The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server. The target name used was HTTP/
After a few days of troubleshooting on this one, I think I've just cracked it by switching off the Windows firewall. However, we need this enabled. Can anyone quickly advise which setting needs to be enabled on the Windows firewall to allow this through? Cheers
March 8th, 2012 1:59pm

After a few days of troubleshooting on this one, I think I've just cracked it by switching off the Windows firewall. However, we need this enabled. Can anyone quickly advise which setting needs to be enabled on the Windows firewall to allow this through? Cheers
March 11th, 2012 6:10am

Hi there. I'm running an NLB on the MP. No clients are auto approving - mode set to auto approve from the start. I have registered an SPN and followed the details outlined by Microsoft - e.g. adding account to run CCM Windows Auth Server Framework Pool. I'm getting the following error on the DC:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server <>$. The target name used was HTTP/<SPNName>. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN) is different from the client domain (DOMAIN), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
I've made sure that only one account is using the SPN and followed all forum posts here on how to resolve. I get constant 'MP has rejected a policy request from GUID:<GUID> because it was not approved. The operating system reported error 2147942405: Access is denied.' I've checked to make sure only one GUID per device. I'm baffled at this stage. Can anyone throw anything in to assist on this? Cheers
March 11th, 2012 6:23am
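The event text quoted in the post above names two conditions to verify: the SPN is registered on exactly one account, and that account is the one the service runs as. The following is an added example, not part of the original thread and not a Microsoft tool, that checks both against an LDIF export of the servicePrincipalName attribute; the account names, domain and SPN values are constructed, and the LDIF input format is an assumption.

```python
import base64
from collections import defaultdict

# Constructed LDIF export of servicePrincipalName; every name here is made up.
SAMPLE_LDIF = """\
dn: CN=svc-ccmpool,OU=Service Accounts,DC=example,DC=com
servicePrincipalName: HTTP/sccm-nlb.example.com
servicePrincipalName: HTTP/sccm-nlb

dn: CN=MP01,OU=Servers,DC=example,DC=com
servicePrincipalName: HOST/MP01.example.com
servicePrincipalName: http/SCCM-NLB.example.com

dn: CN=MP02,OU=Servers,DC=example,DC=com
servicePrincipalName: HOST/MP02.example.com
"""

def spn_owners(ldif_text):
    """Map each lower-cased SPN to the list of DNs that carry it."""
    owners = defaultdict(list)
    # RFC 2849: a line that starts with a single space continues the previous one.
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    dn = None
    for line in unfolded.split("\n"):
        if not line.strip():
            dn = None                          # a blank line ends the current entry
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() == "serviceprincipalname" and dn:
            owners[value.lower()].append(dn)   # SPN comparison ignores case
    return owners

def check_spn(ldif_text, spn, service_dn):
    """Return (verdict, holders) for the two conditions the event text names."""
    holders = spn_owners(ldif_text).get(spn.lower(), [])
    if not holders:
        return "missing", holders
    if len(holders) > 1:
        return "duplicate", holders            # registered on more than one account
    if holders[0].lower() != service_dn.lower():
        return "wrong_account", holders        # registered, but not on the service's account
    return "ok", holders
```

With the sample data, `check_spn(SAMPLE_LDIF, "HTTP/sccm-nlb.example.com", ...)` reports `duplicate` because the constructed MP01 computer account carries the same SPN in different letter case.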

Just a thought. Does IIS authentication need to be set so Windows Authentication is Enabled?
March 11th, 2012 6:35am

Make sure that the computer account for the SCCM server is in the local admins group on the client. Also, I believe SCCM primarily uses 135, 445, RPC range, and 80 to do its communication. Generally this is initiated from the client, so make sure you take note of any outbound rules on your client's Windows firewall.
March 31st, 2012 2:42pm

You may refer to the following links to configure the firewall:
Windows Firewall Settings for Configuration Manager Clients
Ports Used by Configuration Manager
Sabrina
TechNet Community Support
April 1st, 2012 3:15am

This topic is archived. No further replies will be accepted.
