1 2 Previous Next 25 Replies Latest reply on Dec 9, 2016 8:26 AM by phoffmann

    Installing LDClient on Servers with IIS Websites

    Justus.Niemeyer Apprentice

      Hello,

       

      I am having issues with deploying agents to servers that have IIS installed. The initial install seems to complete without error. However, when I try to request an inventory scan/deploy software/etc., I get an error "The remote computer refused the network connection." I researched this error (including copying certificates from the Core, etc.), but didn't come up with anything.

       

      The one commonality between all of these servers is IIS is hosting a website on the servers. When I check the Event Viewer log, I find about 7 errors each time I try to run the scan. The errors all point to "serviceHost.exe" with the faulting module "ntdll.dll."

       

      I'm thinking there must be some permissions issues happening once IIS gets installed. Maybe some certificate conflicts? I've been researching, but I don't see this has been reported. Any help/recommendations would be appreciated.

       

      Thanks,

       

      Justus

        • 1. Re: Installing LDClient on Servers with IIS Websites
          Justus.Niemeyer Apprentice

          I should mention this happens on around 15 of our servers. All have IIS. No other issues to speak of.

          • 2. Re: Installing LDClient on Servers with IIS Websites
            phoffmann SupportEmployee

            IIS shouldn't cause problems (that I'm aware of) - but a couple of things you could help specify / clarify:

             

            • What version (and patch level) of LANDesk Management Suite are you talking about (i.e. - 9.5 SP1) ?
            • What OS are the "clients' here (I.e. Windows 2012 R2) ?

             

            The first place you want to look at is going to be the SERVICEHOST.LOG (which you'll find here -- "C:\ProgramData\LANDesk\Log\") -- that is the log for the part of the client that listens for "incoming orders" and handles authentication.

             

            So for instance, a "successful authentication & remote execution" would look like so (I've added a few annotations so things are clearer):

            -- service is starting up as a request is coming in. Lists the client-name, port and IP.

            Mon, 21 Nov 2016 10:39:00 456: Service Host Started, Host KAYOLINGAZ.fantasia.org:9594, Peer 192.168.110.165, IP Address 192.168.110.155

            Mon, 21 Nov 2016 10:39:00 456: Public key path C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\certs

            -- An anonymous connection is being attempted - this will be failing shortly due to lack of authentication.

            Mon, 21 Nov 2016 10:39:00 456: Anonymous connection established

            Mon, 21 Nov 2016 10:39:00 456: Request Received "POST /services/exec HTTP/1.1"

            Mon, 21 Nov 2016 10:39:00 456: Unauthorized client access of "C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\services\exec.dll" was rejected (level 1, current auth 0).

            Mon, 21 Nov 2016 10:39:00 456: EOF encountered parsing HTTP headers, client closed connection.

            Mon, 21 Nov 2016 10:39:00 456: Service host has finished

            -- Cert-based authentication is being attempted now, via a certificate - "cc9be1d8.0" in this case.

            Mon, 21 Nov 2016 10:39:00 5016: Service Host Started, Host KAYOLINGAZ.fantasia.org:9594, Peer 192.168.110.165, IP Address 192.168.110.155

            Mon, 21 Nov 2016 10:39:00 5016: Public key path C:\Program Files (x86)\LANDesk\Shared Files\cbaroot\certs

            -- Authentication about to be successful

            Mon, 21 Nov 2016 10:39:00 5016: X509 Authentication via cc9be1d8

            Mon, 21 Nov 2016 10:39:00 5016: Request Received "POST /services/exec HTTP/1.1"

            -- Now that Authentication was successful, the Core can actually tell the client what command-line it wants the client to run.

            -- In this case, the command line is -- "C:\Program Files (x86)\LANDesk\LDClient\PolicySync.exe" -taskid=1

            Mon, 21 Nov 2016 10:39:00 5016: Exec: Exec: Launch request <"C:\Program Files (x86)\LANDesk\LDClient\PolicySync.exe" -taskid=1> (sync 0, timeout 2147483647)

            Mon, 21 Nov 2016 10:39:00 5016: EOF encountered parsing HTTP headers, client closed connection.

            Mon, 21 Nov 2016 10:39:00 5016: Service host has finished

             

             

            NOTE - this is with DEFAULT logging ... you can add additional logging by enabling verbose/debug logging. How to do that can be found in this article here - How to enable Xtrace Diagnostic Logging . That gets a lot more "chatty" but can help if there's odd stuff as well.

             

            Another article that may be useful to you is this one - How to troubleshoot Agent Discovery - it's possible that there's some network config or so on those boxes that kills off our comms to it?

             

            Essentially, you need to break down the problem into the following questions / answers:

             

            1. Does the Core actually REACH the client (are there entries in the SERVICEHOST.LOG at all)? If no, then there's some sort of blocking going on - firewall, etc.
            2. If the core reaches the client, can it AUTHENTICATE with it properly (that is something you should see happen in the log, as per my example above).
            3. Assuming authentication is fine, does the command start? This SHOULD happen and you might have to look at a separate log (depending on what the command is that is being launched).
            4. ... What about other logs being updated (sort by date)? For instance, if you are launching a SoftDist task, is there anything interesting in the "PolicySync.exe.log" and/or the "PolicySync.log" files? (This assumes that you're on LANDesk Management Suite 9.6 or newer).

