January 21, 2010

Troubleshooting Management Point Issue: Steps to be taken

MP Issue Description:
Failed to send http request /SMS_MP/.sms_aut?MPLIST. Error 12029 SMS_MP_CONTROL_MANAGER 1/11/2010 4:51:40 PM 3924 (0x0F54)

Http verification .sms_aut (port 80) failed with no header received SMS_MP_CONTROL_MANAGER 1/11/2010 4:51:40 PM 3924 (0x0F54)


How to Handle:
Within IIS, a virtual directory is added under the default website during the Management Point installation. The virtual directory is called "SMS_MP" (without the quotes). This virtual directory is how the advanced clients communicate with the MP; the ISAPI extensions behind it convert the data transmitted to the MP into files and information for insertion into the SMS database.

Note that MPControl is a self-checking component of the Management Point. If it is logging error messages, first check whether the MP functionality is working at all.

A good test is to check whether a given client talking to that MP can send up HW inventory (check in Resource Explorer) AND whether the client can get policy (Policy Spy on the client).

To force a full HW inventory, run this VBScript on the client and then trigger a HW Inventory cycle:

Option Explicit
Dim oLocator, oServices, x
Set oLocator = CreateObject("WbemScripting.SWbemLocator")
' Connect to the inventory agent namespace on the local client ("." = local machine)
Set oServices = oLocator.ConnectServer(".", "root\ccm\invagt")
' {...0001} is the InventoryActionID of hardware inventory. Deleting its
' InventoryActionStatus instance clears the last-run state, so the next
' HW Inventory cycle is sent as a full (not delta) inventory.
x = "{00000000-0000-0000-0000-000000000001}"
oServices.Delete "InventoryActionStatus.InventoryActionID=""" & x & """"

If the functionality is OK, most likely only the self tests are failing. In that case check with the MP troubleshooter or by requesting the URLs directly; the cause is most likely network related.

If the functionality is wrong, we need to check:
IIS (Is the WWW service running? Try IISRESET)
IIS permissions (Do clients have anonymous access? Are the IUSR and IWAM accounts locked out?)

DCOM
The SMS Management Point and SMS Agent Host service consist of several COM objects. The SMS Agent Host service usually runs under the context of LocalSystem, so increased DCOM security does not often cause a problem for the Advanced Client. The SMS Management Point, however, runs under the identity of the IWAM account, so any additional restrictions on DCOM security can prevent the MP from functioning. If the MP does not start under the IWAM identity, but uses either a copy of this account or an entirely new account, then the default permissions may not be enough to start the MP.

SQL (Does the MP account have a "clear way" through the OS and SQL permissions to the SQL tables? Use the SMS groups on the site servers!!)

Status Message Codes in IIS
If the client's request does appear in the web service log, the next field to look at is the status code. The three-digit return code of an HTTP request consists of two parts. The first digit indicates the general status.

General Status Codes in IIS
First Digit   General Status
2xx           Success
3xx           Redirection
4xx           Client Error
5xx           Server Error

The second two digits give a more descriptive explanation of the status. In some instances, such as a 401 or 403 error code, there will be a sub code, such as 401.1 or 403.4. A complete list of IIS status codes can be found in the following article:

294807, "HOW TO: Turn Off the Internet Explorer 5.x and 6.x "Show Friendly HTTP Error Messages" Feature on the Server Side"
http://support.microsoft.com/default.aspx?scid=KB;EN-US;294807

URLScan
UrlScan version 2.5 is a security tool that restricts the types of HTTP requests that Internet Information Services will process. By blocking specific HTTP requests, the UrlScan security tool helps prevent potentially harmful requests from reaching the server. URLScan is an ISAPI filter that was designed to block extremely long or incorrectly formatted web requests, which are common means of exploiting buffer overflows. It can also block a variety of verbs and commands in web requests that can exploit security holes or configuration errors.
URLScan 2.5 consists of URLScan.dll, the ISAPI filter, and URLScan.ini, the configuration file. The SMS 2003 toolkit has a modified version of the URLScan.ini file that allows the Management Point ISAPI extensions to pass through. Any previous version of this ini file will cause URLScan to block client communication with the management point. Clients will still be able to download packages for advertisements they already know about, but they won't be able to get policy updates or upload inventory. An incorrect version of URLScan on an SMS MP will show up in the IIS logs as:

2005-02-04 17:03:48 10.128.22.240 GET /ccm_system/request - 80 - 10.128.22.136 ccmhttp 404 0 2
2005-02-04 17:03:48 10.128.22.240 GET /ccm_system/request - 80 - 10.128.22.174 ccmhttp 404 0 2
2005-02-04 17:03:50 10.128.22.240 GET /ccm_system/request - 80 - 10.128.22.148 ccmhttp 404 0 2
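Reading the status code column by hand works for three lines, but an MP log for a busy site runs to thousands of entries. The script below is an added example (it is not part of the original post and not an SMS toolkit component) that puts the two points above into code: it parses IIS W3C log lines using the #Fields directive IIS writes at the top of each log, classifies each request by the first digit of sc-status using the table above, and flags the URLScan symptom from the excerpt, i.e. advanced clients (User-Agent ccmhttp) getting a 404 on one of the MP virtual directories. The log text embedded in the script is constructed: the first three lines mirror the excerpt above, and the remaining ones are made-up entries added to exercise the other status classes. The list of MP virtual directory paths is taken from the directories discussed in this post.

```python
"""Classify IIS W3C log lines from an SMS 2003 Management Point.

Added example, not code from the original post. Field order is taken from
the log's own "#Fields:" directive; if a log has none, the default IIS 6
order visible in the post's excerpt is assumed.
"""
from collections import Counter

# First digit of the HTTP status -> general meaning (the table from the post).
GENERAL_STATUS = {"2": "Success", "3": "Redirection",
                  "4": "Client Error", "5": "Server Error"}

# Virtual directories created by the MP installation. A 404 on any of them
# means the request never reached the MP ISAPI extension.
MP_PATHS = ("/sms_mp/", "/ccm_system/", "/ccm_incoming/", "/ccm_outgoing/")

# Constructed sample log. Lines 3-5 mirror the URLScan excerpt in the post;
# the last three are made up to show a success, a 401 and a server error.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-02-04 17:03:48 10.128.22.240 GET /ccm_system/request - 80 - 10.128.22.136 ccmhttp 404 0 2
2005-02-04 17:03:48 10.128.22.240 GET /ccm_system/request - 80 - 10.128.22.174 ccmhttp 404 0 2
2005-02-04 17:03:50 10.128.22.240 GET /ccm_system/request - 80 - 10.128.22.148 ccmhttp 404 0 2
2005-02-04 17:03:51 10.128.22.240 GET /SMS_MP/.sms_aut MPLIST 80 - 10.128.22.240 - 200 0 0
2005-02-04 17:03:52 10.128.22.240 GET /SMS_MP/.sms_aut MPCERT 80 - 10.128.22.240 - 401 2 5
2005-02-04 17:03:55 10.128.22.240 POST /ccm_system/request - 80 - 10.128.22.136 ccmhttp 500 0 0
"""


def normalize(name):
    """Map a W3C field name to a plain key: 'cs(User-Agent)' -> 'user_agent',
    'sc-status' -> 'sc_status'."""
    return name.lower().replace("cs(", "").replace(")", "").replace("-", "_")


DEFAULT_FIELDS = [normalize(f) for f in (
    "date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status").split()]


def parse_log(text):
    """Yield one dict per request line, honouring any #Fields directive.

    Lines whose token count does not match the current field list (for
    example a line wrapped by an editor, as in the post) are skipped rather
    than mis-aligned into the wrong columns.
    """
    fields = DEFAULT_FIELDS
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [normalize(f) for f in line[len("#Fields:"):].split()]
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def general_status(code):
    """'404' -> 'Client Error'. Only the first digit carries the general meaning."""
    return GENERAL_STATUS.get(code[:1], "Unknown")


def is_blocked_mp_request(entry):
    """True when an advanced client (User-Agent ccmhttp) received a 404 on an
    MP virtual directory: the pattern the post attributes to a stale URLScan.ini."""
    return (entry["sc_status"] == "404"
            and entry["user_agent"].lower() == "ccmhttp"
            and entry["cs_uri_stem"].lower().startswith(MP_PATHS))


def summarize(text):
    """Count requests per general status and list client IPs that look blocked."""
    by_class = Counter()
    blocked_clients = set()
    for entry in parse_log(text):
        by_class[general_status(entry["sc_status"])] += 1
        if is_blocked_mp_request(entry):
            blocked_clients.add(entry["c_ip"])
    return {"by_class": dict(by_class), "blocked_clients": sorted(blocked_clients)}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for status_class, count in sorted(result["by_class"].items()):
        print(f"{status_class:13s} {count}")
    print("clients blocked at the MP:", ", ".join(result["blocked_clients"]))
```

Point the script at a real log by reading the file into `summarize()` instead of `SAMPLE_LOG`; because the parser follows the `#Fields:` line, a log with extra or reordered columns still parses. The sc-win32-status of 2 in the excerpt is the Win32 error for "file not found", which is consistent with a filter rejecting the request before IIS ever maps it to the ISAPI extension.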

NTFS Permissions for IUSR
This section covers the standard default NTFS permissions in a typical SMS environment. In a typical SMS environment you will have a Management Point, a Reporting Point, a BITS-enabled Distribution Point, and a Server Locator Point. Each of these SMS site components requires a virtual directory within IIS and consequently NTFS permissions on the folder behind each of those virtual directories.
Below is the default breakdown for those SMS components, for reference.
Management Point (SMS_MP virtual directory)
○ Default path: c:\SMS_CCM\SMS_MP
○ Default NTFS Permissions:
■ Administrators-Full Control
■ Interactive-List Folder Contents
■ IUSR account-List Folder Contents
■ IWAM account-List Folder Contents
■ SYSTEM-Full Control
Management Point (CCM_Incoming virtual directory)
○ Default path: c:\sms\ccm\incoming
○ Default NTFS Permissions:
■ Administrators-Full Control
■ IUSR account-Special:
□ Traverse Folder/Execute File
□ List Folder/Read Data
□ Read Attributes
□ Read Extended Attributes
□ Create Files/Write Data
□ Create Folders/Append Data
□ Delete subfolders and files
□ Read Permissions
■ IWAM account-Special:
□ Traverse Folder/Execute File
□ List Folder/Read Data
□ Read Attributes
□ Read Extended Attributes
□ Create Files/Write Data
□ Create Folders/Append Data
□ Delete subfolders and files
□ Read Permissions
■ SYSTEM-Full Control
Management Point (CCM_Outgoing virtual directory)
○ Default Path: c:\SMS\CCM\Outgoing
○ Default Permissions:
■ Administrators-Full Control
■ IUSR Account-Read
■ IWAM Account-Read
■ SYSTEM-Full Control
Management Point (CCM_SYSTEM virtual directory)
○ Default Path: c:\SMS\CCM\ServiceData\System
○ Default Permissions:
■ Administrators-Full Control
■ Interactive-List folder contents
■ IUSR Account-List folder contents
■ IWAM Account-List folder contents
■ SYSTEM-Full Control
Reporting Point (SMSReporting virtual directory)
○ Default Path: C:\inetpub\wwwroot\SMSReporting_
○ Default Permissions:
■ Administrators-Full Control
■ SMS Reporting Users
□ Read & Execute
□ List Folder Contents
□ Read
■ SYSTEM-Full Control
BITS Distribution Point (SMS_DP_SMSPKGC$)
○ Default Path: C:\SMSPKGC$
○ Default Permissions:
■ Administrators-Full Control
■ Guests
□ Read & Execute
□ List Folder Contents
□ Read
■ Users
□ Read & Execute
□ List Folder Contents
□ Read
Server Locator Point (SMS_SLP virtual directory)
○ Default Path: C:\SMS\BIN\I386\SMS_SLP
○ Default Permissions:
■ Administrators-Full Control
■ Everyone
□ Read & Execute
□ List Folder Contents
□ Read
■ SYSTEM-Full Control
Resetting the Password for IUSR
This section describes how to perform a manual IUSR reset when the IUSR account becomes out of sync, either through an attempted manual removal of IIS or through a failed attempt to reset the password via AD Users and Computers (or the local user interface if the machine is a member server).
1. Reset the IUSR password via the local user reset password option, or use AD Users and Computers if the machine happens to be a domain controller.
2. Reset the IUSR password in the metabase.xml or metabase.bin file using the Metabase Explorer tool, which can be downloaded from the following URL:
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en
a. Open Metabase Explorer on the target machine where the password will be reset.

- A good plan is also to take a network trace of the traffic between client and MP, and between MP and server.
