none
Spot of bother with Software Distribution to DMZ-based clients RRS feed

  • Question

  • Hi,

    I wondered if I could tap into the collective knowledge here to see if I can find a resolution to a problem that's been causing us all sorts of grief.

    A little background before I get to the problem.

    We have an SCCM R2 server structure running on 64-bit 2003 servers.  Our clients in the DMZ are running SMS2003 Advanced client and have IPSec rules for "any" protocol over port 80 to their MPs and DPs.  The DMZ clients are in a local workgroup.  We have a domain account which the clients use to connect to the DPs.

    The clients are receiving policies from their MPs and are returning inventory.

    We have allowed both anonymous and Windows Intergrated authentication to the virtual directories on the DPs.  WebDAV is allowed.

    The relevant portion of the IIS log file is below :-

    Code Snippet

    2008-12-09 01:06:54 W3SVC1 10.69.105.42 HEAD /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 2 2148074254
    2008-12-09 01:06:54 W3SVC1 10.69.105.42 HEAD /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 1 0
    2008-12-09 01:06:54 W3SVC1 10.69.105.42 HEAD /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 1 64
    2008-12-09 01:06:54 W3SVC1 10.69.105.42 HEAD /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 2 2148074254
    2008-12-09 01:06:54 W3SVC1 10.69.105.42 HEAD /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 1 0
    2008-12-09 01:06:54 W3SVC1 10.69.105.42 HEAD /SMS_DP_SMSPKGP$/GLB0003B - 80 INTRANET\sysSCCMNetwork 10.82.99.1 SMS+CCM 200 0 64
    2008-12-09 01:06:54 W3SVC1 10.69.105.42 PROPFIND /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 1 0
    2008-12-09 01:06:54 W3SVC1 10.69.105.42 PROPFIND /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 1 5
    2008-12-09 01:06:54 W3SVC1 10.69.105.42 PROPFIND /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 1 0
    2008-12-09 01:06:54 W3SVC1 10.69.105.42 PROPFIND /SMS_DP_SMSPKGP$/GLB0003B - 80 INTRANET\sysSCCMNetwork 10.82.99.1 SMS+CCM 200 0 0
    2008-12-09 01:06:57 W3SVC1 10.69.105.42 PROPFIND /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 1 0
    2008-12-09 01:06:57 W3SVC1 10.69.105.42 PROPFIND /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 1 5
    2008-12-09 01:06:57 W3SVC1 10.69.105.42 PROPFIND /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 1 0
    2008-12-09 01:06:57 W3SVC1 10.69.105.42 PROPFIND /SMS_DP_SMSPKGP$/GLB0003B - 80 INTRANET\sysSCCMNetwork 10.82.99.1 SMS+CCM 200 0 0
    2008-12-09 01:07:24 W3SVC1 10.69.105.42 PROPFIND /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 1 0
    2008-12-09 01:07:24 W3SVC1 10.69.105.42 PROPFIND /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 1 5
    2008-12-09 01:07:24 W3SVC1 10.69.105.42 PROPFIND /SMS_DP_SMSPKGP$/GLB0003B - 80 - 10.82.99.1 SMS+CCM 401 1 0
    2008-12-09 01:07:24 W3SVC1 10.69.105.42 PROPFIND /SMS_DP_SMSPKGP$/GLB0003B - 80 INTRANET\sysSCCMNetwork 10.82.99.1 SMS+CCM 200 0 0

    So, the client tries to connect via it's IP address and get an 401.x HTTP error.  It then tries with the SCCMNetwork account and receives a connection.  The client then responds with a 64 message which relates to "The specified
    network name is no longer available".

    So the client just sits at "Waiting for content" until the advert expires.

