Automatic Approval of Clients not Working
Despite having the Approval settings in Site Mode set to Automatically approve computers in trusted domains, computers are not being automatically approved.

In the All Systems collection, a system appears with the following attributes:

Resource Type: System
Domain: TestDomain
Site Code: TestSite
Client: Yes
Approved: Not Approved
Assigned: Yes
Blocked: No
Client Type: Advanced
Obsolete: No
Active: Yes

The computers are all joined to the TestDomain and the site systems are configured with an intranet FQDN of system.testdomain.parentdomain.edu. This is a single site with a single management point, with the database on a remote system.

If the approval settings are set to Automatically approve all computers, automatic approval works.

My questions are: any idea how to fix this, and what logs should I be looking at?
March 28th, 2008 11:12pm
What I'd been told by the dev who owned this part of Configuration Manager was that if approval doesn't work for systems that it should work for, then it is very likely that the system did not get authenticated in the domain with Windows Integrated Authentication. The only reasons I know of for systems to not get approved are:

* Not a client (we don't approve just discovery records, users, etc.)
* The client is an SMS 2003 client (don't approve them)
* The site is in native mode (no approvals)
* No Windows Integrated Authentication
* Client is not in a trusted domain in the same forest
* FQDN of the MP is not published

Unfortunately, I never was able to get from him how to know for sure if it is the lack of Windows Integrated Authentication, or how to fix the environment (not Configuration Manager, as it is not our issue). So I don't have anything else to provide to you. Ask your network guys about this to see if they know what Windows Integrated Authentication is - I don't :-(
March 29th, 2008 9:17pm
You were correct, the issue was no Windows Integrated Authentication. Specifically, we have Operations Manager and Configuration Manager running on the same server. We discovered that SQL Reporting Services, also running on that box, was not functioning correctly, which was running as a domain user. We had two different accounts being accessed using the same SPN. The solution was to create DNS CNAMEs for both Operations Manager and Configuration Manager, and add the appropriate SPN (HTTP/cname.domain.com) to the accounts.

The following blog outlines the issue fairly well:
http://blogs.msdn.com/lukaszp/archive/2008/03/26/solving-the-reporting-services-login-issue-in-the-february-ctp-of-sql-server-2008.aspx

If anyone else is having this problem, I can elaborate on the solution.
April 8th, 2008 7:49pm
Dear Steven, would you help on this? I had the same problems as you. All of the clients show in the "All Systems" collection, but the field of "approval" is "not approved". Installation succeeded. I configured auto-approve, discovery method of "AD system", MP. How did you solve this problem by FQDN?
August 1st, 2008 8:09am
See my reply in http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3693152&SiteID=17 (and please avoid posting the same question more than once. That makes it difficult to keep track of all activities).
August 1st, 2008 11:07am
Steven, please do elaborate on the solution. We've got the same issue (often no automatic approval for new clients, seems to be worse since upgrading SCCM to SP1). At first sight our SPNs are ok though... Thanks, Steven
August 13th, 2008 3:44pm
In our case, automatic approvals never worked, unless we set SCCM to approve every request. If you have SCCM set to approve for trusted domains and it sometimes works, SPNs are not the issue. In our case, we had SCCM and Operations Manager Reporting on the same box. Since both were running under different accounts but with the same URL, a client couldn't determine the correct SPN to use, and hence failed. We ended up having to set up two different host A records, one for SCCM and one for OpsMgr reporting, to get things to work. Each had its own separate SPN registered for the appropriate service account. Hope this helps.
August 14th, 2008 1:30am
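The duplicate-SPN condition described in the two posts above (one HTTP SPN claimed by two service accounts), as an added example that is not part of the original thread: a PowerShell function that reports every SPN registered on more than one account. The function name `Find-DuplicateSpn` is hypothetical, and the account and host names in the sample are constructed.

```powershell
# Added example, not from the thread. Reports SPNs owned by more than one account.
# Input objects need SamAccountName and ServicePrincipalName (string collection),
# which is the shape Get-ADObject returns when those properties are requested.
function Find-DuplicateSpn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Account
    )
    begin { $owners = @{} }
    process {
        foreach ($a in $Account) {
            foreach ($spn in $a.ServicePrincipalName) {
                # SPNs are matched case-insensitively, so normalise the key.
                $key = ([string]$spn).ToLowerInvariant()
                if (-not $owners.ContainsKey($key)) {
                    $owners[$key] = New-Object 'System.Collections.Generic.List[string]'
                }
                if (-not $owners[$key].Contains([string]$a.SamAccountName)) {
                    $owners[$key].Add([string]$a.SamAccountName)
                }
            }
        }
    }
    end {
        foreach ($key in ($owners.Keys | Sort-Object)) {
            if ($owners[$key].Count -gt 1) {
                [pscustomobject]@{ Spn = $key; Accounts = ($owners[$key] -join ', ') }
            }
        }
    }
}

# Constructed sample: two service accounts sharing one host name, as in the thread.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-sccm'
                       ServicePrincipalName = @('HTTP/server01.testdomain.example') }
    [pscustomobject]@{ SamAccountName = 'svc-opsmgr'
                       ServicePrincipalName = @('http/SERVER01.testdomain.example',
                                                'HTTP/opsmgr.testdomain.example') }
)
$sample | Find-DuplicateSpn   # one row: http/server01.testdomain.example

# Against a live domain (assumes the ActiveDirectory module is installed):
# Get-ADObject -LDAPFilter '(servicePrincipalName=HTTP/*)' `
#     -Properties servicePrincipalName, sAMAccountName | Find-DuplicateSpn
```

The built-in `setspn -X` performs a similar forest-wide duplicate check, and `setspn -S` refuses to register an SPN that already exists on another account.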
Hi Wally, I am having a similar issue. Although in my environment I have my SCCM Primary server in Forest 'A' and my clients are in trusted domains in Forest 'B' and Forest 'C'. Can I take you literally when you say "* Client is not in a trusted domain in the same forest"? If that is the case I will not look into this issue any more, as my clients not automatically approving would be by design. It's a little confusing as the GUI just says "...trusted domains" and doesn't stipulate they have to be in the same forest. Thanks for all your efforts, this forum is a gold mine for information. Lee
August 14th, 2008 3:05pm
Nobody can help on this? It has been weeks and I still can't get client push working well.
August 19th, 2008 4:52am
I have SCCM approval issues that are related to this issue with no Windows Integrated Authentication for several clients. Can you tell me how I can fix that in AD or on the clients? Thanks, Gary
March 11th, 2011 8:12am
See that article for full details about the approval process: http://blogs.technet.com/b/configurationmgr/archive/2010/01/20/how-it-works-automatic-client-approval-in-configuration-manager-2007.aspx
Torsten Meringer | http://www.mssccmfaq.de
March 11th, 2011 8:45am