             

            ... I'd say let's start with that and go from there.

            • 3. Re: Installing LDClient on Servers with IIS Websites
              phoffmann SupportEmployee

              As an addendum, neither SERVICEHOST.EXE nor NTDLL.DLL are "ours" - so you may have a symptom here rather than a cause ... could be related, might not.

               

              - What Is svchost.exe and Why Is It Running?

              - ntdll.dll - What is ntdll.dll?

               

              ... it's possible that those things cause us / your servers problems, but it's not "our binaries".

               

              Also, check what ports your www-servers are operating on - the key port for us (initially) here is 9594, as that's what CBA8 is listening on.

              • 4. Re: Installing LDClient on Servers with IIS Websites
                Justus.Niemeyer Apprentice

                Hey phoffmann,

                 

                Thanks for your reply. Unfortunately, I am not able to locate that log you mentioned. There are other logs within that folder, but no servicehost.log. Is this indicative of a known issue?

                 

                As far as communication goes, I can verify Windows Firewall is off, Antivirus is turned off, they are on the same network segment, there is no physical firewall between them... Nothing that should be blocking communication whatsoever.

                 

                The web server that I'm working with as a test machine (most are Production) is using only port 80 for its website.

                 

                Also, totally understand ntdll isn't your issue if that's the problem. I'd certainly limit this to being a one-off issue if it wasn't persistent across different operating systems with IIS being the similarity. I've also run chkdsk to make sure the OS files weren't corrupt, etc.

                 

                I want to add we have IIS machines that are running completely fine with LanDesk installed. They are able to manually kick on Inventory Scans and successfully deploy software updates.

                 

                My only other thought is maybe there is a certificate issue since the message "The remote computer refused the network connection" makes it seem as though the server is refusing to answer to the Core. Our packet captures don't show any SSL/TLS negotiation though, so that may not be a good guess either.

                • 5. Re: Installing LDClient on Servers with IIS Websites
                  phoffmann SupportEmployee

                  It's not so much indicative of a "known issue" as I wonder whether there's a problem with the CBA8 on the box.

                   

                  So ... simple check ... does your box in question *HAVE* a "LANDesk(R) Management Agent" service in the first place? And - is it started? That'd make the most sense to me at this point ... no service == no log.

                   

                  The path / process it points to should be - "C:\Program Files (x86)\LANDesk\Shared Files\residentagent.exe"

                   

                  So - if that's the case (i.e. - you don't have a LANDesk Management Agent on that box for some reason), here's a couple of ways of trying to fix that. Try the following:

                  • Run "residentagent.exe /register" from the "C:\Program Files (x86)\LANDesk\Shared Files\"-directory (service may need a manual start after it's registered).
                  • Uninstall & reboot & Re-install the LANDesk agent (and probably reboot again) (less a fan of that in this case, since we're talking servers, and I don't know how much liberty you have with reboots on those)

                   

                  • You can also try (and this is harkening back a long time) the following - Running "RAINSTALL /INSTALL" or "RAINSTALL /INSTALL /FORCE" from the core's LDLOGON directory.

                   

                  I'd hope that the first suggestion I'm giving you should register the CBA properly ... once that's done, you should be able to start the service up fine.

                   

                  As an aside - this is the sort of thing that Agent Health can help with automatically (at this point, we're still trying to find what the issue *IS* in the first place though), as that can automatically try to heal a broken agent. An introduction training to agent health with a video to it can be found here:

                  - [Tech Brief On-Demand Webinar 2016] Agent Health in LANDESK Management Suite 2016

                   

                  Hope that helps?

                  • 6. Re: Installing LDClient on Servers with IIS Websites
                    Justus.Niemeyer Apprentice

                    Wow, tons of good information here. Thanks for taking the time to help!

                     

                    That said, unfortunately (?) the Landesk(R) Management Agent (CBA8) is already installed, registered, and Started on the machine in question.

                     

                    And, just to double-check everything and make sure I'm not wasting your time, I went back to C:\ProgramData\LANDesk\Log and still, there is no SERVICEHOST.LOG.

                     

                    I'll watch the video you posted as well. I just wanted to give you a quick response to the first part of your answer.

                     

                    Thanks,

                     

                    Justus

                    • 7. Re: Installing LDClient on Servers with IIS Websites
                      phoffmann SupportEmployee

                      Ah wait ... check the SERVICEHOST.LOG at this location - "C:\ProgramData\LANDesk\Log\" ... must've had my copy/paste cache messed up while juggling too many things.

                       

                      A blonde moment on my side .

