JonathanBAUZONE-4020 asked:

SCOM Agent installation / upgrade with account in Protected Users

Hello,

I have a question about the SCOM push agent install / upgrade.
Have you already tried to install the SCOM Agent with an account that is a member of the Protected Users group?
When I check the log, I see one event with NTLMv2 authentication:
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128

And with an account that is a member of Protected Users, the push agent install fails with Access Denied.

Do you have any solution for this issue?
Thanks in advance.

Best Regards,

Tags: windows-active-directory, msc-operations-manager-general

CyrilAzoulay answered:

Well, accounts that are members of Protected Users can't log on using NTLM authentication, so that explains the issue (cf. https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group#domain-controller-protections-for-protected-users ).
Now the question is "why is it using NTLM instead of Kerberos?", and that could be for any number of reasons... Maybe the solution in this post could help you: https://social.technet.microsoft.com/Forums/en-US/576a0edc-9a03-4504-b089-47de3a091a20/scom-2016-pushing-agents-without-ntlm-?forum=operationsmanagerdeployment


RogerXue-3369 answered:

Accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:

  • Authenticate with NTLM authentication.

  • Use DES or RC4 encryption types in Kerberos pre-authentication.

  • Be delegated with unconstrained or constrained delegation.

  • Renew the Kerberos TGTs beyond the initial four-hour lifetime.

In view of this, that is why you see an Access Denied error on the NTLM logon.
You may consider using another user account that has administrative privileges on the targeted computers.

Roger

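The two answers above say the same thing: a Protected Users member is refused any NTLM logon, so the first thing to establish is which host the management server is actually authenticating to with NTLM and whether the install account really is in that group. The following PowerShell is an added example, not code from the thread or from SCOM: it parses the Security log fields quoted in the question (Event ID 4624/4625, `AuthenticationPackageName`, `LmPackageName`, `WorkstationName`, `IpAddress`) from each target, keeps the NTLM logons for the install account, and checks group membership by the well-known RID 525 of Protected Users. The account name, domain, target computer and the embedded sample event are constructed placeholders; the membership check assumes the RSAT ActiveDirectory module is installed where the script runs.

```powershell
# Added example (not from the original thread or from SCOM).
# Placeholders taken from the post; replace with real values.
$InstallAccount = 'UserName'                        # assumption: sAMAccountName of the install account
$Computers      = @('ServerName.domain.local')      # assumption: agent targets whose Security log we read

# Reduce one 4624/4625 event (as XML) to the fields that matter for NTLM-vs-Kerberos triage.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns   = @{ e = 'http://schemas.microsoft.com/win/2004/08/events/event' }
    $data = @{}
    foreach ($d in (Select-Xml -Xml $EventXml -Namespace $ns -XPath '//e:EventData/e:Data')) {
        $data[$d.Node.GetAttribute('Name')] = $d.Node.InnerText
    }
    [pscustomobject]@{
        EventId     = [int](Select-Xml -Xml $EventXml -Namespace $ns -XPath '//e:System/e:EventID').Node.InnerText
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = $data['LogonType']               # 3 = network (SMB/RPC from the management server)
        AuthPackage = $data['AuthenticationPackageName'] # 'NTLM' or 'Kerberos'
        LmPackage   = $data['LmPackageName']           # 'NTLM V2' when NTLM was used
        Workstation = $data['WorkstationName']         # which management server made the connection
        IpAddress   = $data['IpAddress']
    }
}

# Read recent logon events from each target and keep only NTLM logons for the install account.
# Requires rights to read the remote Security log.
function Get-NtlmLogonsForAccount {
    param([string[]]$ComputerName, [string]$Account)
    foreach ($c in $ComputerName) {
        Get-WinEvent -ComputerName $c -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } `
                     -MaxEvents 2000 -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-LogonEventXml -EventXml ([xml]$_.ToXml()) } |
            Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.User -like "*\$Account" } |
            Select-Object @{ n = 'Computer'; e = { $c } }, *
    }
}

# Protected Users is the domain group with RID 525, so look it up by SID rather than by
# localized display name. Recursive membership counts because nested membership also applies.
function Test-ProtectedUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $protectedUsersSid = (Get-ADDomain).DomainSID.Value + '-525'
    $members = Get-ADGroupMember -Identity $protectedUsersSid -Recursive |
               Select-Object -ExpandProperty SamAccountName
    return ($members -contains $SamAccountName)
}

# Constructed sample event mirroring the fields quoted in the question, so the parser
# can be exercised offline before pointing it at real servers.
$sampleEvent = @'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name='TargetUserName'>UserName</Data>
    <Data Name='TargetDomainName'>Domain</Data>
    <Data Name='LogonType'>3</Data>
    <Data Name='LogonProcessName'>NtLmSsp </Data>
    <Data Name='AuthenticationPackageName'>NTLM</Data>
    <Data Name='WorkstationName'>SCOMMS01</Data>
    <Data Name='LmPackageName'>NTLM V2</Data>
    <Data Name='KeyLength'>128</Data>
    <Data Name='IpAddress'>10.0.0.5</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEventXml -EventXml ([xml]$sampleEvent) | Format-List

# Live run against the real targets and directory:
# Get-NtlmLogonsForAccount -ComputerName $Computers -Account $InstallAccount | Format-Table -AutoSize
# "In Protected Users: $(Test-ProtectedUser -SamAccountName $InstallAccount)"
```

If the live run shows NTLM logons for the install account, the `Workstation`/`IpAddress` columns tell you which management server is falling back, and the target name it used is the next thing to inspect: Kerberos needs the target addressed by a name that maps to a registered SPN, so a connection made by IP address or to a name with no matching SPN will negotiate down to NTLM, which Protected Users then rejects with Access Denied.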

JonathanBAUZONE-4020 answered:

Thanks for your answers. I know that a user in Protected Users can't log on using NTLM.
But my question is why the SCOM push client uses NTLMv2; is it by design?

The Operations Manager Server cannot process the install/uninstall request for computer ServerName.domain.local due to failure of operating system version verification.


Operation: Agent Install
Install account: Domain\UserName
Error Code: 80070005
Error Description: Access is denied.
Thanks in advance ;)


No, it's not. SCOM uses whatever mechanism is available to open an SMB connection to copy the .msi file and then uses RPC to start the install.
Did you read the old TechNet forum thread I provided above? It explains this and has a pretty uncommon resolution... maybe you're facing the same issue.
