KnowledgeBase Archive

An Archive of Early Microsoft KnowledgeBase Articles

View on GitHub

Q307434: SMS: SMSCliToknAcct& Lockout with Software Installation Account

Article: Q307434
Product(s): Microsoft Systems Management Server
Version(s): 2.0,2.0 SP1,2.0 SP2,2.0 SP3
Operating System(s): 
Keyword(s): kbsms200 kbsms200bug kbSoftwareDist
Last Modified: 06-AUG-2002

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Systems Management Server versions 2.0, 2.0 SP1, 2.0 SP2, 2.0 SP3 
-------------------------------------------------------------------------------

SYMPTOMS
========

If you use a Systems Management Server (SMS) 2.0 Software Installation account
to install packages on a Microsoft Windows 2000 Professional-based workstation,
the package may not run correctly and the domain SMSCliToknAcct& account may
become locked out. The Advertisement status shows an error for the advertised
program. The status message contains this text:

  An error occurred while preparing to run the program for advertisement
  "<XXXnnnnn>" ("<packagename>" - "<programname>"). The
  operating system reported error 1317. The specified user does not exist.

CAUSE
=====

The local workstation's SMSCliToknAcct& account credentials are being used
to request authentication for the specified Software Installation account. These
credentials are not valid for the domain account of the same name. If account
lockout is enabled, the account is locked out. If the account is locked out,
advertised programs that specify the Software Installation account do not run.
This problem is related to the symptoms that are described in the following
Microsoft Knowledge Base article:

  Q235205 SMS: Advertised Program Does Not Run with 10003 Status Message

This problem was corrected in SMS 2.0 Service Pack 3, but only in a Microsoft
Windows NT 4.0-based domain. This problem exhibits the same symptoms in a
Windows 2000 Active Directory-based environment, although the symptoms occur
under different circumstances. (See the "More Information" section for
additional details).

RESOLUTION
==========

A supported fix is now available from Microsoft, but it is only intended to
correct the problem that is described in this article. Only apply it to systems
that are experiencing this specific problem. This fix may receive additional
testing. Therefore, if you are not severely affected by this problem, Microsoft
recommends that you wait for the next SMS service pack that contains this fix.

To resolve this problem immediately, contact Microsoft Product Support Services
to obtain the fix. For a complete list of Microsoft Product Support Services
phone numbers and information about support costs, visit the following Microsoft
Web site:

  http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS

NOTE: In special cases, charges that are ordinarily incurred for support calls
may be canceled if a Microsoft Support Professional determines that a specific
update will resolve your problem. The usual support costs will apply to
additional support questions and issues that do not qualify for the specific
update in question.

The English version of this fix should have the following file attributes or
later:

  Date         Time   Version         Size     File name      Platform
  --------------------------------------------------------------------
  01-Mar-2001  19:20  2.00.92.09      394,970  Apasetup.exe   i386
  01-Mar-2001  19:20  2.00.1493.3192   77,168  Progrm32.dll   i386
  01-Mar-2001  18:55  2.00.1493.3187  288,624  Smsapm32.exe   i386
  01-Mar-2001  19:20                       67  Compversmsapm32.ini
  01-Mar-2001  19:20  2.00.92.09      656,115  Apasetup.exe   Alpha
  01-Mar-2001  19:20  2.00.1493.3192  128,272  Progrm32.dll   Alpha
  01-Mar-2001  18:55  2.00.1493.3187  385,296  Smsapm32.exe   Alpha
  01-Mar-2001  19:20                       67  Compversmsapm32.ini 

The English Service Pack 3 International Client Pack 1 (ICP1) version of this fix
should have the following file attributes or later:

  Date         Time   Version         Size     File name      Platform
  --------------------------------------------------------------------
  12-Apr-2001  19:20  2.00.92.09      394,971  Apasetup.exe   i386
  01-Mar-2001  19:20  2.00.1493.3192   77,168  Progrm32.dll   i386
  01-Mar-2001  18:55  2.00.1493.3187  288,624  Smsapm32.exe   i386
  12-Apr-2001  19:20                       67  Compversmsapm32.ini
  12-Apr-2001  19:20  2.00.92.09      656,123  Apasetup.exe   Alpha
  01-Mar-2001  19:20  2.00.1493.3192  128,272  Progrm32.dll   Alpha
  01-Mar-2001  18:55  2.00.1493.3187  385,296  Smsapm32.exe   Alpha
  12-Apr-2001  19:20                       67  Compversmsapm32.ini

The English Service Pack 3 ICP4 version of this fix should have the following
file attributes or later:

  Date         Time   Version         Size     File name      Platform
  --------------------------------------------------------------------
  14-Apr-2001  19:20  2.00.92.09      394,967  Apasetup.exe   i386
  01-Mar-2001  19:20  2.00.1493.3192   77,168  Progrm32.dll   i386
  01-Mar-2001  18:55  2.00.1493.3187  288,624  Smsapm32.exe   i386
  14-Apr-2001  19:20                       67  Compversmsapm32.ini
  14-Apr-2001  19:20  2.00.92.09      656,118  Apasetup.exe   Alpha
  01-Mar-2001  19:20  2.00.1493.3192  128,272  Progrm32.dll   Alpha
  01-Mar-2001  18:55  2.00.1493.3187  385,296  Smsapm32.exe   Alpha
  14-Apr-2001  19:20                       67  Compversmsapm32.ini

NOTE: Because of file dependencies, the most recent hotfix or feature that
contains the above files may also contain additional files.



