10 Replies Latest reply on Aug 8, 2018 3:08 AM by phoffmann

    Network access is denied on distribution task

    GabrielV Rookie

      I'm in the process of creating a template model for our Win 10 deployment.

      During the process, the HII task is failing in the Post-OS instalation and i have it running in the System configuration again when is running ok. But is not assigning the correct video drivers on the Hewlett-Packard machines. on the HP is working ok.

      Because of this issue, i created an distribution package to install video driver at the end of the process.

      The package has been set using UNC and http:// path. In both cases I get "Network access is denied", return code 65.

       

      Task using http:// path

       

      Thu, 02 Aug 2018 15:08:19 ******* sdclient starting to process task *******

      Thu, 02 Aug 2018 15:08:19 Task id to process: 494

      Thu, 02 Aug 2018 15:08:19 Command line: /policyfile="C:\ProgramData\LANDesk\Policies\CP.494.RunNow._2E4ApcVVHvAcPaL0haHnEwpEvW4=.xml"

      Thu, 02 Aug 2018 15:08:19 The nostatus flag has NOT been set.

      Thu, 02 Aug 2018 15:08:19 Core name 'xxxxx.xxxxxxxx' obtained from the registry

      Thu, 02 Aug 2018 15:08:19 Sending task status, cmd line -coreandip=xxxxx.xxxxxxxx -taskid=494 -retcode=229392442 -pkgid=210

      Thu, 02 Aug 2018 15:08:20 File ( http://corename/apps/HP820G1/Display Driver/igxpin.exe) is cached locally

      Thu, 02 Aug 2018 15:08:20 The nostatus flag has NOT been set.

      Thu, 02 Aug 2018 15:08:20 Core name 'xxxxx.xxxxxxxx' obtained from the registry

      Thu, 02 Aug 2018 15:08:20 Sending task status, cmd line -coreandip=xxxxx.xxxxxxxx -taskid=494 -retcode=229392444 -pkgid=210

      Thu, 02 Aug 2018 15:08:21 About to call DownloadFiles (1 files) with these settings:

      Thu, 02 Aug 2018 15:08:21 m_allowedBandwidthWAN: 25

      Thu, 02 Aug 2018 15:08:21 m_allowedBandwidthLAN: 75

      Thu, 02 Aug 2018 15:08:21 m_discardPeriodSeconds: 604800

      Thu, 02 Aug 2018 15:08:21 m_preserveDirectoryStructure: 1

      Thu, 02 Aug 2018 15:08:21 m_bUseWanBWForPush: 0

      Thu, 02 Aug 2018 15:08:21 m_bSynchronize: 0

      Thu, 02 Aug 2018 15:08:21 Allowed download methods(m_downloadControl):

      Thu, 02 Aug 2018 15:08:21 PeerOneSource

      Thu, 02 Aug 2018 15:08:21 Peer

      Thu, 02 Aug 2018 15:08:21 Source

      Thu, 02 Aug 2018 15:08:21 m_preferredServerControl: AttemptPreferredServer

      Thu, 02 Aug 2018 15:08:23 The nostatus flag has NOT been set.

      Thu, 02 Aug 2018 15:08:23 Core name 'xxxxx.xxxxxxxx' obtained from the registry

      Thu, 02 Aug 2018 15:08:23 Sending task status, cmd line -coreandip=xxxxx.xxxxxxxx -taskid=494 -retcode=229392444 "-message=100%" -pkgid=210

      Thu, 02 Aug 2018 15:08:23 The nostatus flag has NOT been set.

