Tuesday, May 15, 2018

SCCM CWmi::Connect() failed to connect in a Pull DP . Error = 0x800706BA is a kerberos problem this time


I already have these 0x800706BA problem.

In this case, I already verify rights, Wmi...and try some uninstall-re-install that sometimes works.
But nothing in my distmgr.log always Wmi error "connect failed"



Distmgr.log file lines

~DPID 2864 - NAL Path ["Display=\\COMPUTERNAME.domain.net\"]MSWNET:["SMS_SITE=XXX"]\\COMPUTERNAME.domain.net\ , ServerName = COMPUTERNAME.domain.net, DPDrive = , IsMulticast = 0, PXE = 0, RemoveWDS = 0 
PullDP ["Display=\\COMPUTERNAME.domain.net\"]MSWNET:["SMS_SITE=XXX"]\\COMPUTERNAME.domain.net\ is marked Uninstalled 
Translated server name COMPUTERNAME.domain.net to domain.net\COMPUTERNAME.domain.net.~ 
CWmi::Connect() failed to connect to \\COMPUTERNAME.domain.net\root\CIMv2. Error = 0x800706BA STATMSG: ID=2391 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=MYSEC.domain.net SITE=XXX PID=2816 TID=5984 GMTDATE=Mon Apr 30 14:07:20.860 2018 ISTR0="["Display=\\COMPUTERNAME.domain.net\"]MSWNET:["SMS_SITE=XXX"]\\COMPUTERNAME.domain.net\" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=404 AVAL0="["Display=\\COMPUTERNAME.domain.net\"]MSWNET:["SMS_SITE=XXX"]\\COMPUTERNAME.domain.net\" 
DPConnection::ConnectWMI() - Failed to connect to COMPUTERNAME.domain.net. 
user(NT AUTHORITY\SYSTEM) runing application(SMS_DISTRIBUTION_MANAGER) from machine (MYSEC.domain.net) is submitting SDK changes from site(XXX) ~
Failed to install DP files on the remote DP. Error code = 1722 
STATMSG: ID=2370 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=MYSEC.domain.net SITE=XXX PID=2816 TID=5984 GMTDATE=Mon Apr 30 14:07:20.938 2018 ISTR0="["Display=\\COMPUTERNAME.domain.net\"]MSWNET:["SMS_SITE=XXX"]\\COMPUTERNAME.domain.net\" ISTR1="COMPUTERNAME.domain.net" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=404 AVAL0="["Display=\\COMPUTERNAME.domain.net\"]MSWNET:["SMS_SITE=XXX"]\\COMPUTERNAME.domain.net\" ~
Will try again after 20 minutes ... 


I first verify using my user and mysecondmp$ computer (using psexec -s)
Result: no problem.

I test on another computer on same Lan.
Result:No problem too

below some powershell test:
$Computername = "COMPUTERNAME" 
$Computername3 = "COMPUTERNAME3" 
Get-WmiObject -ComputerName $Computername -Class win32_operatingsystem 
Get-WmiObject -ComputerName $Computername3 -Class win32_operatingsystem
To understand why SCCM does not connect correctly, I must understand what SCCM request. So, direction ApiMonitor to find wmi request (System Administration / Windows Management Instrumentation to check) Below a screenshot in
# Time of Day Thread Module API Return Value Error Duration 210 4:35:28.559 AM 162 baseutil.dll IWbemLocator::ConnectServer ( "\\COMPUTERNAME.domain.net\root\CIMv2", NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, "Kerberos:COMPUTERNAME$@domain.net", NULL, 0x000000a6a6075348 ) -2147024891 0x80070005 = Access is denied. 0.0531446 
# Time of Day Thread Module API Return Value Error Duration 211 4:35:28.700 AM 162 baseutil.dll IWbemLocator::ConnectServer ( "\\COMPUTERNAME.domain.net\root\CIMv2", NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, "Kerberos:COMPUTERNAME$@domain.net", NULL, 0x000000a6a6075348 ) -2147024891 0x80070005 = Access is denied. 0.0286299 
# Time of Day Thread Module API Return Value Error Duration 212 4:35:28.731 AM 162 baseutil.dll IWbemLocator::ConnectServer ( "\\COMPUTERNAME.domain.net\root\CIMv2", NULL, NULL, NULL, WBEM_FLAG_CONNECT_USE_MAX_WAIT, "Kerberos:domain.net\COMPUTERNAME.domain.net", NULL, 0x000000a6a6075348 ) -2147023174 0x800706ba = The RPC server is unavailable. 0.0239232  


Now I know what is problematic request, I can do it in powershell:
$Computername = "COMPUTERNAME" 
ping $Computername 
$NameSpace = "root\CIMv2" 
$WbemLocator = New-Object -ComObject "WbemScripting.SWbemLocator" $WbemServices = $WbemLocator.ConnectServer($ComputerName, $Namespace) 
$WbemServices = $WbemLocator.ConnectServer($ComputerName, $Namespace,"","","","",128) 
$WbemServices = $WbemLocator.ConnectServer($ComputerName, $Namespace,"","","","Kerberos:$($ComputerName)`$@domain.net",128)   

