RE: SMS 2.o SP5 and XP-SP2 errors
From: Keith P. Rutledge [MSFT] (keithrut_at_online.microsoft.com)
Date: 09/24/04
- Next message: Keith P. Rutledge [MSFT]: "RE: Hotfix Question - DLL versions not matching"
- Previous message: Jay: "Remote control"
- In reply to: Xavier: "SMS 2.o SP5 and XP-SP2 errors"
- Next in thread: mjacques_at_phcs.com: "RE: SMS 2.o SP5 and XP-SP2 errors"
- Reply: mjacques_at_phcs.com: "RE: SMS 2.o SP5 and XP-SP2 errors"
Date: Fri, 24 Sep 2004 15:18:08 GMT
There are two primary causes for this and they are documented on two different web pages, so I am including the URLs and the text (with some editing) for easy access:
Here is the relevant section from the Microsoft Systems Management Server 2003 Clients FAQ (see the last item, “Windows XP SP2”).
<http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/tfaq03.mspx>
"SMS Administrator console: Windows Firewall has three settings: On, On with no exceptions, and Off. When you select the Don’t allow exceptions check box, the SMS Administrator console cannot connect to any SMS site database from the Windows XP client. This is by design. If Windows Firewall is set to On (recommended), the SMS Administrator console cannot display all of the items in the console tree until you add the program unsecapp.exe and the port TCP 135 to the list of programs and services on the Exceptions tab of Windows Firewall."
You can test this by simply setting the Firewall to Off. If the Admin console works at that point, you can enable and configure the firewall as follows:
1. Click "Start", open "Control Panel" and launch "Windows Firewall".
2. From the "General" tab in the "Windows Firewall" applet, ensure that
Windows Firewall is enabled ("On"), and the "Don't allow exceptions"
setting is <not> selected.
3. To unblock the network connection for the SMS Administrator console,
from the "Exceptions" tab, click the "Add Program" button.
4. From the "Add a Program" dialog box, click the "Browse" button, then
open the following filename: <%windir%>\system32\wbem\unsecapp.exe
5. Scope can be defined as necessary by clicking the "Change scope"
button, then click "OK" to add the unsecapp.exe program to the
exception list.
6. The program must now be enabled. In the list of "Programs and
Services", locate the "unsecapp.exe" program that was just added and
place a check mark next to it.
7. Click the "Add Port" button.
8. From the "Add a Port" dialog box, type "135" (without the quotation
marks) for "Port number", ensure that "TCP" is the protocol selected,
and type a "Name", for the exception, such as "<SMS Administrator
Console>" (without the quotation marks).
9. Scope can be defined as necessary by clicking the "Change scope"
button, then click "OK" to add the port to the exception list.
10. The port setting must now be enabled. In the list of "Programs and
Services", locate the exception that was just added, such as < "SMS
Administrator Console" (without the quotation marks)> and place a check
mark next to it.
11. Click "OK" to save changes and close the "Windows Firewall" applet.
In certain situations, adding the program unsecapp.exe and the port TCP 135 to the list of programs and services on the Exceptions tab of Windows Firewall is not sufficient. You might also require:
1. Anonymous remote access rights in DCOM, and
2. You might need to change the security policy for the client computer so that Local Policies\Security Options\Network Access: Let Everyone permissions apply to anonymous users is set to Enabled. This security policy can be set through Active Directory Group Policy or local security policy.
*** You should only make these changes if adding the program unsecapp.exe and the port TCP 135 to the exceptions list does not resolve the problem.
BOTH STEPS MUST BE DONE FOR THIS TO WORK!
-- STEP ONE:
To allow anonymous remote access in DCOM:
1. From the Start menu, click Run and type Dcomcnfg.exe.
2. In Component Services, click Console root, click Component Services, click Computers, and then click My Computer. On the Action menu, click Properties.
3. In the My Computer Properties dialog box, on the COM Security tab, in the Access Permissions section, click Edit Limits.
4. In the Access Permissions dialog box, grant Anonymous Logon allow Remote Access.
-- STEP TWO:
Change the security policy for the client computer so that Local Policies\Security Options\Network Access: Let Everyone permissions apply to anonymous users is set to Enabled. This security policy can be set through Active Directory Group Policy or local security policy.
1. Open Secpol.msc at the Run line.
2. Security setting >> Local Policies >> Security Options
3. Enable -- Network access: Let Everyone permissions apply to anonymous users.
Best Regards,
Keith Rutledge, MCSE NT4/2000
Microsoft Online Support Engineer
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
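The firewall procedure in the post above, written as a command-line script for Windows XP SP2. This is an added example, not part of the original post or of Microsoft's FAQ. The subnet scope, the rule names and the closing registry check (which reports whether the STEP TWO policy is currently enabled) are assumptions of this example.

```bat
@echo off
rem Added example: command-line form of the Windows Firewall steps in the
rem post, using the "netsh firewall" context that ships with Windows XP SP2.
rem Run from an account with local administrator rights.
setlocal

rem Assumption: both exceptions are limited to the local subnet.
rem Use scope=CUSTOM with addresses=<list> to name specific SMS servers,
rem or scope=ALL to match the GUI default.
set SCOPE=SUBNET
set RULENAME=SMS Administrator Console

rem Step 2: firewall On, "Don't allow exceptions" not selected.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem Steps 3-6: add unsecapp.exe to the exception list and enable it.
netsh firewall add allowedprogram program="%windir%\system32\wbem\unsecapp.exe" name="unsecapp.exe" mode=ENABLE scope=%SCOPE%

rem Steps 7-10: open TCP 135 and enable the port exception.
netsh firewall add portopening protocol=TCP port=135 name="%RULENAME%" mode=ENABLE scope=%SCOPE%

rem Confirm that both exceptions are present and enabled.
netsh firewall show allowedprogram
netsh firewall show portopening

rem Report the current state of "Network access: Let Everyone permissions
rem apply to anonymous users" (STEP TWO in the post). The policy is stored
rem in the EveryoneIncludesAnonymous value under the Lsa key; 0x1 = Enabled.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v EveryoneIncludesAnonymous 2>nul | findstr /i "0x1" >nul
if %errorlevel%==0 (
    echo Let Everyone permissions apply to anonymous users: ENABLED
) else (
    echo Let Everyone permissions apply to anonymous users: not enabled
)

endlocal
```

The script only reads the anonymous-access policy; it does not change it, so the last line shows whether a machine has already had the STEP TWO change applied.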