      Thu, 02 Aug 2018 15:08:23 Core name 'xxxxx.xxxxxxxx' obtained from the registry

      Thu, 02 Aug 2018 15:08:23 Sending task status, cmd line -coreandip=xxxxx.xxxxxxxx -taskid=494 -retcode=229392258 -pkgid=210

      Thu, 02 Aug 2018 15:08:24 ExpandEnvironmentVariables Result: -s -nowinsat -overwrite

      Thu, 02 Aug 2018 15:08:24 LSWD or Executable Client Thread

      Thu, 02 Aug 2018 15:08:24 PackagePath: [http://corename/apps/HP 820G1/Display Driver/igxpin.exe]

      Thu, 02 Aug 2018 15:08:24 Processing generic executable

      Thu, 02 Aug 2018 15:08:24 Launched application 'C:\Program Files (x86)\LANDesk\LDClient\sdmcache\apps\HP 820G1\Display Driver\igxpin.exe' ('-s -nowinsat -overwrite') result 65

      Thu, 02 Aug 2018 15:08:24 Installation result 8DB50041

      Thu, 02 Aug 2018 15:08:24 RunPackageInstall: stop on returncode=8db50041 of package=Intel Video Driver

      Thu, 02 Aug 2018 15:08:24 processing of package is complete, result -1917517759 (0x8db50041 - code 65)

       

       

      Task using UNC path:

       

      Thu, 02 Aug 2018 15:21:45 ******* sdclient starting to process task *******

      Thu, 02 Aug 2018 15:21:45 Task id to process: 495

      Thu, 02 Aug 2018 15:21:45 Command line: /policyfile="C:\ProgramData\LANDesk\Policies\CP.495.RunNow._4xfM8LdpasYrLU2eo2XnczzTQTU=.xml"

      Thu, 02 Aug 2018 15:21:45 The nostatus flag has NOT been set.

      Thu, 02 Aug 2018 15:21:45 Core name 'xxxxx.xxxxxxxx' obtained from the registry

      Thu, 02 Aug 2018 15:21:45 Sending task status, cmd line -coreandip=xxxxx.xxxxxxxx -taskid=495 -retcode=229392442 -pkgid=210

      Thu, 02 Aug 2018 15:21:46 File (\\xxxxxxxx\apps\HP 820G1\Display Driver\igxpin.exe) is cached locally

      Thu, 02 Aug 2018 15:21:46 The nostatus flag has NOT been set.

      Thu, 02 Aug 2018 15:21:46 Core name 'xxxxx.xxxxxxxx' obtained from the registry

      Thu, 02 Aug 2018 15:21:46 Sending task status, cmd line -coreandip=xxxxx.xxxxxxxx -taskid=495 -retcode=229392444 -pkgid=210

      Thu, 02 Aug 2018 15:21:46 About to call DownloadFiles (1 files) with these settings:

      Thu, 02 Aug 2018 15:21:46 m_allowedBandwidthWAN: 25

      Thu, 02 Aug 2018 15:21:46 m_allowedBandwidthLAN: 75

      Thu, 02 Aug 2018 15:21:46 m_discardPeriodSeconds: 604800

      Thu, 02 Aug 2018 15:21:46 m_preserveDirectoryStructure: 1

      Thu, 02 Aug 2018 15:21:46 m_bUseWanBWForPush: 0

      Thu, 02 Aug 2018 15:21:46 m_bSynchronize: 0

      Thu, 02 Aug 2018 15:21:46 Allowed download methods(m_downloadControl):

      Thu, 02 Aug 2018 15:21:46 PeerOneSource

      Thu, 02 Aug 2018 15:21:46 Peer

      Thu, 02 Aug 2018 15:21:46 Source

      Thu, 02 Aug 2018 15:21:46 m_preferredServerControl: AttemptPreferredServer

      Thu, 02 Aug 2018 15:21:48 The nostatus flag has NOT been set.

      Thu, 02 Aug 2018 15:21:48 Core name 'xxxxx.xxxxxxxx' obtained from the registry

      Thu, 02 Aug 2018 15:21:48 Sending task status, cmd line -coreandip=xxxxx.xxxxxxxx -taskid=495 -retcode=229392444 "-message=100%" -pkgid=210

      Thu, 02 Aug 2018 15:21:49 The nostatus flag has NOT been set.

