Software update deployment to servers in another domain

    Question

  • Hi all,

    We are implementing SCCM 2012 SP1 in our environment to deploy software updates. I can perfectly deploy and install software updates on domain joined server. 

    For servers in another domain I'm encountering the following problem:

    I've installed a SCCM client on two servers. I approved the clients. They have received their policies and can communicate correctly with the SCCM and the WSUS servers. Then I've deployed a distribution package with software updates. The clients are notified about this and are checking for updates. The scan succeeds and folders are being created in the ccmcache folders. Although there are no software update files being copied to these folders. I have checked the logs and I can only find some errors in the CcmMessaging log. (See below)

    <![LOG[Supplied sender token is null. Using GetUserTokenFromSid to find sender's token.]LOG]!><time="13:31:42.839-120" date="09-17-2013" component="CcmMessaging" context="" type="1" thread="3908" file="messagequeueproc_outgoing.cpp:171">
    <![LOG[[CCMHTTP] ERROR: URL=http://SCCMServer.DOMAINA/ccm_system_windowsauth/request, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!><time="13:31:42.854-120" date="09-17-2013" component="CcmMessaging" context="" type="1" thread="3908" file="ccmhttperror.cpp:297">
    <![LOG[Raising event:

    instance of CCM_CcmHttp_Status
    {
    ClientID = "GUID:D632717C-1D53-4444-AE75-0FE5F553D829";
    DateTime = "20130917113142.870000+000";
    HostName = "SCCMServer.DOMAINA";
    HRESULT = "0x87d0027e";
    ProcessID = 3776;
    StatusCode = 401;
    ThreadID = 3908;
    };
    ]LOG]!><time="13:31:42.870-120" date="09-17-2013" component="CcmMessaging" context="" type="1" thread="3908" file="event.cpp:706">
    <![LOG[Successfully sent location services HTTP failure message.]LOG]!><time="13:31:42.870-120" date="09-17-2013" component="CcmMessaging" context="" type="1" thread="3908" file="ccmhttperror.cpp:396">
    <![LOG[Post using DOMAINB\MYADMINACCOUNT security context failed due to Integrated Windows Authentication failure]LOG]!><time="13:31:42.870-120" date="09-17-2013" component="CcmMessaging" context="" type="2" thread="3908" file="messagequeueproc_outgoing.cpp:238">
    <![LOG[Post to http://SCCMServer.DOMAINA/ccm_system_windowsauth/request failed with 0x80070005.]LOG]!><time="13:31:42.870-120" date="09-17-2013" component="CcmMessaging" context="" type="2" thread="3908" file="messagequeueproc_outgoing.cpp:442">
    <![LOG[OutgoingMessage(Queue='mp_[http]mp_policymanager', ID={6B4E130B-23DB-4E7F-AAB8-F2EBFF4F0506}): Will be discarded (0x80070005).]LOG]!><time="13:31:42.870-120" date="09-17-2013" component="CcmMessaging" context="" type="3" thread="3908" file="messagequeueproc_outgoing.cpp:1647">

    I can't really get wise out of these errors. As far as I can see there are some authentication errors. Why is the client using my own user account in this context?

    Any help is welcome

    Kind Regards,

    J. Monnens





    • Edited by JMonnens Tuesday, September 17, 2013 1:50 PM typo
    Tuesday, September 17, 2013 12:37 PM
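
Added example, not part of the original post: a small Python parser for the CMTrace-format entries quoted above, which pulls out the authentication failure chain (HTTP status, failing account, endpoint, discarded queue). The names `parse_entries`, `auth_findings` and `SAMPLE` are illustrative, the sample is reduced from the entries in the post, and the mapping of `type` 1/2/3 to info/warning/error follows how CMTrace displays them.

```python
import re

# One CMTrace-format entry; the message part may span several lines.
ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" '
    r'component="(?P<component>[^"]*)" context="[^"]*" type="(?P<type>\d)" '
    r'thread="(?P<thread>\d+)" file="(?P<file>[^"]*)">', re.DOTALL)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}  # CMTrace type values

# Message patterns for the authentication failure chain seen in the post.
PATTERNS = {
    "http_status": re.compile(r"StatusCode = (40[13]);"),
    "account": re.compile(r"Post using (\S+) security context failed"),
    "url": re.compile(r"Post to (\S+) failed with (0x[0-9a-fA-F]{8})"),
    "discarded": re.compile(r"Queue='([^']+)'.*Will be discarded \((0x[0-9a-fA-F]{8})\)"),
}

def parse_entries(text):
    """Split CMTrace-format text into one dict per log entry."""
    return [dict(m.groupdict(), severity=SEVERITY.get(m["type"], "unknown"))
            for m in ENTRY.finditer(text)]

def auth_findings(entries):
    """Return (kind, captured values, severity, thread) per auth-related entry."""
    return [(kind, rx.search(e["msg"]).groups(), e["severity"], e["thread"])
            for e in entries for kind, rx in PATTERNS.items() if rx.search(e["msg"])]

# Sample reduced from the entries quoted in the post (attributes unchanged).
SAMPLE = r'''<![LOG[Raising event:
instance of CCM_CcmHttp_Status
{
HostName = "SCCMServer.DOMAINA";
HRESULT = "0x87d0027e";
StatusCode = 401;
};
]LOG]!><time="13:31:42.870-120" date="09-17-2013" component="CcmMessaging" context="" type="1" thread="3908" file="event.cpp:706">
<![LOG[Successfully sent location services HTTP failure message.]LOG]!><time="13:31:42.870-120" date="09-17-2013" component="CcmMessaging" context="" type="1" thread="3908" file="ccmhttperror.cpp:396">
<![LOG[Post using DOMAINB\MYADMINACCOUNT security context failed due to Integrated Windows Authentication failure]LOG]!><time="13:31:42.870-120" date="09-17-2013" component="CcmMessaging" context="" type="2" thread="3908" file="messagequeueproc_outgoing.cpp:238">
<![LOG[Post to http://SCCMServer.DOMAINA/ccm_system_windowsauth/request failed with 0x80070005.]LOG]!><time="13:31:42.870-120" date="09-17-2013" component="CcmMessaging" context="" type="2" thread="3908" file="messagequeueproc_outgoing.cpp:442">
<![LOG[OutgoingMessage(Queue='mp_[http]mp_policymanager', ID={6B4E130B-23DB-4E7F-AAB8-F2EBFF4F0506}): Will be discarded (0x80070005).]LOG]!><time="13:31:42.870-120" date="09-17-2013" component="CcmMessaging" context="" type="3" thread="3908" file="messagequeueproc_outgoing.cpp:1647">
'''

if __name__ == "__main__":
    for finding in auth_findings(parse_entries(SAMPLE)):
        print(finding)
```

The entry carrying the 401 is logged with `type="1"`, so a filter on severity alone would surface only the final discard message; matching on message content recovers the full chain.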

Answers

  • I've solved the errors by enabling Anonymous Authentication in the IIS settings for the CCM_System_WindowsAuth page. Software updates are still not copied to the servers in the other domain. What log should I check for this issue?
    Wednesday, September 18, 2013 7:56 AM
  • You can check UpdatesHandler.log, WUAHandler.log, UpdatesDeployment.log

    Regards, Ibrahim Hamdy

    Wednesday, September 18, 2013 8:23 AM

All replies

  • Hi,

    You can configure HTTPS Distribution point,

    or check below:

    Configure Network access account:

      • To set up the Network Access Account in SCCM 2012, go to the Administration pane, expand Site Operations and click on Sites
      • Then, right-click on the Site you want to set up the account for, and select “Software Distribution”
      • Then, click on the “Network Access Account” tab and enter the details of an appropriate user account

    Configure Allow clients to connect anonymously

      • This setting specifies whether the distribution point will allow anonymous connections from Configuration Manager clients to the content library.
      • Administration >> Site Operations >> Servers and Site System Roles
      • Then click on server name >> from Site System Roles >> R.C on Distribution point and Properties
      • Then select Allow clients to connect anonymously


    Regards, Ibrahim Hamdy



    Tuesday, September 17, 2013 12:43 PM
  • Assuming these systems are either Win 7 or Win Server 2008 R2, then you'll need the update described at http://support.microsoft.com/kb/2522623 to correct a Kerberos issue.

    Jason | http://blog.configmgrftw.com

    Tuesday, September 17, 2013 12:54 PM
    Moderator
  • The SCCM servers in domain A are running WS2012. The servers in domain B are running WS2012 and WS2008. I'm trying Ibrahim's solution. I'll keep you guys up to date.
    Tuesday, September 17, 2013 12:57 PM
  • Are you using HTTPS client communication?

    Jason | http://blog.configmgrftw.com

    Tuesday, September 17, 2013 1:04 PM
    Moderator
  • HTTP Communication
    Tuesday, September 17, 2013 1:05 PM
  • Then why would you configure your DP for HTTPS? This is in no way required and doesn't really make sense to do either.

    You are clearly getting an Access Denied in the log file: 0x80070005

    Do you have a network access account set up?


    Jason | http://blog.configmgrftw.com

    Tuesday, September 17, 2013 1:10 PM
    Moderator
  • First of all, I have never mentioned I'm using HTTPS ... 

    I have set up a Network Access account. Does this account need any special permissions?

    I have selected Allow clients to connect anonymously, still getting same error.

    Tuesday, September 17, 2013 1:14 PM
  • That was Ibrahim's first line in his post. Just wanted to make sure you weren't going down that path.

    The NAA needs to be a normal domain user account in the forest hosting the DP. If the DP is in the same forest as the client system, then the NAA isn't (typically) used.


    Jason | http://blog.configmgrftw.com

    Tuesday, September 17, 2013 1:19 PM
    Moderator
  • The NAA was perfectly configured before. After checking the Allow clients to connect anonymously option, I'm still getting the same errors in that log. Any other ideas?
    Tuesday, September 17, 2013 1:29 PM
  • So, when I mentioned the hotfix above, I meant that it was for the clients (I was assuming that they were server OSes so that might have been a little confusing).

    Jason | http://blog.configmgrftw.com

    Tuesday, September 17, 2013 1:55 PM
    Moderator
  • I understood you clearly with the hotfix but it's not applicable in my scenario. 
    • Edited by JMonnens Tuesday, September 17, 2013 2:04 PM
    Tuesday, September 17, 2013 2:02 PM