22 Replies, latest reply on Oct 28, 2015 6:54 AM by TKremer

    Weird Problem updating AD Object while provisioning

    TKremer

      Hi around,


      After a long time of trying and fiddling I got AMT provisioning to run in our environment.


      We use Server 2012 R2 with the latest Intel SCS tool and the Intel add-on for SCCM 2012.
      I provisioned some clients and it worked well.
      Now I tried to fully unconfigure a client due to a password change and reconfigure it using the acuconfig batch file with the updated password.
      The password was also updated in the SCS profile we use to provision.
      The unconfigure worked, but when trying to reconfigure I get the following error:


      2015-09-23 14:05:54: Thread:6072(ERROR) : ACU Configurator, Category: Exit Source: Src\ActivatorMain.cpp : wmain Line: 1254: ***********Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device. An Active Directory interface internal error occurred.  Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).


      It looks like a simple AD problem, so I checked the service account we use for provisioning. It actually has full control of the OU and the object, so I can't figure out what could produce the "Access denied".
      I tried to provision a new client and got the same error.
      The object is created in the AD OU, but something seems to go wrong afterwards.

      I tried to reuse the old password but it brought no result.


      Has anyone had a problem like this and can point in a helpful direction?
      Thanks
      Thomas

        • 1. Re: Weird Problem updating AD Object while provisioning
          brunodom

          Thomas,

          Make sure that "Always use the OS host name for the New AD object" is not marked in the "Active Directory Integration" section of the profile.


          Screenshot 2015-09-04 22.00.33.png

          • 2. Re: Weird Problem updating AD Object while provisioning
            TKremer

            Hi Bruno,
            thank you for the answer.
            The 'Always use the OS Host Name...' option is not checked in the provisioning profile we use.

            Do you have another idea for this case?


            Thanks

            Thomas

            • 3. Re: Weird Problem updating AD Object while provisioning
              TKremer

              I found the cause of the problem while searching the object attributes.


              When creating the AD object it creates a user account and not a machine account, therefore it can't set some of the attributes.

              Now I will have to search why it suddenly creates user accounts instead of machine accounts.


              Thanks for your help.

              • 4. Re: Weird Problem updating AD Object while provisioning
                DonZoomik

                We have been running SCS for quite a while now but the same issue popped up last week.

                SCS server has Full privileges on AMT Computer accounts and I can't track any changes to have caused this. RCS seems to fail to update AMT Computer's password...?


                brunodom: we did have this option enabled. Disabling and retrying configuration seems to have no effect.


                I filtered domain controller event logs and I can see that Computer account's password is successfully reset. In fact I can see no related failures.

                Log Name:      Security
                Source:        Microsoft-Windows-Security-Auditing
                Date:          23.09.2015 16:34:06
                Event ID:      4724
                Task Category: User Account Management
                Level:         Information
                Keywords:      Audit Success
                User:          N/A
                Computer:      DOMAINCONTROLLER.internal.domain.com
                Description:
                An attempt was made to reset an account's password.

                Subject:
                Security ID:  DOMAIN\SCSSERVER$
                Account Name:  SCSSERVER$
                Account Domain:  DOMAIN
                Logon ID:  0x110D519B

                Target Account:
                Security ID:  DOMAIN\COMPUTER$iME
                Account Name:  DOMAIN$iME
                Account Domain:  COMPUTER


                Very strange...


                From RCSlog.log on SCS server:

                2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 411: Step into UpdateADObjectPassword

                2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::GetAMTadObject Line: 1508: Step in GetAMTadObject

                2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal  Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 480: padsUser->SetInfo 0

                2015-09-24 10:06:41: Thread:16264(ERROR) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal error Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 494: An Active Directory interface internal error occurred.  Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).

                2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 521: Step out UpdateADObjectPassword

                2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::CreateADObject Line: 394: Step out CreateADObject

                2015-09-24 10:06:41: Thread:16264(ERROR) : COMPUTERNAME.internal.domain.com, Category: Configure Profile Source: ADUtils.cpp : ADUtils::BindCreateADObject Line: 309: AD object creation failed. An Active Directory interface internal error occurred.  Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).

                2015-09-24 10:06:41: Thread:16264(ERROR) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: Operation Error Source: Src\ConfigThread.cpp : ConfigThread::runConfigure Line: 674: An Active Directory interface internal error occurred.  Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).

                2015-09-24 10:06:41: Thread:16264(DETAIL) : COMPUTERNAME.internal.domain.com, Category: Delete Key Pairs Source: vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::DeleteKeyPairs Line: 4345:

                2015-09-24 10:06:41: Thread:16264(DETAIL) : COMPUTERNAME.internal.domain.com, Category: AMTCommunicator Source: WSMANCommunicator.cpp : AMTInterfaceNamespace::WSMANCommunicator::RemoveKeyFromStore Line: 5174: WS-Management call  RemoveKeyFromStore (AMT_PublicPrivateKeyPair.Delete) ok

                2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: End function: Status Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::SetupConfigureAMT Line: 896: 0xc0003a99

                2015-09-24 10:06:41: Thread:16264(ERROR) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ConfigAMT request failed.  Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::handleStatusAfterRun Line: 221: An Active Directory interface internal error occurred.  Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).  (0xc0003a99).

                2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category:  Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::GetAmtByUuid Line: 260: Begin GetAmtByUuid AMTSystem

                2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category:  Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::GetAmtByUuid Line: 236: Begin GetAmtByUuid DBAmt

                2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category:  Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::UpdateAmt Line: 340: Begin UpdateAmt

                2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category:  Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::UpdateAmt Line: 345: End UpdateAmt

                2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category:  Source: Src\RCSServer.cpp : CServiceModule::Log Line: 1289: Finish Configuration; (ERROR) AMT details: UUID: 72182101-5389-11CB-B9F9-A772781A1EDB, FQDN: Empty, IP: 10.0.122.45 . Return code: 0xc0003a99 . Details: An Active Directory interface internal error occurred.  Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).

                2015-09-24 10:06:41: Thread:16264(ERROR) : WMI Protocol, Category: ConfigAMT Source: C:\TeamCity.BuildAgent\work\ef8d7e613e373c5c\Components\RCSServer\MethodCallData.h : SCS_WMI::WMICallDetails::SendErrorReport Line: 92: Finished operation with Error.   (0xc0001c89). An Active Directory interface internal error occurred.  Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).  (0xc0003a99).

                • 5. Re: Weird Problem updating AD Object while provisioning
                  TKremer

                  Don, could you check your AD Object?


                  I discovered that acuconfig.exe creates a computer object (so it seems), but if you look in the Attribute Editor the fields are:

                  primaryGroupID points to (Group_RID_Users)

                  and the sAMAccountType is set to (Normal_User_Account).

                  Also the userAccountControl is set to 0x220 (Passwd_NotReqd | Normal_Account) instead of 0x11000 (Workstation_Trust_Account...) like all the other clients.


                  In our case it seems that the provisioning is not working with this object type.

                  Why it creates this kind of broken object type is still in question.

                  It would be great to know if you have the same changes in the AD Attribute Editor after updating your computer.

                  • 6. Re: Weird Problem updating AD Object while provisioning
                    DonZoomik

                    The attributes are the same for me.


                    I went over last Patch Tuesday's patch list and this seems suspicious: Microsoft Security Bulletin MS15-096 - Important

                    It specifically mentions changes to behavior when creating (and editing?) computer accounts. There are no details though.


                    Intel?

                    • 7. Re: Weird Problem updating AD Object while provisioning
                      TKremer

                      Not sure if Intel can answer this.

                      The problem occurred shortly after the mentioned update was installed on our DCs.


                      Now we have opened a call with Microsoft to verify the problem.
                      Hope we get some answers.

                      • 8. Re: Weird Problem updating AD Object while provisioning
                        ruj

                        Hi

                        We have the same error when trying to provision new devices. We also suspected update MS15-096 because of the text "The security update addresses the vulnerability by correcting how machine accounts are created" in the description. Tests in our lab environment showed that it was the installation of this update on the DCs which caused the issue.

                        Removing MS15-096 on the RCS server did not solve the problem.


                        Since we still use RCS in version 9.0 we will try updating the server software.

                        • 9. Re: Weird Problem updating AD Object while provisioning
                          brunodom

                          That is right. The MS15-096 security bulletin is preventing a computer account from creating/deleting/updating AD objects. There are some workarounds:

                          1. If you are running ACUConfig.exe in the security context of LocalSystem, such as used by the SCCM agent, you have to define a domain user account with permission over the AD OU to create/delete.

                          2. In case you are using RCS as a proxy, you should change NETWORK SERVICE to a domain user account, also with permission over the AD OU, and in case you are using it with SQL Server, you also need to give the db_owner role to this account on the IntelSCS database.


                          Best Regards!

                          -Bruno Domingues
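The checks the thread converges on (the user-type attribute set on the AMT object from reply 5, and the identity and OU permissions of the account running RCS/ACUConfig from reply 9) can be gathered in one place. The following PowerShell script is an added example for that purpose; it is not from this thread and not part of Intel SCS or RCS. It assumes the RSAT ActiveDirectory module is installed, and it uses placeholders for the AMT OU distinguished name and the service account name; the display-name filter for the RCS service is an assumption to adjust for your installation.

```powershell
# Added diagnostic script; not from this thread and not part of Intel SCS/RCS.
# Assumptions (placeholders to replace): $AmtOu is the OU the SCS profile writes AMT
# objects to, $ServiceAccount is the account RCS/ACUConfig runs as, the RSAT
# ActiveDirectory module is installed, and the RCS service has a display name
# containing "RCS" (an assumption; adjust the filter if it does not).
Import-Module ActiveDirectory

$AmtOu          = 'OU=AMT,DC=internal,DC=domain,DC=com'   # placeholder
$ServiceAccount = 'DOMAIN\svc_scs'                          # placeholder

# userAccountControl bits that matter here (documented AD flag values).
$Uac = @{
    PASSWD_NOTREQD            = 0x00020
    NORMAL_ACCOUNT            = 0x00200
    WORKSTATION_TRUST_ACCOUNT = 0x01000
    DONT_EXPIRE_PASSWORD      = 0x10000
}
# sAMAccountType: 805306368 = NORMAL_USER_ACCOUNT, 805306369 = MACHINE_ACCOUNT
$MachineAccountType = 805306369
# primaryGroupID: 513 = Domain Users, 515 = Domain Computers
$DomainUsersRid = 513

function Expand-Uac {
    param([int]$Value)
    # Names of the known flags set in $Value, e.g. 0x220 -> "PASSWD_NOTREQD | NORMAL_ACCOUNT".
    ($Uac.GetEnumerator() | Where-Object { $Value -band $_.Value } |
        Sort-Object Value | ForEach-Object Name) -join ' | '
}

# 1. Every account in the AMT OU, flagged when it carries the user-type attribute set
#    described in reply 5 instead of the machine-account set a healthy AMT object has.
#    objectClass "user" matches computer objects too, so mis-created objects are included.
Write-Host "== AMT objects in $AmtOu =="
Get-ADObject -SearchBase $AmtOu -Filter 'objectClass -eq "user"' `
    -Properties sAMAccountName, sAMAccountType, primaryGroupID, userAccountControl |
    ForEach-Object {
        [pscustomobject]@{
            Name         = $_.sAMAccountName
            AccountType  = $(if ($_.sAMAccountType -eq $MachineAccountType) { 'MACHINE_ACCOUNT' } else { "NOT machine ($($_.sAMAccountType))" })
            PrimaryGroup = $_.primaryGroupID
            UAC          = ('0x{0:X} ({1})' -f $_.userAccountControl, (Expand-Uac $_.userAccountControl))
            LooksBroken  = (($_.sAMAccountType -ne $MachineAccountType) -or
                            ($_.primaryGroupID -eq $DomainUsersRid) -or
                            (-not ($_.userAccountControl -band $Uac.WORKSTATION_TRUST_ACCOUNT)))
        }
    } | Format-Table -AutoSize

# 2. Which identity the RCS service really runs as (reply 9: NETWORK SERVICE is the
#    setting that stops working after MS15-096; it should be a domain account).
Write-Host "== RCS service logon account =="
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like '*RCS*' } |
    Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize

# 3. What that account is actually granted on the OU. Look for CreateChild/DeleteChild
#    and WriteProperty (or GenericAll) Allow entries; a Deny entry for the same account
#    or one of its groups overrides them.
Write-Host "== ACEs for $ServiceAccount on $AmtOu =="
(Get-Acl -Path "AD:\$AmtOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

Run it on the RCS server in an elevated session. An object that shows LooksBroken = True with UAC 0x220 matches the broken state from reply 5; a StartName of "NT AUTHORITY\NETWORK SERVICE" in section 2 is the configuration reply 9 says to change. The ACL listing only shows ACEs granted directly to the account, so rights that come through group membership have to be checked on the groups as well.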

                          • 10. Re: Weird Problem updating AD Object while provisioning
                            DonZoomik

                            Updating to SCS/RCS 10 will not help. I was on 10 already before the problem started.

                            • 11. Re: Weird Problem updating AD Object while provisioning
                              DonZoomik

                              Do we need both workarounds?

                              Because we already run ACUConfig under custom user account with privileges to AMT Computer account OU.

                              • 12. Re: Weird Problem updating AD Object while provisioning
                                brunodom

                                You only need to follow one. In your case, working with a custom account, you must be sure that the profile was exported with the option "The user running the Configuration":

                                Screenshot 2015-09-28 21.55.11.png

                                • 13. Re: Weird Problem updating AD Object while provisioning
                                  TheHoff

                                  Hi,


                                  I have been following this thread as we are having the same issue.  Does this mean that remote configuration is broken as a whole due to the MS15-096 patch?  We are unable to remotely configure a device using our RCS server.  I uninstalled RCS and re-installed it as the service account and we are still getting the AD error.  We are using database mode.  If I configure it locally with an exported profile it works fine.  If I run an un-configure job from the console, it does un-configure the device but fails to remove the AD object from AD.  If I un-configure it locally it works and removes the object from AD.


                                  Thanks!


                                  Nick

                                  • 14. Re: Weird Problem updating AD Object while provisioning
                                    TKremer

                                    Hi Bruno,
                                    we have the Intel RCS service running with a service account that has full rights on the AD OU.

                                    The same user is db_owner on the IntelSCS database, and we also use it with acuconfig.exe to provision the clients.

                                    The problem is still there.
