Hi,

We had an issue with the SCCM 2012 R2 remote console.Below are the details of the configuration

We have installed SMS provider on standalone primary site server and created few security roles based on the administrators roles/activities. Also created Administrative users in SCCM console and assign them to one of the Security roles where it had "Read" permissions to the "Site". When these users are trying to launch a remote SCCM console, its not connecting and giving error message.

*****************

The Configuration Manager console cannot connect to the Configuration Manager site database. Verify the following:

      This computer has network connectivity to the SMS Provider computer.
      Your user account has Remote Activation permission on the Configuration Manager site server and the SMS Provider computer.
      The Configuration Manager console version is supported by the site server.
      You are assigned to at least one role-based administration security role.
      You have the following WMI permissions to the Root\SMS and Root\SMS\site_<site code> namespaces: Execute Methods, Provider Write, Enable Account, and Remote Enable.

*****************

Addition to that, I have checked and given COM and WMI permissions on the server as per the point (5) in the above error message

For the security scope, we have assigned Default security scope.

Per my observation, users that are part of Local Administrator group of the primary site server, can able to launch the SCCM console. However only members in SMS Admins group could not able to launch the remote SCCM 2012 R2 console.

Please let me know, Did i missed any configuration on the server end, Security role and Security scope?

Below is the XML file that i have exported from the Security role that users has been assigned.

++++++++++++++++++++++++++++++++++++

<?xml version="1.0"?>
-<SMS_Roles> 
 -<SMS_Role RoleDescription="" RoleName="Local IT" CopiedFromID="SMS0007R"> 
  -<Operations> 
<Operation ObjectTypeID="1" GrantedOperations="20513"/> 
<Operation ObjectTypeID="2" GrantedOperations="268435457"/> 
<Operation ObjectTypeID="4" GrantedOperations="268435457"/> 
<Operation ObjectTypeID="6" GrantedOperations="268435457"/> 
<Operation ObjectTypeID="7" GrantedOperations="9219"/> 
<Operation ObjectTypeID="9" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="11" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="15" GrantedOperations="1"/> 
<Operation ObjectTypeID="17" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="20" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="22" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="25" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="28" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="30" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="31" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="33" GrantedOperations="268435457"/> 
<Operation ObjectTypeID="37" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="41" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="42" GrantedOperations="9"/> 
<Operation ObjectTypeID="43" GrantedOperations="1"/> 
<Operation ObjectTypeID="44" GrantedOperations="805306371"/> 
<Operation ObjectTypeID="45" GrantedOperations="1"/> 
<Operation ObjectTypeID="46" GrantedOperations="1"/> 
<Operation ObjectTypeID="47" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="49" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="52" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="55" GrantedOperations="268435457"/> 
<Operation ObjectTypeID="56" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="57" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="58" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="59" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="60" GrantedOperations="268435456"/> 
<Operation ObjectTypeID="61" GrantedOperations="268435456"/>   
   </Operations> 
  </SMS_Role> 
</SMS_Roles>

++++++++++++++++++++++++++++++++++++

Are DCOM permissions set? (http://technet.microsoft.com/en-us/library/bb633148.aspx)

Hi Torsten,

Yes, DCOM permissions has been set.

DCOM Permissions has been set for "SMS Admins" and "Distributed COM Users" with f

Any suggestions on this. Thank you

Is the consolesetup taken from the same media as Site server is installed? Console and site server must always match same version. If site server has been upgraded from SP1 to R2, existing remote console is not valid anymore.

Hi,

Is the version of the console the same with SCCM Server?

Any chance that your SCCM server applied some Hotfix or CU Updates and your console is not?

Any chance that your workstation is not join to domain?

Regards,
Hau

Hi yannara and kwokhau, Thank you for the reply

Yes, We had upgraded to R2 with CU1 recently and deployment packages has been created to upgrade SCCM clients (both x32 & x64 bit) and SCCM console to R2 + CU1 version. Now the SCCM remote console we are using has the same version of SCCM 2012 R2 (i.e 5.0.7958.1203).

Another thing that i am the full administrator on SCCM server and i can able to access the remote console, But other administrators those are part of SMS Admins group with full DCOM and WMI permissions. They did not able to access the remote console.

All our workstations are in domain.

Was there any RBAC setting in the Security role or Security scope causing this issue?

Hello,

Remote console issue has been resolved, Below is work around.

       I followed these steps to fix the Remote SCCM 2012 console issue for non admins on the SCCM Server(ITs):

       1.Checked the log on my PC in and found this: C:\Program Files\Microsoft Configuration Manager\AdminConsole\AdminUILog :

        Error Message in AdminUILog: [11, PID:12340][06/19/2014 12:04:54] :System.Management.ManagementException\r\nAccess denied         \r\n   at

       2.Checked the access using non admin account on the site server using this  :
         Followed the verification section by running as non admin using this string :
                    \\<SCCM Server Name>\root\sms\site_<Site Code>

         Changed the rights to include subnamespaces! No need to give full rights.

            For more information : http://technet.microsoft.com/en-us/library/bb932190.aspx

Just wanted to respond that this resolved the issue for me also.

SCCM 2012 R2 accessing from Windows 8.1.

Setting the explicit permissions as per the Microsoft troubleshooting guide didn't work, enabling the 'subnamespaces' inheritance fixed the issue no problems.

Thanks a lot!