locked
Management point errors in the DMZ RRS feed

  • Question

  • We recently setup a management point in the dmz .Already have boundary groups and added it to forrest discovery (Took a a few ports to open that up so it would work) , and have firewall rules setup to allow our inside primary site to interact with the management point in the dmz

    THe management point in the dmz got setup to talk to sql using the insidedomain\service_account that has rights to the sql database. In looking at the mpcontrol.log I see several errors.

    Call to HttpSendRequestSync failed for port 80 with status code 500, text: Internal Server Error

    Http test request failed, status code is 500, 'Internal Server Error'. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:43 PM 2068 (0x0814)

    and also

    *** [28000][18452][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:54 PM 2068 (0x0814)

    *** [28000][18452][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:54 PM 2068 (0x0814)

    *** Failed to connect to the SQL Server, connection type: MP_CONTROL_ACCESS. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:54 PM 2068 (0x0814)

    Failed to get connection to the configured SQL database. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:54 PM 2068 (0x0814)
    Failed to connect to the configured SQL database. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:54 PM 2068 (0x0814)
    Failed to get the current CLR Enabled configuration setting for the configured SQL Server hosting the database. SMS_MP_CONTROL_MANAGER 11/5/2013 2:26:54 PM 2068 (0x0814)

    We do not have a sccm client on this system yet so i know the health evaluation scheduled task isn't an issue (no client installed).

    We've gotten TCP port 1433 and 1443 open to the sql box so that the management point in the dmz can talk to the sql server. Also have other ports for the site server on the inside to talk to the MP in the dmz.

    Has anyone seen this before or have any tips that might help with setting up a MP in a dmz that is untrusted.

    Tuesday, November 5, 2013 7:33 PM

All replies

  • Is the MP in a separate forest? I'm assuming so.

    Where exactly did you configure the account mentioned above?


    Jason | http://blog.configmgrftw.com

    • Proposed as answer by Joyce L Thursday, November 7, 2013 12:47 PM
    Tuesday, November 5, 2013 9:39 PM
  • Jason -

    Correct the MP is in a separate forrest, our DMZ

    The account was set when the MP was created in the servers and site system roles area of the Administration section of sccm 2012. The Management Point Database was set up using the specify the account that connects the management point to the sql server database.

    I have a case open with microsoft and we've tried a UDL connection back to sql and see there is a handshake but no connection done due to "The login is from an untrusted domain and cannot be used with Windows" message.

    Everywhere I've looked I see that port 1433 is needed to open up a connection from the firewall to the SQL server and thats it. We have a rule that allows the MP in the DMZ to initiate a connection to our internal sql server over port 1433.

    Thursday, November 7, 2013 10:18 PM
  • Hi to all,

    I am in the same situation: two different untrusted domain, SQL server on domain A / Management Point on domain B / firewall between domains.

    I set Management point connection to SQL server database by a specific account, and I opened only the requested port for MP installation (success) and the SQL port for communication.

    I suppose the opened firewall port are OK, I got the same error, on mpcontrol.log and on SQL server log "The login is from an untrusted domain and cannot be used with Windows authentication" ... but i set a domain account in SQL server domain ... what's the problem?

    Any further help (or suggestion) will be higly appreciate,
    thanks in advance.

    Tuesday, February 4, 2014 4:04 PM
  • Hello Kevin,

    I know this post is old but I faced the exact same issue on an untrusted domain.

    For me this was the situation;

    I had the same message "The login is from an untrusted domain and cannot be used with Windows authentication. SMS_MP_CONTROL_MANAGER" while trying to connect from my MP in untrusted forest to SQL on Primary Site.

    I checked NTLM, Ports, Permissions and SPNs were OK, but there was something from the SQL side that was not working properly.

    Doing some research I found out that there is also needed SPN records for the NTLM authentication to happen. And you have to configure this on the SQL. It's configured on Accepted NTLM SPNs.

    Hope it helps who encounters the same issue.


    • Proposed as answer by EduardoMendes Thursday, December 11, 2014 12:31 AM
    • Unproposed as answer by EduardoMendes Thursday, December 11, 2014 12:31 AM
    • Edited by EduardoMendes Thursday, December 11, 2014 12:32 AM
    • Proposed as answer by EduardoMendes Thursday, December 11, 2014 12:32 AM
    Thursday, December 11, 2014 12:30 AM
  • Hi Eduarodo, Could you please elaborate on your work around. I am having exact same problem. 2012 R2 SP1

    SPN is correct

    Serverprinciplename for sccm-admin account = MSSQLSvc/<FQDN>:1433; MSSQLSvc/<FQDN>

    Hi Kevin, Did Microsoft fix your problem?

    Thanks.

    Thursday, February 18, 2016 12:04 PM
  • anybody managed to get it working with MP in different domain of DMZ ?
    Saturday, March 5, 2016 4:41 PM
  • Hi. I had a situation like this and I could solved it with this link:

    https://support.microsoft.com/sv-se/kb/2689646

    Also I had to register a SPN record for the account used to connect the Management Point to the SQL Server. You can use this link to help you

    http://being-sccmadmin.blogspot.com/2013/06/registering-spn-for-sql-server-for-sccm.html

    Hope you have the same luck.

    Ruben

    Tuesday, March 8, 2016 2:40 PM