1784.zrh.local";
HRESULT = "0x87d0027e";
ProcessID = 5548;
StatusCode = 401;
ThreadID = 1760;
};
]LOG]!><time="08:20:26.873-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="1760" file="event.cpp:729">
<![LOG[[CCMHTTP] ERROR: URL=http://SPCH1784.zrh.local:80/SMS_DP_SMSPKG$/063e00dd-e1d4-4524-a5fa-a101b9c2112f, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!><time="08:20:26.876-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="5812" file="ccmhttperror.cpp:291">
<![LOG[Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:D0220B78-F06A-4B36-A4C6-E0BE2306385E";
DateTime = "20120703062026.878000+000";
HostName = "SPCH1784.zrh.local";
HRESULT = "0x87d0027e";
ProcessID = 5548;
StatusCode = 401;
ThreadID = 5812;
};
]LOG]!><time="08:20:26.878-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="5812" file="event.cpp:729">
<![LOG[UpdateURLWithTransportSettings(): OLD URL - http://SPCH1784.zrh.local/SMS_DP_SMSPKG$/a855c8db-248d-49e9-8cf2-e80561ad9462]LOG]!><time="08:20:26.890-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="1248" file="ccmutillib.cpp:3083">
<![LOG[UpdateURLWithTransportSettings(): NEW URL - http://SPCH1784.zrh.local:80/SMS_DP_SMSPKG$/a855c8db-248d-49e9-8cf2-e80561ad9462]LOG]!><time="08:20:26.890-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="1248" file="ccmutillib.cpp:3095">
<![LOG[DTSJob {62A554F3-4290-48A0-B07E-383F8B66ECCC} created to download from 'http://SPCH1784.zrh.local:80/SMS_DP_SMSPKG$/a855c8db-248d-49e9-8cf2-e80561ad9462' to 'C:\Windows\ccmcache\27'.]LOG]!><time="08:20:26.892-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="1248" file="datatransferservice.cpp:186">
<![LOG[DTSJob {62A554F3-4290-48A0-B07E-383F8B66ECCC} in state 'DownloadingManifest'.]LOG]!><time="08:20:26.892-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="5884" file="dtsjob.h:157">
<![LOG[Successfully sent location services HTTP failure message.]LOG]!><time="08:20:26.955-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="3960" file="ccmhttperror.cpp:395">
<![LOG[Error sending DAV request. HTTP code 401, status 'Unauthorized']LOG]!><time="08:20:26.955-120" date="07-03-2012" component="DataTransferService" context="" type="3" thread="3960" file="util.cpp:629">
<![LOG[GetDirectoryList_HTTP('http://SPCH1784.zrh.local:80/SMS_DP_SMSPKG$/3aeb56f9-4cd2-4f97-b8aa-6452f4524967') failed with code 0x80070005.]LOG]!><time="08:20:26.955-120" date="07-03-2012" component="DataTransferService" context="" type="3" thread="3960" file="util.cpp:688">
<![LOG[Job {68E8DDA5-CF34-437C-AD98-199165BFF89C} reverted impersonation.]LOG]!><time="08:20:26.955-120" date="07-03-2012" component="DataTransferService" context="" type="1" thread="3960" file="netaccessaccount.h:93">

In the IIS Log I see that the client connects without credentials.

Solution

Install KB2522623 on the clients before installing applications or updates.

Follow me

0 Comments

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.