      Thu, 02 Aug 2018 15:21:49 Core name 'xxxxx.xxxxxxxx' obtained from the registry

      Thu, 02 Aug 2018 15:21:49 Sending task status, cmd line -coreandip=xxxxx.xxxxxxxx -taskid=495 -retcode=229392258 -pkgid=210

      Thu, 02 Aug 2018 15:21:50 ExpandEnvironmentVariables Result: -s -nowinsat -overwrite

      Thu, 02 Aug 2018 15:21:50 LSWD or Executable Client Thread

      Thu, 02 Aug 2018 15:21:50 PackagePath: [\\corename\apps\HP 820G1\Display Driver\igxpin.exe]

      Thu, 02 Aug 2018 15:21:50 Processing generic executable

      Thu, 02 Aug 2018 15:21:50 Launched application 'C:\Program Files (x86)\LANDesk\LDClient\sdmcache\apps\HP 820G1\Display Driver\igxpin.exe' ('-s -nowinsat -overwrite') result 65

      Thu, 02 Aug 2018 15:21:50 Installation result 8DB50041

      Thu, 02 Aug 2018 15:21:50 RunPackageInstall: stop on returncode=8db50041 of package=Intel Video Driver

      Thu, 02 Aug 2018 15:21:50 processing of package is complete, result -1917517759 (0x8db50041 - code 65)

       

       

      Core name and domain name have been removed form attached logs before posting here.

       

      We are using Endpoint Manager v2017.3.2

       

      Any bit of extra info would be much appriciated.

      Thank you

        • 1. Re: Network access is denied on distribution task
          phoffmann SupportEmployee

          Not a "technical reply" - just something I noticed, since I can't edit your post for some reason.

           

          You left an instance of a full / legitimate network path / server name in the log-extract. I'd suggest editing / changing it... it's here (in the HTTP-log):

           

          Thu, 02 Aug 2018 15:08:19 Sending task status, cmd line -coreandip=xxxxx.xxxxxxxx -taskid=494 -retcode=229392442 -pkgid=210

          Thu, 02 Aug 2018 15:08:20 ... HERE ...

          (...)

          Ah - and there's a 2nd one (UNC log):

           

          Thu, 02 Aug 2018 15:21:45 Sending task status, cmd line -coreandip=xxxxx.xxxxxxxx -taskid=495 -retcode=229392442 -pkgid=210

          Thu, 02 Aug 2018 15:21:46 File (HERE) is cached locally

          (...)

          • 2. Re: Network access is denied on distribution task
            phoffmann SupportEmployee

            Couple of things in scatter-shot fashion

             

            1. Is your HTTP share properly set up / configured (i.e. "not an application")? See here for a starting point:
              1. How to set up an HTTP share for a Preferred Package Share

             

            • Generally, use FQDN's rather than shortnames (noticed your UNC example has a shortname path, whereas your HTTP example has an FQDN).
            • Begin with HTTP. UNC tends to require authentication which can cause complications (especially with cross-domain things) ... you may be better of configuring / using preferred servers for such setups, as you can specify credentials to access shares with.

              This may help:

             

            ... with HTTP, you can also check the IIS-logs on the relevant package server. Questions essentially amount to:

            • Do you see ANYTHING from "client-IP" in the first place (if not, chances are you have DNS issues).
            • What does the error code mean (could be bad MIME type configuraiton, or it's trying to EXECUTE the file, rather than download it because it's set up as a www-service/site rather than a package share).

              ... and go from there. UNC is a lot more painful to troubleshoot, so I'd suggest looking at HTTP-based stuff first (at least you have vaguely truthful & sometimes helpful IIS logs) .
            • Watch out - IIS logs are *NOT* being written to in real-time ... so you might have to wait a few seconds (/minutes, in some cases) until Windows feels like writing out the next block of log entries...
            • Watch out #2 - IIS logs (by default) are logged in GMT ... so be mindful of that & calculate up to your actual timezone (this is for consistency if you have IIS-servers across the world).

