Client Connection Account Lockout

By ServerWatch Staff
Posted Jun 20, 2000


by Dana Daugherty

Client Connection Account Lockout -- I know there has been quite a lot of information available on this issue. In this article, I have attempted to compile information from a few Q articles and my own experience with this problem. Also, in the Solution section there is a plan for rotating connection accounts that might just help to prevent this problem from reoccurring in your SMS implementation.

In this article, Dana Daugherty has compiled information from various Microsoft Knowledgebase articles and his own experience with the issue of Client Connection Account Lockouts to offer a solution that just might help to prevent the problem from occurring in your SMS implementation.

Windows NT/2K workstations rely on the Client Connection Account to access the Client Access Point (CAP). They need this account because the SMS client runs in a different user context from the logged-on user. The default account, created automatically when the site is installed, is SMSClient_xxx (where xxx is the site code). It has no special rights beyond Domain User privileges, and by default the "account never expires" check box is selected for it in User Manager for Domains. In the SMS Site Hierarchy \ xxx \ Connection Accounts \ Client group you should see this account, SMSClient_xxx.

The Problem

If all NT/2K machines at a particular site show the following symptoms, they are most likely experiencing a client connection account lockout: they don't receive current data on the Sites tab of Systems Management after clicking Update Configuration; they don't receive SMS Advertised Programs; and they eventually disappear from the site after 60 days unless travel mode is turned on. Lines similar to the following will appear in the client's CCIM32.log file:

Warning - could not read files from site TB1 (#2147942405) $$<CCIM32><Tue Jan 04 15:19:23.375 2000><thread=112 (0x70)>
Warning - CNALPathEx::GetAccessiblePath returned error 2147942405 $$<CCIM32><Tue Jan 04 15:19:28.613 2000><thread=112 (0x70)>
CClientSiteCfgArray - Can't get accessible path for site TB1 config info $$<CCIM32><Tue Jan 04 15:19:28.623 2000><thread=112 (0x70)>
CCIM32 - Retry in 60 minutes $$<CCIM32><Tue Jan 04 15:19:28.663 2000><thread=112 (0x70)>

and

Client will be considered an orphan after 2001/07/30 10:17.56 $$<CliEx32.dll><Mon Jun 04 19:48:31.422 2001><thread=189 (0xBD)>

The above would be a description of an orphaned SMS client. 
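As an added example (not from the original article), the following Python checks a CCIM32.log excerpt for the pattern above: it parses the SMS log line layout, decodes the decimal HRESULT 2147942405 quoted in the log (0x80070005, which wraps Win32 error 5, ERROR_ACCESS_DENIED) and flags the combination of access denied plus "Can't get accessible path". The sample lines are constructed from those quoted above; the function and pattern names are my own.

```python
import re
from datetime import datetime

# CCIM32.log excerpt, constructed for this example from the lines quoted in the article.
SAMPLE_LOG = """\
Warning - could not read files from site TB1 (#2147942405) $$<CCIM32><Tue Jan 04 15:19:23.375 2000><thread=112 (0x70)>
Warning - CNALPathEx::GetAccessiblePath returned error 2147942405 $$<CCIM32><Tue Jan 04 15:19:28.613 2000><thread=112 (0x70)>
CClientSiteCfgArray - Can't get accessible path for site TB1 config info $$<CCIM32><Tue Jan 04 15:19:28.623 2000><thread=112 (0x70)>
CCIM32 - Retry in 60 minutes $$<CCIM32><Tue Jan 04 15:19:28.663 2000><thread=112 (0x70)>
"""

# SMS log line layout: "<message> $$<component><timestamp><thread=N (0xN)>"
LINE_RE = re.compile(r"^(?P<msg>.*?) \$\$<(?P<comp>[^>]+)><(?P<ts>[^>]+)><thread=(?P<thread>\d+)")
DECIMAL_HRESULT_RE = re.compile(r"(?<!\d)(\d{10})(?!\d)")  # e.g. 2147942405
FACILITY_WIN32 = 7        # HRESULT facility for wrapped Win32 errors (0x8007xxxx)
ERROR_ACCESS_DENIED = 5   # Win32 error behind the HRESULT quoted in the article

def parse_line(line):
    """Split one SMS log line into message, component, timestamp and thread id."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return {"msg": m["msg"], "component": m["comp"], "time": when, "thread": int(m["thread"])}

def win32_code(hresult):
    """Return the Win32 error carried in a FACILITY_WIN32 HRESULT, else None."""
    if (hresult >> 16) & 0x7FF != FACILITY_WIN32:
        return None
    return hresult & 0xFFFF

def access_denied_events(log_text):
    """Records for every line whose HRESULT decodes to ERROR_ACCESS_DENIED."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        codes = {win32_code(int(n)) for n in DECIMAL_HRESULT_RE.findall(rec["msg"])}
        if ERROR_ACCESS_DENIED in codes:
            hits.append(rec)
    return hits

def suspect_connection_account_lockout(log_text):
    """The article's signature: access denied reading the CAP, then no accessible path for the site."""
    denied = access_denied_events(log_text)
    no_path = any("Can't get accessible path" in l for l in log_text.splitlines())
    return bool(denied) and no_path
```

A single access-denied line is not conclusive on its own (a missing share permission looks the same), so the check requires both halves of the pattern before raising a flag.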

The Cause

This condition occurs for many different reasons, including: 

  • When a site is rebuilt (for example, you install a new site to replace a failed site).
  • When a site is restored from backup.
  • When the SMSClient_xxx account password is changed.
  • When the SMSClient_xxx account is deleted.

This scenario illustrates the third bullet above. There is only one client connection account for the site. Joe Blow shuts his workstation down before leaving for a much-needed vacation. While he is gone, the client connection account password is changed. Joe Blow returns from Tahiti, turns his machine on, and the SMS client attempts to connect to its CAP with the old password. After enough failed attempts the account is locked out, and no NT/2K client can contact the CAP or receive an Advertised Program.

The other causes listed above also change the account or its password in some way, with the same result -- a locked-out account.

Domains with more restrictive NT Security Policies will most likely experience client account lockouts more often.  

 

The Solution

If the client connection account for one of your sites is locked out do the following:

Add 2 new accounts to the domain; let's call them SMSClient_xxx001 and SMSClient_xxx002. In the SMS Site Hierarchy \ xxx \ Connection Accounts \ Client group, add the new accounts and their passwords exactly as you entered them in User Manager for Domains. On the next 23-hour Client Configuration Installation Manager (CCIM) cycle the clients will pick up the new accounts and connect again. To test and/or speed up the process, run SMSLS.bat or start CCIM manually with the Update Configuration button on the Systems Management \ Sites tab.

The action to take to prevent this from reoccurring depends on its cause and on your NT security account policies. All sites should have 3 client connection accounts, using a naming convention such as SMSClient_xxx001. This lets you perform maintenance on one account, if necessary, without causing further trouble. For example, in the situation above Joe Blow's machine is shut down and you need to change a password because of NT account policies. You can change the password on 1 account and still have 2 valid accounts available. This should solve the problem for most SMS implementations.

For domains with password restriction policies, especially a Maximum Password Age, you may need to develop an account rotation plan. Suppose SMSClient_xxx001, SMSClient_xxx002 and SMSClient_xxx003 are valid accounts on your domain, each created 2 weeks apart. Add SMSClient_xxx004 a few days before SMSClient_xxx001 expires, then delete SMSClient_xxx001. Don't forget to add the new account to the SMS Site Hierarchy \ xxx \ Connection Accounts \ Client group. You will always have 3 valid accounts on your domain. This is a bit of a pain but it's better than the alternative <grin> -- orphaned workstations.
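To see the rotation plan's arithmetic, here is an added Python simulation (not part of the original article) that schedules the add and delete steps day by day and checks that the domain never drops below 3 valid connection accounts. The 42-day Maximum Password Age, the 3-day lead time and the TB1 site code are assumed values for the example; account names follow the article's SMSClient_xxx001 convention.

```python
from datetime import date, timedelta

# Constructed parameters for this example: an NT Maximum Password Age of 42 days,
# the article's two-week stagger between accounts, and a three-day lead time for
# adding the replacement account before the oldest one expires.
MAX_PASSWORD_AGE = 42
STAGGER_DAYS = 14
LEAD_DAYS = 3
ACCOUNTS_TO_KEEP = 3

def account_name(site_code, n):
    """Naming convention from the article: SMSClient_xxx001, SMSClient_xxx002, ..."""
    return f"SMSClient_{site_code}{n:03d}"

def plan_rotation(site_code, start, horizon_days, max_age=MAX_PASSWORD_AGE,
                  stagger=STAGGER_DAYS, lead=LEAD_DAYS, keep=ACCOUNTS_TO_KEEP):
    """Simulate the rotation plan from `start`, assuming `keep` accounts already
    exist, created `stagger` days apart with the newest created on `start`.
    Returns (events, min_valid): dated add/delete actions and the fewest
    unexpired connection accounts present on any day in the horizon."""
    active = {}  # account name -> date its password reaches max_age
    for i in range(keep):
        created = start - timedelta(days=(keep - 1 - i) * stagger)
        active[account_name(site_code, i + 1)] = created + timedelta(days=max_age)
    counter = keep
    events, min_valid = [], keep
    for offset in range(horizon_days):
        today = start + timedelta(days=offset)
        oldest = min(active, key=active.get)
        # Add the replacement a few days before the oldest account expires.
        if active[oldest] <= today + timedelta(days=lead) and len(active) <= keep:
            counter += 1
            name = account_name(site_code, counter)
            active[name] = today + timedelta(days=max_age)
            events.append((today, "add", name))
        # Then retire accounts whose password age has been reached.
        for name in [n for n, exp in active.items() if exp <= today]:
            del active[name]
            events.append((today, "delete", name))
        min_valid = min(min_valid, len(active))
    return events, min_valid

if __name__ == "__main__":
    events, worst = plan_rotation("TB1", date(2000, 6, 20), horizon_days=180)
    for day, action, name in events:
        print(day, action.ljust(6), name)
    print("fewest valid accounts on any day:", worst)
```

Each "add" line is a reminder to create the account in User Manager for Domains and in the SMS Connection Accounts \ Client group the same day; each "delete" line is safe only because its replacement was added first.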

 

More Information

For more information on the Client Account Lockout issue or orphaned SMS clients, please take a look at the following TechNet articles from Microsoft:

http://support.microsoft.com/support/kb/articles/Q236/0/52.ASP

http://support.microsoft.com/support/kb/articles/Q237/7/59.ASP
