myITforum.com Community Forum

BDD 2007 authentication to distribution share

 
BDD 2007 authentication to distribution share - 11/1/2007 11:36:53 AM   
egiroux

 

Posts: 178
Score: 4
Joined: 4/4/2006
From: Portland, Maine
Status: offline
I started noticing a problem yesterday when building a new image with BDD 2007.  When the task sequence was running and building the image, my server hosting the distribution share started filling up with bad messages in the security log.  Pages of messages like these:

Message 1:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: MININT-AQOM35G
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: MININT-AQOM35G
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: x.x.x.x
Source Port: 0
 
For more information, see Help and Support Center at
 
Message 2:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Administrator
Source Workstation: MININT-AQOM35G
Error Code: 0xC000006A
 
It locked out the local administrator account on the server. I provided the Lite Touch wizard with my domain credentials to talk back to the distribution share like I normally do. I also have actions throughout my task sequencer that call %SCRIPTROOT%\ZTIConnect.wsf to authenticate to a UNC share to load software packages from during the loading of the image. These all work great and, I assume, use the credentials I entered during the Lite Touch wizard.
 
Does anyone know what during the imaging process could be talking back to the server as the local administrator account?  Could it be the SMS client trying to talk?
Post #: 1
RE: BDD 2007 authentication to distribution share - 11/1/2007 3:27:20 PM   
egiroux

 

A little more on this issue.  I started a new build and watched the security log the whole time to see where the trouble begins.  As soon as the machine does its first autoadminlogon as local administrator the log starts filling up with failure messages.  It looks like when the TSManager first kicks up and runs the lite touch wizard, when it's talking back to the distribution server it's doing so with the local admin credentials first then the domain credentials entered early on during the lite touch wizard.  Could I have hosed up the order or something in my task sequence that is not allowing it to use my domain credentials as the primary rather than the local permissions?

(in reply to egiroux)
Post #: 2
RE: BDD 2007 authentication to distribution share - 11/1/2007 3:46:15 PM   
egiroux

 

Right about the time the error started showing up in the security log, the LiteTouch.log file on the client contained this:

LTI beginning deployment LiteTouch 11/1/2007 2:12:35 PM 0 (0x0000)
About to run command: "C:\MININT\Tools\X86\TsmBootstrap.exe" /env:SAContinue LiteTouch 11/1/2007 2:12:35 PM 0 (0x0000)
Non-zero return code executing command "C:\MININT\Tools\X86\TsmBootstrap.exe" /env:SAContinue, rc = 1 LiteTouch 11/1/2007 2:13:03 PM 0 (0x0000)
LTI deployment failed LiteTouch 11/1/2007 2:13:03 PM 0 (0x0000)
Property RetVal is now = 1 LiteTouch 11/1/2007 2:13:03 PM 0 (0x0000)

(in reply to egiroux)
Post #: 3
RE: BDD 2007 authentication to distribution share - 11/2/2007 11:34:05 AM   
rbennett806


Posts: 1053
Score: 26
Joined: 6/14/2006
Status: offline
So try taking out your added Task Sequence items and see if things run without those errors cropping up on your server. If so, you'll know where your problem is.

(in reply to egiroux)
Post #: 4
RE: BDD 2007 authentication to distribution share - 11/2/2007 11:48:10 AM   
egiroux

 

I've done some more testing and narrowed this down a little further. By watching exactly when the errors start popping up, it looks like it's happening during the AutoAdminLogon process after every reboot in my task sequence, starting with the first AutoAdminLogon after XP installs. I believe when the wizard is trying to re-connect to the deployment share it's causing the problem. Here's an excerpt from my LiteTouch.log:

DeploymentMethod = UNC
Validating connection to \\SERVER\Distribution$ 
FindFile: The file OSDConnectToUNC.exe could not be found in any standard locations. 
Mapped Network UNC Path Z:  = \\SERVER\Distribution$
Successfully established connection using supplied credentials. 
Validating connection to \\SERVER\Distribution$ 
Already connected to server SERVER 

I believe on the 2nd line where it's testing the connection, it's doing so with the credentials of the current user %COMPUTERNAME%\administrator and not just once, but many times. It then appears to map the drive using the credentials entered early on in the wizard. Going through the event log on the server, it tries the administrator account with the local account password 4 times, then the account locks out, then it tries and fails to authenticate exactly 20 more times. I then see 1 second later in the security log where my domain ID successfully authenticates to the server. This happens every time there is a reboot in the task sequence and the machine starts up and logs back on.

There is no indication of a problem on the new build, just the account getting locked out on the server.  One thing I should point out is that when I run the Lite Touch wizard, I'm giving it my own domain ID and password which has administrative rights to the server and access to a separate LAN share that applications get loaded from later in the task sequence.  I'm also logged on with my ID from another workstation and connected to the build server watching the logs.  Should I be using a separate ID for the lite touch wizard to use to authenticate to the build server?

(in reply to rbennett806)
Post #: 5
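As an added illustration (not part of any post in this thread, and not BDD/MDT code), the following Python sketch triages security-log text in the "Message 1" layout shown in the first post: it counts network logon failures where the client presented one of its own local accounts (Domain equals Workstation Name), which is the pattern that locks out a same-named account on the server. The sample records are constructed, the names `parse_failures` and `local_account_failures` are hypothetical, and the default threshold of 4 is an assumption taken from the count reported in the post above.

```python
import re
from collections import Counter

def _record(user, domain, workstation):
    # Constructed record in the layout of "Message 1" from the first post.
    return ("Logon Failure:\n"
            "Reason: Unknown user name or bad password\n"
            f"User Name: {user}\nDomain: {domain}\nLogon Type: 3\n"
            f"Workstation Name: {workstation}\n"
            "Source Network Address: x.x.x.x\n")

# Constructed sample: 24 failures from the build client seen in the thread,
# plus made-up records (CORP\jsmith, MININT-EXAMPLE1) for contrast.
SAMPLE_LOG = "\n".join(
    [_record("Administrator", "MININT-AQOM35G", "MININT-AQOM35G")] * 24
    + [_record("jsmith", "CORP", "DESK-0042")] * 2
    + [_record("Administrator", "MININT-EXAMPLE1", "MININT-EXAMPLE1")] * 3)

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_failures(text):
    """Split exported event text into one dict per 'Logon Failure:' record."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Logon Failure":
            current = {}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records

def local_account_failures(records, lockout_after=4):
    """Count network (type 3) failures where the client offered one of its
    own local accounts, i.e. Domain equals Workstation Name."""
    counts = Counter()
    for r in records:
        ws, dom = r.get("Workstation Name", ""), r.get("Domain", "")
        if r.get("Logon Type") == "3" and ws and ws.upper() == dom.upper():
            counts[(ws, r.get("User Name", ""))] += 1
    # lockout_after=4 mirrors the count reported in the thread (assumption).
    return [{"workstation": ws, "user": user, "failures": n,
             "enough_to_lock": n >= lockout_after}
            for (ws, user), n in counts.most_common()]

if __name__ == "__main__":
    for row in local_account_failures(parse_failures(SAMPLE_LOG)):
        print(row)
```

Failures from domain accounts (the constructed CORP\jsmith records) are excluded, so the output lists only workstations that are offering local credentials to the share.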
RE: BDD 2007 authentication to distribution share - 11/6/2007 1:37:22 PM   
jterwelp856

 

Posts: 53
Score: 1
Joined: 5/20/2003
Status: offline
The local administrator account is also locked out on my build server after every single build.  I was able to reproduce using an unmodified task sequence.  I am interested in finding a solution to this issue, too.

Jeff

(in reply to egiroux)
Post #: 6
RE: BDD 2007 authentication to distribution share - 11/6/2007 3:29:17 PM   
egiroux

 

Glad to hear that I'm not the only one. I was about to test with a virgin task sequence but it sounds like you have already done that. I may load MS Deployment on a test machine to see if this is fixed by the new version. The other alternative I thought of would be to rename the local administrator account on the workstation build so that it's not the same name as the local administrator account on the build server.

(in reply to jterwelp856)
Post #: 7
RE: BDD 2007 authentication to distribution share - 11/13/2007 7:58:49 AM   
egiroux

 

Has anyone else checked the administrator account on their BDD 2007 build server to see if it gets locked out during an image build?

(in reply to egiroux)
Post #: 8
RE: BDD 2007 authentication to distribution share - 11/16/2007 1:55:35 PM   
egiroux

 

I just built up an MS Deployment build server and ran a task sequence. This same problem happens in the new version. Must be a "feature". Perhaps it's intended to encourage administrators to rename the built-in administrator account.

(in reply to egiroux)
Post #: 9
RE: BDD 2007 authentication to distribution share - 7/17/2008 8:55:46 AM   
petemarron

 

Posts: 1
Score: 0
Joined: 7/17/2008
Status: offline
Anyone resolve the issue??

(in reply to egiroux)
Post #: 10
RE: BDD 2007 authentication to distribution share - 2/23/2009 3:25:47 PM   
scarneol

 

Posts: 135
Score: 0
Joined: 4/24/2003
Status: offline
The problem is that Lite Touch (MDT 2008) still uses various Zero Touch scripts like the ZTIUtility.vbs which searches for the OSDConnectToUNC.exe when making a connection to the DeployRoot (UNC). The ZTIUtility.vbs actually checks 7 different locations ("\", "\Servicing\", "\Tools\", "\USMT\", "\Templates\", "\Scripts\", "\Control\") for the OSDConnectToUNC.exe file which is not even used in Lite Touch deployments and never should be. Unfortunately, this script runs every time the computer reboots during the POSTINSTALL phase (All Users Startup Folder) and uses the credentials of the currently logged in user which will be the local Administrator account. Since the local Admin won't have access to the DeployRoot, errors will show up in the Security Event log on the DeployRoot server and cause a slight delay before the script eventually moves on and maps the DeployRoot using the credentials you entered either during the WinPE credentials phase or from the cs.ini/bootstrap.ini. All I did to get around this was edit the ZTIUtility.vbs so it looked like this:

' Try to find OSDConnectToUNC.exe
 ' iRetVal = FindFile("OSDConnectToUNC.exe", sOSDConnectToUNC) ***Not Required for Lite Touch Deployments;added iRetVal = Failure***
 iRetVal = Failure


(in reply to petemarron)
Post #: 11