Q207826: Only default Remote Execution credentials are used on Windows 2008

Symptoms

When the target device runs Windows 2008 and a valid account (called <PasswordStoreAccount> below) is entered in the password store, you will see an error such as:
error opening Service Manager
failed to open service manager using account '<PasswordStoreAccount>'
Connection to \\<DeviceName>\ipc$ closed successfully

No accounts allowed us to open the service manager on the target device
RPC algorithm complete (intermediate error code: -1, lastError contains: [RPCCommand]|[OpenSCManagerFailed]|Access is denied.
This suggests that Windows 2008 is not accepting valid credentials to perform remote execution.
However, if you add valid credentials to the default account (the Distribution Scheduled Task User), remote execution succeeds; that is the true test for identifying this issue.

 

Cause

The logon event is generated when a user account is authenticated for a connection. It is not an interactive logon event; it is created by the remote OpenSCManager() call. The logoff event is generated when a logon session is destroyed. In this issue, the logon session for the default credentials is not destroyed until the remote execution thread completes and closes.
As a result, the thread is unable to switch to the next set of credentials, so the next OpenSCManager() connection, with the second set of credentials, is never opened.
On Windows Server 2003 the thread closes the first OpenSCManager() session and then reconnects with new credentials, while on Server 2008 it does not.

 

Resolution

Since version 9.0, Deployment Manager no longer uses ipc$ to open the service manager; it uses the LogonUser API instead, which works with Windows Server 2008.
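
The per-account pattern that the LogonUser approach allows, as an added example that is not code from Deployment Manager or mgsresa.exe: each account gets its own logon token, which is released before the next account is tried. The function name Test-ScmCredential, the NEW_CREDENTIALS logon type and the fallback to the target name as domain are assumptions of this example.

```powershell
# Added example: open the remote service manager once per account, each in its own logon session.
Add-Type -Namespace Win32 -Name Scm -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
    int logonType, int logonProvider, out IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr token);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr OpenSCManager(string machine, string database, uint access);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CloseServiceHandle(IntPtr handle);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Test-ScmCredential {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Computer,
          [Parameter(Mandatory)][pscredential[]]$Credential)
    # LOGON32_LOGON_NEW_CREDENTIALS / LOGON32_PROVIDER_WINNT50: assumed choice for remote-only use
    $NEW_CREDENTIALS = 9; $PROVIDER_WINNT50 = 3
    $SC_MANAGER_CONNECT = 0x0001
    foreach ($c in $Credential) {
        $n = $c.GetNetworkCredential()
        $domain = if ($n.Domain) { $n.Domain } else { $Computer }  # assumption: local account on the target
        $token = [IntPtr]::Zero; $opened = $false; $err = 0
        if ([Win32.Scm]::LogonUser($n.UserName, $domain, $n.Password, $NEW_CREDENTIALS, $PROVIDER_WINNT50, [ref]$token)) {
            try {
                if ([Win32.Scm]::ImpersonateLoggedOnUser($token)) {
                    $scm = [Win32.Scm]::OpenSCManager($Computer, 'ServicesActive', $SC_MANAGER_CONNECT)
                    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
                    if ($scm -ne [IntPtr]::Zero) { $opened = $true; $err = 0; [void][Win32.Scm]::CloseServiceHandle($scm) }
                } else { $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
            } finally {
                [void][Win32.Scm]::RevertToSelf()        # drop impersonation before the next account
                [void][Win32.Scm]::CloseHandle($token)   # release this account's logon token
            }
        } else { $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error() }
        # Win32Error 5 corresponds to the "Access is denied." text in the log above
        [pscustomobject]@{ Account = $c.UserName; Opened = $opened; Win32Error = $err }
    }
}
```

Pass the target name and one or more credentials obtained with Get-Credential; the output shows, per account, whether the service manager opened.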

 

Workaround

If you are not able to upgrade to a current RMS version, an updated version of mgsresa.exe is attached to this article; it has been changed to use the LogonUser API on earlier versions of Deployment Manager. Extract mgsresa.exe from the relevant zip archive and move it to your \Program Files\ManageSoft\Remote Execution folder (after backing up your existing version of mgsresa.exe).
This workaround must be carried out on all distribution servers as well as the administration server (ensure you use the correct file version for the product installed on the machine).
