7 Replies Latest reply on Jun 6, 2017 11:22 AM by phoffmann

    Unable to deploy software when selecting "Run as a specified user"

    JStevenson Apprentice

      Hi all,

       

      We have a problem with our LANDESK setup which we have ignored because we have never needed it and everything else seems to work okay, but now that we actually need to use it, I need to find a solution.

       

      We have software we need to deploy but it has to be installed with a specific user account - It will not install with Local System or Current User. Reasoning why is convoluted so I won't go into that.

       

       

      Problem is, if I try to deploy the software with a specified user, it always fails.

      I have done some tests and it is not just this software. It is anything. Any distribution package I make where I choose to specify a user account to run it fails.

      I have tried many different accounts which I know to be correct and to have administrator rights on the target device.

       

      The software physically makes it to the target device(s) - I can see it in the sdmcache folder, so there is no problem there. It is when it tries to run the package - whether it be an exe, msi or batch. It doesn't matter.

       

      The scheduled task fails - batch files give the return code 16386, executables give return code 16450.

       

      Regardless, the logs give the following error:

       

      Batch

      Exe

       

      From what I can see, there is a problem with our certificates. The scheduled task is failing because it cannot unencrypt the password I have given on the client device??? That is what I am assuming. I have no idea how to go about resolving it though.

       

      Has anyone had a similar issue? I am going to log it with Ivanti support but wanted to share with you all too in case any of you had any ideas.

        • 1. Re: Unable to deploy software when selecting "Run as a specified user"
          phoffmann SupportEmployee

          Not stumbled across this issue myself, but this may help along a little bit / may get requested by support anyway.

           

          Step 1 - turn on maximum verbosity on logging client-side -- How to enable Xtrace Diagnostic Logging

           

          You'll probably be most interested in the SDCLIENT log and/or the SDISTBAT related stuff.

          If the stuff in there doesn't make a lot of sense to you - worry not. Support & co should be able to make sense out of it.

           

          <And when I say "debug logging", I do mean it - it'll get VERY chatty ... ignore the stuff that doesn't make sense. Oh and - "read from the bottom up" ... you don't care about "the bits that work" after all >

           

          Step 2 - What version / minor patch level are you on? Currently, 2016.3 has a "focussed release" (the "limited testing" phase) of SU3 which support can make available to you. May help - may not (not seen this as a problem, so can't check).

           

          Step 3 - You COULD try something simple (debug-wise) as running a separate BAT-file as "a specific user" where the bat-file purely does the following:

          whoami >> C:\ZZ_Whoami.log

           

          ... just to confirm / test that:

          - The batch runs.

          - You catch for sure the user context it runs as

          - You store the file / output to some "low security/privilege" location (I've done C:\ here - but that can be obviously changed).

           

          May help move this forward a little bit I hope.

          1 of 1 people found this helpful
          • 2. Re: Unable to deploy software when selecting "Run as a specified user"
            JStevenson Apprentice

            Thanks for the suggestion phoffmann.

             

            Unfortunately I have not had much luck with this.

             

            I have a batch file I'm using to test which creates a folder on the C:\ drive and then creates a txt document in that folder.

             

            The batch file gets downloaded onto the target device but then it fails as before. It doesn't even look like LD is trying to run it. I cannot see anything in the logs on the server or client. All I can find is the Task Log which has the following.

             

            Tue, 30 May 2017 13:38:16 ******* sdclient starting to process task *******

            Tue, 30 May 2017 13:38:16 Task id to process: 7170

            Tue, 30 May 2017 13:38:16 Command line: /policyfile="C:\ProgramData\LANDesk\Policies\CP.7170.RunNow._tTPb8LcEx9g8P1Mp&#471PXjeItmpw=.xml"

            Tue, 30 May 2017 13:38:16 The nostatus flag has NOT been set.

            Tue, 30 May 2017 13:38:16 Core name '{THECORE}' obtained from the registry

            Tue, 30 May 2017 13:38:16 Sending task status, cmd line -coreandip={THECORE} -taskid=7170 -retcode=229392442 -pkgid=880

            Tue, 30 May 2017 13:38:17 IsFileInCache: Cache2.GetFilePrevCountEx failed - path=http://{THECORE}/SWD/Empty/MDTest.bat

            Tue, 30 May 2017 13:38:17 File (http://{THECORE}/SWD/Empty/MDTest.bat) is not in cache

            Tue, 30 May 2017 13:38:17 The nostatus flag has NOT been set.

            Tue, 30 May 2017 13:38:17 Core name '{THECORE}' obtained from the registry

            Tue, 30 May 2017 13:38:17 Sending task status, cmd line -coreandip={THECORE} -taskid=7170 -retcode=229392444 -pkgid=880

            Tue, 30 May 2017 13:38:18 About to call DownloadFiles (1 files) with these settings:

            Tue, 30 May 2017 13:38:18 m_allowedBandwidthWAN: 50

            Tue, 30 May 2017 13:38:18 m_allowedBandwidthLAN: 75

            Tue, 30 May 2017 13:38:18 m_discardPeriodSeconds: 604800

            Tue, 30 May 2017 13:38:18 m_preserveDirectoryStructure: 1

            Tue, 30 May 2017 13:38:18 m_bUseWanBWForPush: 0

            Tue, 30 May 2017 13:38:18 m_bSynchronize: 0

            Tue, 30 May 2017 13:38:18 Allowed download methods(m_downloadControl):

            Tue, 30 May 2017 13:38:18 PeerOneSource

            Tue, 30 May 2017 13:38:18 Peer

            Tue, 30 May 2017 13:38:18 Source

            Tue, 30 May 2017 13:38:18 m_preferredServerControl: AttemptPreferredServer

            Tue, 30 May 2017 13:38:31 Updating system environment variable LDMS_PREFERRED_SERVER: {THECORE}

            Tue, 30 May 2017 13:38:34 The nostatus flag has NOT been set.

            Tue, 30 May 2017 13:38:34 Core name '{THECORE}' obtained from the registry

            Tue, 30 May 2017 13:38:34 Sending task status, cmd line -coreandip={THECORE} -taskid=7170 -retcode=229392444 "-message=100%" -pkgid=880

            Tue, 30 May 2017 13:38:34 The nostatus flag has NOT been set.

            Tue, 30 May 2017 13:38:34 Core name '{THECORE}' obtained from the registry

            Tue, 30 May 2017 13:38:34 Sending task status, cmd line -coreandip=RYRIS130.sussex.nhs.uk -taskid=7170 -retcode=229392444 "-message=100%" -pkgid=880

            Tue, 30 May 2017 13:38:34 The nostatus flag has NOT been set.

            Tue, 30 May 2017 13:38:34 Core name '{THECORE}' obtained from the registry

            Tue, 30 May 2017 13:38:34 Sending task status, cmd line -coreandip=RYRIS130.sussex.nhs.uk -taskid=7170 -retcode=229392258 -pkgid=880

            Tue, 30 May 2017 13:38:36 ExpandEnvironmentVariables Result:

            Tue, 30 May 2017 13:38:36 Batch file Client Thread

            Tue, 30 May 2017 13:38:36 PackagePath: [http://{THECORE}SWD/Empty/MDTest.bat]

            Tue, 30 May 2017 13:38:36 MakeHTTPRequest: POST: http://{THECORE}:443/landesk/managementsuite/core/ServerAuthentication/serverauthentication.asmx

            Tue, 30 May 2017 13:38:37 ERROR: Invalid client cert to get password.

            Tue, 30 May 2017 13:38:37 An error occured launching sdistbat (-1918091198)

            Tue, 30 May 2017 13:38:37 Bat file output :

            Tue, 30 May 2017 13:38:37 Installation result 8DAC4002

            Tue, 30 May 2017 13:38:37 RunPackageInstall: stop on returncode=8dac4002 of package=Test

            Tue, 30 May 2017 13:38:37 processing of package is complete, result -1918091262 (0x8dac4002 - code 16386)
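
An added example (not part of the original post and not Ivanti code): a small triage script for an sdclient task log like the one above. It reinterprets each signed result as 32-bit hex, extracts the code, and ties a failed result to the "Invalid client cert" line. The bit layout (top bit for failure, low 16 bits for the code) is an assumption inferred from the result lines posted in this thread; under that reading the sdistbat launch value -1918091198 decodes to code 16450. The sample host name is a placeholder.

```python
import re

# Constructed sample: lines in the format of the task log posted above,
# with the core server name replaced by a placeholder host.
SAMPLE_LOG = """\
Tue, 30 May 2017 13:38:36 MakeHTTPRequest: POST: http://core.example.test:443/landesk/managementsuite/core/ServerAuthentication/serverauthentication.asmx
Tue, 30 May 2017 13:38:37 ERROR: Invalid client cert to get password.
Tue, 30 May 2017 13:38:37 An error occured launching sdistbat (-1918091198)
Tue, 30 May 2017 13:38:37 Installation result 8DAC4002
Tue, 30 May 2017 13:38:37 processing of package is complete, result -1918091262 (0x8dac4002 - code 16386)
"""

RESULT_RE = re.compile(r"result (-?\d+) \(0x([0-9a-fA-F]{8}) - code (\d+)\)")
LAUNCH_RE = re.compile(r"launching sdistbat \((-?\d+)\)")
CERT_ERROR = "Invalid client cert to get password"


def decode_result(value):
    """Split a signed 32-bit sdclient result into its visible parts.

    Assumption (inferred from the thread's logs, not vendor documentation):
    the top bit marks failure and the low 16 bits are the reported "code".
    """
    raw = value & 0xFFFFFFFF  # reinterpret the signed decimal as unsigned
    return {"hex": f"0x{raw:08x}", "failed": bool(raw & 0x80000000),
            "code": raw & 0xFFFF}


def triage(log_text):
    """Collect certificate errors and decoded result codes from a task log."""
    report = {"cert_error_lines": [], "results": [], "likely_cause": None}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if CERT_ERROR in line:
            report["cert_error_lines"].append(lineno)
        final = RESULT_RE.search(line)
        launch = LAUNCH_RE.search(line)
        if final:
            entry = decode_result(int(final.group(1)))
            # Cross-check our decoding against what the log itself printed.
            entry["matches_log"] = (entry["hex"] == "0x" + final.group(2).lower()
                                    and entry["code"] == int(final.group(3)))
            entry.update(line=lineno, source="final")
            report["results"].append(entry)
        elif launch:
            entry = decode_result(int(launch.group(1)))
            entry.update(line=lineno, source="sdistbat launch")
            report["results"].append(entry)
    failed = any(r["failed"] for r in report["results"])
    if failed and report["cert_error_lines"]:
        # The failure follows the core refusing to release the run-as password.
        report["likely_cause"] = "client certificate not accepted by the core"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "=", value)
```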

            • 3. Re: Unable to deploy software when selecting "Run as a specified user"
              phoffmann SupportEmployee

              I've edited your previous response a little bit - purely anonymising any references to your Core server FQDN with -- {THECORE} -- because putting FQDN'ed server names on a publicly accessible log tends to be a bad idea.

               

              I'll try to have a play about see if I can run into this...

               

              Hmmm ... what version & patch level are you guys on? That way, I can at least try to make sure that I'm comparing apples to apples (or as near as I have snapshots at any rate).
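
An added example (not part of the original post and not an Ivanti tool): hand-editing a log before posting is easy to leave incomplete, so this sketch learns the core's name from the fields where this log format carries it, replaces every occurrence with the `{THECORE}` placeholder, and reports any line that still contains it. The host names in the sample are invented, and the list of fields is an assumption based only on the log lines shown in this thread.

```python
import re

PLACEHOLDER = "{THECORE}"

# Constructed sample in the format of the sdclient task log; the host
# names are invented (example.test) and stand in for a real core server.
SAMPLE_LOG = """\
Tue, 30 May 2017 13:38:31 Updating system environment variable LDMS_PREFERRED_SERVER: core01
Tue, 30 May 2017 13:38:34 Core name 'CORE01.corp.example.test' obtained from the registry
Tue, 30 May 2017 13:38:34 Sending task status, cmd line -coreandip=core01.corp.example.test -taskid=7170 -retcode=229392444 -pkgid=880
Tue, 30 May 2017 13:38:36 PackagePath: [http://core01.corp.example.test/SWD/Empty/MDTest.bat]
"""

# Fields in this log format that carry the core server's name or address.
HOST_FIELDS = [
    re.compile(r"-coreandip=([^\s\"]+)"),
    re.compile(r"Core name '([^']+)'"),
    re.compile(r"https?://([^/:\s\]]+)"),
    re.compile(r"LDMS_PREFERRED_SERVER: (\S+)"),
]


def find_core_names(log_text):
    """Return every distinct core identifier found in the known fields."""
    names = set()
    for field in HOST_FIELDS:
        for match in field.finditer(log_text):
            host = match.group(1).lower()
            if host.startswith(PLACEHOLDER.lower()):
                continue  # already redacted
            names.add(host)
            if not re.fullmatch(r"[\d.]+", host):  # not an IPv4 address
                names.add(host.split(".")[0])      # short name may appear alone
    return names


def redact(log_text):
    """Replace each identifier everywhere in the text, longest first."""
    for name in sorted(find_core_names(log_text), key=len, reverse=True):
        pattern = r"(?<![\w.-])" + re.escape(name) + r"(?![\w-])"
        log_text = re.sub(pattern, PLACEHOLDER, log_text, flags=re.IGNORECASE)
    return log_text


def leftover_lines(original, redacted):
    """Line numbers in the redacted text that still contain a core name."""
    names = find_core_names(original)
    return [n for n, line in enumerate(redacted.splitlines(), 1)
            if any(name in line.replace(PLACEHOLDER, "").lower() for name in names)]


if __name__ == "__main__":
    cleaned = redact(SAMPLE_LOG)
    print(cleaned)
    print("lines still exposing the core:", leftover_lines(SAMPLE_LOG, cleaned))
```

`leftover_lines` also works on a copy that was edited by hand: pass the untouched log as `original` and the edited text as `redacted`.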

              • 4. Re: Unable to deploy software when selecting "Run as a specified user"
                JStevenson Apprentice

                Oh yeah, thank you. I was meant to remove that before I posted but I easily get distracted in the office.

                 

                We are currently running 2016.3 - Unpatched at the moment. Version 10.1.0.168

                • 5. Re: Unable to deploy software when selecting "Run as a specified user"
                  phoffmann SupportEmployee

                  OK - So here's what I've done:

                   

                  Step 1 - Create a simple batch file that both ECHO's the current username it's running as -- and picks up a registry value relevant "to each user" from HKCU.

                   

                  Here's my Batch file (Running this on a Windows 10 client, and the "OneDrive" path is convenient in that it contains usernames) -- the batch is called "MyNameIs.bat":

                  ECHO Running MYNAMEIS!

                  ECHO I am running as == %username%

                  ECHO Setting Variables...

                  @ECHO OFF

                  set key="HKCU\Environment"

                  set value=OneDrive

                  @ ECHO ON

                  ECHO Running Registry Query!

                  reg query %key% /v %value%

                   

                  Step 2 - I've scheduled 3 copies of that very same batch file against a Win 10 client. The only difference is the user context in which it runs.

                  Run 1 -- as the default "Local System" account. (This "Failed" on account of a non-0 exit code, which I'll explain in a second...)

                  Run 2 -- as the "Logged on user" account.

                  Run 3 -- as a (different) specified user account.

                   

                  Log from running it as the default (local system account) -- can be found under "C:\Program Files (x86)\LANDesk\LDClient\Data\" - with the log name being "sdclient_task####.log" where the #### depends on the Task ID.

                   

                  Here's the log from the run as Local System (I have debug logging enabled):

                  LOG Fri, 02 Jun 2017 15:29:02 sdclientlib.dll batchfilehandler.cpp(196) Bat file output :

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>call "MyNameIs.bat" 

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>ECHO Running MYNAMEIS!

                  Running MYNAMEIS!

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>ECHO I am running as == KAYOLINGAZ$

                  I am running as == KAYOLINGAZ$

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>ECHO Setting Variables...

                  Setting Variables...

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>ECHO Running Registry Query!

                  Running Registry Query!

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>reg query "HKCU\Environment" /v OneDrive

                   

                   

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>"C:\Program Files (x86)\LANDesk\LDClient\sdistbat.exe" /setbatchstatus=1

                   

                  LOG Fri, 02 Jun 2017 15:29:02 sdclientlib.dll sdclient.cpp(2942) Installation result 8DB50001
                  LOG Fri, 02 Jun 2017 15:29:02 sdclientlib.dll PolicyHistory.cpp(175) CPolicyHistory::LoadHistoryDaysToKeep: No task history maintenance to perform, registry settings for task history maintenance mode is '-1'
                  LOG Fri, 02 Jun 2017 15:29:02 sdclientlib.dll sdclient.cpp(2077) RunPackageInstall: stop on returncode=8db50001 of package=MyNameIs - Default Local System

                  VRBOSE Fri, 02 Jun 2017 15:29:02 sdclientlib.dll sdclient.cpp(1794) Clearing the active task id

                  LOG Fri, 02 Jun 2017 15:29:02 sdclientlib.dll sdclient.cpp(1804) processing of package is complete, result -1917517823 (0x8db50001 - code 1)

                   

                  Things to note

                  • "Kayolingaz" is the name of my Win 10 device, so hence the user context is correct as "KAYOLINGAZ$" in this case.
                  • The Batch "fails" on account of failing to query the registry value (because it doesn't exist for HKLM). The non-0 return code could be fixed up ... but I figured I'd keep it in there as a sensible "watch out" lesson.

                   

                  Now - on to running as a forced different user context (AdminBob) - which fails for the same reason (key doesn't exist because I never logged on to that device as AdminBob):

                  LOG Fri, 02 Jun 2017 15:52:17 sdclientlib.dll sdistbat_api.h(92)
                  LOG Fri, 02 Jun 2017 15:52:17 sdclientlib.dll batchfilehandler.cpp(196) Bat file output :

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>call "MyNameIs.bat" 

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>ECHO Running MYNAMEIS!

                  Running MYNAMEIS!

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>ECHO I am running as == AdminBob

                  I am running as == AdminBob

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>ECHO Setting Variables...

                  Setting Variables...

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>ECHO Running Registry Query!

                  Running Registry Query!

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>reg query "HKCU\Environment" /v OneDrive

                   

                   

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>"C:\Program Files (x86)\LANDesk\LDClient\sdistbat.exe" /setbatchstatus=1

                   

                  LOG Fri, 02 Jun 2017 15:52:17 sdclientlib.dll sdclient.cpp(2942) Installation result 8DB50001
                  LOG Fri, 02 Jun 2017 15:52:17 sdclientlib.dll sdclient.cpp(2077) RunPackageInstall: stop on returncode=8db50001 of package=MyNameIs - As ADMINBOB

                  VRBOSE Fri, 02 Jun 2017 15:52:17 sdclientlib.dll sdclient.cpp(1794) Clearing the active task id

                  LOG Fri, 02 Jun 2017 15:52:17 sdclientlib.dll sdclient.cpp(1804) processing of package is complete, result -1917517823 (0x8db50001 - code 1)

                   

                   

                   

                   

                   

                   

                  ... and finally (and looking very similar) - running the batch as the logged on user (AdminBill) - which succeeds:

                  LOG Fri, 02 Jun 2017 15:39:41 sdclientlib.dll sdistbat_api.h(92)
                  LOG Fri, 02 Jun 2017 15:39:41 sdclientlib.dll batchfilehandler.cpp(196) Bat file output :

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>call "MyNameIs.bat" 

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>ECHO Running MYNAMEIS!

                  Running MYNAMEIS!

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>ECHO I am running as == AdminBill

                  I am running as == AdminBill

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>ECHO Setting Variables...

                  Setting Variables...

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>ECHO Running Registry Query!

                  Running Registry Query!

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>reg query "HKCU\Environment" /v OneDrive

                   

                  HKEY_CURRENT_USER\Environment

                      OneDrive    REG_SZ    C:\Users\AdminBill\OneDrive

                   

                   

                  C:\Program Files (x86)\LANDesk\LDClient\sdmcache\ldlogon\xx\Packages>"C:\Program Files (x86)\LANDesk\LDClient\sdistbat.exe" /setbatchstatus=0

                   

                  LOG Fri, 02 Jun 2017 15:39:41 sdclientlib.dll sdclient.cpp(2942) Installation result DB50000
                  LOG Fri, 02 Jun 2017 15:39:41 sdclientlib.dll reboothandler.cpp(31) Rebooting system if needed

                  VRBOSE Fri, 02 Jun 2017 15:39:44 sdclientlib.dll sdclient.cpp(1794) Clearing the active task id

                  LOG Fri, 02 Jun 2017 15:39:44 sdclientlib.dll sdclient.cpp(1804) processing of package is complete, result 229965824 (0x0db50000 - code 0)

                   

                   

                   

                  This particular batch succeeds in the last 2 cases, since we actually have a registry value to return!

                   

                  ===============

                   

                  So - in principle "stuff works fine" then. The error you've got, I've not run into myself, but I'm wondering whether you've not authorised the clients under client security perhaps? Check here on the Core:

                   

                  And then check potentially both allowed & blocked devices:

                   

                  ... that'd (logically) make sense to me as being a potential problem, based on your error message about the cert.

                   

                  If it's NOT that, talk to support (and you can get SU3 from them, which is an update post 2016.3) which is what I've used to test with.

                   

                  The purpose of the simple batch test is to have something fail / succeed under controllable circumstances (and you may want to change the registry path / key being tested based on your own expected results).

                   

                  So yeah - check the client cert approvals. (Note that I *AM* running in an "auto-approve" state because that's screenshots from my controlled lab!)

                   

                  Hope that helps?

                  1 of 1 people found this helpful
                  • 6. Re: Unable to deploy software when selecting "Run as a specified user"
                    JStevenson Apprentice

                    This was extremely helpful, thank you. I have managed to resolve the issue.

                     

                    We have always had the "Automatically approve new certificates" ticked so we never really needed to pay much mind to the client certificates tab but I was having a look in here since your suggestion and I discovered a lot of devices I knew to be recently imaged did not have entries. Now I thought it was a standard process during imaging or during agent deployment for devices to register in here. I guess not - There is still something fishy going on which I'll have to dig deeper.

                     

                    I did some testing. I located the certificate for my test device and deleted it - It was an old certificate no longer valid. I then ran the Brokerconfig.exe on my test device as per instructions found here. https://community.ivanti.com/docs/DOC-35476

                     

                    Within moments, my test device had a new certificate showing. I then scheduled my test package and boom, it worked.

                     

                    I tested this on a few other devices and yep it works.

                     

                    I'm not sure why we have devices with no entries in here but I have since discovered the "Create Management Gateway Client Certificate" script and have been deploying that to test groups. Everything coming back positive.

                     

                    I am going to add a step into our provisioning templates to make sure the brokerconfig.exe is run post deployment so hopefully we won't see this again.