WinRM command fails with Access Denied, Error number: -2147024891 0x8007005

Article ID: 2653882 - View products that this article applies to.
Expand all | Collapse all

Symptoms

After installing the UNIX/Linux agent for System Center Operations Manager, the Discovery process may fail and the client will not appear in the console.  When attempting to troubleshooting such an issue, you may run a command similar to the following to verify that the discovery process is functioning:

winrm e http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem?__cimnamespace=root/scx -r:https://<Unix server name>:1270 -u:<User account> -auth:basic -encoding:UTF-8 -skipCAcheck -skipCNcheck

In certain scenarios this command will fail with the following error:

Access Denied, Error number: -2147024891 0x8007005.

You may also see the following in /var/opt/microsoft/scx/log/scxcimd.log

     cimserver: Listening on HTTPS port 1270.
     cimserver: Listening on local connection socket.
     cimserver: Started SCX CIM Server version 2.9.0 Release.
     cimserver: Authentication failed for user=<User account>.
     cimserver: Authentication failed for user=<User account>.

Cause

This can occur if an incorrect PAM.CONF file is generated on the UNIX server. This file is auto-generated by the SCX installer.

Resolution

To resolve this issue, remove the auto-generated entries from the PAM.CONF file and add the lines below:

# The configuration of scx is generated by the scx installer.
scx auth required /usr/lib/security/$ISA/pam_unix.so.1 
scx auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 
scx account requisite /usr/lib/security/$ISA/pam_roles.so.1 
scx account required /usr/lib/security/$ISA/pam_projects.so.1
scx account required /usr/lib/security/$ISA/pam_unix.so.1 
# End of section generated by the scx installer.

IMPORTANT Please make sure to have a backup of the original PAM.CONF file before making any changes.  PAM.CONF files are UNIX/Linux install specific and this resolution may only work in certain configurations.  It is also possible that there may be custom PAM modules added to support additional features such as AD authentication, etc.  As such, this resolution only applies if you have no custom PAM module defined.

In most case the entries that are defined for the sshd process are enough. If you are unsure of what entries are needed you can replicate the entries that are defined for the sshd process and for the scx process and that generally will take care of the issue.  Be sure that you fully understand the ramifications of making these changes in your specific environment before doing so.

More Information

This issue applies to Solaris 8, Solaris 9 and Solaris 10. For more information please see the following: http://technet.microsoft.com/en-us/library/ee344801.aspx

Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2653882 - Last Review: June 17, 2013 - Revision: 6.0
Applies to
  • Microsoft System Center Operations Manager 2007
  • Microsoft System Center Operations Manager 2007 R2
  • Microsoft System Center Operations Manager 2007 Service Pack 1
  • Microsoft System Center 2012 Operations Manager
Keywords: 
kbtshoot KB2653882

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com