question

DominiqueDUCHEMIN-4668 avatar image
0 Votes"
DominiqueDUCHEMIN-4668 asked HanyunZhu-MSFT commented

Client Push error 2147942405

Hello,

I have several machines giving the error 2147942405 on a Client push...

The Certificate are ok

The Boundaries are ok
The Local Administrators group contains the service account
The Windows Firewall is off
The access through WBEMTEST \\Server_Name\root\cimv2 (from the site server) is working fine

the CCM.log is giving an access error :

Execute query exec [sp_CP_GetNewPushMachines] N'UCP'~
Execute query exec [sp_CP_SetPushRequestMachineStatus] 2097263794, 1~
Execute query exec [sp_CP_GetPushRequestMachine] 2097263794~
Successfully retrieved information for machine VIPPPDG01 from DB
Execute query exec [sp_CP_GetPushRequestMachineIP] 2097263794~
Execute query exec [sp_CP_GetPushRequestMachineResource] 2097263794~
Execute query exec [sp_CP_GetPushMachineName] 2097263794~
Received request: "2097263794" for machine name: "VIPPPDG01" on queue: "Incoming".
Stored request "2097263794", machine name "VIPPPDG01", in queue "Processing".
Execute query exec [sp_CP_SetPushRequestMachineStatus] 2097263794, 1~
======>Begin Processing request: "2097263794", machine name: "VIPPPDG01"
Execute query exec [sp_IsMPAvailable] N'UCP'~
---> Trying the 'best-shot' account which worked for previous CCRs (index = 0x1)~
---> Attempting to connect to administrative share '\\VIPPPDG01\admin$' using account 'AD\svcDGITsccm'~
---> SspiEncodeStringsAsAuthIdentity succeeded!~
---> SspiExcludePackage succeeded!~
---> SspiMarshalAuthIdentity succeeded!~
---> NetUseAdd failed: 1219: dwParamError = 0~
---> NTLM fallback is not enabled
---> The 'best-shot' account has now succeeded 9 times and failed 2 times.
---> Trying each entry in the SMS Client Remote Installation account list~
---> Attempting to connect to administrative share '\\VIPPPDG01\admin$' using account 'AD\svcconfigmgrsrv'~
---> SspiEncodeStringsAsAuthIdentity succeeded!~
---> SspiExcludePackage succeeded!~
---> SspiMarshalAuthIdentity succeeded!~
---> NetUseAdd succeeded!~
---> Connected to administrative share on machine VIPPPDG01 using account 'AD\svcconfigmgrsrv'~
---> Trying the 'best-shot' account which worked for previous CCRs (index = 0x1)~
---> Attempting to make IPC connection to share <\\VIPPPDG01\IPC$> with Kerberos authentication ~
---> SspiEncodeStringsAsAuthIdentity succeeded for IPC$ authentication!~
---> SspiExcludePackage succeeded for IPC$ authentication!~
---> SspiMarshalAuthIdentity succeeded for IPC$ authentication!~
---> NetUseAdd succeeded for IPC$ authentication!~
---> Searching for SMSClientInstall. under '\\VIPPPDG01\admin$\'~
---> Unable to connect to remote machine "VIPPPDG01" using Kerberos with alternate account, error - 0x80004005.
--> NTLM fallback is not enabled, remote machine "VIPPPDG01" is not continuing with client push.
--> NTLM fallback is not enabled, remote machine "VIPPPDG01" is not continuing with client push.
Submitted request successfully
Getting a new request from queue "Incoming" after 100 millisecond delay.
Waiting for change in directory "E:\SCCM\inboxes\ccr.box" for queue "Incoming", (30 minute backup timeout).
Waiting for change in directory "E:\SCCM\inboxes\ccr.box" for queue "Incoming", (30 minute backup timeout).
---> Unable to connect to remote machine "VIPPPDG01.ad" using Kerberos with machine account, error - 0x80070005.*
--> NTLM fallback is not enabled, remote machine "VIPPPDG01.ad" is not continuing with client push.
---> Unable to connect to remote machine "VIPPPDG01" using Kerberos with machine account, error - 0x80070005.
--> NTLM fallback is not enabled, remote machine "VIPPPDG01" is not continuing with client push.
---> Deleting SMS Client Install Lock File '\\VIPPPDG01\admin$\SMSClientInstall.UCP'~
Execute query exec [sp_CP_SetLastErrorCode] 2097263794, -2147024891~
Stored request "2097263794", machine name "VIPPPDG01", in queue "Retry".
Execute query exec [sp_CP_SetPushRequestMachineStatus] 2097263794, 2~
Execute query exec [sp_CP_SetLatest] 2097263794, N'05/19/2021 15:08:44', 14~
<======End request: "2097263794", machine name: "VIPPPDG01".
<======End request: "2097263794", machine name: "VIPPPDG01".



Not sure where to check next?
no log on the client ...

Thanks,
Dom





mem-cm-general
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

HanyunZhu-MSFT avatar image
1 Vote"
HanyunZhu-MSFT answered

@DominiqueDUCHEMIN-4668

Thanks for posting in Microsoft Q&A forum.

The error code 2147942405 means Access Denied, which is same as the error code 0x80070005 shown in the log you provided.

Firstly, it is suggested to check whether the clients are in trusted AD forest. Because Kerberos in Windows relies on AD for mutual authentication.

Or we can try to enable "Allow connection fallback to NTLM" in the Client Push Installation Properties, so that if the site can't authenticate the clients by using Kerberos, it will retry the connection by using NTLM.
Go through this path: CM consoln > Administration > Site Configuration > Sites > Right-click the site that you want to configure and select Client Installation Settings > select Client Push Installation > in the General tab > select Allow connection fallback to NTLM.
98105-ntlm.png

For more details about client push installation, please refer to this article: https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-to-windows-computers


If the response is helpful, please click "Accept Answer"and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




ntlm.png (71.0 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DominiqueDUCHEMIN-4668 avatar image
0 Votes"
DominiqueDUCHEMIN-4668 answered HanyunZhu-MSFT commented

Hello,

The servers are within our unique forest AD (Active Directory)
Same as the MEMCM environment

I recheck NTLM (was previously removed)
retrying the client push

Certificate verified
Boundaries verified

Thanks,
Dom

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@DominiqueDUCHEMIN-4668 , Thanks for your update! What about the current status of the problem? Is the problem solved? Do you need any further assistance? Look forward to hearing from you.

Thanks for your time.

Best regards,
Alan

0 Votes 0 ·