
Client Connection Account Lockout

by Dana Daugherty

Client Connection Account Lockout — I know there has been
quite a lot of information available on this issue. In this
article, I have attempted to compile information from a few Q
articles and my own experience with this problem. Also, in the
Solution section there is a plan for rotating connection
accounts that might just help to prevent this problem from
reoccurring in your SMS implementation.

In this article, Dana Daugherty has compiled information from various Microsoft Knowledgebase articles and his own experience with the issue of Client Connection Account Lockouts to offer a solution that just might help to prevent the problem from occurring in your SMS implementation.

Windows NT/2K workstations rely on the Client Connection
Account to access the Client Access Point (CAP). They need
this account because of the different user contexts involved.
The default account that is automatically created when the
site is installed is SMSClient_xxx (where xxx is the site
code). This account has no special rights apart from Domain
User privileges. By default the “account never expires” check
box is selected in User Manager for Domains. In the
SMS > Site Hierarchy > xxx > Connection Accounts > Client
group you should see this account, SMSClient_xxx.

The Problem

If all NT/2K machines at a particular site show the following
symptoms, they are most likely experiencing a client
connection account lockout: they don’t receive current data on
the Sites tab of Systems Management after pressing Update
Configuration; they don’t receive SMS Advertised Programs; and
they eventually disappear after 60 days unless travel mode is
turned on. Lines similar to the following will appear in the
client’s CCIM32.log file:

Warning - could not read files from site TB1 (#2147942405) $$
Warning - CNALPathEx::GetAccessiblePath returned error 2147942405 $$
CClientSiteCfgArray - Can't get accessible path for site TB1 config info $$
CCIM32 - Retry in 60 minutes $$

and

Client will be considered an orphan after 2001/07/30 10:17.56 $$

The lines above describe an orphaned SMS client.
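The CCIM32.log signature above can be checked mechanically. This Python example is added here and is not from the article or from SMS; it scans the quoted entries (embedded as a constructed sample), decodes the error number as HRESULT 0x80070005, which wraps the Win32 error ERROR_ACCESS_DENIED (5), and extracts the orphan deadline.

```python
import re
from datetime import datetime

# Constructed sample: the CCIM32.log entries quoted above, one entry per line.
SAMPLE_LOG = """\
Warning - could not read files from site TB1 (#2147942405) $$
Warning - CNALPathEx::GetAccessiblePath returned error 2147942405 $$
CClientSiteCfgArray - Can't get accessible path for site TB1 config info $$
CCIM32 - Retry in 60 minutes $$
Client will be considered an orphan after 2001/07/30 10:17.56 $$
"""

FACILITY_WIN32 = 7        # HRESULT facility used to wrap Win32 error codes
ERROR_ACCESS_DENIED = 5   # Win32 error carried by HRESULT 0x80070005 (= 2147942405 decimal)

ERR_RE = re.compile(r"(?:#|error )(\d{9,10})\b")
SITE_RE = re.compile(r"\bsite (\w{3})\b")
ORPHAN_RE = re.compile(r"orphan after (\d{4}/\d{2}/\d{2} \d{2}:\d{2}\.\d{2})")


def win32_error_from_hresult(code):
    """Return the Win32 error number wrapped in an HRESULT, or None if it is not one."""
    if code & 0x80000000 and ((code >> 16) & 0x7FF) == FACILITY_WIN32:
        return code & 0xFFFF
    return None


def analyze_ccim32_log(text):
    """Count CAP access-denied failures, note the site codes, and pull the orphan deadline."""
    denied = 0
    sites = set()
    orphan_after = None
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if m and win32_error_from_hresult(int(m.group(1))) == ERROR_ACCESS_DENIED:
            denied += 1
            s = SITE_RE.search(line)
            if s:
                sites.add(s.group(1))
        o = ORPHAN_RE.search(line)
        if o:
            # CCIM32 writes the orphan timestamp as yyyy/mm/dd hh:mm.ss
            orphan_after = datetime.strptime(o.group(1), "%Y/%m/%d %H:%M.%S")
    return {
        "access_denied": denied,
        "sites": sorted(sites),
        # Access denied on the CAP is the lockout symptom; confirm by checking that
        # every NT/2K client at the site shows it, not just one stale machine.
        "lockout_suspected": denied > 0,
        "orphan_after": orphan_after.strftime("%Y-%m-%d %H:%M:%S") if orphan_after else None,
    }
```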

The Cause

This condition occurs for many different reasons,
including: 

  • When a site is rebuilt (for example, you install a new
    site to replace a failed site).
  • When a site is restored from backup.
  • When the SMSClient_xxx account password is
    changed.
  • When the SMSClient_xxx account is deleted.

The following scenario illustrates the third bullet above. There
is only 1 client connection account for the site. Joe Blow shuts
his workstation down before leaving for a much-needed vacation.
While he is gone, the client connection account password is
changed. Joe Blow returns from Tahiti, turns his machine on, and
the SMS client attempts to connect to its CAP with the old
password. The account is locked out, and no NT/2K client can
contact the CAP or receive an Advertised Program.

Instances that fall under the other bullets listed above also
change the account or password in some way, giving the same
result — a locked-out account.

Domains with more restrictive NT security policies will most
likely experience client account lockouts more often.


The Solution

If the client connection account for one of your sites is
locked out, do the following:

Add 2 new accounts to the domain. Let’s call them
SMSClient_xxx001 and SMSClient_xxx002. In the
SMS > Site Hierarchy > xxx > Connection Accounts > Client group
you must add the new accounts and passwords, exactly as you did
in User Manager for Domains. On the next 23-hour Client
Configuration Installation Manager (CCIM) cycle the client will
be unlocked. To test and/or speed up the process, run SMSLS.bat
or manually run CCIM using the Update Configuration button on
the Systems Management Sites tab.

The action to take in order to prevent this from reoccurring
depends on its cause and your NT security account policies. All
sites should have 3 client connection accounts, using some
naming convention like SMSClient_xxx001. This will allow you to
perform maintenance, if necessary, without causing further
trouble. For example, in the situation above, Joe Blow’s machine
is shut down and you need to change a password due to NT account
policies. You can change the password on 1 account and still
have 2 valid accounts available. This should solve the problem
for most SMS implementations.

For domains with password restriction policies, especially
Maximum Password Age, you may need to develop an account
rotation plan. Suppose you have SMSClient_xxx001,
SMSClient_xxx002 and SMSClient_xxx003 as valid accounts on your
domain, each created 2 weeks apart. Add SMSClient_xxx004 a few
days prior to the expiration of SMSClient_xxx001, then delete
SMSClient_xxx001. Don’t forget to add the new account to the
SMS > Site Hierarchy > xxx > Connection Accounts > Client group.
You will always have 3 valid accounts on your domain. This is a
bit of a pain, but it’s better than the alternative — orphaned
workstations.
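The rotation plan above can be scheduled and checked rather than tracked by hand. This Python example is added here and is not the article's or SMS's own tooling; it assumes a 42-day Maximum Password Age (the NT default), a two-week stagger and a three-day lead as "a few days", and generalises to any age/stagger values: it emits dated add/delete actions and verifies that the domain never has fewer than three valid accounts once the initial three exist.

```python
from datetime import date, timedelta


def plan_rotation(start_iso, max_age_days, stagger_days=14, lead_days=3,
                  horizon_days=180, site="xxx"):
    """Dated add/delete actions keeping three valid accounts; dates are ISO strings.
    The initial three accounts are created stagger_days apart, as in the article."""
    start = date.fromisoformat(start_iso)
    end = start + timedelta(days=horizon_days)
    created = {}   # live account name -> creation (password set) date
    events = []    # (date, "add" | "delete", account name)
    seq = 0

    def add(day):
        nonlocal seq
        seq += 1
        name = "SMSClient_%s%03d" % (site, seq)   # naming convention from the article
        created[name] = day
        events.append((day, "add", name))

    for i in range(3):
        add(start + timedelta(days=i * stagger_days))
    while True:
        # the live account whose password expires soonest is the next to rotate
        expiry, oldest = min((c + timedelta(days=max_age_days), n) for n, c in created.items())
        if expiry > end:
            break
        add(expiry - timedelta(days=lead_days))   # replacement goes in a few days early
        del created[oldest]                        # then the expiring account is deleted
        events.append((expiry, "delete", oldest))
    return [(d.isoformat(), action, name) for d, action, name in sorted(events)]


def valid_accounts_on(day_iso, events, max_age_days):
    """Accounts usable on the given day: added, not deleted, password not past max age."""
    day = date.fromisoformat(day_iso)
    live = {}
    for d_iso, action, name in events:
        d = date.fromisoformat(d_iso)
        if d > day:
            break
        if action == "add":
            live[name] = d
        else:
            live.pop(name, None)
    return sorted(n for n, c in live.items() if (day - c).days < max_age_days)


def min_valid_count(events, start_iso, first_day, last_day, max_age_days):
    """Smallest number of valid accounts on any day first_day..last_day after the start."""
    start = date.fromisoformat(start_iso)
    return min(len(valid_accounts_on((start + timedelta(days=i)).isoformat(), events, max_age_days))
               for i in range(first_day, last_day + 1))
```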


More Information

For more information on the Client Account Lockout issue or
orphaned SMS clients, please take a look at the following
TechNet articles from Microsoft:

http://support.microsoft.com/support/kb/articles/Q236/0/52.ASP

http://support.microsoft.com/support/kb/articles/Q237/7/59.ASP
