Solved

SCCM Admin Console Not Using Packet Privacy

Posted on 2011-09-29
13
3,761 Views
Last Modified: 2013-11-21
Alright, this has been mind boggling for me.

I have SCCM installed on a server and I am using a remote admin console.  Before I upgraded to SCCM SP2, I had not issues.

I upgraded the server to SP2, then my remote admin console could not see advertisements.  I found that I had to run the SP2 install on my admin machine to be able to upgrade the console to sp2 and the advertisements would appear.  Low and behold, it worked.

Now, a day after the install, just like the last time, the remote admin console cannot see the status messages.  Everything else works perfectly fine.  After much investigation, it seems that the remote admin console is no longer using Pkt_Privacy when it tries to run a query against the \\sccm\root\sms\site_OFC namespace.  OFC being my site code.

How I tracked this down is on the server, an error shows up in the event log saying the access denied, not using Pkt_Privacy.

So, on my remote admin machine, I run wbemtest and connect to the WMI path above and try to enumerate the classes.  Access denied... UNLESS, on the connection window, I select the radio button for Pkt_Privacy, then it works fine.

Doing this, it tells me that the SP2 console upgrade broke something.  I have tried uninstalling and re-installing many times and many different ways, even a fresh install from the SP2 upgrade files and not even installing the original first.

I have also checked all of the DCOM permissions, followed the MS article on how to troubleshoot the admin console and did the long reset of the WMI tree.

So, I guess my question is, how do I get this remote admin console to start using Pkt_Privacy?

I didn't see a category for MS Systems Center products so, I chose what I thought may make sense.

Error on the server:

Event Type:      Error
Event Source:      WinMgmt
Event Category:      None
Event ID:      5605
Date:            9/27/2011
Time:            3:02:14 PM
User:            N/A
Computer:      SCCM
Description:
Access to the root\sms\site_OFC namespace was denied. The namespace is marked with RequiresEncryption but the client connection was  attempted with an authentication level below Pkt_Privacy. Re try the connection using Pkt_Privacy authentication level.  

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
Comment
Question by:cefranklin
  • 8
13 Comments
 
LVL 8

Expert Comment

by:MarkieS
ID: 36903398
"WMI normally runs in a shared service host and shares the same authentication as other processes in the host. If you want to run the WMI process with a different level of authentication, run WMI with the winmgmt command with the /standalonehost switch and set the authentication level for WMI generally. For more information, see Maintaining WMI Security."

Does this sound like any use?  http://msdn.microsoft.com/en-us/library/aa393618.aspx

I would also suggest you apply all Microsoft patches and .Net installs to your Remote Console.

Sorry this isn't any "direct" assistance, only suggestions.
0
 
LVL 2

Author Comment

by:cefranklin
ID: 36906005
That didn't help as it only changed my WMI security level.  Also, the article says it does not work on Windows Server 2003.

I am still leaning towards the statusviewer.exe is the culprit not using Pkt_Privacy.
0
 
LVL 2

Author Comment

by:cefranklin
ID: 36925426
I went back into DCOM and added Everyone to the computer and the WMI and SMS stuff.  No change.  Double checked the SMS Admin group and I was in it and so was my machine. No change so I added Everyone full control to everything I could think of/find and no change.

I am going to say this is a Microsoft "feature"?
0
 
LVL 2

Author Comment

by:cefranklin
ID: 37030970
Well, no answer to this question.  I called MS and their suggestion was to re-install the whole dang system. No thanks, I can deal and just remote desktop into the SCCM server if I want to view messages...
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 2

Author Comment

by:cefranklin
ID: 37055369
Please state your reason for accepting your own comment as the solution.

Because no one else answered it.  I will just RDP into the server :(
0
 
LVL 2

Author Comment

by:cefranklin
ID: 37642032
For anyone else looking for resolution to this, I ended up re-installing the whole shebang and that did not fix the problem. Don't waste your time on MS solution.
0
 
LVL 2

Author Comment

by:cefranklin
ID: 37762106
Alright, just to update this for anyone else who finds this,...

