How to Troubleshoot Ivanti EPM Remote Control

Version 11

    Verified Product Versions

    Endpoint Manager 9.5, Endpoint Manager 9.6, Endpoint Manager 2016.x



    The following are errors that may be received when trying to remote control.


    • You do not have remote control rights.

    • Credentials Required.

    • Unable to establish a secure session with the remote computer (-5).

    • Unable to find the remote control web service on [CORENAME].

    • Receive Failed: -1 unable to locate the remote computer.

    • Not a member of the HDAllowed group.

    • "No TCP Agent Found" may be in connection messages.

    • You must provide a valid console user name, password, or domain.

    • The currently logged-in user does not have rights to access the remote computer. You must provide the user name password, and domain of an account that is authorized to control the remote computer.

    • Unable to send a request to remote computer.



    General Tips

    1. Ensure the user is part of the LANDesk Management Suite group.
    2. Verify that the Console is patched to the same level as the Core (even if installed after the Core was updated).
    3. Verify that the LANDesk Management Agent is running on the machine.  If it is not running or will not start, run the cba8inst.msi file in c:\program files\LANDesk\ldclient.
    4. Set SecurityType to 0 (Local Template).
    5. Attempt to browse http://{Agent_Name_or_IP_Address}:9595
    6. Attempt to Telnet to 9535 on the Agent.  If you cannot Telnet to this port, shut down any firewalls and/or run ICFConfig-V4.exe to open those ports in the Windows Firewall.
    7. On the Agent, create a text file titled isswuser32.log in the C:\Program Files\LANDesk\LDClient directory, attempt Remote Control, then check the file for errors. Verify that the Remote Control Viewer is not set to use “Enable old agent compatibility (pre 8.5 agents)” in Tools > Options. Note: RC-11047587.2 addresses this issue.
    8. Verify that the Agent is in Gateway mode only if the Management Gateway is being used.
    9. Verify that only .NET 1.1 is installed on the Core Server. If .NET 2.0 or 3.0 is installed in 8.7, verify that the Default Website is set to use .NET 1.1 and move to step 8.  If in a version prior to 8.7, uninstall other .NET versions and move to step 8.  Note: If .NET 3.0 has been installed on a Core Server and removed, it will need to be reinstalled for 8.7 to function properly; this has not been tested in versions previous to 8.7.
    10. On the Core Server, run from a command prompt: %windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe -i
    11. Restart IIS.
    12. Re-push Agent.
    13. Attempt to browse in IIS https://Core_Server_Name/LANDesk/ManagementSuite/Core/SSL/remotecontrol/RemoteControlService.asmx from both the core and the machine where Remote Control is being performed.
    14. Attempt to browse in IIS https://Core_Server_Name/landesk/managementsuite/core/ssl/information/databaseinformation.asmx from both the core and the machine where Remote Control is being performed.
    15. If the Console does not show the Remote Control Icon when choosing an Agent for Remote Control, run C:\Program Files\LANDesk\LDClient\issuser.exe /resident on the client.
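
    The connectivity checks in steps 5, 6, 13 and 14 can be scripted so that a blocked port or a failing web service is identified directly. The PowerShell below is an added example, not Ivanti's own tooling; the host names are placeholders, and only the ports and URL paths come from this article.

```powershell
# Added example: connectivity checks for General Tips steps 5, 6, 13 and 14.
# $Agent and $Core are placeholder host names (assumptions); replace them.
param(
    [string]$Agent = 'AGENT_NAME_OR_IP',
    [string]$Core  = 'CORE_SERVER_NAME'
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false                # refused, unreachable or name not resolved
    } finally {
        $client.Close()
    }
}

function Test-CoreService {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        return "HTTP $($r.StatusCode)"
    } catch {
        # Certificate trust failures and 401/403/500 responses land here and are
        # reported as-is; certificate validation is deliberately not bypassed.
        return "FAILED: $($_.Exception.Message)"
    }
}

# Steps 5 and 6: the agent ports named in the article.
foreach ($port in 9595, 9535) {
    $open = Test-TcpPort -HostName $Agent -Port $port
    '{0}:{1} reachable = {2}' -f $Agent, $port, $open
}

# Steps 13 and 14: the core web services named in the article.
$paths = '/LANDesk/ManagementSuite/Core/SSL/remotecontrol/RemoteControlService.asmx',
         '/landesk/managementsuite/core/ssl/information/databaseinformation.asmx'
foreach ($p in $paths) {
    '{0} -> {1}' -f $p, (Test-CoreService -Url "https://$Core$p")
}
```

    Run it from both the core and the machine where Remote Control is being performed, as steps 13 and 14 direct, and compare the two outputs.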


    Windows NT Security / Local Template

    1. Verify that the User (that is logged on to Windows, not the Console) is part of the Remote Control Operators group (synonymous with HDAllowed) on the Agent and LANDesk Management Suite group on the Core Server.


    Certificate Based Security

    1. Verify that the user (that is logged on to Windows, not the Console) performing Remote Control is part of the LANDesk Management Suite group on the Core Server.
    2. Set Component Services | Computers | My Computer | COM+ Applications | LANDesk and LANDesk1 > Right-Click > Choose Properties > Advanced Tab > Server Process Shutdown > Leave Running When Idle.
    3. Create an SSL AppPool (for instructions on how to create this, see Optimizing IIS 6.0, available from KB Article #3076).
    4. Check %windir%\system32\inetsrv\w3wp.exe.log for errors.

    Integrated Security

    1. Perform the same tasks as with Certificate Based Security.
    2. Specify Domain Administrator Credentials in Component Services | Computers | My Computer | COM+ Applications | LANDesk and LANDesk1 > Right-Click > Choose Properties > Identity Tab > This User.
    3. Verify on the Client that the LANDesk Remote Control Service is running.  If the service is not running, run C:\program files\LANDesk\LDClient\issuser.exe /resident.
    4. Verify that the ASP.Net Web service Extensions are set to Allowed in IIS.
    5. Check the binding certificate in IIS: for 9.6, make sure it is set to Landesk Secure Token Server; for 9.5, make sure it points to the most current .0 file.


    Help in Finding the Problem

    To help pinpoint the exact problem, use Process Monitor (Procmon.exe) from Sysinternals to see exactly why the specified user is being blocked.  This utility can show which permissions are being denied to the following site:




    Once it is known which permissions were denied, compare the NTFS permissions from a working Core Server with those on the Core Server you are working on.  For example, you may notice that the management suite\landesk folder does not have the LANDesk Management Suite group added to the Security portion of the folder.  Once that group is added, that particular cause of this issue is resolved.