Access denied against DP for untrusted clients

  • Question

  • Hi,

    I have an SCCM 2012 R2 environment.

    There are a few clients in an untrusted domain behind a firewall.
    DPs and MPs are not configured for SSL. The following ports have been opened to the MP and DPs:
    TCP 80
    TCP 10123
    TCP 2710

    DNS or AD for the untrusted servers have not been extended with SCCM data.

    Clients were installed on the untrusted servers using the SMSMP switch.
    After installation the clients appeared in SCCM and were manually approved.
    Boundaries exist for the clients, associated with the correct boundary group for site system assignment.

    Since installation the clients have successfully discovered MPs and DPs and performed inventories.

    There is however a problem with software deployment.
    The clients try to download content as expected from the correct DPs; however, the log files show 80070005, therefore access denied.

    There is a network access account configured for the site, which definitely works because we have no OSD issues.

    Am I right in thinking that these untrusted clients should revert to using the network access account when they get an access denied?
    If so, what may prevent them from doing this?

    Thanks,

    Jim

    Monday, January 12, 2015 9:30 AM

Answers

  • Enabling anonymous access on the DP is a workaround that generally works for scenarios such as what you've described. Unfortunately, no one (in the community at least) knows why it sometimes becomes necessary when things were working fine previously. I've run into it in my lab before and have seen others on the forums run into it also -- I flattened my lab and started over and have never had the issue again, as it really should not be the case.

    It's possible some IIS permission has been changed or a policy was applied somewhere that "tightened" or changed default security.

    Have you reviewed the IIS log files on the DP? They may give clues. Alternatively, it's possible your AV is getting in the way on one particular file -- the IIS logs could help you narrow down which file it is having issues with. They will also tell you the account being used, which may help you determine what's going on.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Joyce L Friday, January 16, 2015 8:00 AM
    • Marked as answer by Joyce L Monday, January 19, 2015 10:02 AM
    Wednesday, January 14, 2015 3:34 PM
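The DP-side triage Jason describes (read the IIS logs, see which account the client presented and which files were refused, then check whether IIS itself is configured to accept that account) can be scripted. The following PowerShell is an added example, not code from the thread or from Configuration Manager: it parses IIS W3C log lines, summarises 401 responses against the SMS_DP_SMSPKG$ directory by account and sub-status, and, on a real DP, reports whether Anonymous and Windows authentication are enabled on that virtual directory. The sample log lines are constructed, and the W3C field order, the site name 'Default Web Site' and the log path are assumptions, not taken from the thread.

```powershell
# Added example (not part of the original thread): triage "access denied" DP
# downloads from the DP side using the IIS W3C logs and IIS configuration.
# Assumptions not taken from the thread: the #Fields order below, the sample
# log lines, the IIS site name 'Default Web Site' and the log directory.

# Constructed sample W3C log lines. A cs-username of '-' means the request carried
# no credential; sc-status 401 / sc-substatus 2 is IIS "401.2: Logon failed due to
# server configuration", i.e. no enabled authentication module accepted the request.
$SampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-01-11 02:06:58 10.0.0.10 GET /SMS_DP_SMSPKG$/xxx00043 - 80 - 192.0.2.50 SMS+CCM+5.0 401 2 5 15
2015-01-11 02:06:59 10.0.0.10 GET /SMS_DP_SMSPKG$/xxx00043 - 80 - 192.0.2.50 SMS+CCM+5.0 401 2 5 0
2015-01-11 02:07:10 10.0.0.10 GET /SMS_DP_SMSPKG$/xxx00012 - 80 CONTOSO\svc-naa 10.0.0.77 SMS+CCM+5.0 200 0 0 31
'@

# Turn W3C log lines into objects, using the #Fields header for property names.
function ConvertFrom-W3CLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        # Skip lines that do not match the declared field list (truncated or foreign format).
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

# Summarise refused content requests: who asked, for what, and how IIS refused it.
#   401.2 with account '-'  : client never presented usable credentials (client/NAA side)
#   401.3 with a real account: credentials accepted but the NTFS ACL on the content denied it
function Get-DPAccessDenied {
    param([Parameter(Mandatory)][object[]]$Records)
    $Records |
        Where-Object { $_.'cs-uri-stem' -like '/SMS_DP_SMSPKG$/*' -and $_.'sc-status' -eq '401' } |
        Group-Object 'cs-username', 'sc-substatus', 'cs-uri-stem' |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $_.Group[0].'cs-username'
                SubStatus = "401." + $_.Group[0].'sc-substatus'
                Uri       = $_.Group[0].'cs-uri-stem'
                Hits      = $_.Count
            }
        } | Sort-Object Hits -Descending
}

# Run on the DP itself: which IIS authentication modules are enabled on the content
# directory. Windows authentication must be on for the network access account to be
# usable; anonymous access is the workaround discussed in the thread.
function Get-DPAuthenticationState {
    param(
        [string]$Site = 'Default Web Site',                      # assumption
        [string[]]$VirtualDirectories = @('SMS_DP_SMSPKG$')
    )
    Import-Module WebAdministration -ErrorAction Stop
    foreach ($vdir in $VirtualDirectories) {
        $path = "IIS:\Sites\$Site\$vdir"
        $anon = Get-WebConfigurationProperty -PSPath $path -Name enabled `
                    -Filter 'system.webServer/security/authentication/anonymousAuthentication'
        $win  = Get-WebConfigurationProperty -PSPath $path -Name enabled `
                    -Filter 'system.webServer/security/authentication/windowsAuthentication'
        [pscustomobject]@{
            VirtualDirectory   = $vdir
            AnonymousEnabled   = [bool]$anon.Value
            WindowsAuthEnabled = [bool]$win.Value
        }
    }
}

# Offline run against the constructed sample.
$records = ConvertFrom-W3CLog -Lines ($SampleLog -split "`r?`n")
Get-DPAccessDenied -Records $records | Format-Table -AutoSize

# On a real DP, point at the day's log and also check the IIS authentication state:
# $records = ConvertFrom-W3CLog -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex150111.log')
# Get-DPAccessDenied -Records $records | Format-Table -AutoSize
# Get-DPAuthenticationState | Format-Table -AutoSize
```

Against the sample, the summary shows two 401.2 hits for /SMS_DP_SMSPKG$/xxx00043 with no account presented, which is the pattern Jim reports. If Windows authentication is enabled on the directory and the refused rows still show '-' as the account, the client side never sent network access account credentials and the investigation belongs on the client; 401.3 rows naming the account instead point at file permissions on the DP.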

All replies

  • Correct. That's the entire purpose for the network access account.

    Can you post the entire, unedited, and relevant snippet of the log file containing the error code please?

    Are these Win 7 clients? If so, you will need to apply the hotfix from http://support.microsoft.com/kb/2522623 to these clients. Reference: http://blog.configmgrftw.com/configmgr-2012-application-installation-failures/


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, January 12, 2015 1:36 PM
  • Hi Jason,

    The clients are running Server 2012 R2.

    Here are some log snippets with server names and site codes edited.

    CAS.LOG

    Location update from CTM for content xxx00043.2 and request {D6BA950D-1DB5-4FDE-8B61-C73A3D4A96A6} ContentAccess 11/01/2015 02:06:57 5392 (0x1510)
    Download location found 0 - http://server1/SMS_DP_SMSPKG$/xxx00043 ContentAccess 11/01/2015 02:06:57 5392 (0x1510)
    Download location found 1 - http://server2/SMS_DP_SMSPKG$/xxx00043 ContentAccess 11/01/2015 02:06:57 5392 (0x1510)
    Download location found 2 - http://server3/SMS_DP_SMSPKG$/xxx00043 ContentAccess 11/01/2015 02:06:57 5392 (0x1510)
    Download request only, ignoring location update ContentAccess 11/01/2015 02:06:57 5392 (0x1510)
    Download started for content xxx00043.2 ContentAccess 11/01/2015 02:06:57 3872 (0x0F20)
    Download failed for content xxx00043.2 under context System, error 0x80070005 ContentAccess 11/01/2015 02:06:58 5392 (0x1510)
    Download failed for download request {D6BA950D-1DB5-4FDE-8B61-C73A3D4A96A6} ContentAccess 11/01/2015 02:06:58 5392 (0x1510)
    Raising event:
    [SMS_CodePage(850), SMS_LocaleID(2057)]
    instance of SoftDistDownloadFailedEvent
    {
     ClientID = "GUID:820D9280-13A5-4295-9250-CF675073FF35";
     DateTime = "20150111020658.235000+000";
     MachineName = "client";
     PackageId = "xxx00043";
     PackageName = "xxx00043";
     PackageVersion = "2";
     ProcessID = 4188;
     SiteCode = "S01";
     ThreadID = 5392;
    };
     ContentAccess 11/01/2015 02:06:58 5392 (0x1510)
    Successfully raised Download Failed event. ContentAccess 11/01/2015 02:06:58 5392 (0x1510)

    ContentTransferManager.log

    Starting CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571}. ContentTransferManager 11/01/2015 06:06:58 6528 (0x1980)
    Created CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} for user S-1-5-18 ContentTransferManager 11/01/2015 06:06:58 6528 (0x1980)
    Created and Sent Location Request '{0D80A8A2-2E69-47E6-9E22-419F6612DB85}' for package xxx00043 ContentTransferManager 11/01/2015 06:06:58 4672 (0x1240)
    CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 11/01/2015 06:06:58 4672 (0x1240)
    Queued location request '{0D80A8A2-2E69-47E6-9E22-419F6612DB85}' for CTM job '{369AA46C-CF9F-4DD2-AE50-45874D28F571}'. ContentTransferManager 11/01/2015 06:06:58 4672 (0x1240)
    Persisted locations for CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571}:
     (LOCAL) http://server1/SMS_DP_SMSPKG$/xxx00043
     (LOCAL) http://server2/SMS_DP_SMSPKG$/xxx00043
     (LOCAL) http://server3/SMS_DP_SMSPKG$/xxx00043 ContentTransferManager 11/01/2015 06:06:58 6132 (0x17F4)
    CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} (corresponding DTS job {4E1EF8CA-6985-4D42-99F0-3107B7589CA6}) started download from 'http://server1/SMS_DP_SMSPKG$/xxx00043' for full content download. ContentTransferManager 11/01/2015 06:06:58 6132 (0x17F4)
    CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 11/01/2015 06:06:59 3204 (0x0C84)
    CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} switched to location 'http://server2/SMS_DP_SMSPKG$/xxx00043' ContentTransferManager 11/01/2015 06:06:59 3204 (0x0C84)
    CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 11/01/2015 06:06:59 6528 (0x1980)
    CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} switched to location 'http://server3/SMS_DP_SMSPKG$/xxx00043' ContentTransferManager 11/01/2015 06:06:59 4672 (0x1240)
    CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} entered phase CCM_DOWNLOADSTATUS_DOWNLOADING_DATA ContentTransferManager 11/01/2015 06:06:59 304 (0x0130)
    CTM job {369AA46C-CF9F-4DD2-AE50-45874D28F571} encountered error 0x80070005 during download ('Error processing manifest.')- The error maps to denied access. ContentTransferManager 11/01/2015 06:06:59 6528 (0x1980)

    Let me know if any other specific log files will give more clues

    Thanks,

    Jim

    Monday, January 12, 2015 2:06 PM
  • Well, there is a one off weird issue that happens on occasion. Try enabling anonymous access to your DP (on the general page) and see if that corrects the client download problem.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, January 12, 2015 2:19 PM
  • Hi Jason,

    I am sure that enabling DP anonymous access will fix the issue, as I can see the requests reaching IIS in the logs with a 401.2 response.

    The problem I have is I cannot quickly try that due to a tightly controlled environment where a change request/approval will be needed.
    I also do not want anonymous enabled for security reasons, especially considering these clients are in a DMZ.

    Ideally I would like to understand why the clients are not reverting to using the network access account, and then to resolve this.

    Thanks,

    Jim

    Tuesday, January 13, 2015 8:33 AM
  • Hi Jim,

    Please confirm the option "Specify the account that accesses network locations" is checked instead of "Use the computer account of the Configuration Manager client" on the Network Access Account tab of Software Distribution Component Properties.

    Best Regards,

    Joyce

    Tuesday, January 13, 2015 10:45 AM
  • Hi Joyce,

    The option "Specify the account that accesses network locations" is checked.

    Tuesday, January 13, 2015 2:08 PM
  • Hi,

    Does anyone else have any suggestions about why the network access account is not being used for DP access from untrusted clients behind a firewall?

    Thanks

    Wednesday, January 14, 2015 9:03 AM