From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Nick Aquino
Sent: Monday, April 06, 2009 1:35 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM client - Not Approved

Anyone working with NLB Management points?  Our clients will not approve if we use NLB, but if we use a stand-alone management point, it works just fine.

-----------------------------

OKAY..... so we rebuilt our development environment just because we planned to anyway.  This time, we started out small and worked our way up.  Here's what we did:

 

-We installed a central site server and gave it a management point role.  We assigned clients and they approved.

 

-We then installed the primary site server, attached it to the central, and installed the primary site server as the default management point for the primary site.  All clients we installed auto-approved.

 

-We installed our two separate management point servers, configured the NLB cluster, and made the cluster the default management point (FQDN).  Clients will not auto-approve.

 

What gives?  We changed nothing in our site other than the management point setup and clients will not approve automatically now. 

 

SMS_MP_CONTROL_MANAGER shows 5447 errors

MP has rejected a policy request from GUID:4A333CC5-2E31-4F6C-AF4B-6B03C47C03EC because it was not approved. The operating system reported error 2147942405: Access is denied.

 

Anyone...  Help?

 



>>> On 3/18/2009 at 9:19 AM, in message <356476328_208988040@PE3-4-myitforum.orcsweb.com>, "Chris Stauffer" <cstauffer@myitforum.com> wrote:

I say just humor me and put in the account and see what happens. If it doesn't work, you didn't lose anything.

All I'm saying is every site I have built (10 in all now), I had to add that account before it would auto approve.

Thanks,
Christopher Stauffer <><
Enterprise SMS Admin
MCTS ConfigMgr 2007
MCP SMS 2003
Email: CStauffer@myitforum.com
Blog: http://myitforum.com/cs2/blogs/cstauffer/


From: "Michael mott" <mmott@med.umich.edu>
Sent: Wednesday, March 18, 2009 8:24 AM
To: "mssms@lists.myitforum.com" <mssms@lists.myitforum.com>
Subject: RE: [mssms] SCCM client - Not Approved

Hey finally, an answer I can agree with.  So what exactly is needed to get approval thru?

 

Mike Mott

Contractor for Otterbase



>>> On 3/18/2009 at 6:01 AM, in message <344683593_208691786@PE3-4-myitforum.orcsweb.com>, "Meringer, Torsten (ext)" <torsten.meringer.ext@siemens.com> wrote:

I agree that the approval process is not documented very well, but you don't need a network access account for it to work.

 

From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Chris Stauffer
Sent: Friday, March 13, 2009 20:28
To: mssms@lists.myitforum.com
Subject: Re: [mssms] SCCM client - Not Approved

 

It is not documented, at least not that I have found. But every site that we built, if it didn't have that account the clients would not auto approve.

It also will not auto approve existing clients, only clients that were installed after adding the account.

Thanks,
Christopher Stauffer <><
Enterprise SMS Admin
MCTS ConfigMgr 2007
MCP SMS 2003
Email: CStauffer@myitforum.com
Blog: http://myitforum.com/cs2/blogs/cstauffer/



From: "Nick Aquino" <naquino@med.umich.edu>
Sent: Friday, March 13, 2009 3:08 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] SCCM client - Not Approved

We have been looking at this for the past day or so.  I put MY credentials in the network access account under the computer client agent, and it still seems to be an issue with the clients showing as "not approved".

 

Is there Microsoft documentation on the prerequisite of having to have a network access account set up?  I do not have one in my personal lab and auto-approval works just fine.

>>> On 3/13/2009 at 2:55 PM, in message <-1933960171_246549075@PE3-4-myitforum.orcsweb.com>, "Chris Stauffer" <cstauffer@myitforum.com> wrote:

You need to add a Network access account under Computer Client agent.

Then auto approvals will work.

Thanks,
Christopher Stauffer <><
Enterprise SMS Admin
MCTS ConfigMgr 2007
MCP SMS 2003
Email: CStauffer@myitforum.com
Blog: http://myitforum.com/cs2/blogs/cstauffer/



From: "Michael mott" <mmott@med.umich.edu>
Sent: Friday, March 13, 2009 2:33 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] SCCM client - Not Approved

We are also wondering if we need a Network Access account for this?  The client push works fine, client gets assigned, and HINV and SINV flow up, but no approval.

 

Where should we be looking here?

 

Mike Mott

Contractor for Otterbase



>>> On 3/13/2009 at 2:22 PM, in message <-1935994062_246497553@PE3-4-myitforum.orcsweb.com>, "Nick Aquino" <naquino@med.umich.edu> wrote:

**UPDATE - After some troubleshooting and tweaks, hardware inventory is now flowing up, although the time stamp is still an hour in the past. 

>>> On 3/13/2009 at 1:56 PM, in message <-1937547156_246457326@PE3-4-myitforum.orcsweb.com>, "Michael mott" <mmott@med.umich.edu> wrote:

I would like to help, but it's my problem too....

 

Mike Mott

Contractor for Otterbase



>>> On 3/13/2009 at 12:05 PM, in message <-1944195390_246287108@PE3-4-myitforum.orcsweb.com>, "Nick Aquino" <naquino@med.umich.edu> wrote:

Client shows as 'Not Approved'

SCCM 2007 SP1 R2 (MIXED MODE)

Central site server (Windows 2003 Ent, SP2) - Site Code DM1
Primary site server (Windows 2003 Ent, SP2) - Site Code DM2
Primary Database Server (Windows 2003 Ent, SP2)  <-----------------ONLY CLIENT (Assigned to DM2)
Management Point and Software Update Point NLB Cluster
    ComponentServer01 (MP and SUP) = (Windows 2003 Ent, SP2)
    ComponentServer02 (MP and SUP) = (Windows 2003 Ent, SP2)

There is another development SCCM infrastructure in the same domain.  Both infrastructures are NOT using any boundaries.

SMS_MP_CONTROL_MANAGER on both component servers reports Error 5447:
        MP has rejected a policy from GUID:<insert guid here> because it was not approved.  
        The operating system reported error 2147942405: Access is denied.


On the Central Site server (DM1), the SMS_INVENTORY_DATA_LOADER is reporting error 682:
        GUID was rejected because the file was signed but the authentication key did not match the recorded key for this client.

On the client, the LocationServices log reports that "The 'Certificate Store' is empty in the registry, using the default store name 'MY'."
        It has the proper "default management point" listed in the log (Our NLB).

In the console, the client shows up as 'Not Approved'.  We have hardware inventory at the primary level, but as you can see in the inventory data loader log on the central site, the inventory is being rejected. 

We have the site set to approve all clients from the trusted domain.  We've tried both checking the setting that says "only config manager clients will be assigned to this site" and unchecking it; no change.

We tried adding a service account in the computer client agent settings that has full rights on all of site servers and clients involved.

Everything we've found online that speaks of the Approval settings seems to allude to the checkbox and the approval settings for the site mode.  It hasn't helped us.

Another interesting thing to note is that the hardware inventory shows last hardware scan date of 3/13/2009 10:17 AM.  The machine's inventoryagent.log shows the inventory was sent at 11:17am.  All of the 5 servers involved are in the Eastern Standard Time Zone (-5) and all clocks show the same, correct time.

Again, we are in mixed mode, running our Management points and SUPs in an NLB that has had its SPN registered.  Before we added this client, all system statuses were showing the green check-box for about a day (we wanted to let it settle before we added test clients).  There is another SCCM development infrastructure in place on the same domain, but both are not using boundaries at all.

-Nick-

Nick Aquino

 

**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues


==============
Missed an email? Check out the list archive:
http://myitforum.com/cs2/blogs/smslist/
