Error 401 while connecting to DP

Hi All,

During a new build of a test machine using Windows 7 SP1 x64, we had a requirement to add the machine to a workgroup instead of domain.

At 1st, it was really easy task, we duplicated the existing and working task sequence and changed the domain information to add to a workgroup instead of a domain and started testing. For our surprise, it failed.

On IIS logs, I could see that client (on a WinPE) tried to download the wim file and fails (access denied). Once fail, it connects using the Network Access Account and download worked fine. it applied the wim file and download extra packages without any issue.

machine was rebooted and installed the client, once done, another reboot and try to install an app and it failed. looking at the datatransfer log we saw access denied (error 401)

CAutoImpersonate::ImpersonateUser
Sending PROPFIND request using URL http://SERVERFQDN:80/SMS_DP_SMSPKG$/Content_b8f4d18c-2364-4226-8857-06c0047724eb.1
[CCMHTTP] ERROR: URL=http://SERVERFQDN:80/SMS_DP_SMSPKG$/Content_b8f4d18c-2364-4226-8857-06c0047724eb.1, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = “GUID:6d71065e-446b-4fe3-bcdc-6dbcf576d69b”;
DateTime = “20130924103040.906000+000″;
HostName = “SERVERFQDN”;
HRESULT = “0x87d0027e”;
ProcessID = 1256;
StatusCode = 401;
ThreadID = 1816;
};
Request to http://SERVERFQDN:80/SMS_DP_SMSPKG$/Content_b8f4d18c-2364-4226-8857-06c0047724eb.1 failed with 401 – Access denied
Successfully sent location services HTTP failure message.
Error sending DAV request. HTTP code 401, status ‘Unauthorized’
GetDirectoryList_HTTP(‘http://SERVERFQDN:80/SMS_DP_SMSPKG$/Content_b8f4d18c-2364-4226-8857-06c0047724eb.1′) failed with code 0×80070005.

From the IIS log, I can see that the client tried to download the file and it fails, but we dont see an attempt to use the Network Access Account
2013-09-24 08:59:36 10.5.20.116 PROPFIND /SMS_DP_SMSPKG$/PRI00047 – 80 – 10.5.49.33 SMS+CCM+5.0+TS 401 2 5 124
2013-09-24 08:59:36 10.5.20.116 PROPFIND /SMS_DP_SMSPKG$/PRI00047 – 80 – 10.5.49.33 SMS+CCM+5.0+TS 401 1 2148074252 0
2013-09-24 08:59:36 10.5.20.116 PROPFIND /SMS_DP_SMSPKG$/PRI00047 – 80 DOMAIN\NETACCOUNT 10.5.49.33 SMS+CCM+5.0+TS 207 0 0 62
2013-09-24 08:59:36 10.5.20.116 GET /SMS_DP_SMSPKG$/PRI00047/sccm /WIMFILE.wim 80 – 10.5.49.33 SMS+CCM+5.0+TS 401 2 5 0
2013-09-24 08:59:36 10.5.20.116 GET /SMS_DP_SMSPKG$/PRI00047/sccm /WIMFILE.wim 80 – 10.5.49.33 SMS+CCM+5.0+TS 401 1 2148074252 15
2013-09-24 09:23:27 10.5.20.116 GET /SMS_DP_SMSPKG$/PRI00047/sccm /WIMFILE.wim 80 DOMAIN\NETACCOUNT 10.5.49.33 SMS+CCM+5.0+TS 200 0 0 1431345
2013-09-24 09:34:05 10.5.20.116 PROPFIND /SMS_DP_SMSPKG$/PRI00002 – 80 – 10.5.49.33 SMS+CCM+5.0+TS 401 2 5 0
2013-09-24 09:34:05 10.5.20.116 PROPFIND /SMS_DP_SMSPKG$/PRI00002 – 80 – 10.5.49.33 SMS+CCM+5.0+TS 401 1 2148074252 0
2013-09-24 09:34:05 10.5.20.116 PROPFIND /SMS_DP_SMSPKG$/PRI00002 – 80 DOMAIN\NETACCOUNT 10.5.49.33 SMS+CCM+5.0+TS 207 0 0 499
……….
2013-09-24 09:34:26 10.5.20.116 GET /SMS_DP_SMSPKG$/PRI00002/sccm /x64/windowsupdateagent30-x64.exe 80 DOMAIN\NETACCOUNT 10.5.49.33 SMS+CCM+5.0+TS 200 0 0 904
2013-09-24 09:45:36 10.5.20.116 PROPFIND /SMS_DP_SMSPKG$/Content_b8f4d18c-2364-4226-8857-06c0047724eb.1 – 80 – 10.5.49.33 SMS+CCM+5.0 401 2 5 0
2013-09-24 09:45:36 10.5.20.116 PROPFIND /SMS_DP_SMSPKG$/Content_b8f4d18c-2364-4226-8857-06c0047724eb.1 – 80 – 10.5.49.33 SMS+CCM+5.0 401 1 2148074252 0
2013-09-24 09:45:36 10.5.20.116 PROPFIND /SMS_DP_SMSPKG$/Content_b8f4d18c-2364-4226-8857-06c0047724eb.1 – 80 – 10.5.49.33 SMS+CCM+5.0 401 2 5 0
2013-09-24 09:45:36 10.5.20.116 PROPFIND /SMS_DP_SMSPKG$/Content_b8f4d18c-2364-4226-8857-06c0047724eb.1 – 80 – 10.5.49.33 SMS+CCM+5.0 401 2 5 0

We tried the workaround on Kent’s blog (http://blog.coretech.dk/kea/client-push-fails-when-management-point-is-installed-on-windows-2008-server/) by changing the applicationHost.config as well as updating/validating the files on the dp but it did not help

on the IIS, we checked the iis authentication and it was allowing windows authentication..so, this could not be the issue…

After a lot of research, we found that the KB2522623 was not installed and it could be the reason. So, we checked the DLL’s version and we had almost all new..but we decided to try anyway hoping that the installation was going to fail as we had new DLL’s….

For our surprise, it installed fine and the DLL versions did not match of what it should be on the KB page..

anyway..after installing this on the wim file, the deployment in a workgroup worked fine…

email

Written by , Posted .