    The DTS log from the client is as follows :-

    Code Snippet

    <![LOG[DTSJob {D6E4D04E-C0AA-471E-B905-250EA7D449C1} created to download from 'http://LDNPSM0001301.INTRANET.COM/SMS_DP_SMSPKGP$/GLB0003B' to 'C:\WINNT\system32\CCM\Cache\GLB0003B.2.System'.]LOG]!><time="10:11:30.815+000" date="12-09-2008" component="DataTransferService" context="" type="1" thread="548" file="datatransferservice.cpp:128">
    <![LOG[DTSJob {D6E4D04E-C0AA-471E-B905-250EA7D449C1} in state 'DownloadingManifest'.]LOG]!><time="10:11:30.815+000" date="12-09-2008" component="DataTransferService" context="" type="1" thread="2752" file="dtsjob.h:115">
    <![LOG[Error sending DAV request. HTTP code 401, status 'Unauthorized']LOG]!><time="10:11:30.924+000" date="12-09-2008" component="DataTransferService" context="" type="3" thread="3964" file="util.cpp:433">
    <![LOG[GetDirectoryList_HTTP('http://LDNPSM0001301.INTRANET.COM:80/SMS_DP_SMSPKGP$/GLB0003B') failed with code 0x80070005.]LOG]!><time="10:11:30.924+000" date="12-09-2008" component="DataTransferService" context="" type="3" thread="3964" file="util.cpp:472">
    <![LOG[Job {D6E4D04E-C0AA-471E-B905-250EA7D449C1} impersonating Network Access Account.]LOG]!><time="10:11:30.940+000" date="12-09-2008" component="DataTransferService" context="" type="1" thread="3964" file="netaccessaccount.cpp:416">
    <![LOG[Error sending DAV request. HTTP code 0, status '']LOG]!><time="10:11:31.128+000" date="12-09-2008" component="DataTransferService" context="" type="3" thread="3964" file="util.cpp:433">
    <![LOG[GetDirectoryList_HTTP('http://LDNPSM0001301.INTRANET.COM:80/SMS_DP_SMSPKGP$/GLB0003B') failed with code 0x80072f78.]LOG]!><time="10:11:31.128+000" date="12-09-2008" component="DataTransferService" context="" type="3" thread="3964" file="util.cpp:472">
    <![LOG[Job {D6E4D04E-C0AA-471E-B905-250EA7D449C1} reverted impersonation.]LOG]!><time="10:11:31.128+000" date="12-09-2008" component="DataTransferService" context="" type="1" thread="3964" file="netaccessaccount.h:94">
    <![LOG[DTSJob {D6E4D04E-C0AA-471E-B905-250EA7D449C1} in state 'DownloadingManifest'.]LOG]!><time="10:12:01.127+000" date="12-09-2008" component="DataTransferService" context="" type="1" thread="3428" file="dtsjob.h:115">
    <![LOG[Error sending DAV request. HTTP code 401, status 'Unauthorized']LOG]!><time="10:12:01.127+000" date="12-09-2008" component="DataTransferService" context="" type="3" thread="3964" file="util.cpp:433">
    <![LOG[GetDirectoryList_HTTP('http://LDNPSM0001301.INTRANET.COM:80/SMS_DP_SMSPKGP$/GLB0003B') failed with code 0x80070005.]LOG]!><time="10:12:01.127+000" date="12-09-2008" component="DataTransferService" context="" type="3" thread="3964" file="util.cpp:472">
    <![LOG[Job {D6E4D04E-C0AA-471E-B905-250EA7D449C1} impersonating Network Access Account.]LOG]!><time="10:12:01.143+000" date="12-09-2008" component="DataTransferService" context="" type="1" thread="3964" file="netaccessaccount.cpp:416">
    <![LOG[Error sending DAV request. HTTP code 0, status '']LOG]!><time="10:12:01.143+000" date="12-09-2008" component="DataTransferService" context="" type="3" thread="3964" file="util.cpp:433">
    <![LOG[GetDirectoryList_HTTP('http://LDNPSM0001301.INTRANET.COM:80/SMS_DP_SMSPKGP$/GLB0003B') failed with code 0x80072f78.]LOG]!><time="10:12:01.143+000" date="12-09-2008" component="DataTransferService" context="" type="3" thread="3964" file="util.cpp:472">
    <![LOG[Job {D6E4D04E-C0AA-471E-B905-250EA7D449C1} reverted impersonation.]LOG]!><time="10:12:01.143+000" date="12-09-2008" component="DataTransferService" context="" type="1" thread="3964" file="netaccessaccount.h:94">
    <![LOG[DTSJob {D6E4D04E-C0AA-471E-B905-250EA7D449C1} switched to location 'file:\\LDNPSM0001301.INTRANET.COM\SMSPKGP$\GLB0003B'.]LOG]!><time="10:12:01.174+000" date="12-09-2008" component="DataTransferService" context="" type="1" thread="3964" file="dtsjob.cpp:2211">
    <![LOG[DTSJob {D6E4D04E-C0AA-471E-B905-250EA7D449C1} in state 'DownloadingManifest'.]LOG]!><time="10:12:01.174+000" date="12-09-2008" component="DataTransferService" context="" type="1" thread="548" file="dtsjob.h:115">
    <![LOG[DTSJob {D6E4D04E-C0AA-471E-B905-250EA7D449C1} in state 'DownloadingManifest'.]LOG]!><time="10:12:31.174+000" date="12-09-2008" component="DataTransferService" context="" type="1" thread="2752" file="dtsjob.h:115"> 

