When we try to use Remote Tools it doesn't get past the "Starting a Remote Control session" on the SCCM console. We have to kill the rc.exe process in task manager to close the window. On the destination client, RemoteControl.log says "Agent did not receive a valid connection attempt within the time limit. Session will be terminated."

We have tried every combination of Windows 2008 R2, Vista x86, and Win7 x64 for the source and destination and get the same error each time.

We have tried/verified the following
1. We can RDP into the clients with Remote Desktop Connection.
2. Checked ports per http://technet.microsoft.com/en-us/library/bb632618.aspx
3. Added a firewall rule for RCAgent.exe just in case
4. All of the clients are on the same LAN and besides the Windows firewalls there is no firewalls between any of the workstations or the site systems.
5. Verified the admins are in the PermittedViewers string in HKLM\Software\Microsoft\SMS\Client\Client Components\Remote Control\PermittedViewers and HKLM\Software\Wow6432Node\Microsoft\SMS\Client\Client Components\Remote Control\PermittedViewers
6. According to RSOP, the admins are in the "Access the computer from the network" group policy setting and not in the "Deny access to this computer from the network"
7. Tried Wally's suggestion at http://social.technet.microsoft.com/Forums/en-US/configmgradminconsole/thread/2f7bb8d1-2cb2-40f6-816b-fdd0b1929913/ to disable and re-enable the Remote Tools client.
8. Checked DCOM permissions per http://technet.microsoft.com/en-us/library/bb680755.aspx

We've never tried to use Remote Tools before so does anyone have any other suggestions we could try?

Have u enabled Ask for permission option uder client agent - remote control . If yes you didnt get the permission from user to take the control?

We have tried it with "Ask for permission when an administrator tries to access clients" checked and unchecked. When it is checked we don't see a popup/notice asking for permission.

Hello LOC_750,

Thank you for writing to the TechNet forums. Here are the steps that can help you troubleshooting the REMOTE Tools

Try to connect to the WMI of the remote client:

1.       To do that from the Site Server, Open the WBEMTEST.

2.       Then in the WBEMTEST, type following \\machine name\root\cimv2 [DO this from a Remote Machine site server could be used]

3.       Machine Name could be the NETBIOS/FQDN of the machine which is experiencing the issue.

4.       And then click on connect, If you have issues connecting to remote WMI

Then; Forget about remote tools fix WMI first.

If we are able to connect to the remote WMI, You are on the right track and keep reading further.

In the second hurdle we need to check if the client is getting the policy for the permitted viewer:

We’ll add a user account/Group in the permitted viewers tab on the ConfigMgr Console. Once you have done that, Try checking the client side registry settings; either the client is able to receive the newly added user account /group.

To specify a new remote tools permitted viewer account

1.       In the Configuration Manager console, navigate to System CenterConfiguration Manager / Site Database / Site Management / <site server name> / Site Settings / Client Agents.

2.       In the results pane, right-click Remote Tools Client Agent and then click Properties.

3.       In the Remote Tools Client Agent Properties dialog box, click the Security tab.

4.       Click the new button to open the New Viewer dialog box, and then specify an existing Microsoft Windows user account or group name.

5.       Click OK to close the dialog box, and then click OK to close the Remote Tools Client Agent Properties dialog box.

Once you have added the user accounts in the ConfigMgr console, Please go back to the client and force the Machine Policy Retrieval. Once that is done we should check the client after 2-3 minutes to verify the Permitted Viewer account that we added in the console should be listed under : HKLM\Software\Microsoft\SMS\Client\Client Components\Remote Control

In the right hand side you should see, “Permitted Viewer” and it’s value must contain the user account/group that we added in the ConfigMgr console as explained above.

If that’s not the case; Stop here and check why the policy is not getting delivered to the client.

If you see the account/group in the permitted viewers then move to the next steps:

Here are the miscellaneous steps that we can use, Also please note that if you can capture the NETMON trace.

Here’s one article that gives you how you can leverage the NETMON http://support.microsoft.com/kb/812953

OR

You can also use the WireShark as well. Click here to download the latest version of Wireshark.

1.      Check the log created RemoteControl.log Ccmsetup \ client is having problems.

2.      Check the log RemoteTools.log created in% temp% in the computer that is initiating the connection.

3.      Verify that the ConfigMgr Remote Control Users group is correctly configured on the client.

4.      Check the security settings for DCOM are applied correctly.

5.      Ensure that ports TCP 2701, TCP 2702, TCP 135 are released into the firewall. If you are using Remote Desktop or Remote Assistance check if TCP port 3389 is released in the firewall.

6.      Make sure the file c: \ windows \ system32 \ RCAgent.exe is also released into the firewall.

7.      Make sure the file c: \ windows \ PCHealth \ HelpCtr \ binaries \ Helpsvc.exe is also released into the firewall or the File and Printer Sharing.

8.      Make sure the anti-virus is not blocking the remote connection.

9.      Verify that no other remote connection to the same customer.

10.  Groups linked with Remote Tools do not work, that is, one should place the main group.

11.  When capturing network packets by Wireshark, check for: isystemactivator
a. For successful connection has only one pair of ISystemActivator RemoteGetClassObject ISystemActivator RemoteGetClassObject request and response

12.  b. To have connection without success:

a.      When the user does not have permission DCOM: ISystemActivator RemoteGetClassObject request and another could be DCERPC Fault: call_id: 10 ctx_id: 0 Status: nca_s_fault_access_denied

b.      When the user has permission DCOM, there will be several times the double ISystemActivator RemoteGetClassObject request and another ISystemActivator RemoteGetClassObject response.

13.  See http://technet.microsoft.com/en-us/library/bb735873.aspx for a list of error codes using Remote Tools.

Hope that helps !!!

Anurag

 

By checking RemoteTools.log I noticed a ton of "Viewer disconnected with reason:2308, extended info:0" errors. That lead me to http://social.technet.microsoft.com/Forums/hu-HU/configmgrgeneral/thread/b258a851-4fe2-475c-82d9-6876ca618835, which noted the issue was the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing was enabled," setting. Once I disabled that setting in the GPO linked to the admin workstations OU I was able to use RemoteTools. Thanks for you help.

• Proposed as answer by Damoah Saturday, January 04, 2014 8:54 PM

Dear Loc,

I have same issue like  "Viewer disconnected with reason:2308, extended info:0" and all symptoms similar to you. But in my case, I was able find that FIPS algorigthms is in Disabled state. Anyway to troubleshoot further.

Regards,
Sereno

Disabling FIPS resolves the problem.