SCOM Agent installation / upgrade with account in Protected Users
Hello,
I have a question about SCOM push agent install / upgrade.
Have you already tried to install the SCOM agent with an account in the Protected Users group?
When I check in the log, I see one event with NTLMv2 authentication:
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128
And with an account that is a member of Protected Users, the push agent install fails with Access Denied.
Do you have any solution for this issue?
Thanks in advance.
Best Regards,
4 answers
Sort by: Most helpful
-
CyrAz 5,181 Reputation points
2021-02-22T19:01:35.273+00:00
Well, accounts that are members of Protected Users can't log on using NTLM authentication, so that explains the issue (cf. https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group#domain-controller-protections-for-protected-users )
Now the question is "why is it using NTLM instead of Kerberos", and that could be for any number of reasons... Maybe the solution to that post could help you: https://social.technet.microsoft.com/Forums/en-US/576a0edc-9a03-4504-b089-47de3a091a20/scom-2016-pushing-agents-without-ntlm-?forum=operationsmanagerdeployment
-
System Center guy 686 Reputation points
2021-02-23T04:47:18.337+00:00
Accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:
- Authenticate with NTLM authentication.
- Use DES or RC4 encryption types in Kerberos pre-authentication.
- Be delegated with unconstrained or constrained delegation.
- Renew the Kerberos TGTs beyond the initial four-hour lifetime.
In view of this, that is why you see the NTLM error with Access Denied.
You may consider using another user account that has administrative privileges on the targeted computers.
Roger
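Added example, not code from this thread, from SCOM or from Microsoft: a PowerShell check that confirms, for a given install account and push target, the two facts the answers above rely on, namely that the account is a member of Protected Users and that the target's Security log shows that account arriving over NTLM (Logon Process NtLmSsp, Authentication Package NTLM, as in the event quoted in the question) instead of Kerberos. It assumes the RSAT ActiveDirectory module is installed, that you can read the Security log on the target remotely, and it uses placeholder names: the function name Test-ProtectedUserNtlmLogon and the account 'svc-scom-install' are mine; 'ServerName.domain.local' is the host name shown in the thread.

```powershell
# Added example (not from the thread, SCOM or Microsoft). Checks whether an
# install account is in Protected Users and whether the push target logged
# NTLM (NtLmSsp) logon attempts for it, which together is the failing
# combination described in the thread.
# Assumptions: RSAT ActiveDirectory module available, remote Security log
# read access to the target, placeholder account / computer names.
function Test-ProtectedUserNtlmLogon {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. 'svc-scom-install' (placeholder)
        [Parameter(Mandatory)] [string] $ComputerName,     # e.g. 'ServerName.domain.local' (placeholder)
        [int] $Hours = 24
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # (1) Protected Users is a well-known group with RID 525; resolve it by SID so
    #     the check does not depend on the group's display name or the DC locale.
    #     Direct membership is what is checked here.
    $domainSid      = (Get-ADDomain).DomainSID.Value
    $protectedUsers = Get-ADGroup -Identity "$domainSid-525"
    $user           = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $isProtected    = $user.MemberOf -contains $protectedUsers.DistinguishedName

    # (2) Pull logon successes (4624) and failures (4625) for the account from the
    #     target and flatten the EventData fields. An account pushed to over NTLM
    #     shows AuthenticationPackageName = NTLM and LogonProcessName = NtLmSsp.
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }
            [pscustomobject]@{
                Time         = $_.TimeCreated
                EventId      = $_.Id
                User         = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType    = $data.LogonType
                LogonProcess = $data.LogonProcessName          # 'NtLmSsp' in the question's event
                AuthPackage  = $data.AuthenticationPackageName # 'NTLM' or 'Kerberos'
                NtlmVersion  = $data.LmPackageName             # 'NTLM V2' in the question's event
                KeyLength    = $data.KeyLength
                SourceIp     = $data.IpAddress
                Status       = $data.Status                    # only populated on 4625
            }
        } |
        Where-Object { $_.User -like "*\$SamAccountName" }

    $ntlm     = @($events | Where-Object { $_.AuthPackage -eq 'NTLM' })
    $kerberos = @($events | Where-Object { $_.AuthPackage -eq 'Kerberos' })

    [pscustomobject]@{
        Account            = $SamAccountName
        Target             = $ComputerName
        InProtectedUsers   = $isProtected
        NtlmLogonAttempts  = $ntlm.Count
        KerberosLogons     = $kerberos.Count
        # Protected Users member + NTLM attempts is exactly the thread's failure case.
        MatchesThreadIssue = ($isProtected -and $ntlm.Count -gt 0)
        NtlmEvents         = $ntlm
    }
}

# Usage (placeholder names):
# Test-ProtectedUserNtlmLogon -SamAccountName 'svc-scom-install' -ComputerName 'ServerName.domain.local' | Format-List
```

Run it from a management server or admin workstation as a user that can read the target's Security log; if MatchesThreadIssue comes back True you have reproduced the situation in the thread, and the NtlmEvents property shows the source IP and logon type of each NTLM attempt so you can see which hop fell back from Kerberos.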
-
Bauzone, Jonathan 1 Reputation point
2021-02-23T17:14:03.57+00:00
Thanks for your answers, I know that when a user is in Protected Users they can't log on using NTLM.
But my question is why the SCOM push client uses NTLMv2; is it by design?
The Operations Manager Server cannot process the install/uninstall request for computer ServerName.domain.local due to failure of operating system version verification.
Operation: Agent Install
Install account: Domain\UserName
Error Code: 80070005
Error Description: Access is denied.
Thanks in advance ;)
-
BAUZONE Jonathan 1 Reputation point
2021-03-08T07:57:03.537+00:00
Hi all, we have checked on other SCOM environments, same result... Agent push uses NTLM, which is not compatible with Protected Users ;)
Have a good day and thanks everybody.