CA Configuration Automation

failed to connect to WMI, denied access different domain.

  • 1.  failed to connect to WMI, denied access different domain.

    Posted Sep 08, 2015 08:25 AM

    Hello, I am running CCA Automation from a server within my domain. I am doing the Discovery with a domain account and using those credentials to run the WMI query. In my internal domain everything works fine: I can connect to WMI, perform the readings and complete the Discovery.

    However, we have some servers in our DMZ (Windows Server 2008) that are not members of the domain. When I perform Discovery against them with the usernames and passwords of the external domain, I get the access denied message shown in the log below:

    CCA-ND-8038: Connection to WMI namespace failed. Error code = [0x80070005] and error message = [Access is denied.]

    CCA-ND-8193: Connecting to WMI namespace [\\10.52.145.149\ROOT\CIMV2] using Username = [Gateway Service Log On As User]

    CCA-ND-8038: Connection to WMI namespace failed. Error code = [0x800706cc] and error message = [The endpoint is a duplicate.]

    CCA-ND-8037: Connecting to WMI namespace [\\10.52.145.149\ROOT\CIMV2] using Windows credentials username = [\Administrator]

    I have already made the following settings:

        Properly configured firewall rules

        User and domain password (Administrator)

        The user has been granted explicit access to the WMI namespace and sub-namespaces, and DCOM access specifically for remote connections.

    Does anyone have any idea what I need to do to fix this?



  • 2.  Re: failed to connect to WMI, denied access different domain.

    Broadcom Employee
    Posted Sep 08, 2015 09:08 AM

    Hi,

    The next best step is to see what error you get with WBEM (if any).

    Tech Tip: How to Test WMI Connection via WBEM

    One other thing to keep in mind: I see you mentioned that all firewall rules are set; I just want to make sure that both directions of communication have been allowed. With WMI, the host sends the request via WMI on port 135, but the response from the target uses RPC on a random port 1024 and above. Most DMZ configurations will block this, and really should, for security reasons. To get around this, you can configure the return response port on each of the target machines and then use that port for all your communications; of course, the more machines, the more configuration that needs to be done (unless you can push down a single config). Everything mentioned here is strictly Microsoft \ WMI, not CCA.



  • 3.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 08, 2015 09:22 AM

    Hi, thanks for the answer!

    So I should open port 1024 or above to receive the response to the WMI request sent from my CCA server?

    Check whether my understanding is correct:

    CCA SERVER: open port 135 for requests to the target machine (ok)

    The response: open port 1024 or above, correct?



  • 4.  Re: failed to connect to WMI, denied access different domain.

    Broadcom Employee
    Posted Sep 09, 2015 09:07 AM

    This is correct:

    CCA SERVER: open port 135 for requests to the target machine (ok)

    The response: open port 1024 or above, correct?

    However:

    For security reasons, especially in the DMZ, you don't want to open so many ports. You can define that single port as mentioned above (How To: https://support.microsoft.com/en-us/kb/154596) OR create a rule for JUST the protocol (RPC) from Target to Source.

    Keep in mind:

    This may be only one of the many possible reasons why WMI may not communicate properly. To make sure, after each configuration change, do a test with WBEM.
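The port behaviour described in the two replies above, as an added example that is not part of the thread and not CA or Broadcom code: a PowerShell script whose source-side half performs the same \\target\root\cimv2 connection as wbemtest with explicit credentials and reports the HRESULT, so the two codes from the first post (0x80070005 and 0x800706CC) can be told apart, and whose target-side function pins the DCOM callback range per Microsoft KB154596 and opens only TCP 135 plus that range in the Windows Firewall. The target address, the account name and the 5000-5020 range are hypothetical values; the script needs PowerShell 2.0 or later.

```powershell
# Added example; not code from the thread, from CA Configuration Automation or
# from NDG. Source-side half: run on the discovery host to reproduce the
# CCA-ND-8037 step outside the product. Target-side half: pin the DCOM range
# per Microsoft KB154596. Target IP, account and port range are hypothetical.
param(
    [string]$Target   = '10.52.145.149',      # DMZ target (hypothetical here)
    [string]$UserName = 'DMZHOST\discovery',  # hypothetical local admin on the target
    [int]$PortStart   = 5000,                 # hypothetical fixed DCOM range
    [int]$PortEnd     = 5020
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Test-NetConnection does not exist on Server 2008, so use a raw socket.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-WmiConnection {
    param([string]$ComputerName, [System.Management.Automation.PSCredential]$Credential)
    # Same operation as wbemtest: connect to \\target\root\cimv2 with explicit
    # Windows credentials over DCOM, and return the HRESULT if it fails.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\cimv2' `
              -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        return @{ Ok = $true; HResult = 0; Detail = $os.Caption }
    } catch {
        $hr = [System.Runtime.InteropServices.Marshal]::GetHRForException($_.Exception)
        return @{ Ok = $false; HResult = $hr; Detail = $_.Exception.Message }
    }
}

function Get-HResultText {
    param([int]$HResult)
    # The two codes from the thread's log. E_ACCESSDENIED comes back before any
    # DCOM callback is attempted, so it points at credentials or at the DCOM and
    # WMI namespace permissions on the target. RPC_S_DUPLICATE_ENDPOINT shows up
    # when the target's RPC reply path to the source is filtered or mis-pinned.
    switch ($HResult) {
        -2147024891 { return 'E_ACCESSDENIED (0x80070005): credentials, DCOM limits or WMI namespace rights' }
        -2147023156 { return 'RPC_S_DUPLICATE_ENDPOINT (0x800706CC): check the RPC return path and the DCOM port range' }
        default {
            $win32 = New-Object System.ComponentModel.Win32Exception($HResult -band 0xFFFF)
            return ('0x{0:X8}: {1}' -f $HResult, $win32.Message)
        }
    }
}

function Set-DcomPortRange {
    param([int]$Start, [int]$End)
    # Target side, elevated, reboot afterwards. KB154596: restrict the dynamic
    # RPC/DCOM range so the DMZ firewall only needs TCP 135 plus this range
    # inbound to the target, instead of 1024-65535.
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Ports -PropertyType MultiString -Value @("$Start-$End") -Force | Out-Null
    New-ItemProperty -Path $key -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null
    # Server 2008 has no New-NetFirewallRule; netsh advfirewall works on 2008 and later.
    netsh advfirewall firewall add rule name="RPC endpoint mapper" dir=in action=allow protocol=TCP localport=135 | Out-Null
    netsh advfirewall firewall add rule name="DCOM fixed range" dir=in action=allow protocol=TCP localport="$Start-$End" | Out-Null
}

# Source-side check. The password is prompted for, never stored in the script.
if (-not (Test-TcpPort -ComputerName $Target -Port 135)) {
    Write-Warning "TCP 135 on $Target is unreachable; the RPC endpoint mapper must be open before anything else matters."
} else {
    $cred   = Get-Credential -Credential $UserName
    $result = Test-WmiConnection -ComputerName $Target -Credential $cred
    if ($result.Ok) { "WMI connection OK: $($result.Detail)" }
    else            { 'WMI connection failed: ' + (Get-HResultText $result.HResult) }
}
# On the DMZ target (not here): Set-DcomPortRange -Start 5000 -End 5020
```

The TCP 135 probe only proves the forward path. A 0x800706CC result with 135 open is consistent with the reverse (target-to-source) path being filtered, which is the case the reply above describes, so the fixed range has to be allowed in that direction by the DMZ firewall as well. If the target has instead been given a fixed WMI port with winmgmt /standalonehost (that is what assigns TCP 24158), the firewall rule must cover that port rather than the KB154596 range.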



  • 5.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 09, 2015 09:43 AM

    Good day!

    We have already defined a single port, 24158, still without success.

    There are no more settings to make; however, everything has failed. The machine on which the CCA SERVER is installed is on the 10.96 network (domain.intranet); the client machine is on the 10.52 network (domain.cliente). I'm running out of options here. The tool works perfectly on the internal network, but on the external network I continue to receive the error:

    CCA-ND-8038: Connection to WMI namespace failed. Error code = [0x80070005] and error message = [Access is denied.]

    CCA-ND-8193: Connecting to WMI namespace [\\10.52.145.149\ROOT\CIMV2] using Username = [Gateway Service Log On As User]

    CCA-ND-8038: Connection to WMI namespace failed. Error code = [0x800706cc] and error message = [The endpoint is a duplicate.]

    CCA-ND-8037: Connecting to WMI namespace [\\10.52.145.149\ROOT\CIMV2] using Windows credentials username = [xxxx\xxxx]

    I'm waiting....



  • 6.  Re: failed to connect to WMI, denied access different domain.

    Broadcom Employee
    Posted Sep 09, 2015 10:26 AM

    Forgetting CCA|NDG for a moment, let's focus strictly on Windows.

    Do you get any error when running the wbemtest tool? If so, what?



  • 7.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 09, 2015 11:05 AM

    Through WBEMtest I get the same error..

    Number: 0x80070005

    Facility: Win32

    Description: Access is denied.



  • 8.  Re: failed to connect to WMI, denied access different domain.

    Broadcom Employee
    Posted Sep 09, 2015 12:28 PM

    Thanks for confirming.

    From here, I would make sure that the user in the WMI query has sufficient rights on the target, in particular for DCOM.

    Give the user Remote Launch and Remote Activation permissions in dcomcnfg: right-click My Computer -> Properties; under COM Security, click "Edit Limits" for both sections and give the user Remote Access, Remote Launch, and Remote Activation. Then go to DCOM Config, find "Windows Management Instrumentation", and give the user Remote Launch and Remote Activation.

    Or, if UAC is enabled on the target, that may do it as well. (In a workgroup, the account connecting to the remote computer is a local user on that computer. Even if the account is in the Administrators group, UAC filtering means that a script runs as a standard user.)

    If so, to solve the problem, UAC filtering for local accounts must be disabled by creating the following DWORD registry entry and setting its value to 1:

              [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System] LocalAccountTokenFilterPolicy

    And of course the basic reason: an incorrect username / password.

    If you still have issues, you can search for "0x80070005 WMI" and should get quite a few fixes that can be implemented.
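A check for the three settings in the reply above, as an added example that is not from the thread and not CA or Broadcom code: run elevated on the DMZ target with the account the discovery uses, it reads the DCOM "Edit Limits" descriptors, the root\cimv2 namespace DACL and LocalAccountTokenFilterPolicy, and reports which of them would still deny that account. The account name is hypothetical, and the Administrators membership test looks at direct members of the local group only.

```powershell
# Added example; not code from the thread or from CA/Broadcom. Run elevated on the
# DMZ target (PowerShell 2.0 or later) with the account that the discovery uses.
# The account name is a hypothetical value.
param([string]$Account = "$env:COMPUTERNAME\discovery")

$sid      = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$admins   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$domainPart = ($Account -split '\\')[0]
$isLocal  = ($Account -notmatch '\\') -or (@('.', $env:COMPUTERNAME) -contains $domainPart)
# Direct members of the local Administrators group, so ACEs granted to
# BUILTIN\Administrators count for the account as well.
$adminMembers = ([ADSI]'WinNT://./Administrators,group').psbase.Invoke('Members') |
                ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }
$isAdmin  = @($adminMembers) -contains ($Account -split '\\')[-1]

# Access-mask bits from the Windows SDK. COM: 4 = EXECUTE_REMOTE (Remote Access),
# 16 = ACTIVATE_REMOTE (Remote Activation). WMI: 1 = Enable Account, 0x20 = Remote Enable.
$COM_EXECUTE_REMOTE = 4; $COM_ACTIVATE_REMOTE = 16
$WBEM_ENABLE = 1;        $WBEM_REMOTE_ACCESS = 0x20

function Test-AceApplies {
    param([System.Security.Principal.SecurityIdentifier]$AceSid)
    return ($AceSid -eq $sid) -or ($AceSid -eq $everyone) -or ($isAdmin -and ($AceSid -eq $admins))
}

function Get-DcomLimitMask {
    param([string]$ValueName)   # MachineAccessRestriction or MachineLaunchRestriction
    # dcomcnfg "Edit Limits" stores a binary security descriptor under HKLM\SOFTWARE\Microsoft\Ole.
    $bytes = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue).$ValueName
    if (-not $bytes) { return $null }   # value absent: Windows default limits apply
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    $mask = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and (Test-AceApplies $ace.SecurityIdentifier)) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    return $mask
}

function Get-WmiNamespaceMask {
    param([string]$Namespace = 'root\cimv2')
    # The same DACL that wmimgmt.msc > Security shows, read through __SystemSecurity.
    $sd = (Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor).Descriptor
    $mask = 0
    foreach ($ace in $sd.DACL) {
        if ($ace.AceType -ne 0) { continue }   # 0 = ACCESS_ALLOWED_ACE_TYPE
        $aceSid = New-Object System.Security.Principal.SecurityIdentifier($ace.Trustee.SIDString)
        if (Test-AceApplies $aceSid) { $mask = $mask -bor $ace.AccessMask }
    }
    return $mask
}

function Get-LocalAccountTokenFilterPolicy {
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($p -and $p.PSObject.Properties['LocalAccountTokenFilterPolicy']) { return [int]$p.LocalAccountTokenFilterPolicy }
    return 0   # absent means filtering is on: remote logons by local admins get a filtered token
}

$findings = @()
$access = Get-DcomLimitMask 'MachineAccessRestriction'
if ($access -ne $null -and -not ($access -band $COM_EXECUTE_REMOTE))  { $findings += 'DCOM Access Limits: Remote Access not granted' }
$launch = Get-DcomLimitMask 'MachineLaunchRestriction'
if ($launch -ne $null -and -not ($launch -band $COM_ACTIVATE_REMOTE)) { $findings += 'DCOM Launch and Activation Limits: Remote Activation not granted' }
$wmi = Get-WmiNamespaceMask 'root\cimv2'
if (-not ($wmi -band $WBEM_ENABLE))        { $findings += 'root\cimv2: Enable Account not granted' }
if (-not ($wmi -band $WBEM_REMOTE_ACCESS)) { $findings += 'root\cimv2: Remote Enable not granted' }
if ($isLocal -and $isAdmin -and (Get-LocalAccountTokenFilterPolicy) -ne 1) {
    $findings += 'Local admin with UAC token filtering active (LocalAccountTokenFilterPolicy is not 1)'
}
if ($findings.Count -eq 0) { "No missing rights found for $Account; look at credentials, Kerberos or the RPC path next." }
else { $findings | ForEach-Object { "MISSING: $_" } }
```

A null result for either DCOM limit means the value has never been edited and the Windows defaults apply. On LocalAccountTokenFilterPolicy: setting it to 1 removes UAC token filtering from the remote logons of every local administrator account on the host, not only the discovery account, and that full-token remote access is what lateral movement with a local admin credential relies on, so in a DMZ it should be an explicit, documented exception rather than a default.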



  • 9.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 09, 2015 12:58 PM

    First, thank you for the attention you have given to my problem!!

    I applied all the settings as described, but without success. I compared the environment settings where the tool works with those of the environment where I'm having problems, and the settings are exactly the same, except for the firewall rules of course. This leads me to suspect that it may be something related to my organization's security policies.

    Everything you can imagine I've done, from deleting registry keys to changes in the hosts file on the machine where the CCA server is installed; it has been more than 15 days in this situation.

    Do you know if these Access Denied messages may originate from a policy of that kind or something similar?



  • 10.  Re: failed to connect to WMI, denied access different domain.

    Broadcom Employee
    Posted Sep 10, 2015 10:18 AM

    Hi,

    I sent you a private message yesterday to give me a call when you get a chance to discuss this further.



  • 11.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 10, 2015 11:20 AM

    Hi,

    I think we found the problem.....

    Looking at the following log:

    Error 09/10/2015 11:59:46 Security-Kerberos 3 None

    The Kerberos error message was received:
      on logon session Domain01\Usercca01
      Client Time:
      Server Time: 14:59:46.0000 09.10.2015 Z
      Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
      Extended Error:
      Client Realm:
      Client Name:
      Server Realm: DOMAIN.INTRANET
      Server Name: *****/DOMAIN.INTRANET
      Target Name: *****/DOMAIN.INTRANET@DOMAIN.INTRANET
      Error Text:
      File: and
      Line: D3F
      Error Data is in record data.

    I will ask the security organization why Usercca01 is failing Kerberos pre-authentication, and request that this authentication be set up in AD.



  • 12.  Re: failed to connect to WMI, denied access different domain.

    Broadcom Employee
    Posted Sep 10, 2015 11:52 AM

    Nice, please let us know how it turns out



  • 13.  Re: failed to connect to WMI, denied access different domain.

    Broadcom Employee
    Posted Sep 15, 2015 11:37 AM

    Hi,

    Have you solved this issue? If so, can you please let us know exactly what was done. If not, do you require any additional assistance on this?



  • 14.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 15, 2015 11:54 AM

    Hello, friend!!!

    We are still having problems. We performed the installation of NDG in the DMZ, but the access denied messages continue.....
    I believe there is something in my DMZ that makes it impossible to read the WMI components, more specifically the path \root\cimv2.

    My English is not very good; this is the reason it has not yet connected.....

    I keep trying...



  • 15.  Re: failed to connect to WMI, denied access different domain.

    Broadcom Employee
    Posted Sep 15, 2015 12:50 PM

    A few things to try:

    Can you connect FROM TARGET TO TARGET using WBEMTest? Meaning, can you connect locally via WMI? This will help determine whether it is the network (within the DMZ) or the server.

    I should have confirmed this, but is your NDG server inside the DMZ? If the above is successful, then try installing an NDG server within the DMZ (on the same side as the target) and see if you can connect that way. Also, this might be the better overall solution.

    Keep an NDG server in the DMZ and open firewall ports from the CCA Server\Grid Node to talk to that NDG, instead of to each target machine.



  • 16.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 15, 2015 01:11 PM

    That's where it is, my friend: I cannot connect through WBEMtest. Everything leads me to believe that these servers are shielded; there is something that blocks reading through WMI.

    I believe that the first step would be to connect through WBEMtest...



  • 17.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 15, 2015 02:54 PM

    Fernando,

    Since the domain is different, you would have to create a network profile as a test with the IP of a target server in the DMZ, and associate a credential vault that has a local user with an administrator profile on this DMZ server.

    Remember that the target server must have the WMI and DCOM services active, with their permissions granted to the user who will be tested.

    Do a WMI connection test in the credential vault, using the test button and entering the target server, and see if it completes successfully.

    I went through a similar situation and this worked for me.

    Sorry, my English is bad.



  • 18.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 15, 2015 02:58 PM

    Also check that the local Windows firewall on the server allows WMI and DCOM.



  • 19.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 15, 2015 03:09 PM

    Here we have a corporate firewall....

    We created a local user with administrator access, and a domain user as well, but without success....



  • 20.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 16, 2015 10:41 AM

    Good day!

    After the private message, we stopped receiving the access denied message; however, we are now getting the following error: Error: 800706CC: The endpoint is a duplicate. Checking the error on the source server through the Event Viewer, I see the following log:

    DCOM got error "2147944140" from the computer SERVER001 when attempting to activate the server:
    {8BC3F05E-D86B-11D0-A075-00C04FB68820}

    Would you be able to tell me the reason for the error?
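The two event fragments quoted in the thread, the Security-Kerberos event 3 in reply 11 and the DistributedCOM activation error in the post above, can be pulled from the System log of the machine that initiates the WMI call and decoded with the following PowerShell. This is an added example, not code from the thread or from CA/Broadcom. The two sample messages are constructed to mirror those fragments (computer and account names in them are hypothetical), and the live query is a function to run on the CCA/NDG host. 2147944140 is the unsigned decimal form of 0x800706CC, the same RPC_S_DUPLICATE_ENDPOINT seen in the CCA log, and the CLSID lookup names the COM server DCOM was trying to activate.

```powershell
# Added example; not code from the thread or from CA/Broadcom. PowerShell 2.0 or later.
function Get-KerberosErrorName {
    param([int]$Code)
    # RFC 4120 KRB-ERROR codes most often seen in Security-Kerberos event 3.
    $names = @{ 6 = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'; 7 = 'KDC_ERR_S_PRINCIPAL_UNKNOWN'
                24 = 'KDC_ERR_PREAUTH_FAILED';     25 = 'KDC_ERR_PREAUTH_REQUIRED'
                31 = 'KRB_AP_ERR_BAD_INTEGRITY';   32 = 'KRB_AP_ERR_TKT_EXPIRED'
                37 = 'KRB_AP_ERR_SKEW' }
    if ($names.ContainsKey($Code)) { return $names[$Code] } else { return 'unknown code' }
}

function ConvertFrom-DcomErrorDecimal {
    param([long]$Decimal)
    # Event 10006 prints the HRESULT as an unsigned decimal; show it as hex and as text.
    $hresult = [uint32]$Decimal
    $win32   = New-Object System.ComponentModel.Win32Exception([int]($Decimal -band 0xFFFF))
    return ('0x{0:X8} ({1})' -f $hresult, $win32.Message)
}

function Read-KerberosEvent {
    param([string]$Message)
    $code = 0
    if ($Message -match 'Error Code:\s*0x([0-9A-Fa-f]+)') { $code = [Convert]::ToInt32($matches[1], 16) }
    $realm = '';   if ($Message -match 'Server Realm:\s*(\S+)')      { $realm = $matches[1] }
    $session = ''; if ($Message -match 'on logon session\s+(\S+)')  { $session = $matches[1] }
    return @{ Session = $session; Realm = $realm; Code = $code; Name = (Get-KerberosErrorName $code) }
}

function Read-DcomActivationEvent {
    param([string]$Message)
    # Event 10006 text: DCOM got error "<decimal>" from the computer <name> when
    # attempting to activate the server: {CLSID}
    if ($Message -notmatch 'DCOM got error "(\d+)" from the computer (\S+).*?(\{[0-9A-Fa-f-]{36}\})') { return $null }
    $clsid  = $matches[3]
    $server = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
    return @{ Computer = $matches[2]; Error = (ConvertFrom-DcomErrorDecimal ([long]$matches[1])); Clsid = $clsid; Server = $server }
}

function Get-DiscoveryFailureEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Live query on the source host; both providers write to the System log.
    $krb  = Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Microsoft-Windows-Security-Kerberos'; Id=3; StartTime=$Since } -ErrorAction SilentlyContinue
    $dcom = Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Microsoft-Windows-DistributedCOM'; Id=10006,10009; StartTime=$Since } -ErrorAction SilentlyContinue
    foreach ($e in $krb) {
        $r = Read-KerberosEvent $e.Message
        '{0} Kerberos {1} session={2} realm={3}' -f $e.TimeCreated, $r.Name, $r.Session, $r.Realm
    }
    foreach ($e in $dcom) {
        $r = Read-DcomActivationEvent $e.Message
        if ($r) { '{0} DCOM {1} from {2} activating {3} {4}' -f $e.TimeCreated, $r.Error, $r.Computer, $r.Clsid, $r.Server }
        else    { '{0} DCOM {1}' -f $e.TimeCreated, $e.Message }
    }
}

# Constructed samples that mirror the two log fragments quoted in the thread.
$sampleKerberos = @"
The Kerberos error message was received:
  on logon session DOMAIN01\usercca01
  Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
  Server Realm: DOMAIN.INTRANET
"@
$sampleDcom = 'DCOM got error "2147944140" from the computer SERVER001 when attempting to activate the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}'

$k = Read-KerberosEvent $sampleKerberos      # Code 24, KDC_ERR_PREAUTH_FAILED
$d = Read-DcomActivationEvent $sampleDcom    # 0x800706CC (The endpoint is a duplicate.)
"Kerberos: $($k.Name) for $($k.Session) against realm $($k.Realm)"
"DCOM: $($d.Error) from $($d.Computer), CLSID $($d.Clsid) = $($d.Server)"
# Get-DiscoveryFailureEvents -Since (Get-Date).AddHours(-6)   # run on the source host
```

Run the live function on the host that makes the WMI call, not on the target: the Kerberos event is logged by the client that tried to get a ticket, and the 10006 event by the machine whose DCOM client received the error. The Server Realm field tells you which realm the client asked, which is worth comparing with the domain the target actually belongs to.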



  • 21.  Re: failed to connect to WMI, denied access different domain.

    Broadcom Employee
    Posted Sep 16, 2015 11:08 AM

    Just looking at it locally (correct me if I am wrong), if you cannot connect locally via WBEM, nothing else matters; you need to focus on the security policies for that box.



  • 22.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 16, 2015 11:20 AM

    ADNAN HAFEEZULLAH

    I'm trying to connect through a server that is in the DMZ, which will be our future NDG, as indicated by CA Support.

    Note: when trying to collect the information with a user whose password is incorrect, I get the access denied message.



  • 23.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 16, 2015 11:36 AM

    I did some research and it seems to be something related to antivirus....



  • 24.  Re: failed to connect to WMI, denied access different domain.

    Broadcom Employee
    Posted Sep 21, 2015 10:18 AM

    Morning,

    Was it confirmed that the antivirus was in fact the issue preventing a valid WMI connection \ response?



  • 25.  Re: failed to connect to WMI, denied access different domain.

    Broadcom Employee
    Posted Sep 25, 2015 08:05 AM

    Hi Oliveira,

    Was the antivirus the real issue for the WMI connections \ authentications?



  • 26.  Re: failed to connect to WMI, denied access different domain.

    Posted Sep 25, 2015 08:21 AM

    Good day!

    Finally got it. We decided to perform all the validations again; as I am new to this area, I must have missed some of the tips that were proposed....

    For the resolution:

    1 - We installed the NDG component in the DMZ.

    2 - Configured the NDG service in the DMZ to run as an administrator user and not as the Local System user.

    3 - I checked all firewall rules again to make sure everything was right.

    After this it worked perfectly.....

    Now I'm performing Discovery of WebSphere and have already come across a problem: on WebSphere version 6 I don't get information when performing the Discovery, but on WebSphere 8 I do.....



  • 27.  Re: failed to connect to WMI, denied access different domain.

    Broadcom Employee
    Posted Sep 25, 2015 10:16 AM

    Sounds great for the WMI\NDG.

    For the WebSphere issue, can you please start a new thread and provide some examples\details; thanks.