SCCM 2012 on Windows 2012 - All client installations fail with "CcmSetup failed with error code 0x80004005"

  • Question

  • Have a dedicated SCCM 2012 SP1 server on domain member server Windows Server 2012, local database server running SQL 2008 R2 SP2 (10.50.4000).  All SMS virtual directories appear to be created in IIS 8, services running, currently configured for HTTP only (no SSL), SMS publication to AD working (MP and other records registered in AD). 

    Devices discovered through AD System Discovery, and attempting client push to systems (install account defined in Client Settings with a dedicated service account that is also a Domain Admin).  Client package and update shows as enabled and deployed in the SCCM console, files present on the filesystem.  Clients have traverse directory permissions (Everyone, Users, etc), explicit permissions on the client directory at the NTFS level show IUSR has read. 

    Client push to any system shows success in push wizard.  Systems have %windir%\ccmsetup folder, with ccmsetup.exe, cache, and logs directories.  Logs show that clients find management point, attempt to retrieve additional information and setup configs, but fail with 401 errors (log sanitized with generic hostname for SCCM server):

    <![LOG[Found local location 'http://my-sccm-host.localdomain.local/SMS_DP_SMSPKG$/S0100003']LOG]!><time="11:15:02.370+300" date="03-25-2013" component="ccmsetup" context="" type="0" thread="18324" file="siteinfo.cpp:351">
    <![LOG[Discovered 1 local DP locations.]LOG]!><time="11:15:02.371+300" date="03-25-2013" component="ccmsetup" context="" type="1" thread="18324" file="ccmsetup.cpp:10818">
    <![LOG[PROPFIND 'http://my-sccm-host.localdomain.local/SMS_DP_SMSPKG$/S0100003']LOG]!><time="11:15:02.371+300" date="03-25-2013" component="ccmsetup" context="" type="1" thread="18324" file="httphelper.cpp:807">
    <![LOG[Got 401 challenge Retrying with Windows Auth...]LOG]!><time="11:15:02.377+300" date="03-25-2013" component="ccmsetup" context="" type="1" thread="18324" file="httphelper.cpp:1288">
    <![LOG[PROPFIND 'http://my-sccm-host.localdomain.local/SMS_DP_SMSPKG$/S0100003']LOG]!><time="11:15:02.377+300" date="03-25-2013" component="ccmsetup" context="" type="1" thread="18324" file="httphelper.cpp:807">
    <![LOG[Failed to correctly receive a WEBDAV HTTP request.. (StatusCode at WinHttpQueryHeaders: 401)]LOG]!><time="11:15:02.388+300" date="03-25-2013" component="ccmsetup" context="" type="3" thread="18324" file="httphelper.cpp:1370">
    <![LOG[Failed to check url http://my-sccm-host.localdomain.local/SMS_DP_SMSPKG$/S0100003. Error 0x80004005]LOG]!><time="11:15:02.388+300" date="03-25-2013" component="ccmsetup" context="" type="3" thread="18324" file="httphelper.cpp:1597">
    <![LOG[Enumerated all 1 local DP locations but none of them is good. Fallback to MP.]LOG]!><time="11:15:02.388+300" date="03-25-2013" component="ccmsetup" context="" type="2" thread="18324" file="ccmsetup.cpp:11054">
    <![LOG[GET 'http://my-sccm-host.localdomain.local/CCM_Client/ccmsetup.cab']LOG]!><time="11:15:02.388+300" date="03-25-2013" component="ccmsetup" context="" type="1" thread="18324" file="httphelper.cpp:807">
    <![LOG[Got 401 challenge Retrying with Windows Auth...]LOG]!><time="11:15:02.413+300" date="03-25-2013" component="ccmsetup" context="" type="1" thread="18324" file="httphelper.cpp:1288">
    <![LOG[GET 'http://my-sccm-host.localdomain.local/CCM_Client/ccmsetup.cab']LOG]!><time="11:15:02.414+300" date="03-25-2013" component="ccmsetup" context="" type="1" thread="18324" file="httphelper.cpp:807">
    <![LOG[Failed to successfully complete WinHttp request. (StatusCode at WinHttpQueryHeaders: 401)]LOG]!><time="11:15:02.422+300" date="03-25-2013" component="ccmsetup" context="" type="3" thread="18324" file="httphelper.cpp:1013">
    <![LOG[DownloadFileByWinHTTP failed with error 0x80004005]LOG]!><time="11:15:02.422+300" date="03-25-2013" component="ccmsetup" context="" type="3" thread="18324" file="httphelper.cpp:1081">
    <![LOG[A Fallback Status Point has not been specified.  Message with STATEID='308' will not be sent.]LOG]!><time="11:15:02.422+300" date="03-25-2013" component="ccmsetup" context="" type="1" thread="18324" file="ccmsetup.cpp:9428">
    <![LOG[CcmSetup failed with error code 0x80004005]LOG]!><time="11:15:02.425+300" date="03-25-2013" component="ccmsetup" context="" type="1" thread="18324" file="ccmsetup.cpp:10544">

    From the IIS logs on the server during the above window:

    2013-03-25 16:15:00 172.16.0.33 CCM_POST /ccm_system/request - 80 - 172.16.0.180 ccmsetup - 200 0 0 29
    2013-03-25 16:15:00 172.16.0.33 PROPFIND /SMS_DP_SMSPKG$/S0100003 - 80 - 172.16.0.180 ccmsetup - 401 2 5 5
    2013-03-25 16:15:00 172.16.0.33 GET /CCM_Client/ccmsetup.cab - 80 - 172.16.0.180 ccmsetup - 401 3 5 6
    2013-03-25 16:15:00 172.16.0.33 GET /CCM_Client/ccmsetup.cab - 80 - 172.16.0.180 ccmsetup - 401 3 64 7

    I also see BITS_POST errors for CCM_Incoming (403 0 0 49 and 403 0 0 5).

    I have not made any changes to authentication or other settings in IIS 8 after the installation of SCCM 2012.  Is there a change required for HTTP only (non SSL) communication to the distribution and management points to allow the client to complete the installation and register itself with SCCM?  This affects all Windows 2008, 2012, Windows 7 and Windows 8 clients in my environment.  Is there a document showing the required NTFS and IIS permissions for this to function properly?

    Thanks in advance!

    Monday, March 25, 2013 5:07 PM

Answers

  • Thank you, I finally located the problem:

    Probably due to reconfiguration of the site role, the Distribution Point role configuration was lacking the boundary groups.

    Therefore the MP or DP was not assigned correctly.

    After fixing this, the push installation ran immediately.

    So there's another possible reason for this error.

    Thanks again!

    Sunday, November 17, 2013 10:18 PM

All replies

  • There is not anything explicitly to configure in IIS, thus your issues are most likely due to something non-standard in your environment.

    Have you verified that your AV product is not getting in the way?

    The permissions are not documented anywhere; however, a site reset should restore the permissions as they should be.


    Jason | http://blog.configmgrftw.com

    Monday, March 25, 2013 7:04 PM
  • Antivirus / anti-malware is Forefront Endpoint Protection 2010, would think that if AV was interfering I'd see connectivity issues versus HTTP responses in both client and server (401 / 403 responses to GET / POST requests).  I am seeing that a GET for http://CCM-HOSTNAME/CCM_Client/ccmsetup.cab (by simply pasting that URL into a web browser) returns a blank page and generates a 401 error in the IIS logs as well. 

    I noted that I see a WEBDAV error as well, and I know this was a required IIS component in 2007.  From what I read, explicit installation of the WEBDAV component for IIS 8 is not required - is that your understanding as well?

    As far as non-standard configurations - no unusual or restrictive GPOs, DNS and AD healthy.  Using MS Forefront client for security as mentioned with default settings.  SCCM server is single-homed.

    Other suggestions?  Site reset appears to have run with no errors, but did not resolve issue either.

    Monday, March 25, 2013 8:47 PM
  • More or less correct on WebDAV -- it's actually ConfigMgr 2012 that no longer requires the server component because it implements WebDAV internally now.

    Have you verified the health of your DP in the console?

    Is there a proxy configured on the client?


    Jason | http://blog.configmgrftw.com

    Monday, March 25, 2013 10:13 PM
  • In the console, I'm showing current status for the only DP (also MP, Site Server, DB, etc - all-in-one) as healthy, with the Config Mgr Client package successfully deployed.  Files are visible as content through IIS Manager, and all shares appear to be active. I'm seeing no current errors in the Status Monitor for DP components (or any other for that matter).  There was an error about the Config Mgr Client package being distributed earlier in the day, however later messages indicate that the DP was successfully updated with the package.

    No client proxies are configured at this time (assume this is referencing something set using the proxycfg / netsh winhttp - none defined).

    Is there a DP health check tool other than review of the various status and configuration monitors in the SCCM console?  A PowerShell cmdlet or the like?

    Tuesday, March 26, 2013 2:12 AM
  • 401 3 translates to "Unauthorized due to ACL on resource". Also, the client should have read and execute, not traverse, I believe.

    On the BITS error "403 0 0 49", the link below should be of some help.

    http://myitforum.com/myitforumwp/2012/05/23/problems-with-iis-on-your-cm2012-site-server/


    Delphin

    Tuesday, March 26, 2013 12:42 PM
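
The status triplets discussed above can be decoded straight from the IIS log. This is an added example, not code from the thread or from ConfigMgr; it assumes the field order of the log lines quoted in the question, and the lookup tables cover only a few common IIS sub-status and Win32 codes.

```python
from collections import Counter

# Assumption: each entry ends with sc-status sc-substatus sc-win32-status
# time-taken, and starts with date time s-ip cs-method cs-uri-stem, matching
# the field order of the lines quoted in the question.
SUBSTATUS = {
    ("401", "1"): "logon failed",
    ("401", "2"): "logon failed due to server configuration",
    ("401", "3"): "unauthorized due to ACL on resource",
    ("404", "7"): "file extension denied by request filtering",
    ("404", "8"): "hidden segment denied by request filtering",
}
WIN32 = {"0": "success", "2": "file not found", "5": "access denied",
         "64": "network name no longer available"}

# The four IIS log lines from the question.
SAMPLE = """\
2013-03-25 16:15:00 172.16.0.33 CCM_POST /ccm_system/request - 80 - 172.16.0.180 ccmsetup - 200 0 0 29
2013-03-25 16:15:00 172.16.0.33 PROPFIND /SMS_DP_SMSPKG$/S0100003 - 80 - 172.16.0.180 ccmsetup - 401 2 5 5
2013-03-25 16:15:00 172.16.0.33 GET /CCM_Client/ccmsetup.cab - 80 - 172.16.0.180 ccmsetup - 401 3 5 6
2013-03-25 16:15:00 172.16.0.33 GET /CCM_Client/ccmsetup.cab - 80 - 172.16.0.180 ccmsetup - 401 3 64 7
"""

def parse_line(line):
    """Return a dict for one log entry, or None for headers and short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 9 or not parts[-4].isdigit():
        return None
    status, sub, win32 = parts[-4:-1]
    return {
        "method": parts[3], "uri": parts[4],
        "code": f"{status}.{sub}", "win32": win32,
        "meaning": SUBSTATUS.get((status, sub), "see IIS sub-status reference"),
        "win32_meaning": WIN32.get(win32, "unknown"),
    }

def failures(text):
    """Entries whose HTTP status is 4xx or 5xx."""
    rows = (parse_line(l) for l in text.splitlines())
    return [r for r in rows if r and r["code"][0] in "45"]

def summarize(text):
    """Count failures per (URI, status.substatus) pair."""
    return Counter((r["uri"], r["code"]) for r in failures(text))

if __name__ == "__main__":
    for r in failures(SAMPLE):
        print(r["method"], r["uri"], r["code"], r["meaning"], "/", r["win32_meaning"])
```

On the quoted lines this separates the PROPFIND failure (401.2) from the two GET failures (401.3), which point at different layers: authentication configuration versus the ACL on the resource.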
  • Actually saw that yesterday, thanks.  Local security on the system shows that Everyone, Local Service, Network Service, Users (which has well-known SID Authenticated Users nested in the local group), Administrators, and others are assigned to bypass traverse checking. My IIS knowledge is not as deep as I'd like, but it appears the SCCM app pools are all running under Local Service.  Reviewing Local Service and IUSR permissions on the CCM_Client virtual directory, I see READ only permissions (which should allow direct download of a hosted file, say ccmsetup.cab), and for the CCM_Incoming, full control on subfolders and files, which should allow post activities.  My understanding is that the app pool logon account is used for impersonation and filesystem / app access for client systems.

    Does that match what you see on functional systems?  I attempted to open a direct ticket last night through my subscription here, ticket system was offline - I'll be retrying that today.

    Tuesday, March 26, 2013 3:29 PM
  • Or I would ... if the system were up and running.  Managed to get a page or two of detail and log uploads done last night before I hit submit and got this error.

    Tuesday, March 26, 2013 8:34 PM
  • What happens if you remove the DP role and put it on a different machine?

    Kev


    Tuesday, March 26, 2013 9:27 PM
  • I'm having the same thing at a customer.  Have you found anything more?
    Thursday, April 4, 2013 3:18 PM
  • Hi Dustin/Levi,

    401 Unauthorized: If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials.

    403 Forbidden: The provided credentials were successfully authenticated, but the credentials still do not grant the client permission to access the resource (e.g. a recognized user attempting to access restricted content).

    So it is approaching with the correct rights, but somewhere in between it was forbidden, so it got filtered, I guess.

    I doubt it's related to the authorization of the .cab file in the IIS request filtering on the server, since there is a 200 also there in the IIS logs; it's no doubt other than the IIS filtering. In 2003 Server it by default allows all files, but in 2008 it is not the same; the case will be there for 2012 also (though I have not worked on 2012 yet, assuming it will also have the same filtering as 2008).

    Open up the IIS manager and you will now have a "Request Filtering" icon that shows up. Clicking on this will allow you to access the new "Request Filtering" GUI interface.

    The File Extension and Allowed columns will be there; check for the .cab file, and in the column True/False will be there; just allow it.

    Other way:

    It doesn't download because error code 2 = "The system cannot find the file specified."

    To check the issue:

    Go to the IIS logs in inetpub/logs/logfiles/w3svc1.

    There in the log, if we find a 404/401 error for a file, e.g. (.mdb, .bin), that is the issue which blocks the content download; WebDAV is not getting the source which it's trying to download.

    The solution applied:

    1. Click Start, type Notepad in the Start Search box, right-click Notepad, and then click Run as administrator.

    Note: If you are prompted for an administrator password or for a confirmation, type the password, or click Continue.

    2. On the File menu, click Open, type %windir%\System32\inetsrv\config\applicationHost.config in the File name box, and then click Open.

    3. In the ApplicationHost.config file, locate the <requestFiltering> element, and then locate the <hiddenSegments> element.

    4. In the <hiddenSegments> element, delete the entry that matches the directory in your package (in my case it was .mdb, .config).

    5. On the File menu, click Save.

    This filtering happens only on 2008 servers; by default 2003 allows all HTTP requests and allows WebDAV to transfer the content.

    Hopefully the issue will be resolved

    Kamala kannan.c

    http://kamalakannansccmblog.wordpress.com/

    This posting is provided with no warranties/guarantees and confers no rights.

    Please Mark it as answer if its helpful in the resolution of issue


    Thursday, April 4, 2013 8:23 PM
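
Before deleting entries from `<requestFiltering>`, it helps to list which content paths the current rules would actually reject. The following is an added example, not code from the thread: the configuration fragment and the package file names are constructed, and the matching is a simplified model of IIS request filtering, whose denials are logged as 404.7 (file extension) and 404.8 (hidden segment).

```python
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the <requestFiltering> section of
# applicationHost.config; a real file lists many more entries.
SAMPLE_CONFIG = """<configuration><system.webServer><security>
<requestFiltering>
  <fileExtensions allowUnlisted="true">
    <add fileExtension=".mdb" allowed="false" />
    <add fileExtension=".config" allowed="false" />
  </fileExtensions>
  <hiddenSegments>
    <add segment="bin" />
    <add segment="App_Data" />
  </hiddenSegments>
</requestFiltering>
</security></system.webServer></configuration>"""

def load_rules(xml_text):
    """Return (allow_unlisted, {extension: allowed}, {hidden segments})."""
    rf = ET.fromstring(xml_text).find(".//requestFiltering")
    exts = rf.find("fileExtensions")
    allow_unlisted = exts.get("allowUnlisted", "true").lower() == "true"
    ext_rules = {a.get("fileExtension").lower(): a.get("allowed", "true").lower() == "true"
                 for a in exts.findall("add")}
    hidden = {a.get("segment").lower() for a in rf.findall("hiddenSegments/add")}
    return allow_unlisted, ext_rules, hidden

def check_path(url_path, rules):
    """Say whether the filtering rules would reject this URL path."""
    allow_unlisted, ext_rules, hidden = rules
    segments = [s for s in url_path.lower().split("/") if s]
    for seg in segments:
        if seg in hidden:  # any path segment on the hidden list blocks the request
            return "404.8 hidden segment: " + seg
    last = segments[-1] if segments else ""
    ext = "." + last.rsplit(".", 1)[1] if "." in last else ""
    if ext and not ext_rules.get(ext, allow_unlisted):
        return "404.7 file extension denied: " + ext
    return "allowed"

def audit(paths, rules):
    """Map each blocked path to the reason it would be rejected."""
    results = {p: check_path(p, rules) for p in paths}
    return {p: r for p, r in results.items() if r != "allowed"}

if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    for p in ("/CCM_Client/ccmsetup.cab", "/SMS_DP_SMSPKG$/S0100003/bin/tool.exe"):
        print(p, "->", check_path(p, rules))
```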
  • Levi.. Besides, are the "Windows authentication" and "basic authentication" features installed as a part of the IIS role?

    I've seen this very similar kind when those are not installed.


    Delphin

    Friday, April 5, 2013 9:05 AM
  • Did you figure it out Levi?

    Rob Marshall | UK | My Blog | WMUG | File CM12 Feedback | CM12 Docs | CM12 Release Notes

    Friday, May 10, 2013 8:38 PM
  • Has anyone figured this out yet?  We seem to be having issues that are related to yours.  We are running ConfigMgr on a Windows 2012 box as well.
    Monday, June 10, 2013 4:10 PM
  • Same problem at a new customer running Windows Server 2012 R2 and SCCM 2012 R2.

    Strangely enough, the deployment went well for a few days in the beginning, then the same issue:

    StatusCode at WinHttpQueryHeaders: 500
    "DownloadFileByWinHttp failed with error 0x80004005"

    Already added "Basic Authentication" to IIS role and allowed anonymous connection at distribution point configuration.

    Anyone managed to figure this out?

    Thanks in advance!!!

    Sunday, November 17, 2013 8:11 PM
  • 0x80004005 = Unknown error. HTTP 500 = "internal server error".
    Have you already examined the server (IIS logs) and used the Monitoring node of the console to check if everything is still healthy?

    Torsten Meringer | http://www.mssccmfaq.de

    Sunday, November 17, 2013 8:38 PM