Remote Controlling an agent workstation may fail with the following errors
You do not have remote control rights
"Unable to establish a secure session with the remote computer (-5)."
This can occur when using any Remote Control security type in Management Suite 8.7.
The failure can occur when using Domain Groups (sometimes called a Nested Group) in the LANDesk Management Suite group on the Core Server or the Remote Control Operators group on the agent workstation.
In order to see if a user is in a Domain Group, a user with Domain access is needed. By default the LANDesk COM+ objects are set to use LANDeskCOMPlus user which is a local account on the core. It cannot query the domain for security group membership information.
On the Core Server, if the LANDesk1 COM+ application identity does not have permission to enumerate groups on the domain, the following will be seen in the UserValidatorErrlog.txt that is located in the ManagementSuite directory:
ERROR on 10/31/2008 12:13:11 PM with user CALDOR\Administrator, and core vm88:
GetGroupUsers() : NetGroupGetUsers failed with an ERROR_LOGON_FAILURE code. IIS may not have permission to query the domain for group information.
Regardless of who is logged into the Management Console, the user credentials logged into Windows on the Remote Controlling workstation are the credentials that are passed to the core server/target machine. If the user logged into Windows on the Remote Controlling workstation does not have the remote control rights, the error above will be returned and along with a prompt for credentials.
These errors can be resolved in different ways. Review the resolutions below and determine the resolution best suited for your environment.
Configure COM+ to use a Domain User
On the Core Server, open Administrative Tools | Component Services.
In Component Services, browse to Component Services | Computers | My Computer | COM+ Applications | LANDesk.Note: These same steps must also be performed against the LANDesk1 COM+ Application.
Right-click the object and click on Properties.
Select the Identity tab.
Change the LANDeskComPlus user to a valid domain user.Note: A valid domain user is one that has read access to Active Directory. The user account must be in the format Domain\UserName. Again, both COM+ Applications LANDesk and LANDesk1 should be modified.
After making this change, reboot the Core Server or Rollup Core Server.
Add the User to the Remote Control operators group Explicitly
If using NT Security Type, make sure that the user logged into the Operating System on the remote controlling workstation or the viewer workstation is in the Remote Control operators group on the client.
Add the User to the Management Suite Group Explicitly
Add any remote control user accounts explicitly to the LANDesk Management Suite group on the Core Server.
Logon to Windows as a user that has the remote control rights
Logon to the Remote Controlling Workstation as a User with Remote Control Rights
Log into the OS with a user that has Remote Control rights.Note: This is needed because Remote Control authenticates with the user logged into the Windows Operating System, not the user logged into LANDesk Console.