             

            ... finally, you can enable additional debug-logging (could have useful info in it) about the download side of things by following the steps here -- How to enable Xtrace Diagnostic Logging -- ... you should get the relevant log entries added to your SDCLIENT-log, that may help you out with a bit of a clearer picture.

             

            And some last minute additions:

            • 3. Re: Network access is denied on distribution task
              GabrielV Rookie

              Hi phoffmann,

              Thank you very much for pointing the missed network path.

               

              Regarding the http:// path, 99% of the time, I'm using http:// path, because i noticed is more stable than UNC. All the system accounts we are using for distribution tasks and replication are defined as: domainname/username.

               

              The core server is defined using FQDN.

              The machine I'm trying to deploy the video driver is not joined to the domain.

              I had zero issues in the past deploying diffrent packages on non joined machines, especialy the one I'm trying to dpeloy the video driver.

               

              It could be something related to this specific package or switches that I'm using ?

               

              Aplogies for asking, but I'm trying to understand why keeping same settings and same machine, all the packages are working except this one ?

              I managed only once to deploy it successfuly, after I included in the OS deployment template and is failing.

              After this, I triyed to deploy it as separate task and is keep failing.

              • 4. Re: Network access is denied on distribution task
                phoffmann SupportEmployee

                Nothing wrong with asking for clarification.

                 

                "In principle" -- if it works on a machine (domained or not), it should work on any other machine too ... unless it has to interact with domain-y stuff / network-y stuff that could cause the install to fail.

                 

                So for instance if we'd run "setup.exe -server SomeDomainServer" and your non-domained device either couldn't resolve or authenticate to "SomeDomainServer" then yes - that'd explain why things are going awry. By that same token though, you SHOULD be able to duplicate this "failing install" when running it by hand.

                 

                The files should all still be present on the non-domained device (under "(...)\LDCLIENT\SDMCACHE\(... path of your server shares)\" ) ... so you should have "problems with the install itself" rather than "problesm accessing the files" (especially over HTTP), shy of having DNS issues (in which case, try replacing the server-name with an IP-address).

                 

                If you're having issues with actually downloading / grabbing the files from the client ... run Wireshark (on both ends - the client & the server) ... there's various "fun" situations where network traffic can get swallowed up somewhere (often with "allegedly helpful" things like Web Caching appliances who often cause havoc with software dist stuff) .

                 

                So - you're doing this during the provisioning stage? You MAY find that what your actual problem is, is something along the lines of "needing a reboot" or so (or some other Windows-process doing "things" in the background) -- if so, you may find that something as simple as adding a "5 minute wait" or "reboot + wait" to "get the device settled" might be the trick.

                 

                Drivers can require some weird voodoo at times... (and they SHOULDN'T ... in this day & age ... *grmbl*).

                • 5. Re: Network access is denied on distribution task
                  GabrielV Rookie

                  I checked the LDCLIENT\SDMCACHE\APPS on the client side and the package is present, so the downloading part is working. Also deployed the task via Portal manager and is downloading ok.

                  The task has been set (in all tests) for Download and execute.(same as all the other packages).

                  As you suggested, I replaced the server name with IP address and is the same behaiviour.

                  All the packages are using a system account that has admin rights on all machines and for testing, I changed this setting to use local user and prompt if user does not have sufficient rights. It promped but still failing.

                  As good practice, I'm always test the packages to make sure they are running ok, before I add them in the OS deployment template.

                   

                  From what you advised me and what I tried, I think I narrow down the issue.

                  I seems that on this specific non joined domain machine, the service account (domain_name\system_account) does not work.

                  Even if on the machine, the user account is defined as administrator, does not have rights to install software.

                  I enabled the local Administrator account and changed in the distribution package to use this account.

                  First time I got "Failed to install package" and when I tryed again, I'm still getting "Network Access is Denied".

                  Whatever I try I'm keep getting same consistent message. I presume is a permission issue.

                  • 6. Re: Network access is denied on distribution task
                    phoffmann SupportEmployee

                    ... the local system account "doesn't work" ...?

