Do WebDAV/BITS enabled DPs require Anonymous Authentication?
I started having a problem with my OSD Build/Capture task sequence where the Install Software Updates step was hanging at Installing Updates 1 of 50... It would never progress past that. I looked at the IIS logs on my DPs and noticed that there were numerous PROPFIND requests coming from the client that received 401 errors. I checked to make sure that my web site was configured to allow anonymous propfind, and it was. I also checked the XML file that contains these settings as I read that frequently the XML file does not update correctly - it was configured with allow anonymous propfind set to true. Still, I had the same problem. Then, as a troubleshooting step, I enabled Anonymous Authentication on the DPs' web site. This fixed the problem and my Build/Capture completed successfully. This is a problem though because now I am able to map a drive to any DP folder without authentication. Am I required to allow anonymous authentication to my DPs in order for Install Software Updates to work during the Build/Capture task sequence? I know it has something to do with anonymous propfind, but how can I allow anonymous propfind without removing authentication for GET and HEAD and the rest? PROPFINDs all show up as 401 errors unless I enable Anonymous Authentication. Domain clients during deploy phase and later in production work fine because they reauthenticate with the Computer$ account and don't rely on anon access to the DPs.
November 30th, 2010 1:55pm

I think you need a NAA for that to work but you'd do better to ask in the OSD forum.
John Marcum | http://myitforum.com/cs2/blogs/jmarcum/
November 30th, 2010 1:58pm

Wow - Anonymous Authentication has changed itself back to disabled on its own. Configmgr must be adjusting the permissions on the SMS_DP_SMSPKGX$ web site? Possible? I'm taking it on over to the OSD forum...
November 30th, 2010 3:21pm

If I check the box on the DPs "Allow clients to connect anonymously (Required for mobile device clients)", then the Install Software Updates task works during the build process. It also means that the DP WebDAV site is accessible without authentication from any computer on my network - that is not cool. Does installing Software updates during the OSD build sequence really require me to enable that "Allow clients to connect anonymously"? It is weird because all the packages for OSD (like the MDT Tools, the WIM, the Configuration Settings) all download fine and authenticate using the Network Access Account. The Software updates, however, hang on downloading 1 of 50 when that anon box is unchecked. In the IIS logs of the DPs, the machine running the build process drops about 90 PROPFIND lines with 401 errors. There are never any patch-related GET commands for the Install Software Updates process, just failed PROPFINDs on all three of my DPs. As soon as I enable that Allow anonymous, it works fine. I am also able to go to any computer on the network and type net use * http:\\FQDN.TO.DP.com\ SMS_DP_SMSPKGD$ and map a drive to all my distribution packages - unauthenticated - so I can't leave it like that... What to do?
December 9th, 2010 5:57pm
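
An added example, not written by any poster in this thread: one way to audit a DP's IIS W3C log for the two symptoms described above, PROPFIND requests rejected with 401 and requests to the package share that succeeded with no user name. The sample log lines, IP addresses, package IDs, account name and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2010-12-09 17:40:01 PROPFIND /SMS_DP_SMSPKGD$/PKG00001 - 10.0.0.50 401 2
2010-12-09 17:40:02 PROPFIND /SMS_DP_SMSPKGD$/PKG00001 - 10.0.0.50 401 2
2010-12-09 17:41:10 GET /SMS_DP_SMSPKGD$/PKG00002/tools.cab CONTOSO\\svc_naa 10.0.0.50 200 0
2010-12-09 18:05:33 PROPFIND /SMS_DP_SMSPKGD$/PKG00001 - 10.0.0.77 207 0
2010-12-09 18:05:34 GET /SMS_DP_SMSPKGD$/PKG00001/update.cab - 10.0.0.77 200 0
2010-12-09 18:06:00 GET /iisstart.htm - 10.0.0.77 200 0
"""


def parse_w3c(lines):
    """Yield one dict per request, named by the log's own #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))


def audit_dp_access(lines, share_prefix="/sms_dp_smspkg"):
    """Return (401'd PROPFIND count per client, anonymous successes on the share)."""
    denied_propfind = Counter()
    anonymous_ok = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "")
        if not stem.lower().startswith(share_prefix):
            continue  # only the DP package virtual directories are of interest
        status = int(row.get("sc-status", 0))
        if row.get("cs-method") == "PROPFIND" and status == 401:
            denied_propfind[row.get("c-ip")] += 1
        elif row.get("cs-username") == "-" and 200 <= status < 300:
            # 2xx (including 207 Multi-Status) with no user name = anonymous access
            anonymous_ok.append((row.get("c-ip"), row.get("cs-method"), stem))
    return denied_propfind, anonymous_ok


if __name__ == "__main__":
    denied, anon = audit_dp_access(SAMPLE_LOG.splitlines())
    print("PROPFIND 401 per client:", dict(denied))
    print("Anonymous successes on the package share:", anon)
```

A 401 with an empty user name is also the normal first leg of an NTLM/Negotiate handshake, so the denied count matters only when no authenticated request from the same client follows it.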

What do your boundaries look like? Are you defining an SLP and MP as properties of the client installation in the TS? Have you reviewed all of the suggestions in this post: http://coreworx.blogspot.com/2010/08/configmgr-install-software-updates-task.html?
Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
December 9th, 2010 8:02pm

I don't think boundaries are the issue, but mine are all defined as subnet boundaries - I do not use AD site boundaries. If it were a boundary problem, then I don't think the other packages like drivers and MDT script packages would be loading - and they are. Also, it is finding the DPs because it is doing a PROPFIND for all the patch packages - I can see the requests in the IIS logs on the DPs. The logs on the clients list 3 (the correct number of) DPs with both http and smb style sources. If any of the settings were wrong with regards to SLP and MP, then I don't think enabling Anonymous access would fix the problem. If you are missing the SLP, the client is unable to find the SUP and you never get to the downloading section - they can't complete a scan if the SLP is not defined. I looked at that link. Solutions 4 and 6 are interesting and at least they are something to try. As soon as I enable Anonymous authentication on the DPs, the task runs fine, so to me that seems like an authentication problem or a misconfiguration on the DPs, but I have been over and over that WebDAV configuration utility lots of times with no positive results.
December 10th, 2010 12:16am

Are your boundaries subnet boundaries? If so, replace them with IP Address Range boundaries. I have seen boundaries affect just software updates (in a very similar manner as to what you are describing) before, particularly during build and capture TSes because the systems are not joined to the domain. Note that I don't necessarily disagree with your conclusions or problem-solving methodology (that seems solid), but there is clearly something going on (I know, that's obvious) that others are not experiencing. It may be time to call CSS because it's difficult to get a feel for your entire issue on the forums.
Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
December 10th, 2010 9:54am

This topic is archived. No further replies will be accepted.