Upgrade to SP1, install the SP1 console on remote admin station. Start both consoles, close them, then re-open them and clear the option files "File > Options > Delete the data"

Do the same thing with SP2.  I think you will have to redo the permissions on your System container to add your sccm machine for full control and select advanced > this folder and all subfolders.
0
 
LVL 2

Author Comment

by:cefranklin
ID: 37832657
Sigh, alright, now it's not working again. Yay.
0
 
LVL 2

Accepted Solution

by:
cefranklin earned 0 total points
ID: 37833324
Found something that works! Finally. Adapted from here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03048784&lang=en&cc=us&taskId=101&prodSeriesId=341291&prodTypeId=15351

SUPPORT COMMUNICATION - CUSTOMER ADVISORY
Document ID: c03048784

Version: 1

Advisory: HP Systems Insight Manager - A WMI Event 5605 Is Triggered on HP ProLiant Servers Running Windows Server 2008 R2 Cluster Nodes With HP Systems Insight Manager and WMI Mapper
NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.
Release Date: 2011-10-07

Last Updated: 2011-10-07


--------------------------------------------------------------------------------

DESCRIPTION
When HP Systems Insight Manager (HP SIM) Version 6.x (or earlier) is used to manage a Windows Server 2008 R2 cluster using WMI Mapper versions 2.6.4.3, 2.7.0.0, 2.7.1.0, or 6.3 located on either the CMS or on a proxy node, the application log of the cluster in the Windows Event Viewer displays Warning Events for WMI with Event ID 5605 as shown in the example below. The error message reads as follows:

The root\MSCluster namespace is marked with the RequiresEncryption flag. Access to this namespace might be denied if the script or application does not have the appropriate authentication level. Change the authentication level to Pkt_Privacy and run the script or application again.

This issue occurs because WMI Mapper uses the authentication level "Packet" for a connection to WMI; however, it uses the authentication level "Packet Privacy" while fetching data. Therefore, every time WMI Mapper connects to the root/mscluster namespace in a cluster, this warning message will be logged in the Event viewer.

The warning messages are triggered under any of the following circumstances:

When HP SIM is in discovery of a cluster
When Cluster Manager is running from the HP SIM user interface
When daily identification tasks are enabled for the cluster
When the hardware status is polled every 30 minutes by default, or a time interval configured by the user
SCOPE
Any HP ProLiant server with HP Systems Insight Manager 6.x (or earlier), HP Insight Control Management Software Version 6.x (or earlier), WMI Mapper 2.6.4.3, 2.7.0.0, 2.7.1.0, or 6.3, and Windows Server 2008 R2 running a failover cluster.

RESOLUTION
The issue will be corrected in a future release of HP SIM and WMI Mapper. This advisory will be updated when more information is available.

This event can safely be ignored, and this notification does not cause any issues with functionality when the error states that a lower privileged access to the WMI namespace root/mscluster may be denied.

As a workaround, reduce the privilege of the root\mscluster namespace by performing the following steps:

Begin at Start -> Run -> wbemtest.exe on the cluster node.


Click on Connect and enter "root\mscluster" on the top-most tab and click Connect.
COMMENTS: For SCCM, you will connect to root\sms\site_<LocationCode>


Click on "Open Class" button and type:

"__SystemSecurity"

This will open up an object browser for the "__SystemSecurity" class.


In the object browser click on the button "Instances," there should be only a single instance such as "__SystemSecurity=@".


Double-click on this instance, this will open up another object browser for the instance, under the "Qualifiers" section.


Change "RequiresEncryption" to FALSE. Save the object and exit wbemtest.

-------------------------------------------------------

This worked for me, now, if I reboot and it doesn't stick, I guess I will have to modify the superclass and save it lol.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
SSL RA VPN 7 77
Wireshark 7 54
Event ID: 7023 / Source: Service Control Manager 4 51
Use of Training Budget 12 68
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Technology opened people to different means of presenting information, but PowerPoint remains to be above competition. Know why PPT still works today.
The viewer will learn how to use the =DISCRINV command to create a discrete random variable, use this command to model a set of probabilities and outcomes in a Monte Carlo simulation, and learn how to find the standard deviation of a set of probabil…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now