    I guess the most interesting message is

     <![LOG[GetDirectoryList_HTTP('http://LDNPSM0001301.INTRANET.COM:80/SMS_DP_SMSPKGP$/GLB0003B') failed with code 0x80072f78.]LOG]!><time="10:12:01.143+000" date="12-09-2008" component="DataTransferService" context="" type="3" thread="3964" file="util.cpp:472">

    I've researched this error code and come back with these Technotes (which seem to tie up with the problems we've been seeing, are fairly old) 

    http://support.microsoft.com/kb/838893/

    http://support.microsoft.com/kb/885819/ 

    I have checked the version of Wininet.dll on the client and it is of a later version that the one listed in the Technote. 

    Has anyone ever seen this type of behaviour before? 

    TIA, 

    Steve. 

    Tuesday, December 9, 2008 12:09 PM

Answers

  • Is this happening on all DPs? The 2f78 error means "the server returned an invalid or unrecognized" response, and the 80070005 is an access denied error. You mentioned you were using a SMS2003 client, are your ConfigMgr 2007 clients working properly? Is this only affecting workgroup clients?

    I also am pretty sure that we don't support manually setting any options on the DP other than ensuring the WebDAV settings are correct. It's possible that a setting that was changed may have rendered the DP inoperable. You may want to try reinstalling the DP. If there's certain files as part of the package that are in the list of restricted extensions (.config, .cs, and others), this may also cause the DP to return an error (this is on Windows 2008, so this may not be applicable to your environment).

    I'm just throwing some ideas out there, so I'm not sure how helpful any of these will be.

    Monday, June 15, 2009 4:18 PM
    Moderator

All replies


  • Just putting a link here to a thread I have with the same issue.

    http://social.technet.microsoft.com/Forums/en-US/configmgrsetup/thread/407a9cb0-9558-45ea-a52a-5f2a8169f008  (same issue part way down the blog)

    IronPaw
    Monday, March 30, 2009 4:08 AM

  • Maybe I'll out it here too


    Indeed it is a little complicated.  After closing off my ports and doing some testing http is not being used (though I am pretty sure it was testing last week perhaps it was a combo).  All clients I've looked at have the same issues ans the unanswered thread here: 

    http://social.technet.microsoft.com/Forums/en-US/configmgrswdist/thread/befaa06b-684c-4d22-b3bf-c2667d167288/

    It seems the client cannot connect to IIS (gets 401) tries the Network Access Account (looks fine in IIS logs) and on the SCCM side goes nowhere and reverts to SMB.  I get the reverting all good.  I'm still not sure what the HTTP issues are though.  My Client installed well with Just HTTP (as you say above I copied files to server and installed with command lines).  However the apps sat forever in downloading content as SMB was blocked and HTTP Failed.

