SCOM Agent installation / upgrade with account in Protected Users

Bauzone, Jonathan 1 Reputation point
2021-02-22T18:18:15.003+00:00

Hello,

I have a question about SCOM Push Agent install / upgrade.
Have you already tried to install the SCOM Agent with an account in the Protected Users group?
When I check the log, I see one event with NTLMv2 authentication:
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 128

And with an account that is a member of Protected Users, the push agent install failed with Access Denied.

Do you have any solution for this issue?
Thanks in advance.

Best Regards,


4 answers

  1. CyrAz 5,181 Reputation points
    2021-02-22T19:01:35.273+00:00

    Well, accounts that are members of Protected Users can't log on using NTLM authentication, so that explains the issue (cf. https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group#domain-controller-protections-for-protected-users )
    Now the question is "why is it using NTLM instead of Kerberos", and that could be for any number of reasons... Maybe the solution in that post could help you: https://social.technet.microsoft.com/Forums/en-US/576a0edc-9a03-4504-b089-47de3a091a20/scom-2016-pushing-agents-without-ntlm-?forum=operationsmanagerdeployment


  2. System Center guy 686 Reputation points
    2021-02-23T04:47:18.337+00:00

    Accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:

    • Authenticate with NTLM authentication.
    • Use DES or RC4 encryption types in Kerberos pre-authentication.
    • Be delegated with unconstrained or constrained delegation.
    • Renew the Kerberos TGTs beyond the initial four-hour lifetime.

    In view of this, that is why you see the NTLM error with Access Denied.
    You may consider using another user account that has administrative privileges on the targeted computers.

    Roger


  3. Bauzone, Jonathan 1 Reputation point
    2021-02-23T17:14:03.57+00:00

    Thanks for your answers. I know that a user in Protected Users can't log on using NTLM.
    But my question is why the SCOM Push Client uses NTLMv2; is it by design?

    The Operations Manager Server cannot process the install/uninstall request for computer ServerName.domain.local due to failure of operating system version verification.

    Operation: Agent Install
    Install account: Domain\UserName
    Error Code: 80070005
    Error Description: Access is denied.
    Thanks in advance ;)


  4. BAUZONE Jonathan 1 Reputation point
    2021-03-08T07:57:03.537+00:00

    Hi all, we have checked on other SCOM environments, same result... Agent Push uses NTLM, which is not compatible with Protected Users ;)
    Have a good day and thanks everybody.