STATUS
======

Microsoft has confirmed that this is a problem in the Microsoft products that
are listed at the beginning of this article. This problem was first corrected in
the Systems Management Server 2.0 Service Pack 4 Hotfix Rollup Package (HRP).

For additional information about the SMS 2.0 SP4 HRP, click the article number
below to view the article in the Microsoft Knowledge Base:

  Q323206 SMS: List of Bugs Fixed in the Systems Management Server 2.0 SP4 HRP

MORE INFORMATION
================

This problem occurs under the following conditions:

- Windows 2000 Active Directory is implemented.

- The Active Directory mode is either Mixed or Native.

- Multiple domain controllers exist in the software installation account's
  domain.

Smsapm32.exe performs the following actions up to and including the call to
NetUserGetLocalGroups, which causes this problem to occur:

- If the client is a workstation, a call is made to the Win32 NetGetAnyDcName
  function to return a domain controller in the domain in which the workstation
  has a machine account.

- A Network Abstraction Layer (NAL) connection that uses the SMS Client
  Connection account is made to the domain controller that is returned in the
  NetGetAnyDcName call. In a Windows NT 4.0-based domain, this works because
  the future call to NetUserGetLocalGroups also attempts to use this domain
  controller to enumerate the indirect groups.

- A call is made to the Win32 NetWkstaGetInfo funtion to return the domain in
  which the user is logged on.

- If the workstation account domain and the users account domain are the same,
  a call to the Win32 NetUserGetLocalGroups function is made.

- The NetUserGetLocalGroups function is then called, which is a backwardly
  compatible function in Windows 2000, which uses directory service calls to
  return the indirect groups from the domain. The function makes a call to
  DsGetAnyDcName to obtain a domain controller on which to make the indirect
  group enumeration. In certain circumstances, the domain controller that is
  returned from NetGetAnyDcName and the domain controller that is returned from
  DsGetAnyDcName can differ. If this occurs, and the user does not have a
  session to a domain controller returned from DsGetAnyDcName,
  NetUserGetLocalGroups attempts to create a session to this domain controller.
  The current logon credentials are used (SMSCliToknAcct&) at this point in
  the session setup attempt.

The hotfix that is described in this article changes the behavior of Smsapm32.exe
so that when a software installation account is specified, Advertised Programs
Manager (APM) switches the user context from the SMSCliToknAcct& account to
the software installation account before performing the calls that are listed
earlier in this article and while the intended program runs. APM then reverts to
SMSCliToknAcct& after the program has run.

NOTE: With this behavior change from Smsapm32.exe version 2.00.1493.3187, if you
use a Software Installation account that is defined as a local account (with no
domain specified), programs that use the Software Installation account might not
work. This could occur because a local account may not have the necessary domain
rights when it calls the Win32 functions that are listed in this article.

How to Install the Hotfix
-------------------------

Apply this fix on all of the primary and secondary sites in the SMS hierarchy. To
install the fix, use one of the following methods.

How to Use the Hotfix Installer:

NOTE: You can use this method only on i386-based computers.

1. Copy the hotfix folder structure to a local folder on your site server or to
  a share on your network. The I386 and Alpha subfolders are required; you must
  also download them from the Microsoft FTP site. It is important to keep the
  folder structure intact. The Q307434.exe file is a Microsoft Windows
  Installer file that updates specific files on your site server.

2. Log on to your site server by using an account with administrator privileges.

3. On the site server, quit the SMS Administrator console.

4. Run the Q307434.exe file and follow the instructions in the wizard. The
  Systems Management Server services are stopped and restarted as part of the
  installation process.

How to Manually Install the Hotfix:

1. Copy the update program file (Q307434.exe) and platform folders to a new
  folder. The folder structure must be such that the program file is located
  one folder "above" the platform folders.

2. Quit the SMS Administrator console and stop all SMS services in Control
  Panel. If the SMS_SITE_BACKUP service is running, stop it also.

3. Copy the Apasetup.exe file from the hotfix <Platform> folder to the
  <Drive>:\Sms\Inboxes\Clicomp.src\Smsapm32\<Platform> folder on
  the SMS site server.

4. Replace the Compver.ini file in the
  <Drive>:\Sms\Inboxes\Clicomp.src\Smsapm32 folder with the
  Compversmsapm32.ini file from the hotfix I386 or Alpha source folder (both
  files are the same) after renaming the file to Compver.ini.

5. Copy the Smsapm32.exe file from the hotfix <Platform> folder to the
  <Drive>:\Sms\Bin\<Platform> folder.

6. Restart the SMS Site services on the site server.

Additional query words: prodsms CliTokn Lockout

======================================================================
Keywords          : kbsms200 kbsms200bug kbSoftwareDist 
Technology        : kbSMSSearch kbSMS200 kbSMS200SP1 kbSMS200SP2 kbSMS200SP3
Version           : :2.0,2.0 SP1,2.0 SP2,2.0 SP3
Issue type        : kbbug
Solution Type     : kbfix

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1986-2002.