    Some logs
    DataTransferService.log

    CAutoImpersonate::ImpersonateUser DataTransferService 30/03/2009 2:05:50 p.m. 3844 (0x0F04)
    Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f78 DataTransferService 30/03/2009 2:05:50 p.m. 3844 (0x0F04)
    [CCMHTTP] HTTP ERROR: URL=http://<FQDN_OF_SCCM_SERVER>:80/SMS_DP_SMSPACKAGES/TEST/TEST APP - 1.7.0L - 1, Port=80, Protocol=http, SSLOptions=0, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE DataTransferService 30/03/2009 2:05:50 p.m. 3844 (0x0F04)
    Raising event:

    instance of CCM_CcmHttp_Status
    {
     ClientID = "GUID:9745B5E0-65C8-4DF4-B475-FC245496F132";
     DateTime = "20090330010550.613000+000";
     HostName = "<FQDN_OF_SCCM_SERVER>";
     HRESULT = "0x80072f78";
     ProcessID = 2320;
     StatusCode = 0;
     ThreadID = 3844;
    };
     DataTransferService 30/03/2009 2:05:50 p.m. 3844 (0x0F04)
    Error sending DAV request. HTTP code 0, status '' DataTransferService 30/03/2009 2:05:50 p.m. 3844 (0x0F04)

    GetDirectoryList_HTTP('http://<FQDN_OF_SCCM_SERVER>:80/SMS_DP_SMSPACKAGES/TEST/TEST APP - 1.7.0L - 1') failed with code 0x80072f78. DataTransferService 30/03/2009 2:05:50 p.m. 3844 (0x0F04)

    CDTSJob::ProcessManifestCallback - processing manifest for job '{9C0EBD69-072E-4BE0-AEEE-23523FBE8657}'. DataTransferService 30/03/2009 2:05:50 p.m. 3844 (0x0F04)
    Non-recoverable error retrieving manifest (0x80072f78). DataTransferService 30/03/2009 2:05:50 p.m. 3844 (0x0F04)

    CDTSJob::_NotifyStatus DataTransferService 30/03/2009 2:05:50 p.m. 3844 (0x0F04)
    CDataTransferService::ModifyJobSourceImpl({9C0EBD69-072E-4BE0-AEEE-23523FBE8657}, file:\\<FQDN_OF_SCCM_SERVER>\SMSPACKAGES\TEST\TEST APP - 1.7.0L - 1, 8) DataTransferService 30/03/2009 2:05:50 p.m. 3560 (0x0DE8)
    Retrieving existing BITS job for DTS job {9C0EBD69-072E-4BE0-AEEE-23523FBE8657}. DataTransferService 30/03/2009 2:05:50 p.m. 3560 (0x0DE8)

    CDTSJob::ModifySource(JobID={9C0EBD69-072E-4BE0-AEEE-23523FBE8657}, Old="http://<FQDN_OF_SCCM_SERVER>:80/SMS_DP_SMSPACKAGES/TEST/ TEST APP - 1.7.0L - 1", New="file:\\<FQDN_OF_SCCM_SERVER>\SMSPACKAGES\TEST\ TEST APP - 1.7.0L - 1") DataTransferService 30/03/2009 2:05:50 p.m. 3560 (0x0DE8)
    CDTSJob::ModifySource : Start processing manifest. DataTransferService 30/03/2009 2:05:50 p.m. 3560 (0x0DE8)
    DTSJob {9C0EBD69-072E-4BE0-AEEE-23523FBE8657} switched to location 'file:\\<FQDN_OF_SCCM_SERVER>\SMSPACKAGES\TEST\TEST APP - 1.7.0L - 1'. DataTransferService 30/03/2009 2:05:50 p.m. 3560 (0x0DE8)
    In CDataTransferService::Resume DataTransferService 30/03/2009 2:05:50 p.m. 3560 (0x0DE8)
    Execute called for DTS job '{9C0EBD69-072E-4BE0-AEEE-23523FBE8657}'.  Current state: 'DownloadingManifest'. DataTransferService 30/03/2009 2:05:50 p.m. 5504 (0x1580)

     CCMSETUP  (showing the client gets bits to the computer)
    <![LOG[Successfully downloaded client files via BITS.]LOG]


    IIS Logs

    2009-03-30 03:21:01 W3SVC1 10.1.1.101 PROPFIND /SMS_DP_SMSPACKAGES/TEST/APP+NAME+-+4+-+1 - 80 CORP\COMPUTER$ 10.1.1.11 SMS+CCM 200 0 0
    2009-03-29 19:39:11 W3SVC1 10.1.1.101 HEAD /CCM_Client/x64/WindowsUpdateAgent30-x64.exe - 80 - 10.1.1.11 Microsoft+BITS/7.0 200 0 0


