CAS can't access SMS_CAS & SMS_SITE

  • Question

  • Has any SCCM expert ever seen this problem? I have an open case with Microsoft SCCM 2012 but so far, they haven't been able to figure it out!

    My environment in test (it's been up & running for 2 months at least):
    - Server 2012 R2 Standard
    - SCCM 2012 R2 CU1
    - SQL 2012 Standard SP1

    · 1 CAS

    · 1 x Primary

    · Remote SQL either on CAS or Primary

    From CAS, logged in as the SCCM Admin Service Account (as Domain Admins), the SCCM Admin Service Account can't access SMS_CAS & SMS_SITE

    Message (see my attached pictures):
    Windows cannot access \\sccmcas01\SMS_CAS

    You do not have permission to access \\sccmcas01\SMS_CAS. Contact your network administrator to request access.

    Windows cannot access \\sccmcas01\SMS_SITE

    You do not have permission to access \\sccmcas01\SMS_SITE. Contact your network administrator to request access.

    BUT from the Primary Site there's no problem with access.



    And I just stood up my production (3 days ago), haven't deployed the SCCM client yet, just finished setting up boundaries, AD discovery, etc.

    The same problem occurs as well.

    Did I miss something here? Or is this a new undiscovered bug in either Windows Server 2012 R2 Standard or SCCM 2012 R2?

    Here's the thing: even my home SCCM 2012 R2 does the same thing, at work in the test environment it's the same thing, even the new setup in production is the same thing; I can't access those 2 directories from CAS. So I think either I did something wrong on all 3 of them OR something else...

    No problem from CAS accessing \\sccmcas01\c$

    I would really appreciate any help on this. It's been one week. Thanks, Reza

    [Screenshot: Can't access share of SMS_CAS]

    [Screenshot: Can't access share of SMS_SITE from CAS]

    Reza Prawirasatya

    Tuesday, June 24, 2014 4:12 AM

All replies

  • Thanks to my LinkedIn SCCM Experts!

    I asked around my LinkedIn friends (last Friday) and at least 5 of them said “NO way that you have access to CAS its own share! (\\sccmcasservername\SMS_CAS & \\sccmcasservername\SMS_SITE)”

    BUT one of my LinkedIn SCCM experts this morning pointed out to do this.

    Here's the question: is this by design (Server 2012 R2 Standard) to block this directory from CAS?

    I always turn off UAC on CAS, Primary Site, Remote SQL for CAS & Primary Site, Another MP/DP with PXE server.

    I followed his suggestions and it worked.

    From: CAS

    Go to Run: secpol.msc

    then follow my screenshots below (I tried it first at home (on Hyper-V))

    [Screenshot: Disable Admin Approval Mode-3]

    [Screenshot: Disable Admin Approval Mode-1]

    Reza Prawirasatya

    Tuesday, June 24, 2014 4:28 AM
  • I can only upload 2 pictures per post. So, here are the next pictures...

    [Screenshot: Disable Admin Approval Mode-2]

    [Screenshot: Disable Admin Approval Mode-4]

    then you must REBOOT!

    Reza Prawirasatya

    Tuesday, June 24, 2014 4:40 AM
  • File permissions and access have nothing to do with ConfigMgr.

    There are multiple possibilities here but UAC is the most likely culprit.

    Also, why are you testing with a CAS and single primary at all? You should only ever have a CAS if you have multiple primaries and you should only ever have multiple primaries if you have 100,000+ managed systems.

    Jason | http://blog.configmgrftw.com

    Tuesday, June 24, 2014 4:41 AM
  • Here's the result, where I could have access to these directories from CAS



    are now accessible

    [Screenshot: Disable Admin Approval Mode-5]

    Reza Prawirasatya

    Tuesday, June 24, 2014 4:44 AM
  • Jason,

    I know I would receive this question from anybody regarding "Why I am using CAS?" This is due to our unique environments. Yes, I'm aware of this CAS requirement.

    I didn't think it was an SCCM problem either, since this is a folder permission issue (Server OS). The thing that I didn't understand is that UAC was off (it's my habit to always turn off UAC) and I still had these problems.

    Reza Prawirasatya

    Tuesday, June 24, 2014 4:59 AM
  • Without belaboring the CAS issue, I can assure you that you will rue the day when you chose to use a CAS (unless you have 100,000 managed clients, in which case you have no choice).

    As for permissions, I don't know the exact set of permissions causing this, but I cannot access those shares either as a domain admin in my lab (single primary site) either locally or remotely. So, to my knowledge this is normal. Is there a reason you want to access these shares? They are meant for internal ConfigMgr use so there truly is no need or reason you should be accessing or using them.

    Jason | http://blog.configmgrftw.com

    Tuesday, June 24, 2014 3:29 PM
  • I know about this after at least more than 5 of my LinkedIn friends, NO WAY.

    The reason that I need to have access is that when we called Microsoft SCCM support with the problem that we're having (stuck packages software updates), they wanted my co-worker to delete the SCCM client package and SCCM client update package from CAS. My co-worker was able to delete them per Microsoft SCCM support instructions but he couldn't put back the SCCM client update package, which needs access to this directory \\sccmcas01\sms_cas

    That leads me to turn to my LinkedIn SCCM friends.


    Reza Prawirasatya

    Wednesday, June 25, 2014 2:41 AM
  • I know about this after at least more than 5 of my LinkedIn friends, NO WAY.

    Not sure what the above means.

    As for accessing the sms_cas directory, you don't need access to the directory to create the package, ConfigMgr has access. All that is needed is to provide the proper UNC by typing it in.

    Jason | http://blog.configmgrftw.com

    Wednesday, June 25, 2014 2:46 AM
  • He may have "fixed his issue" but he's totally compromised the security model on that server to get results.

    If this is something you need to do once, revert that permission back to get the Site server into a less compromised state.

    Robert Marshall | This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs

    Wednesday, June 25, 2014 11:28 AM
  • Robert, that's what I am thinking: to revert the changes, because I just need to be able to get to this share to put the client configuration update back & distribute it. Hopefully, there's no other impact...

    Reza Prawirasatya

    Wednesday, June 25, 2014 1:28 PM
  • Thanks, Reza!

    I had the same problem. Even though in Control Panel it was showing that UAC is disabled, I still had to disable it via local security policy.

    Thursday, February 9, 2017 2:06 PM
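
An added example, not part of any post in this thread: a read-only PowerShell check of the UAC policy values, showing why Control Panel can report UAC as off while Admin Approval Mode is still on, and flagging the state a site server should be reverted from. It assumes the secpol.msc setting in the screenshots is "User Account Control: Run all administrators in Admin Approval Mode" (registry value EnableLUA); `Get-UacState` and the sample hashtables are constructed for illustration.

```powershell
# Added example: read-only audit of the UAC policy values (nothing is changed).
$UacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacNames = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'FilterAdministratorToken'

function Get-UacState {
    # Hypothetical helper. Pass a hashtable to evaluate constructed samples;
    # with no argument it reads the live registry of the local machine.
    param([hashtable]$Values)

    if ($null -eq $Values) {
        $props  = Get-ItemProperty -Path $UacKey
        $Values = @{}
        foreach ($n in $UacNames) { $Values[$n] = $props.$n }
    }

    # EnableLUA = "Run all administrators in Admin Approval Mode".
    # An absent value is treated here as the default (on).
    $aamOn = ($Values['EnableLUA'] -ne 0)
    # ConsentPromptBehaviorAdmin = 0 means "elevate without prompting", which is
    # what the Control Panel slider sets at "Never notify" on Windows 8 /
    # Server 2012 and later; it does not turn EnableLUA off.
    $promptOff = ($Values['ConsentPromptBehaviorAdmin'] -eq 0)

    if (-not $aamOn) {
        $finding = 'Admin Approval Mode OFF: administrators get an unfiltered token at logon. Revert once the one-off task is done (reboot required).'
    } elseif ($promptOff) {
        $finding = 'Prompts suppressed, Admin Approval Mode still ON: non-elevated processes still run with a filtered token.'
    } else {
        $finding = 'Admin Approval Mode ON with prompting.'
    }

    [pscustomobject]@{
        AdminApprovalMode    = $aamOn
        PromptSuppressed     = $promptOff
        BuiltInAdminFiltered = ($Values['FilterAdministratorToken'] -eq 1)
        Finding              = $finding
    }
}

# Constructed samples matching the two states described in the thread.
Get-UacState @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 0 } | Format-List  # Control Panel shows "off"
Get-UacState @{ EnableLUA = 0; ConsentPromptBehaviorAdmin = 0 } | Format-List  # after the secpol.msc change
Get-UacState | Format-List                                                     # this machine
```

Running the last line on each site server after the maintenance task confirms whether the policy was actually reverted.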