Description

Remote Controlling an agent workstation may fail with the following errors

You do not have remote control rights

"Unable to establish a secure session with the remote computer (-5)."

This can occur when using any Remote Control security type in Management Suite 8.7.

Cause

1. The failure can occur when using Domain Groups (sometimes called a Nested Group) in the LANDesk Management Suite group on the Core Server or the Remote Control Operators group on the agent workstation. 
    
   In order to see if a user is in a Domain Group, a user with Domain access is needed. By default the LANDesk COM+ objects are set to use LANDeskCOMPlus user which is a local account on the core. It cannot query the domain for security group membership information. 
     
   On the Core Server, if the LANDesk1 COM+ application identity does not have permission to enumerate groups on the domain, the following will be seen in the UserValidatorErrlog.txt that is located in the ManagementSuite directory:

   UserValidatorErrlog.txt
   
   UserValidatorErrlog.txtUserValidatorErrlog.txtUserValidatorErrlog.txt

   ERROR on 10/31/2008 12:13:11 PM with user CALDOR\Administrator, and core vm88:

   GetGroupUsers() : NetGroupGetUsers failed with an ERROR_LOGON_FAILURE code.  IIS may not have permission to query the domain for group information.

    

2. Regardless of who is logged into the Management Console, the user credentials logged into Windows on the Remote Controlling workstation are the credentials that are passed to the core server/target machine. If the user logged into Windows on the Remote Controlling workstation does not have the remote control rights, the error above will be returned and along with a prompt for credentials.

Resolution

These errors can be resolved in different ways.  Review the resolutions below and determine the resolution best suited for your environment.

Configure COM+ to use a Domain User

1. On the Core Server, open Administrative Tools | Component Services. 
   

2. In Component Services, browse to Component Services | Computers | My Computer | COM+ Applications | LANDesk.
    

   Note:These same steps must also be performed against the LANDesk1 COM+ Application. 
   

3. Right-click the object and click on Properties. 
   

4. Select the Identity tab. 
   

5. Change the LANDeskComPlus user to a valid domain user. 
    

   Note:A valid domain user is one that has read access to Active Directory. The user account must be in the format Domain\UserName. Again, both  COM+ Applications LANDesk and LANDesk1 should be modified. 
   

6. After making this change, reboot the Core Server or Rollup Core Server.

Add the User to the Remote Control operators group Explicitly

1. If using NT Security Type, make sure that the user logged into the Operating System on the remote controlling workstation or the viewer workstation is in the Remote Control operators group on the client.

Add the User to the Management Suite Group Explicitly

1. Add any remote control user accounts explicitly to the LANDesk Management Suite group on the Core Server. 
   

2. Enter Credentials  
   

3. Logon to Windows as a user that has the remote control rights 
   

Logon to the Remote Controlling Workstation as a User with Remote Control Rights

1. Log into the OS with a user that has Remote Control rights.
    

   Note:This is needed because Remote Control authenticates with the user logged into the Windows Operating System, not the user logged into LANDesk Console.

Description

The following are errors that may be received when trying to remote control.

• You do not have remote control rights.

• Credentials Required.

• Unable to establish a secure session with the remote computer (-5).

• Unable to find the remote control web service on [CORENAME].

• Receive Failed: -1 unable to locate the remote computer.

• Not a member of the HDAllowed group.

• "No TCP Agent Found" may be in connection messages.

• You must provide a valid console user name, password, or domain.

• The currently logged-in user does not have rights to access the remote computer. You must provide the user name password, and domain of an account that is authorized to control the remote computer.

• Unable to send a request to remote computer.