                     

                    Huh - well that's a new one.

                     

                    You MIGHT get a bit more "what's REALLY happening" if you run a PROCMON of the install ... but yeah, that sounds like a messed up box ... (never heard that one before, so - interesting!).

                     

                    Good investigative work on your side!

                    • 7. Re: Network access is denied on distribution task
                      GabrielV Rookie

                      I had big issues from day 1 with this new tool.

                      As a small background, our infrastructure is heavily locked down due the nature of the business. So usual settings they do not always work in our scenario.

                      Sometimes I have same package that was working for 3-4 month, suddenly does not like the UNC path and it works with http:// path.

                      For this reason, the core server is defined as preferred server 3 times, UNC, HTTP, and FDQN. This setup actually managed the OS deployment issues.

                      What is the most interesting thing is that I have a "old ish" package that was working on non joined domain and now the same package does not working anymore.

                      I'm running out of ideas.

                       

                      never used PROCMON, can you please detail how can i add it in to the distribution package ?

                      • 8. Re: Network access is denied on distribution task
                        phoffmann SupportEmployee

                        As a hint - you shouldn't need HTTP & UNC things separately - we do that automatically (unless you need it for credential-based access).

                         

                        If we fail at accessing an HTTP-based path, we (automatically) try to access the same path as UNC (and vice-versa) ... we've done this HTTP <=> UNC auto-failover for a few versions / years now, as a quality-of-life improvement to folks.

                         

                        I empathise with your situation - locked down environments can lead to all kinds of "fun" artefacts to find out (hint - make sure you're good friends with the networking people, at least that'll spare you SOME surprises in my experience) .

                         

                        As for how to use PROCMON, a good gentleman has detailed its use here:

                        - Understanding Process Monitor

                        - Using Process Monitor to capture system events

                         

                        A few other useful articles (on our site alone, you can find LOADS of stuff on PROCMON & how to use it with a bit of google-fu):

                        - Using ProcMon to View What User a Process/Program Is Running Under

                        - How to configure a Process Monitor trace with  2 provisioining actions in a template

                         

                        for instance.

                        • 9. Re: Network access is denied on distribution task
                          GabrielV Rookie

                          Thanks for your reply.

                          As a quick update, most our packages are msi and few of them are .exe, but all of them have a vb script that is pulling out the install information and write a small log file to confirm that the package was installed correctly.

                          It seems that any distribution package built with Ivanti, does not deploy on non domain joined machine for whatever reason, but if I try to deploy the vbs wrapper the new error is "Sdclient.exe or the installation program was terminated at the client. Return code 1." if the task is set to download and execute and "The system cannot find the file specified" if I set to "Execute from share".

                          • 10. Re: Network access is denied on distribution task
                            phoffmann SupportEmployee

                            OK - so you'll want to troubleshoot the downloading stage.

                             

                            It shouldn't be permissions, since we are (/should be) installed as LOCAL SYSTEM and "don't overly care" about domain vs non-domain since we do cert-based authentication ... but "domain vs non-domain" *DOES* enter the equation when trying to access shares (though HTTP shouldn't be an issue), but CAN be DNS as well.

                             

                            So you may end up wanting to Wireshark things to see "where things go" (also, fun things like "web caching appliances" tend to cause a lot of issues with software dist related activities, so you may want to check if those are in use).

                             

                            Here's a few articles that'll help you with that (the "troubleshooting downloading section"):

                             

                            A "basic" approach would be enabling the debug-logging on both a "functioning" vs "non-functioning" client, and then comparing the two "where things start differeing  / going wrong".

                             

                            Also, do check on the HTTP-server side, in IIS - whether the "non-functioning" client actually DOES try to access that share at all (in the IIS log). You'd need to check it by IP-address. That's not MUCH of an indicator, but at least it'll show you that "yeah, at least it resolves to the right place & tries to access the right thing). There MAY be some useful HTTP-based error (say - 404 or 503) but "I doubt it" since it should just be a package share.