 We can see there is "The RPC server is unavailable" and "Access is denied" on Kerberos line Exception calling "ConnectServer" with "7" argument(s): "The RPC server is unavailable. " At line:1 char:1 + $WbemServices = $WbemLocator.ConnectServer($ComputerName, $Namespace,"","","","K ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : ComMethodTargetInvocation Exception calling "ConnectServer" with "7" argument(s): "Access is denied. " At line:1 char:1 + $WbemServices = $WbemLocator.ConnectServer($ComputerName, $Namespace,"","","","K ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : ComMethodTargetInvocation




Here when it is OK on computername3

$Computername3 = "COMPUTERNAME3"
ping $Computername3
$NameSpace = "root\CIMv2"
$WbemLocator = New-Object -ComObject "WbemScripting.SWbemLocator"
$WbemServices = $WbemLocator.ConnectServer($ComputerName3, $Namespace)
$WbemServices = $WbemLocator.ConnectServer($ComputerName3, $Namespace,"","","","",128)
$WbemServices = $WbemLocator.ConnectServer($ComputerName3,$Namespace,"","","","Kerberos:$($ComputerName3)`$@domain.net",128)

Here, there is NO error in line Kerberos


To capture network kerberos
https://blogs.technet.microsoft.com/askds/2012/07/27/kerberos-errors-in-network-captures/  https://blogs.technet.microsoft.com/askds/2008/03/06/kerberos-for-the-busy-admin/ 

 //IPv4.DestinationAddress == XXX.XXX.XXX.XXX
IPv4.Address == XXX.XXX.XXX.XXX AND
(
KerberosV5
OR KerberosV5_Struct
OR NLMP
OR NLMP_Struct
OR GssAPI
OR SpnegoNegotiationToken
OR GssapiKrb5
)

but this interesting article give me how to find problem:
https://blogs.msdn.microsoft.com/canberrapfe/2012/01/01/kerberos-troubleshooting/

in my case, this is situation 5
" Remember Kerberos encrypts the system time in with the authentication data. The KDC opens up the encrypted data, checks the time and if its outside the acceptable range you will have problems. The default range is 5 minutes,"

 https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization



I verified this using that powershell:

$utc_remote = Get-WmiObject -Class Win32_UtcTime -ComputerName COMPUTERNAME 
$date_remote = Get-Date -Year $utc_remote.Year -Month $utc_remote.Month -Day $utc_remote.Day -Hour $utc_remote.Hour -Minute $utc_remote.Minute -Second $utc_remote.Second 
$utc_local = Get-WmiObject -Class Win32_UtcTime 
$date_Local = Get-Date -Year $utc_local.Year -Month $utc_local.Month -Day $utc_local.Day -Hour $utc_local.Hour -Minute $utc_local.Minute -Second $utc_local.Second $date_remote.ToString("yyyy/MM/dd HH:mm:ss") $date_Local.ToString("yyyy/MM/dd HH:mm:ss") $DateDiffRemoteLocal = $date_Local - $date_remote Write-Host "$([math]::Round([math]::abs($DateDiffRemoteLocal.TotalMinutes),2)) min"














after updating time using below command line all work correctly
net time /DOMAIN /SET /Y
 


Posted by at
Labels: , , , , , , , , , , ,

5 comments:

Guilherme said...

Just commenting to say thank you! My DP stopped working over the weekend and I've been looking for an explanation all day long! Finally saw your post and that was exactly my problem! Thank you for sharing this!

September 2, 2019 at 6:38 PM
Anonymous said...

Hi Franck

hello from Paris

It can be also old kerberos tickets.
In my last case we reinstalled a standard DP on region, but the CM failed to connnect with usual 0x800706BA error.
All magics failed including time, reboot, FW. Finaly I tried to reset kerberos tickets on the CM executing AS SYSTEM the command
klist /purge

After that, WbemLocator test was OK :)

March 19, 2021 at 1:38 PM
Franck RICHARD said...

Thank you for your comment
Indeed, resetting Kerberos ticket can be the solution.
Now I will explain how to be "AS SYSTEM" as I didn't really explain that in this article. Easier solution is to download psexec
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec then run in "command prompt" with right click "run as administror" (else you will have 'access denied' when you will run psexec). In this 'command prompt' run "psexec -s cmd" with administrator's rights. Now you are user "local system" . You can confirm using command "set username". You should have something like "USERNAME=COMPUTER$" (your computer's name + $). Now you can purge kerberos using klist command.

March 19, 2021 at 3:44 PM
Unknown said...

Good Afternoon,

Thank you very much for this post, it is very helpful.

I have a question, if i understood correctly, i need to run the following commands on the DP server:
klist /purge (with PS Exec)
net time /DOMAIN /SET /Y (With CMD)

Could you please confirm?

When running the net time command, i am getting an error because i dont have enough right to run the commands, can i just set the time manually?

Thank you very much and best regards,

Yamael

October 27, 2021 at 4:23 PM
Anonymous said...

Hello

net time should be ran as administrator (elevated prompt)

also I made typo on klist command, it is only "KLIST purge" without the "/".. sorry

July 28, 2022 at 4:36 PM

Post a Comment

Subscribe to: Post Comments (Atom)