Troubleshooting

General Tips

1. Ensure the user is part the LANDesk Management Suite group.
2. Verify that the Console is patched to the same level as the Core, (even if installed after the Core was updated).
3. Verify that the LANDesk Management Agent is running on the machine.  If it is not running or will not start, run the cba8inst.msi file in c:\program files\LANDesk\ldclient.
4. Set SecurityType to 0 (Local Template).
5. Attempt to browse http://{Agent Nameor_IP_Address}:9595
6. Attempt to Telnet to 9535 on the Agent.  If you cannot Telnet to this port shut down any firewalls, and / or run ICFConfig-V4.exe to open those ports in the Windows Firewall.
7. On the Agent create a text file titled isswuser32.log in the C:\Program Files\LANDesk\LDClient directory, attempt Remote Control, check it for errors. Verify that the Remote Control Viewer is not to set to use “Enable old agent compatibility (pre 8.5 agents)” in Tools > Options. Note: RC-11047587.2 addresses this issue.
8. Verify that the Agent is only in Gateway mode only if the Management Gateway is being used.
9. Verify that only .NET 1.1 is installed on the Core Server, if .NET 2.0 or 3.0 is installed in 8.7 verify that the Default Website is set to use .NET 1.1 and move to step 8.  If in a version prior to 8.7 uninstall other .NET versions and move to step 8.  Note: If .NET 3.0 has been installed on a Core Server and removed it will need to be reinstalled for 8.7 to function properly, this has not been tested in versions previous to 8.7.
10. On the Core Server run from a command prompt; %windir%\microsoft.net\framework\v.1.1.4322\aspnet_regiis.exe –i.
11. Restart IIS.
12. Re-push Agent.
13. Attempt to browse in IIS https://Core_Server_Name/LANDesk/ManagementSuite/Core/SSL/remotecontrol/RemoteControlService.asmx from both the core and from the machine when Remote Control is being performed.
15. Attempt to browse in IIS https://Core_Server_Name/landesk/managementsuite/core/ssl/information/databaseinformation.asmx from both the core and from the machine when Remote Control is being performed.
16. If the Console does not show the Remote Control Icon when choosing an Agent for Remote Control, run C:\Program Files\LANDesk\LDClient\issuser.exe /resident on the client.

Windows NT Security / Local Template

1. Verify that the User (that is logged on to Windows, not the Console) is part of the Remote Control Operators group (synonymous with HDAllowed) on the Agent and LANDesk Management Suite group on the Core Server.

Certificate Based Security

1. Verify that the user (that is logged on to Windows, not the Console) performing Remote Control is part of the LANDesk Management Suite group on the Core Server.
2. Set Component Services | Computers | My Computer | COM+ Applications | LANDesk and LANDesk1 > Right-Click> Choose Properties> Advanced Tab > Server Process Shutdown> Leave Running When Idle.
3. Create an SSL AppPool (for instructions on how to create this see Optimizing IIS 6.0, available from KB Article #3076.
4. Check %windir%\system32\inetsrv\w3wp.exe.log for errors.

Integrated Security:

1. Perform same tasks as with Certificate Based Security.
2. Specify Domain Administrator Credentials in Component Services | Computers | My Computer | COM+ Applications | LANDesk and LANDesk1 > Right-Click> Choose Properties> Identity Tab> This User.
3. Verify on the Client that the LANDesk Remote Control Service is running.  If the service is not running, run C:\program files\LANDesk\LDClient\issuser.exe /resident.
4. Verify that the ASP.Net Web service Extensions are set to Allowed in IIS.
5. Check the Binding certificate in IIS and make sure it's set to Landesk Secure Token Server for 9.6 and for 9.5 make sure it pointed to the most current .0 file.

Help in Finding the Problem

To help troubleshoot the exact problem, use Processmon.exe from Sysinternals to tell exactly why the specified user was being blocked.  This utility can show which permissions were being denied to the following site:

https://Core_Server_Name/LANDesk/ManagementSuite/Core/SSL/remotecontrol/RemoteControlService.asmx.

Once it is known which permissions were denied, compare the NTFS permissions from a working Core Server with the Core Server you are working on.  For example, you may noticed that the management suite\landesk folder did not have the LANDesk Management Suite group added to the Security portion of the folder.  Once that group is added, that particular cause of this issue would be resolved.

Level of Encryption for the Remote Control Authentication

Level of Encryption for the Remote Control Session

The level of encryption used during a remote control session depends on the security type chosen in the agent configuration. For NT security/local template, the encryption strength of the operating system determines the level of encryption during the remote control session. For Microsoft (R) Windows 2003 Server and Windows XP, the default level of encryption is 128-bit.