    LocationServices.log

    Calling back with the following distribution points LocationServices 30/03/2009 4:21:00 p.m. 3380 (0x0D34)
    Distribution Point='http://<FQDN_OF_SCCM_SERVER>\/SMS_DP_SMSPACKAGES/TEST/KB PROSPER - 4 - 1/', Locality='LOCAL', DPType='SERVER', Version='5931', Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="WOL" Version="1"/></Capabilities>', Signature='http://<FQDN_OF_SCCM_SERVER>\/SMS_DP_SMSSIG$/XXX00108.2.tar' LocationServices 30/03/2009 4:21:00 p.m. 3380 (0x0D34)
    Distribution Point='\\<FQDN_OF_SCCM_SERVER>\\SMSPACKAGES\TEST\AppName - 4 - 1\', Locality='LOCAL', DPType='SERVER', Version='5931', Capabilities='<Capabilities SchemaVersion="1.0"><Property Name="WOL" Version="1"/></Capabilities>', Signature='' LocationServices 30/03/2009 4:21:00 p.m. 3380 (0x0D34)



    The FileBITS.log seems happy for the files that fell back to SMB

    Copied file '\\<FQDN_OF_SCCM_SERVER>\SMSPACKAGES\TEST\APPNAME - 4 - 1/Package\Program Files\Prosper\Prosper.exe' to 'C:\Windows\system32\CCM\Cache\KB100108.2.System\Package\Program Files\Prosper\Prosper.exe' FileBITS 30/03/2009 4:21:46 p.m. 5420 (0x152C)
    Copied file '\\<FQDN_OF_SCCM_SERVER>\SMSPACKAGES\TEST\APPNAME - 4 - 1/Package\Program Files\Prosper\eAppGateway.dll' to 'C:\Windows\system32\CCM\Cache\KB100108.2.System\Package\Program Files\Prosper\eAppGateway.dll' FileBITS 30/03/2009 4:21:46 p.m. 5420 (0x152C)
    FileCopyJob {B8A5647D-00E2-4C39-B5E8-09AEBA1B672D} successfully copied files. FileBITS 30/03/2009 4:21:46 p.m. 5420 (0x152C)



    So its almost like half the system seems happy it just doesnt Bits down packages using HTTP.  My guess is around IIS and resetting permissions.
    Any help is very appreciated.

    Short points:
    SCCM client installs file with firewall on and SMB locked out (seems to bits down client fine)
    I turned on anonymouse access for Directory Security (and Windows Intergrated) for the IIS share the packages are sitting in (cust folder name)
    In testing I added the Network Access Account to SCCM Admins and the Administrators group on the SCCM server (made no difference so I removed it)

    BT


    IronPaw
    Monday, March 30, 2009 9:49 PM
  • Is this happening on all DPs? The 2f78 error means "the server returned an invalid or unrecognized" response, and the 80070005 is an access denied error. You mentioned you were using a SMS2003 client, are your ConfigMgr 2007 clients working properly? Is this only affecting workgroup clients?

    I also am pretty sure that we don't support manually setting any options on the DP other than ensuring the WebDAV settings are correct. It's possible that a setting that was changed may have rendered the DP inoperable. You may want to try reinstalling the DP. If there's certain files as part of the package that are in the list of restricted extensions (.config, .cs, and others), this may also cause the DP to return an error (this is on Windows 2008, so this may not be applicable to your environment).

    I'm just throwing some ideas out there, so I'm not sure how helpful any of these will be.

    Monday, June 15, 2009 4:18 PM
    Moderator
  • Marking Adam's reply as the answer - IronPaw/Steve if you disagree please change back.
    Wednesday, July 1, 2009 9:52 PM
    Moderator
  • I know this is a very old post but I just helped someone with the same symptoms and there was a third party software causing issues with the download. We simply found this by turning off all MSFT services and disabling startup (also known as a clean boot) and retrying with success. If you are in an enterprise environment and find yourself in this state and cannot disable all services (AV and firewall software may not allow you to properly disable) then build a test machine from a fresh Windows image (from the ISO) and try again. 
    Monday, April 20, 2020 6:21 PM