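Computers that are running the SMS Agent Host service cannot establish new network connections after frequent network disruptions
Applies to: Microsoft System Center 2012 R2 Configuration Manager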
Symptoms
You have a computer that has the Microsoft System Center 2012 R2 Configuration Manager client installed. If the computer is running the System Center 2012 R2 Configuration Manager version of the SMS Agent Host service (ccmexec.exe), the computer may eventually run out of network ports and be unable to establish new network connections when the following conditions are true:
- The client computer is frequently disconnected from its management point.
- The client computer is restarted infrequently.
- A gradual increase in the handle count of the ccmexec process is observed.
- A pattern that resembles the following is recorded in the CCMNotificationAgent.log file on the client computer.
Note This log example is truncated for readability and shows only the repeated patterns.
Receive signin confirmation message from server, client is signed in.
Connection is reset
Failed to receive buffer from server with err=0x80090304.
Failed to receive expected response from server with error 80090304.
Sleep 38 seconds to restart client…
…
Receive signin confirmation message from server, client is signed in.
Connection is reset
Failed to receive buffer from server with err=0x80090304.
Failed to receive expected response from server with error 80090304.
Sleep 48 seconds to restart client…
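One way to detect the repeated pattern shown above in CCMNotificationAgent.log text, as an added example that is not part of the Microsoft article: it counts complete sign-in, reset, 0x80090304, sleep cycles and ignores failures where the client never connected. The function names, the constructed sample lines and the `min_cycles` threshold are assumptions; the other listed conditions (handle growth, infrequent restarts) have to be checked separately.

```python
import re

# Constructed sample. The first cycle uses bare messages as in the truncated
# excerpt; the second carries a trailing "BgbAgent <date> <time> <thread>"
# suffix (assumed export layout); the last block is a different failure
# (connection refused) that must not be counted as a reset cycle.
SAMPLE_LOG = """\
Receive signin confirmation message from server, client is signed in.
Connection is reset
Failed to receive buffer from server with err=0x80090304.
Failed to receive expected response from server with error 80090304.
Sleep 38 seconds to restart client...
Receive signin confirmation message from server, client is signed in. BgbAgent 21/11/2015 18:19:30 5132 (0x140C)
Connection is reset
BgbAgent 21/11/2015 18:19:34 5132 (0x140C)
Failed to receive buffer from server with err=0x80090304. BgbAgent 21/11/2015 18:19:34 5132 (0x140C)
Failed to receive expected response from server with error 80090304. BgbAgent 21/11/2015 18:19:34 5132 (0x140C)
Sleep 48 seconds to restart client... BgbAgent 21/11/2015 18:19:34 5132 (0x140C)
Failed to connect to server with IP v4 address with error 10061. Try next IP...
Failed to signin bgb client with error = 80004005.
Sleep 99 seconds to restart client...
"""

SIGNED_IN = re.compile(r"client is signed in")
RESET = re.compile(r"Connection is reset")
SSPI_ERROR = re.compile(r"(?:err=0x|error )80090304")
SLEEP = re.compile(r"Sleep (\d+) seconds to restart client")
NOT_CONNECTED = re.compile(r"Failed to (?:connect to server|signin bgb client)")


def find_reset_cycles(log_text):
    """Return the back-off seconds of each sign-in -> reset -> 0x80090304 -> sleep cycle."""
    backoffs = []
    stage = 0  # 0 idle, 1 signed in, 2 reset seen, 3 0x80090304 seen
    for line in log_text.splitlines():
        sleep = SLEEP.search(line)
        if SIGNED_IN.search(line):
            stage = 1
        elif NOT_CONNECTED.search(line):
            # The client never signed in: a reachability problem, not this pattern.
            stage = 0
        elif stage == 1 and RESET.search(line):
            stage = 2
        elif stage >= 2 and SSPI_ERROR.search(line):
            stage = 3
        elif sleep:
            if stage == 3:
                backoffs.append(int(sleep.group(1)))
            stage = 0
    return backoffs


def assess(log_text, min_cycles=2):
    """Summarise the log; min_cycles is an assumed threshold for 'repeated'."""
    backoffs = find_reset_cycles(log_text)
    return {
        "reset_cycles": len(backoffs),
        "backoff_seconds": backoffs,
        "matches_kb_pattern": len(backoffs) >= min_cycles,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```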
Resolution
Hotfix information
A supported hotfix is available from Microsoft Support. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Prerequisites
Restart information
You do not have to restart the computer after you apply this hotfix.
Note We recommend that you close Configuration Manager Administration Console before you apply this hotfix package.
Hotfix replacement information
This hotfix does not replace any previously released hotfix.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
File name | File version | File size | Date | Time | Platform
---|---|---|---|---|---
Bgbclientendpoint.dll | 5.0.7958.1512 | 314,536 | 18-Dec-2014 | 02:00 | x64
Configmgr2012ac-r2-kb3048767-x64.msp | Not applicable | 7,725,056 | 18-Dec-2014 | 02:00 | Not applicable
Bgbclientendpoint.dll | 5.0.7958.1512 | 249,000 | 18-Dec-2014 | 02:00 | x86
Configmgr2012ac-r2-kb3048767-i386.msp | Not applicable | 6,238,208 | 18-Dec-2014 | 02:00 | Not applicable
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
References
Learn about the terminology that Microsoft uses to describe software updates.
Question
I have Server 2012 R2 with SCCM 2012 R2. Everything worked fine at the beginning of last week. Now no clients will download patches; they all hang at ‘downloading 0% complete’. I do not know what changed to cause this. Each machine has a ccmnotificationagent.log file full of errors related to BGB, to wit:
*Failed to connect to server with IPV4 addess with error 10061
*Failed to signin bgb client with error = 80004005
* ERROR URL=http://server.fqdn/bgb/handler.ashx?RequestType=Login, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
*Failed to post login with error code 87d0027e
*Failed to signin bgb client with error = 87d0027e
Help appreciated.
Ben JohnsonWY
Answers
The port that was blocked is open now and clients are signing in, but there is a new pair of errors now:
*failed to receive buffer from server with err=0x80090304
*failed to receive expected response from server with error 80090304
I’ll start another thread for the downloading problem.
Tks.
Ben JohnsonWY
Edited: Thursday, April 24, 2014 7:05 PM (typo)
Proposed as answer by Garth Jones MVP, Saturday, March 14, 2015 3:09 PM
Marked as answer by Garth Jones MVP, Monday, February 1, 2016 7:01 PM
#2 (Edy, Well-Known Member)
are those computers in the OU you set in your AD system discovery?
#3
Hi,
If you check on the All Systems device collection, can you find the machine?
#4 (Thread Starter)
> Hi,
> If you check on the All Systems device collection, can you find the machine?
appear, however.
Client type: None
client: No
Site code: S01
but on the client station the configuration manager is installed and has all the settings set
#5 (Thread Starter)
> are those computers in the OU you set in your AD system discovery?
yes, they are.
#6
> appear, however.
> Client type: None
> client: No
> Site code: S01
> but on the client station the configuration manager is installed and has all the settings set
On the client, go to "%WINDIR%\CCM\Logs" and check the LocationServices.log and ClientLocation.log files, if you can share it with us also.
#7 (Thread Starter)
> On the client, go to "%WINDIR%\CCM\Logs" and check the LocationServices.log and ClientLocation.log files, if you can share it with us also.
I'm receiving following messages from CcmNotificationAgent.log
Failed to get MDM_ConfigSetting instance, 0x80041010 BgbAgent 21/08/2019 17:25:54 7036 (0x1B7C)
Failed to get MDM_ConfigSetting instance, 0x80041010 BgbAgent 21/08/2019 17:25:54 7036 (0x1B7C)
Failed to receive buffer from server with err=0x80090304. BgbAgent 21/08/2019 17:25:54 7036 (0x1B7C)
Failed to receive expected response from server with error 80090304. BgbAgent 21/08/2019 17:25:54 7036 (0x1B7C)
below logs
- ClientLocation.log (67.9 KB)
- LocationServices.log (185.4 KB)
Last edited: Aug 22, 2019
#8
Try to restart the SMS Host Agent service and check ccmexec.log file.
#9 (Edy, Well-Known Member)
check C:\Windows\CCM\Logs\ClientIDManagerStartup
#10
It's happening in our SCCM 1902
#11 (Thread Starter)
Hi, I discovered a problem. Some machines had the same GUID. After executing the following steps:
net stop ccmexec
certutil -delstore SMS SMS
rename c:\windows\SMSCFG.INI SMSCFG.INI.old
net start ccmexec
The problem was solved. Thanks for all replies.
Hi folks,
In the absence of a few staff members, I’ve been handed a third line call concerning SCCM and have little to no knowledge of it and don’t know how to resolve the issue. I would be grateful if someone could assist?
We have a virtual server client waiting on Windows updates to be deployed, with status ‘Downloading 0% complete’. The same set of updates have been successfully deployed to other clients, however on this one it seems to be stuck. I’ve had a look at the logs in the following directory (C:\Windows\CCM\Logs) and picked up on ‘failed’ messages in different logs:
CcmNotificationAgent.log
=====================
Failed to receive buffer from server with err=0x80090304. BgbAgent 21/11/2015 18:19:34 5132 (0x140C)
Failed to receive expected response from server with error 80090304. BgbAgent 21/11/2015 18:19:34 5132 (0x140C)
Sleep 33 seconds to restart client… BgbAgent 21/11/2015 18:19:34 5132 (0x140C)
Critical Battery: [FALSE] BgbAgent 21/11/2015 18:20:07 5132 (0x140C)
Connection Standy: [FALSE] BgbAgent 21/11/2015 18:20:07 5132 (0x140C)
Network allowed to use: [TRUE] BgbAgent 21/11/2015 18:20:07 5132 (0x140C)
Access point is SLKBRHSCCM01.SANDLNK.NET. (SSLEnabled = 0) BgbAgent 21/11/2015 18:20:07 5132 (0x140C)
CRL Checking is Enabled. BgbAgent 21/11/2015 18:20:07 5132 (0x140C)
Both TCP and http are enabled, let’s try TCP connection first. BgbAgent 21/11/2015 18:20:07 5132 (0x140C)
Connecting to server with IP: 172.31.96.235 Port: 10123
BgbAgent 21/11/2015 18:20:07 5132 (0x140C)
Failed to connect to server with IP v4 address with error 10061. Try next IP…
BgbAgent 21/11/2015 18:20:13 5132 (0x140C)
Failed to signin bgb client with error = 80004005. BgbAgent 21/11/2015 18:20:13 5132 (0x140C)
Connecting to server with IP: 172.31.96.235 Port: 10123
BgbAgent 21/11/2015 18:21:13 5132 (0x140C)
Failed to connect to server with IP v4 address with error 10060. Try next IP…
BgbAgent 21/11/2015 18:21:26 5132 (0x140C)
Failed to signin bgb client with error = 80004005. BgbAgent 21/11/2015 18:21:26 5132 (0x140C)
Fallback to HTTP connection. BgbAgent 21/11/2015 18:21:26 5132 (0x140C)
[CCMHTTP] ERROR: URL=http://SLKBRHSCCM01.SANDLNK.NET/bgb/handler.ashx?RequestType=LogIn, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE BgbAgent 21/11/2015 18:21:26 5132 (0x140C)
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = «GUID:B19A5C9E-764F-4907-A851-5B8755FC9AF8»;
DateTime = «20151121152126.864000+000»;
HostName = «SLKBRHSCCM01.SANDLNK.NET»;
HRESULT = «0x87d0027e»;
ProcessID = 5172;
StatusCode = 999;
ThreadID = 5132;
};
BgbAgent 21/11/2015 18:21:26 5132 (0x140C)
Successfully sent location services HTTP failure message. BgbAgent 21/11/2015 18:21:26 5132 (0x140C)
Failed to post Login with error code 87d0027e. BgbAgent 21/11/2015 18:21:26 5132 (0x140C)
Failed to signin bgb client with error = 87d0027e. BgbAgent 21/11/2015 18:21:26 5132 (0x140C)
Sleep 99 seconds to restart client… BgbAgent 21/11/2015 18:21:26 5132 (0x140C)
CIDownloader.log
===============
CCIDownloader::StartJob CIDownloader 20/11/2015 16:05:27 16180 (0x3F34)
CIDownloader job empty. CIDownloader 20/11/2015 16:05:27 16180 (0x3F34)
CCIDownloader::DeleteJob for job {A4F686F4-FE39-4487-942F-7B9699051143} CIDownloader 20/11/2015 16:05:27 16180 (0x3F34)
CIDownloader job deleted. CIDownloader 20/11/2015 16:05:27 16180 (0x3F34)
CCIDownloader::CreateJob CIDownloader 20/11/2015 16:05:28 14960 (0x3A70)
CCIDownloader::StartJob CIDownloader 20/11/2015 16:05:28 14960 (0x3A70)
CIDownloader job empty. CIDownloader 20/11/2015 16:05:28 14960 (0x3A70)
CCIDownloader::DeleteJob for job {3E729667-9C46-48CC-A24B-4AF2C59DB4A3} CIDownloader 20/11/2015 16:05:28 14960 (0x3A70)
CIDownloader job deleted. CIDownloader 20/11/2015 16:05:28 14960 (0x3A70)
CCIDownloader::CreateJob CIDownloader 20/11/2015 16:05:28 16180 (0x3F34)
CCIDownloader::StartJob CIDownloader 20/11/2015 16:05:28 16180 (0x3F34)
CIDownloader job empty. CIDownloader 20/11/2015 16:05:28 16180 (0x3F34)
CCIDownloader::DeleteJob for job {F5C813CC-B0F4-4496-8574-4614C0115374} CIDownloader 20/11/2015 16:05:28 15428 (0x3C44)
ContentTransferManager.log
=======================
CCTMJob::UpdateLocations — Received empty location update for CTM Job {24FACEEA-9CC7-48D4-AC4D-88F37CA451EF} ContentTransferManager 22/11/2015 08:56:38 11984 (0x2ED0)
CTM job {24FACEEA-9CC7-48D4-AC4D-88F37CA451EF} suspended ContentTransferManager 22/11/2015 08:56:38 11984 (0x2ED0)
CCTMJob::UpdateLocations — Received empty location update for CTM Job {239BEF6D-F162-4E62-80C7-CA563AEFA8DC} ContentTransferManager 22/11/2015 08:56:38 22496 (0x57E0)
CTM job {239BEF6D-F162-4E62-80C7-CA563AEFA8DC} suspended ContentTransferManager 22/11/2015 08:56:38 22496 (0x57E0)
CCTMJob::UpdateLocations — Received empty location update for CTM Job {7AC8B73C-60D8-4369-A8A2-C54E9AEBE0E4} ContentTransferManager 22/11/2015 08:56:38 22496 (0x57E0)
CTM job {7AC8B73C-60D8-4369-A8A2-C54E9AEBE0E4} suspended ContentTransferManager 22/11/2015 08:56:38 22496 (0x57E0)
CCTMJob::UpdateLocations — Received empty location update for CTM Job {FCDC4631-6EC2-4524-837F-E3C00ACC83D7} ContentTransferManager 22/11/2015 08:56:38 21356 (0x536C)
CTM job {FCDC4631-6EC2-4524-837F-E3C00ACC83D7} suspended ContentTransferManager 22/11/2015 08:56:38 21356 (0x536C)
LocationServices.log
=================
Calling back with empty distribution points list LocationServices 22/11/2015 08:56:38 13596 (0x351C)
Unable to retrieve AD site membership LocationServices 22/11/2015 08:56:38 21356 (0x536C)
Calling back with empty distribution points list LocationServices 22/11/2015 08:56:38 21356 (0x536C)
Unable to retrieve AD site membership LocationServices 22/11/2015 08:56:38 11984 (0x2ED0)
Calling back with empty distribution points list LocationServices 22/11/2015 08:56:38 11984 (0x2ED0)
Unable to retrieve AD site membership LocationServices 22/11/2015 08:56:38 22496 (0x57E0)
Calling back with empty distribution points list LocationServices 22/11/2015 08:56:38 22496 (0x57E0)
Thanks in advance!
Common Windows Security Errors
Description of Security Errors 80090302, 8009030D, 8009030E, 80090304, 80090308, 80090325, 80090326, 80090327, 80090331, 8009035D, 8009030F, 80090321
Date Entered: 06/10/2015 Last Updated: 04/09/2018
Errors
0x80090302
Possible Solutions
This can be done on any of the components that support SSL by using the SSLEnabledProtocols configuration setting. As an example setting the Icharge component to use TLS 1.2 would look like this
Please note the documentation linked above is specifically for the current .NET Editions. For other editions or older versions please reference the help file included with the product.
0x8009030D
Possible Solutions
Using OpenSSL, the certificate can be converted with the command:
openssl pkcs12 -export -passout pass:"" -in cert_key_pem.txt -out cert_key_out.pfx -name "My Certificate"
Then change the SSLCertStoreType to PFXFile in your code, before setting the SSLCertSubject.
0x8009030E
Possible Solutions
0x80090304
- This error may be related to Windows rejecting weak security. Microsoft KB 3061518 explains the issue. To summarize the article, simply set the ClientMinKeyBitLength DWORD value at the following location to 00000200.
After a restart, if this corrects the issue, it indicates that the server's certificate uses a DHE key length that is too small and should be updated.
0x80090308
Possible Causes
0x80090325
The SSL client certificate specified in the request was not accepted by the server. During the SSL handshake the issuer certificates of the SSL client certificate are not included. In Linux the OpenSSLCADir configuration setting must be set to the directory where the hash files exist so the chain is included. In Windows the issuer certs must be in the Personal store. In Java, the issuer certificates are read from the PEM file.
0x80090326
Possible Solutions
0x80090327
This usually means that the server requires SSL client authentication and a new certificate is specified. Check the SSLStatus Event for details.
0x80090331
Most commonly, especially with Windows XP/Windows Server 2003, the client is probably old and doesn’t support the newer ciphers required by the server. Here is a list of ciphers supported in XP.
0x8009035D
Possible Solutions
0x8009030F or 0x80090321
These errors are known to occur on Windows 8.1 and Windows Server 2012 R2 when using TLS 1.2 and one of the following cipher suites:
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
The aforementioned versions of Windows have a bug in their internal security implementations which, under very specific circumstances, can produce either the 0x80090321 (SEC_E_BUFFER_TOO_SMALL) error or the 0x8009030F (SEC_E_MESSAGE_ALTERED) error.
Due to the nature of the issue, we cannot provide a direct fix. However, you can work around these errors by doing one of the following things:
- Use our internal security API by passing the string "UseInternalSecurityAPI=True" to the Config() method. Our internal security API does not rely on the Windows security APIs, so it is not affected by the bug.
- Disable the two cipher suites mentioned above
- Disable support for TLS 1.2
- Upgrade your machine to a newer version of Windows
Authentication Error Code 0x80090304 on Windows XP
First, use Windows Update to update all of your devices that connect over remote access. Second, check for the specific update patches that fixed the RDP vulnerability; they are listed on the official Microsoft site under CVE-2018-0886. Install them on Windows 10/7, Server, RT and LTSB on every PC. This updates CredSSP.
An RDP authentication error has occurred
Press Win + R and enter gpedit.msc to open the Group Policy Editor. In the policies, go to "Computer Configuration" > "Administrative Templates" > "System" > "Credentials Delegation", find "Encryption Oracle Remediation" on the right, and double-click the policy to open its properties.
- Now run Command Prompt as administrator and enter gpupdate /force to refresh the policies so that the changes take effect. Check whether the RDP authentication error is resolved; if not, restart the PC.
After I removed update KB4103718 and restarted the computer, the RDP connection started working normally. If I understand correctly, this is only a temporary workaround: next month a new cumulative update package will arrive and the error will come back? Can you advise anything?
An authentication error has occurred
You are absolutely right that it makes no sense to solve the problem by removing Windows updates, because doing so exposes your computer to the risk of exploitation of the various vulnerabilities that the patches in this update close.
The RDP error "An authentication error has occurred" can also appear when you try to launch RemoteApp applications.
After installing update KB4103718 on my Windows 7 computer, I cannot connect remotely to the server through Remote Desktop (RDP). After I enter the RDP server address in the mstsc.exe client window and click "Connect", an error appears:
You also need to select RDP as the security layer in the policy "Require use of specific security layer for remote (RDP) connections".
An authentication error has occurred
You are not alone in this problem. Users of the English version of Windows see the following error when they try to connect to an RDP/RDS server:
In Windows 7 this option has a different name. On the Remote tab, select the option "Allow connections from computers running any version of Remote Desktop (less secure)".
The function requested is not supported.
Disabling NLA for the RDP protocol in Windows
To apply the RDP settings, refresh the policies with gpupdate /force or restart the computer.
But this giant does not rest on its laurels and intends to catch up with its direct competitor CSTRIX, whose capabilities have been in use for more than 15 years.
Network-level authentication for the remote computer
A computer may fail to connect to a remote desktop for several other, mundane reasons:
With the release of Windows Server, it became possible to set up protection at the network level. Later versions of the OS, however, did not receive this capability. Now, when connecting to such a server, the remote computer requires network-level authentication, which the PC does not support.
Literally everyone was hit: the Windows 7, Windows 8.1 and Windows 10 client operating systems from which people tried to connect to an RDS farm or to RemoteApp applications running on Windows Server 2008 R2 and later. If you had read the discussion threads in those days, you would have understood the full outrage of people, especially in the West.
FIX: «0x80090304» authentication error when you try to establish an RDP session on a Windows Embedded Compact 7-based device
Symptoms
Consider the following scenario:
You have a Windows Embedded Compact 7-based device.
You have the SendLMResponse registry subkey set as follows:
Registry location: HKEY_LOCAL_MACHINE\Comm\SecurityProviders\NTLM
DWORD name: SendLMResponse
DWORD value: 00000001
You try to establish a Remote Desktop Protocol (RDP) session with a server that is running Windows Server 2008 and that has default security settings.
In this scenario, the Windows Embedded Compact 7-based device cannot establish the RDP session, and you receive a 0x80090304 authentication error.
Resolution
Software update information
A supported software update is now available from Microsoft as Windows Embedded Compact 7 Monthly Update May 2013. In the "File information" section, the package file name contains the processor type.
Note This Windows Embedded Compact 7 Monthly Update is available for download from the following Microsoft Download Center website:
Prerequisites
This update is supported only if all previously issued updates for this product have also been installed.
Restart requirement
After you apply this update, you must perform a clean build of the whole platform. To do this, use one of the following methods:
On the Build menu, click Clean Solution, and then click Build Solution.
On the Build menu, click Rebuild Solution.
You do not have to restart the computer after you apply this software update.
Update replacement information
This update does not replace any other updates.
The English version of this software update package has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Files that are included in this update package
RDP Error: The server security layer detected an error (0x80090304) in the protocol stream and the client
I’m trying to use Remote Desktop to log onto a Dynamics 365 AOS server hosted in Azure, using the RDP file and credentials displayed on the environment’s LCS page.
The Dynamics 365 AOS server is a Windows Server 2016 Datacenter Edition box.
When accessing it via a Windows Server 2012 R2 server (i.e. RDPing onto the server, then downloading the DFO365 RDP file from LCS onto that machine and running the RDP client on the «proxy» server) all works, but attempting to access directly from my Windows 7 SP1 machine fails. A colleague, also running Windows 7 SP1 , has exactly the same issue.
My public IP (i.e. as seen by visiting WhatsMyIp) is whitelisted for RDP (via the LCS Maintain > Enable Access ).
Both myself and my colleague had been able to RDP on to this VM until mid last week.
By going via the «proxy» server I was able to view the event logs on the remote Dynamics 365 AOS server. Looking at the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational event log I could see my connection attempts hitting this server, as there were warning messages stating: The server security layer detected an error (0x80090304) in the protocol stream and the client (Client IP: 123.45.67.89 ) has been disconnected. (where 123.45.67.89 matches my public IP address). There are several other information events either side of the warning:
- info The server accepted a new TCP connection from client 123.45.67.89:58177.
- info Connection RDP-Tcp#4 created
- info Interface method called: PrepareForAccept
- info Interface method called: SendPolicyData
- info PerfCounter session started with instance ID 4
- warn The server security layer detected an error (0x80090304) in the protocol stream and the client (Client IP:123.45.67.89) has been disconnected.
- info Interface method called: OnDisconnected
- info The server has terminated main RDP connection with the client.
- info During this connection, server has not sent data or graphics update for 0 seconds (Idle1: 0, Idle2: 0).
- info Channel rdpinpt has been closed between the server and the client on transport tunnel: 0.
- info Channel rdpcmd has been closed between the server and the client on transport tunnel: 0.
- info Channel rdplic has been closed between the server and the client on transport tunnel: 0.
- info The disconnect reason is 14
These events repeat 3 times, implying that MSTSC makes 3 connection attempts before reporting the failure.
Looking around the web I’ve seen mention of some certificate and key issues. I noticed that there are 120,078 files under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys , including one beginning f686aace6942fb7f7ceb231212eef4a4_ (TSSecKeySet1). I haven’t tried removing or amending any of these though, as don’t know what the impact would be / haven’t seen any explanation of why such fixes should work. My gut is that the sheer volume of files in that directory may be related to the issue.
Question
Does anyone know what may be blocking these connection attempts / what’s required to allow the connections through?
I have multiple machines that have the client installed but look to have communication issue as the CCMnotificationagent.log
Things I have tried..
- Reinstalling client
- Removing the certificate, stopping the ccmexec service and renaming the SMSCFG to .old restarting the service
- Making sure that TLS handshake is happening
This is the ccmnotificationagent.log
Any help would be appreciated.
Access point is server.domain.com. (SSLEnabled = 1) BgbAgent 10/27/2022 12:38:45 PM 2540 (0x09EC)
CRL Checking is Disabled. BgbAgent 10/27/2022 12:38:45 PM 2540 (0x09EC)
Both TCP and http are enabled, let’s try TCP connection first. BgbAgent 10/27/2022 12:38:45 PM 2540 (0x09EC)
Connecting to server with IP: x.x.x.x Port: 10123
BgbAgent 10/27/2022 12:38:46 PM 2540 (0x09EC)
Handshake was successful
BgbAgent 10/27/2022 12:38:46 PM 2540 (0x09EC)
Pass verification on server certificate. BgbAgent 10/27/2022 12:38:46 PM 2540 (0x09EC)
NetworkInfo: IPAddress x.x.x.x,fe80::f0ed:c16a:34d8:702e BgbAgent 10/27/2022 12:38:46 PM 2540 (0x09EC)
NetworkInfo: IPSubnet x.x.x.x,64 BgbAgent 10/27/2022 12:38:46 PM 2540 (0x09EC)
NetworkInfo: AccessMP MP.domain.com BgbAgent 10/27/2022 12:38:46 PM 2540 (0x09EC)
NetworkInfo: IsClientOnInternet 0 BgbAgent 10/27/2022 12:38:46 PM 2540 (0x09EC)
Update the timeout to 900 second(s) BgbAgent 10/27/2022 12:38:46 PM 2540 (0x09EC)
Receive signin confirmation message from server, client is signed in. BgbAgent 10/27/2022 12:38:46 PM 2540 (0x09EC)
Updating MDM_ConfigSetting.ClientHealthLastSyncTime with value 2022-10-27T17:38:46Z BgbAgent 10/27/2022 12:38:46 PM 2540 (0x09EC)
GetCurrentlyLoggedOnUser Failed with error code = 800703f0. BgbAgent 10/27/2022 12:38:47 PM 2540 (0x09EC)
sBoundaryGroupID: 16777218, BgbAgent 10/27/2022 12:38:47 PM 2540 (0x09EC)
sIpAddress: x.x.x.x, BgbAgent 10/27/2022 12:38:47 PM 2540 (0x09EC)
sIpSubnet: x.x.x.x, BgbAgent 10/27/2022 12:38:47 PM 2540 (0x09EC)
BgbConnector::CheckRebootPending: CreateInstance failed for RebootCoordinator. Reboot coordinator instance will be unavailable. Error = 0x800703fd BgbAgent 10/27/2022 12:38:47 PM 2540 (0x09EC)
Successfully sent the first keep-alive message. BgbAgent 10/27/2022 12:38:47 PM 2540 (0x09EC)
Updating MDM_ConfigSetting.ClientHealthLastSyncTime with value 2022-10-27T17:38:47Z BgbAgent 10/27/2022 12:38:47 PM 2540 (0x09EC)
Settings update: {bgb enable = 0}, {tcp enabled = 0}, {tcp port = 0} and {http enabled = 0}. BgbAgent 10/27/2022 12:39:10 PM 2312 (0x0908)
Cancel the active connector here, tcp connection will be disconnected immediately while http connection will be timeout eventually. BgbAgent 10/27/2022 12:39:10 PM 2312 (0x0908)
Connection is reset
BgbAgent 10/27/2022 12:39:10 PM 2540 (0x09EC)
Failed to receive buffer from server with err=0x80090304. BgbAgent 10/27/2022 12:39:10 PM 2540 (0x09EC)
Failed to receive expected response from server with error 80090304. BgbAgent 10/27/2022 12:39:10 PM 2540 (0x09EC)
Important note: If Windows is used as a client of CryptoPro HSM 2.0 and the HSM access key is stored on a smart card or token, connecting to that Windows system over RDP is not recommended, because smart card/token readers attached locally to the Windows computer will not be available in the RDP session.
- the menu items on the page do not work and a line like the following is displayed:
-1 -1 0 0 0 0 0 0 false false false
Cause:
A browser other than Internet Explorer is being used, or the IP address of the HSM 2.0 has not been added to "Trusted sites" and to "Compatibility View" in Internet Explorer.
Stunnel error 0x80090304 returned by acquirecredentialshandle
Question
We have set up, in a test environment, one Configuration Manager R2 on Windows 2003 SP2 with an internal CA authority. We have manually entered the Root CA hash in the MEBx and have disabled DHCP, as we don’t have a separate DHCP server for the test environment. Currently, when we try in-band provisioning, we receive the following error in the amtopmgr.log on the Configuration Manager server:
—————————————————
Answers
We have found the problem. It appears that the problem comes from nested groups. As soon as we allowed permissions for the computer account of the Configuration Manager server, instead of the group, we had no problems making the provisioning.
The other problem with the client, which we saw in BIOS, was the following:
Machine Type: Invalid
System Serial Number: Invalid
UUID: FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF
We had to update the BIOS with the boot CD image, downloaded from the manufacturer.
After that everything worked as expected.
With best regards
Kin
Yes, both hotfixes are installed.
KB960804
KB942841
But that didn’t solve the problem. We have requested a new provisioning certificate from our internal CA and now the error has changed:
————————————————————————————————————————————-
Set credential on provisionHelper. SMS_AMT_OPERATION_MANAGER 16.4.2009 16:05:13 812 (0x032C)
Try to use provisioning account to connect target machine
. SMS_AMT_OPERATION_MANAGER 16.4.2009 16:05:13 812 (0x032C)
Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server. SMS_AMT_OPERATION_MANAGER 16.4.2009 16:05:13 812 (0x032C)
**** Error 0x2feb924 returned by ApplyControlToken SMS_AMT_OPERATION_MANAGER 16.4.2009 16:05:13 812 (0x032C)
Fail to connect and get core version of machine using provisioning account #0.
SMS_AMT_OPERATION_MANAGER 16.4.2009 16:05:13 812 (0x032C)
————————————————————————————————————————————-
So can anyone help me with what can cause this error? Thanks in advance.
The fact that you’re not using DHCP worries me, because we’ve now updated the docs to say that DHCP is required for both out of band and in-band provisioning, in order to set the domain suffix correctly and create an A record in DNS. See the latest prerequisites topic (http://technet.microsoft.com/en-us/library/cc161785.aspx) where we say:
For DHCP, ensure that the DHCP scope options include DNS servers (006) and Domain name (015) and that the DHCP server dynamically updates DNS with the computer resource record.
This clarification came about because of another forum post where they had a very similar error to yours (but earlier version of AMT) — see http://social.technet.microsoft.com/forums/en-US/configmgrgeneral/thread/ba8ded54-9f4b-4425-9768-7b95cd66ac04/. Their issue came down to DHCP/DNS configuration for AMT — so I was wondering, in the log file where it says <machine name>.<domain suffix>, do you have a DNS record so that this name can be successfully resolved to an IP address?
This posting is provided “AS IS” with no warranties and confers no rights
Sorry for the delay in response.
We have set up the IP addresses and suffix manually, so we have disabled the DHCP server on the MEBx and on Windows. The DNS server correctly resolves the client’s machine, so there is no problem. As we can’t reproduce a DHCP server in our test environment, I asked our PKI team to publish the certificate templates in our real environment. As soon as they publish the templates, we will run the test in the real environment, where we have a DHCP server with options 6 and 15 activated, and I will let you know if the tests were successful.
Thanks for your answer and the links.
We have prepared a DHCP server and checked the DNS for the forward (A) and reverse (PTR) DNS records for the client and ConfigMgr site server in a test environment and everything is OK, but the Configuration Manager server still can’t make the provisioning.
>>>>>>>>>>>>>>>Provision task begin machine name > . domain suffix > )
Found valid basic machine property for machine > Warning: Currently we don’t support mutual auth. Change to TLS server auth mode.
The provision mode for device machine name > . domain suffix > is 1.
Attempting to establish connection with target device using SOAP.
Found matched certificate hash in current memory of provisioning certificate
Create provisionHelper with (Hash: 9241BCE663AC8F0649349AC8CC34234982EAD)
Set credential on provisionHelper.
Try to use provisioning account to connect target machine machine name > . domain suffix >
Fail to connect and get core version of machine machine name > . domain suffix > using provisioning account #0.
Try to use default factory account to connect target machine machine name > . domain suffix >
Fail to connect and get core version of machine machine name > . domain suffix > using default factory account.
Try to use provisioned account (random generated password) to connect target machine machine name > . domain suffix >
Fail to connect and get core version of machine machine name > . domain suffix > using provisioned account (random generated password).
Error: Device internal error. Check Schannel, provision certificate, network configuration, device. (MachineId = 6)
Error: Can NOT establish connection with target device. (MachineId = 6)
>>>>>>>>>>>>>>>Provision task end
It does sound like you’ve checked everything you can within Configuration Manager — especially if you’ve checked the DNS domain suffix in AMT matches the host computer domain suffix, in addition to checking the DNS records. If you configure DHCP after the network interface has closed, this can introduce a timing issue where the DNS domain suffix doesn’t update in AMT — see this blog post for more details: http://blogs.technet.com/wemd_ua_-_sms_writing_team/archive/2008/12/09/out-of-band-management-requirements-for-in-band-amt-provisioning-and-dhcp.aspx
There are a couple of suggested reasons for «Error: Device internal error. Check Schannel, provision certificate, network configuration, device» in our troubleshooting docs (http://technet.microsoft.com/en-us/library/cc161803.aspx), which point to the hotfix files being overwritten or DNS/DHCP misconfiguration. However, if you’ve checked these, I recommend you contact Intel for more diagnostics why AMT is rejecting the connection. I’ve just noticed from your original post that you’re running AMT version 4.1.3, and this isn’t one of our supported versions (see http://technet.microsoft.com/en-us/library/cc161963.aspx), so I definitely recommend checking with them in case there are known issues that might be causing this provisioning failure.
In case you’re not aware of this, Intel have an excellent community forum to help support out of band management in Configuration Manager, and they are very helpful/responsive. When it comes to the nitty-gritty details of what AMT is doing and how to configure it, they are the experts because this is their technology. See the Intel vPro Expert Center: Microsoft vPro Manageability — http://communities.intel.com/community/vproexpert/microsoft-vpro.
If you do find a resolution with them, can you update this post to help other Configuration Manager customers?
This posting is provided “AS IS” with no warranties and confers no rights
Question
I have a SCCM R2 Windows 2008 system that has been functioning great! I have set up AMT in the past successfully; however, I am having difficulty getting our vPro systems provisioned on SCCM. At this point, none are provisioned. I have all the required prerequisites in place and I have installed our external GoDaddy cert successfully as well.
The server is attempting to provision the systems, but fails with the following error:
Failed to create SSPI credential with error=0x8009030E by AcquireCredentialsHandle.
Very little information can be found for this specific error code, but from what I could find it points to the SSL cert.
I created my CSR to GoDaddy using OpenSSL (openssl.exe) and I received two files from GoDaddy: my provisioning «.cer» and their root chain. I needed the «.cer» to be in «.pfx» (12) format, so I used OpenSSL and created a PFX using my private key that accompanied the initial request when I first generated it and then sent the information to GoDaddy, and imported the PFX into SCCM successfully.
I’m pretty sure my request was properly formatted (they require 2048 bit now), but I do have my private key, so is there a way to attach/import that into the Local Computer Store (where the public key already is) and then export to .pfx to try that?
I have attached a screen shot of the «Start Task» to «End Task»
Has anybody experienced this before? Any help is appreciated! Thanks!
Answers
Short Answer — The Root CA Chain needs to be included in the PFX file you use for SCCM / WS Man Trans
Answer — This was the first time I used OpenSSL binaries to create the cert request to the 3rd party cert provider. Not a problem. It worked and I received two files back: the .CER file and the Certificate Root Chain. Since I used OpenSSL to create the request, I had to use OpenSSL to convert the CER into a PFX using the private key I initially created via OpenSSL. Once you convert the CER into a PFX, you need to import all 3 files (CER, Root Chain, and PFX) into the Local Computer Store. Once it’s imported, you need to right-click on the provisioning cert (PFX) and select Export. There will be an option for «Export all certificates in the chain if possible» or something along the lines of that. Once the export is complete, the PFX file you now exported is the PFX file you will use in SCCM and WSMan Trans.
The problem I had was that I didn’t include the cert root chain when converting my CER into PFX using OpenSSL. Once I imported / exported from the Windows Local Computer Store, the gates opened and within 15 min I see them all coming into the AD OU I created and all is well.
For anyone interested, the commands I used to request and subsequently convert the CER into a PFX are as follows:
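The point of this answer, a PFX that carries the issuing chain, can be checked before the file is imported into Configuration Manager. The following is an added example, not the poster's own commands (which this page does not include); it assumes the OpenSSL CLI is on PATH, and every key, subject name, file name and password in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI; nothing here comes from the thread.
set -eu
PFX_PASS='constructed-demo-pass'   # assumption: demo-only export password

# Create a throwaway root CA and a leaf "provisioning" certificate in dir $1.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root-chain.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=provisioning.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/leaf.csr" \
        -CA "$1/root-chain.pem" -CAkey "$1/root.key" -CAcreateserial \
        -out "$1/leaf.cer" 2>/dev/null
}

# The mistake described in the answer: certificate + private key, no chain.
export_pfx_leaf_only() {
    openssl pkcs12 -export -in "$1/leaf.cer" -inkey "$1/leaf.key" \
        -out "$1/leaf-only.pfx" -passout "pass:$PFX_PASS"
}

# Same export with the CA chain bundled in via -certfile.
export_pfx_with_chain() {
    openssl pkcs12 -export -in "$1/leaf.cer" -inkey "$1/leaf.key" \
        -certfile "$1/root-chain.pem" \
        -out "$1/with-chain.pfx" -passout "pass:$PFX_PASS"
}

# Print how many certificates the PFX at $1 contains (1 = leaf only).
count_pfx_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

demo() {
    dir=$(mktemp -d)
    make_test_pki "$dir"
    export_pfx_leaf_only "$dir"
    export_pfx_with_chain "$dir"
    echo "leaf-only.pfx  certificates: $(count_pfx_certs "$dir/leaf-only.pfx")"
    echo "with-chain.pfx certificates: $(count_pfx_certs "$dir/with-chain.pfx")"
    rm -rf "$dir"
}
demo
```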