locked
Remote Control asking for credentials RRS feed

  • Question

  • I'm getting challenged for credentials  when I try to remote control to some (not all) of the machines in my SCCM environment.  We get this message:

    Credentials required
    The currently logged-in user does not have rights to access the client machine. You must provide the username, domain, and password of an account in the client's remote control operators group.

    I was reading some of the other posts, but my scenario seems different so I'm starting a new thread for my question.  Site configuration is correct (my DOMAIN\SMSRC group is configured in the Permitted Viewers).  I looked at two PCs in the same site (making sure it wasn't a sitewide issue):

    PC-A:  Asks for credentials
    --The local ConfigMgr Remote Control Users group has no entries
    --The HKLM\Software\Microsoft\SMS\Client\Client Components\Remote Control | Permitted Viewers value contains only "Administrators"

    PC-B: Does not ask for credentials
    --The local ConfigMgr Remote Control Users group contains my DOMAIN\SMSRC group as it should.
    --The HKLM\Software\Microsoft\SMS\Client\Client\Client Components\Remote Control | Permitted Viewers value contains my DOMANI\SMSRC group as it should

    SO... I know the site is configured correctly and I know that some of the PCs at that site have applied that configuration correctly.  However, I would say that at least 40% of my clients at that site are not receiving that configuration (they look like PC-A described above).

    I'm not sure where to look in the client logs, etc. to figure out why some of the clients are not adding that group to their configuration to allow remote control access.  Any suggestions about what to check?

    Thanks so much!  --Jo

    Wednesday, February 11, 2009 4:54 PM

Answers

  • The only thing I could think of would be to advertise some script to your clients that checks the group membership or do so through DCM (and no we don't provide this in the product).

    As I have mentioned in other threads on Remote Control, if a client or multiple clients are not set correctly, then you could try to retrieve policies again, but could very well be that the client is not completely healthy (not fully working correctly) and you'd need to repair or reinstall the client.

    This is not something we look at on clients after the policy has been retrieved and run locally. You'd really need to find the appropriate policy (policypv.log on the site server), then track in the client logs to see if it did download the policy (DataTransferService.log), and then execute it (PolicyEvaluator.log). Outside that, it is going to be some script on your end of things.
    Wally Mead
    Monday, February 16, 2009 10:51 PM

All replies

  • I had the same issue.  What I did to correct it was:
    1. Go to the PC and uninstall the client using msiexec /x c:\windows\system32\ccmsetup\{35BE0386-E1B9-4F59-8DBD-E5B390AA8A09}\client.msi
    2. Delete the PC from configmgr

    The system then rediscovered the PC and re-installed the client.
    Cheers  Wayne O
    Wednesday, February 11, 2009 11:50 PM
  • Thanks.  Reinstalling the client worked on the one I was testing.  However, it's a "one-off" kind of solution... I'd like to understand why the problem is occurring and fix whatever systemic issues exist in my infrastructure and/or on my clients proactively instead of needing to uninstall and reinstall individual clients after the issue is encountered.

    I've been digging further and now I'm finding that some of the machines are in this state:

    The ConfigMgr Remote Control Users group is blank
    ---but---
    The HKLM\Software\Microsoft\SMS\Client\Client Components\Remote Control | Permitted Viewers value DOES contain the correct group

    I looked at the online documentation and it says this about that ConfigMgr Remote Control Users group:
    By default, there are no members in this group. As you add users to the Permitted Viewers list, they are automatically added to this group. You should always add users to the Permitted Viewers list instead of adding them directly to this group. 

    In my case, the Permitted Viewers list on the site is correct and the client has applied the registry key for permitted viewers that matches the site, but the local group was not managed to include that data.  Any idea where I can look to understand why this group management didn't happen?  I'm assuming that (as discussed above) if I uninstall/reinstall the client everything will be OK, but again, in an environment with over 40,000 clients where do you start?  How do you know that a client is in this state without looking manually at the group/registry and is the only option really to uninstall/reinstall the client? 

    Thanks again! --Jo

    Thursday, February 12, 2009 3:27 PM
  •  
    Wayne O said:

    I had the same issue.  What I did to correct it was:
    1. Go to the PC and uninstall the client using msiexec /x c:\windows\system32\ccmsetup\{35BE0386-E1B9-4F59-8DBD-E5B390AA8A09}\client.msi
    2. Delete the PC from configmgr

    The system then rediscovered the PC and re-installed the client.
    Cheers  Wayne O

    For everyone's benefit, Wayne's procedure to fix this would not be the supported method to uninstall our client. The supported method to uninstall the client is to run "Ccmsetup.exe /uninstall".

    That is what we want y'all to do if you ever need to uninstall a client :-)
    Wally Mead
    Monday, February 16, 2009 10:46 PM
  • The only thing I could think of would be to advertise some script to your clients that checks the group membership or do so through DCM (and no we don't provide this in the product).

    As I have mentioned in other threads on Remote Control, if a client or multiple clients are not set correctly, then you could try to retrieve policies again, but could very well be that the client is not completely healthy (not fully working correctly) and you'd need to repair or reinstall the client.

    This is not something we look at on clients after the policy has been retrieved and run locally. You'd really need to find the appropriate policy (policypv.log on the site server), then track in the client logs to see if it did download the policy (DataTransferService.log), and then execute it (PolicyEvaluator.log). Outside that, it is going to be some script on your end of things.
    Wally Mead
    Monday, February 16, 2009 10:51 PM
  • Hi, I know its old thred but did you find a soluction to this as we having same issue within our environment

    Tuesday, June 30, 2020 10:13 AM