                      • 8. Re: Installing LDClient on Servers with IIS Websites
                        Justus.Niemeyer Apprentice

                        Hmm... Sorry if I'm misreading, but that looks like the same path, right? I still didn't find it there, but I did find SERVICEHOST.LOG at C:\Program Files (x86)\LANDesk\Shared Files. It is empty though

                        • 9. Re: Installing LDClient on Servers with IIS Websites
                          phoffmann SupportEmployee

                          Completely empty?

                           

                          That's very odd .. it should normally be written into the ProgramData location ... and it should have at least "something" in it.

                           

                          OK - so what happens if you open up a browser and enter the following address -- http://{IP_Or_Name_Of_Client}:9595 -- ? You should see something like the below:

                          CBA_Local.jpg

                          That "most direct" mode of knocking at CBA's door serves two things:

                           

                          1 - Checks that CBA is up & running properly (you should see the screen I have -- if you don't, there's a problem)

                          2 - This will force some sort of logging entries ... so once you've done that you DEFINITELY should have log entries in either location.

                           

                          If you still don't, I'd suggest uninstalling & re-installing (with reboots on either side) perhaps / getting support to have a look at the box potentially.

                           

                          CBA doesn't really have that many ways to die off (usually it's stopped) - but it "running and yet not logging anything" is more than a mite peculiar.

                           

                          Give the above a try & let me know what comes back ... it's a very quick test, and should have immediate results .

                          1 of 1 people found this helpful
                          • 10. Re: Installing LDClient on Servers with IIS Websites
                            Justus.Niemeyer Apprentice

                            Unfortunately, it comes back with an error that it cannot display the page. Also unfortunately, there are no records written to ServiceHost.LOG either. The only logging I seem to be getting is within Event Viewer.

                             

                            Faulting application serviceHost.exe, faulting module ntdll.dll. It seems to attempt 3 times.

                             

                            I can try another uninstall-reboot-reinstall-reboot to see if it clears up, but I have tried this before. I'll keep you posted on how that goes. Additionally, I did submit a support request a few days ago (before you responded to this thread), but haven't heard back yet.

                             

                            Thanks again. I'll update after the reinstall.

                            • 11. Re: Installing LDClient on Servers with IIS Websites
                              masterpetz ITSMMVPGroup

                              Hi Justus,

                               

                              as Paul wrote, a lookup on localhost:9595 triggers the servicehost.exe and because there is some kind of incompatibility, your servicehost.exe crashes and can't establish a Connection on port 9595. You can reproduce this on a working device, if you rename servicehost.exe , kill it in the task manager and try the web lookup, you will get a website not found error.

                              You can try to download tcpview from Microsoft, run it and look for port 9595. You should see 3 entries for port 9595 for the residentagent.exe (TCP, UDP, TCPV6). Are These three entries there and is there any other application that might listen on port 9595?

                              And it would be interesting which Server OS are we talking about and which LDMS version do you use. I think you missed these question Paul already asked you...

                               

                              Kind regards

                              Christian

                              • 12. Re: Installing LDClient on Servers with IIS Websites
                                Justus.Niemeyer Apprentice

                                You're right, I did forget to give that information.

                                 

                                The server I'm focused on is Windows 2008 (not R2) x64. I am running 9.6 SP3, though this issue was occurring on SP2 as well. I also have this occurring on 2008 R2 servers, 2012 servers, and 2012 R2 servers. All have IIS installed. But I have roughly 250 working machines, some with IIS, all with the operating systems listed previously. 

                                 

                                I'm still in the process of reinstalling the client. Here is what I have tried so far...

                                 

                                1. I did an Unmanaged Device scan and found the machine

                                2. I deployed the agent to the machine through scheduled task. The task sat in the "Active" state for quite a long time. I noticed it said "The files have been copied to the machine."

                                3. The scheduled task failed stating "The agent setup program started but communication was lost."

                                4. I  am now installing using an executable from my LanDesk server. I'll try your TCPView suggestion once that is finished.

                                • 13. Re: Installing LDClient on Servers with IIS Websites
                                  masterpetz ITSMMVPGroup

                                  For the 3rd Point on your list you could check this link:

                                   

                                  1165 - The agent setup program started but communication is lost

                                   

                                  In short, is the user you set for the LANDESK Scheduler Service on the core able to remote execute the agent installer on the IIS Server? It seems folder creation and copying is permitted but not remote execution.

                                   

                                  Regards

                                  Christian

                                  • 14. Re: Installing LDClient on Servers with IIS Websites
                                    Justus.Niemeyer Apprentice

                                    Well, I fixed it.

                                     

                                    After reinstalling the agent with the .exe, it threw up and error which pointed me to wscfg32.log. From that log, I found the C:\Program Files (x86)\LANDesk\LDClient\vcredist_x86.exe had issues installing. My guess is that the nature of the websites on these specific failing boxes probably already had it installed. I repaired that install using the .exe and also manually installed vcredist_x64.exe and rebooted. After the reboot, Inventory scans are working, software deployments are working, and I'm getting entries in the ServiceHost log in the directory Phil pointed me to originally (in ProgramData.)

                                     

                                    A huge thank you to everyone who helped!

                                     

                                    Thanks,

                                     

                                    Justus

                                    1 2 Previous Next