Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

Weird problem updating AD object while provisioning

TKrem1
New Contributor I

Hi around,

after a long time of trying and fiddling I got AMT provisioning to run in our environment.

We use Server 2012 R2 with the latest Intel SCS tool and the Intel add-on for SCCM 2012.

I provisioned some clients and it worked well.

Now I tried to fully unconfigure a client due to a password change and reconfigure it using the acuconfig batch file with the updated password.

The password was also updated in the SCS profile we use to provision.

The unconfigure worked, but when trying to reconfigure I get the following error:

2015-09-23 14:05:54: Thread:6072(ERROR) : ACU Configurator, Category: Exit Source: Src\ActivatorMain.cpp : wmain Line: 1254: ***********Exit with code 75. Details: Failed to complete remote configuration of this Intel(R) AMT device. An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).

It looks like a simple AD problem, so I checked the service account we use for provisioning. It actually has full control of the OU and the object, so I can't figure out what could produce the "Access denied".

I tried to provision a new client and got the same error.

The object is created in the AD OU, but something seems to go wrong afterwards.

I tried to reuse the old password, but it brought no result.

Has anyone had a problem like this and can point in a helpful direction?

Thanks

Thomas
Bruno_Domignues
Employee

Thomas,

Make sure that "Always use the OS host name for the New AD object" is not marked in the "Active Directory Integration" section of the profile.

TKrem1
New Contributor I

Hi Bruno,

thank you for the answer.

The "Always use the OS Host Name..." option is not checked in the provisioning profile we use.

Do you have another idea for this case?

Thanks

Thomas

TKrem1
New Contributor I

I found the cause of the problem while going through the object attributes.

When creating the AD object it creates a user account and not a machine account, therefore it can't set some of the attributes.

Now I will have to find out why it suddenly creates user accounts instead of machine accounts.

Thanks for your help.

MSoom
Beginner

We have been running SCS for quite a while now, but the same issue popped up last week.

The SCS server has full privileges on the AMT computer accounts and I can't track down any change that could have caused this. RCS seems to fail to update the AMT computer's password...?

brunodom: we did have this option enabled. Disabling it and retrying the configuration seems to have no effect.

I filtered the domain controller event logs and I can see that the computer account's password is successfully reset. In fact I can see no related failures.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 23.09.2015 16:34:06
Event ID: 4724
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: DOMAINCONTROLLER.internal.domain.com
Description:
An attempt was made to reset an account's password.
Subject:
  Security ID: DOMAIN\SCSSERVER$
  Account Name: SCSSERVER$
  Account Domain: DOMAIN
  Logon ID: 0x110D519B
Target Account:
  Security ID: DOMAIN\COMPUTER$iME
  Account Name: DOMAIN$iME
  Account Domain: COMPUTER

Very strange...

From RCSlog.log on SCS server:

2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 411: Step into UpdateADObjectPassword

2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::GetAMTadObject Line: 1508: Step in GetAMTadObject

2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 480: padsUser->SetInfo 0

2015-09-24 10:06:41: Thread:16264(ERROR) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal error Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 494: An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).

2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 521: Step out UpdateADObjectPassword

2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::CreateADObject Line: 394: Step out CreateADObject

2015-09-24 10:06:41: Thread:16264(ERROR) : COMPUTERNAME.internal.domain.com, Category: Configure Profile Source: ADUtils.cpp : ADUtils::BindCreateADObject Line: 309: AD object creation failed. An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).

2015-09-24 10:06:41: Thread:16264(ERROR) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: Operation Error Source: Src\ConfigThread.cpp : ConfigThread::runConfigure Line: 674: An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).

2015-09-24 10:06:41: Thread:16264(DETAIL) : COMPUTERNAME.internal.domain.com, Category: Delete Key Pairs Source: vProConfigurationInternal.cpp : vProConfigurationNamespace::vProConfigurationInternal::DeleteKeyPairs Line: 4345:

2015-09-24 10:06:41: Thread:16264(DETAIL) : COMPUTERNAME.internal.domain.com, Category: AMTCommunicator Source: WSMANCommunicator.cpp : AMTInterfaceNamespace::WSMANCommunicator::RemoveKeyFromStore Line: 5174: WS-Management call RemoveKeyFromStore (AMT_PublicPrivateKeyPair.Delete) ok

2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: End function: Status Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::SetupConfigureAMT Line: 896: 0xc0003a99

2015-09-24 10:06:41: Thread:16264(ERROR) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ConfigAMT request failed. Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::handleStatusAfterRun Line: 221: An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0). (0xc0003a99).

2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::GetAmtByUuid Line: 260: Begin GetAmtByUuid AMTSystem

2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::GetAmtByUuid Line: 236: Begin GetAmtByUuid DBAmt

2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::UpdateAmt Line: 340: Begin UpdateAmt

2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: Source: vProDataAccessorDB.cpp : AMTRepositoryNameSpace::vProDataAccessorDB::UpdateAmt Line: 345: End UpdateAmt

2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: Source: Src\RCSServer.cpp : CServiceModule::Log Line: 1289: Finish Configuration; (ERROR) AMT details: UUID: 72182101-5389-11CB-B9F9-A772781A1EDB, FQDN: Empty, IP: 10.0.122.45 . Return code: 0xc0003a99 . Details: An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).

2015-09-24 10:06:41: Thread:16264(ERROR) : WMI Protocol, Category: ConfigAMT Source: C:\TeamCity.BuildAgent\work\ef8d7e613e373c5c\Components\RCSServer\MethodCallData.h : SCS_WMI::WMICallDetails::SendErrorReport Line: 92: Finished operation with Error. (0xc0001c89). An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0). (0xc0003a99).

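The RCSlog.log excerpt above is easier to read once each line is split into its fields and the ADSI error is decoded. The following PowerShell is an added example (not part of this thread or of Intel SCS): it parses lines in the format RCS writes, converts the signed decimal error ADSI reports into the familiar HRESULT, and pulls out the LDAP error code and problem. The three sample lines are copied from the post above; the log path in the last comment is a placeholder.

```powershell
# Added example, not from the thread or from Intel SCS. Parses RCSlog.log lines of the
# form "<date> <time>: Thread:<id>(<LEVEL>) : <context>, Category: <cat> Source: <file> :
# <function> Line: <n>: <message>" and extracts the AD error details from the message.

$LinePattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): Thread:(?<thread>\d+)\((?<level>\w+)\) : ' +
               '(?<ctx>.*?), Category: ?(?<cat>.*?) ?Source: (?<src>.*?) Line: (?<line>\d+): ?(?<msg>.*)$'

function ConvertFrom-RcsLog {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Line)
    process {
        if ($Line -notmatch $LinePattern) { return }     # skip blank or continuation lines
        $m = $Matches                                      # keep the field matches before re-matching below
        $hr = $ldap = $prob = $rc = $null

        # ADSI logs the Win32 error as a signed decimal HRESULT, e.g. -2147024891 == 0x80070005
        if ($m.msg -match 'failed with error (?<hr>-?\d+)')          { $hr   = '0x{0:X8}' -f [int]$Matches.hr }
        if ($m.msg -match 'LDAP Provider: (?<code>[0-9A-Fa-f]{8}):') { $ldap = $Matches.code }
        if ($m.msg -match 'problem (?<num>\d+) \((?<name>\w+)\)')    { $prob = "$($Matches.num) $($Matches.name)" }
        if ($m.msg -match '\((?<rc>0x[0-9A-Fa-f]{8})\)')             { $rc   = $Matches.rc }   # RCS return code

        [pscustomobject]@{
            Time        = [datetime]::ParseExact($m.ts, 'yyyy-MM-dd HH:mm:ss', $null)
            Thread      = [int]$m.thread
            Level       = $m.level
            Context     = $m.ctx.Trim()                    # AMT UUID, FQDN or "RCS Server"
            Category    = $m.cat.Trim()
            Function    = ($m.src -split ' : ')[-1]        # drop the source file, keep the function
            SourceLine  = [int]$m.line
            Hresult     = $hr
            LdapError   = $ldap
            LdapProblem = $prob
            ReturnCode  = $rc
            Message     = $m.msg
        }
    }
}

# Sample input copied from the RCSlog.log excerpt in this thread.
$Sample = @'
2015-09-24 10:06:41: Thread:16264(DETAIL) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 480: padsUser->SetInfo 0
2015-09-24 10:06:41: Thread:16264(ERROR) : 72182101-5389-11CB-B9F9-A772781A1EDB, Category: ADInterfaceInternal error Source: ADInterfaceInternal.cpp : ADInterfaceNamespace::ADInterfaceInternal::UpdateADObjectPassword Line: 494: An Active Directory interface internal error occurred. Active directory function pDirObject->SetObjectAttributes failed with error -2147024891 (Access is denied.: LDAP Provider: 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).
2015-09-24 10:06:41: Thread:16264(DETAIL) : RCS Server , Category: End function: Status Source: Src\Activator_Impl.cpp : RCS_ActivatorService_WMIProviderImpl::SetupConfigureAMT Line: 896: 0xc0003a99
'@

$Sample -split "`r?`n" | ConvertFrom-RcsLog |
    Where-Object Level -eq 'ERROR' |
    Format-List Time, Function, Hresult, LdapError, LdapProblem, Message

# Against a real log (placeholder path):
# Get-Content 'C:\ProgramData\Intel_Corporation\RCS\RCSlog.log' | ConvertFrom-RcsLog | Where-Object Level -eq 'ERROR'
```

For the ERROR line above this yields Hresult 0x80070005 (E_ACCESSDENIED), LdapError 00000005 and LdapProblem "4003 INSUFF_ACCESS_RIGHTS", with Function naming the failing step (UpdateADObjectPassword). Filtering on Context groups the lines of one configuration attempt by AMT UUID.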
TKrem1
New Contributor I

Don, could you check your AD object?

I discovered that acuconfig.exe creates a computer object (so it seems), but if you look in the Attribute Editor the fields are:

primaryGroupID points to (Group_RID_Users)

and sAMAccountType is set to (Normal_User_Account).

Also userAccountControl is set to 0x220 (Passwd_NotReqd | Normal_Account) instead of 0x11000 (Workstation_Trust_Account...) like all the other clients.

In our case it seems that provisioning is not working with this object type.

Why it creates this kind of broken object type is still in question.

It would be great to know if you see the same values in the AD Attribute Editor after updating your computer.

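The attributes Thomas lists above (primaryGroupID, sAMAccountType, userAccountControl) can be checked without opening the Attribute Editor. The following PowerShell function is an added example, not part of this thread or of Intel SCS: it reads the object that ACUConfig or RCS created and reports whether it is shaped like a computer account or like a user account. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the OU; the sAMAccountName and OU in the usage line are placeholders. The numeric constants are Microsoft's documented userAccountControl bits, sAMAccountType values and well-known RIDs.

```powershell
# Added example, not from the thread or from Intel SCS. Inspects the AD object created for
# an AMT system and decodes the attributes that distinguish a computer account from a user
# account. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Documented userAccountControl bits relevant to this comparison.
$UacFlags = [ordered]@{
    PASSWD_NOTREQD            = 0x20
    NORMAL_ACCOUNT            = 0x200
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    DONT_EXPIRE_PASSWD        = 0x10000
}
# Documented sAMAccountType values and well-known primary group RIDs.
$SamType = @{ 0x30000000 = 'NORMAL_USER_ACCOUNT'; 0x30000001 = 'MACHINE_ACCOUNT' }
$Rid     = @{ 513 = 'Domain Users'; 515 = 'Domain Computers' }

function Test-AmtAdObject {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,          # e.g. 'HOST01$iME' (placeholder)
        [string] $SearchBase = (Get-ADDomain).DistinguishedName   # narrow to the AMT OU if you have one
    )
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -SearchBase $SearchBase `
        -Properties objectClass, userAccountControl, sAMAccountType, primaryGroupID
    if (-not $obj) { throw "No object with sAMAccountName '$SamAccountName' under $SearchBase" }

    $uac = [int]$obj.userAccountControl
    $set = $UacFlags.Keys | Where-Object { ($uac -band $UacFlags[$_]) -ne 0 }

    # A healthy AMT object is a computer class, carries WORKSTATION_TRUST_ACCOUNT and has
    # sAMAccountType MACHINE_ACCOUNT; anything else is the user-shaped object described above.
    $isComputer = $obj.objectClass -eq 'computer' -and
                  ($uac -band $UacFlags.WORKSTATION_TRUST_ACCOUNT) -ne 0 -and
                  [int]$obj.sAMAccountType -eq 0x30000001

    [pscustomobject]@{
        DistinguishedName  = $obj.DistinguishedName
        ObjectClass        = $obj.objectClass
        UserAccountControl = '0x{0:X} ({1})' -f $uac, ($set -join ' | ')
        SamAccountType     = $SamType[[int]$obj.sAMAccountType]
        PrimaryGroup       = $Rid[[int]$obj.primaryGroupID]
        Verdict            = $(if ($isComputer) { 'computer account' } else { 'user-shaped object (symptom reported in this thread)' })
    }
}

# Usage (placeholder names):
# Test-AmtAdObject -SamAccountName 'HOST01$iME' -SearchBase 'OU=AMT,DC=internal,DC=domain,DC=com'
```

On an object as Thomas describes it, UserAccountControl reads 0x220 (PASSWD_NOTREQD | NORMAL_ACCOUNT), SamAccountType NORMAL_USER_ACCOUNT and PrimaryGroup Domain Users; a correctly created AMT object shows WORKSTATION_TRUST_ACCOUNT, MACHINE_ACCOUNT and Domain Computers. Running it against one working and one failing object side by side makes the difference obvious before digging into permissions.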
MSoom
Beginner

The attributes are the same for me.

I went over last Patch Tuesday's patch list and this one seems suspicious: https://technet.microsoft.com/library/security/ms15-096 Microsoft Security Bulletin MS15-096 - Important

It specifically mentions changes to the behavior when creating (and editing?) computer accounts. There are no details though.

Intel?

TKrem1
New Contributor I

Not sure if Intel can answer this.

The problem occurred shortly after the mentioned update was installed on our DCs.

Now we have opened a call with Microsoft to verify the problem.

Hope we get some answers.
Bruno_Domignues
Employee

That is right. The MS15-096 security bulletin is preventing a computer account from creating/deleting/updating AD objects. There are some workarounds:

1. If you are running ACUConfig.exe in the LocalSystem security context, such as used by the SCCM agent, you have to define a domain user account with permission over the AD OU to create/delete.

2. In case you are using RCS as a proxy, you should change NETWORK SERVICE to a domain user account, also with permission over the AD OU, and in case you are using SQL Server you also need to give this account the db_owner role on the IntelSCS database.

Best Regards!

-Bruno Domingues

MSoom
Beginner

Do we need both workarounds?

Because we already run ACUConfig under a custom user account with privileges on the AMT computer account OU.

Bruno_Domignues
Employee

You only need to follow one. In your case, working with a custom account, you must be sure that the profile is exported with the option "The user running the Configuration".

NHaul
Beginner

Hi,

I have been following this thread as we are having the same issue. Does this mean that remote configuration is broken as a whole due to the MS15-096 patch? We are unable to remotely configure a device using our RCS server. I uninstalled RCS and reinstalled it as the service account and we are still getting the AD error. We are using database mode. If I configure it locally with an exported profile it works fine. If I run an unconfigure job from the console, it does unconfigure the device but fails to remove the AD object from AD. If I unconfigure it locally it works and removes the object from AD.

Thanks!

Nick

TKrem1
New Contributor I

Hi Bruno,

we have the Intel RCS service running with a service account that has full rights on the AD OU.

The same user is db_owner on the IntelSCS database, and we also use it with acuconfig.exe to provision the clients.

The problem is still there.

Bruno_Domignues
Employee

You are right! Doing some tests I discovered that it works if the user is a domain admin, but fails with permissions only on the OU plus permission to join machines to the domain. I am working at this moment with Microsoft to discover the best approach. Stay tuned.

Best Regards!

-Bruno Domingues

AG11
Beginner

I have the same issue... awaiting your response from your discussion with Microsoft.

idata
Employee

Hi

We have the same error when trying to provision new devices. We also suspected update MS15-096 because of the text "The security update addresses the vulnerability by correcting how machine accounts are created" in the description. Tests in our lab environment showed that it was the installation of this update on the DCs which caused the issue.

Removing MS15-096 on the RCS server did not solve the problem.

Since we still use RCS version 9.0 we will try updating the server software.

MSoom
Beginner

Updating to SCS/RCS 10 will not help. I was already on 10 before the problem started.

Bruno_Domignues
Employee

Actually, there are three possible workarounds (I know that none is acceptable, technically speaking):

1. Give Domain Admin permission to the service account that is creating the object in AD;

2. Do not install the MS15-096 patch;

3. Remove AD integration from your profile.

The definitive solution should be implemented in SCS 11, which we expect to be released soon.

Best Regards!

-Bruno Domingues

VLink
Beginner

I have had the same problem. Just for information: I have uninstalled the discussed patch and everything works as before.

idata
Employee

Hello Bruno,

do you have any update? Is there a patch for SCS 10, or is the new SCS 11 available yet?

Jan