For all other security types, remote control sessions are obfuscated, but not encrypted. Obfuscation is an RC4-like algorithm that scrambles traffic between the remote control viewer application and remote clients.

Issue

When trying to Remote Control a device you receive the error:

Receive Failed: -1 unable to locate the remote computer.

Resolution

Ensure that Gateway mode is set to "Direct" unless a Management Gateway is being used for Remote Control.

• This can be changed by using the system tray icon, by right-clicking and going to status and choosing change mode.
• Or remotely by using a remote registry and browsing to HKLM\Software\Intel\LANDesk\WUSER32\Gateway, changing it to 0 and restarting the LANDesk Remote Control service.

Description

This process will enable ALL (configured) LANDesk services to Start AND Run while a workstation is in Safe Mode with Networking.  This article will specifically cover Ivanti EPM Remote Control, but it is assumed that all other functions would work as well. This capability is accomplished by the registry telling Windows to allow the LANDesk services to Start and Run while in Safe Mode with Networking.  This process could potentially work for other services as well.

Resolution

Import the attached Custom Definition below and set to AutoFix.

Details

This is accomplished by adding the following Registry keys to the workstation.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CBA8]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Intel Local Scheduler Service]
@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Intel Targeted Multicast]
@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ISSUSER]
@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\LANDesk Policy Invoker]
@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Softmon]
@="Service"

After the registry changes have been added to the workstation, the workstation must be booted to Safe Mode with Networking.

Once the Windows has loaded and the user has signed in, the user may need to retrieve the IP Address for you and then you should be able to use the LANDesk Remote Control and connect to the workstation.

Worth mentioning is that the Windows Firewall service could be enabled in Safe Mode, and if the exclusion is not there, you will not be able to access the workstation.

Issue

When trying to remote control a MAC getting an "Error: Authentication failed because a certificate was not found on the remote computer."

Cause

The hash (.0 file) does not match the hash on the core server.

Resolution

Copy the .0 file from the core server's C:\Program Files\LANDesk\Shared Files\Keys directory to the MAC's /usr/landesk/common/cbaroot/certs folder.

Description

Cause

Resolution

1. Go Into the IE Security settings and click on the Custom Level button.
   
   2. Under ActiveX, set the "Allow previously unused ActiveX controls to run with out prompting" to Enable.
   
   The error then goes away and Remote Control works properly for normal users.
   
   
   NOTE: This is not the recommended way to fix the issue securely.

Enabling this ActiveX security setting stops the issue but does not truly fix it.  This is because there is a LANDesk IE Add-On that hasn't been enabled or approved yet. This Add-On can be managed in IE. To properly fix the issue without modifying the Security Permissions:

1. Go into IE under the Tools Menu > Manage Add-on's > Enable or Disable Add-on's
   
2. Verify the existance of an Add-On named "ExecuteViewer2 Class"whose publisher is LANDesk.
   
3. Enable this Add-On
   

Description

Remote control sessions have a Default Timeout of 10 minutes if there is no interaction in the viewer window.

Resolution

Increase the number of minutes for the timeout threshold, or set the value so that no timeout exists by using the value /a0.

The Community article How to change the Remote Control timeout length describes a couple methods to complete this task.

Using a Custom Definition to modify the timeout length for Remote Control

The attached V_INTL_LD-Remote Control- Time Out Setting.xml Custom Definition can be used to set the Timeout Length to 30 minutes and includes a STOP and START of the LANDesk Remote Control Service so that the new settings are applied.

1. The Timeout settings can be modified by changing the /a30 value in the following locations in the Custom Definition:
   • Rule 1 - Detection Logic \ Registry Settings \ Value Data
   • Rule 1 - Patch Information \ Detecting the Patch\ Registry Settings \ Value Data
   • Rule 1 - Patch Information \ Patch Installation & Removal \ Patch Install Commands\ Write a value to the registry\ valueData
2. If you would like to only modify the registry key, and not restart the LANDesk Remote Control Service possibly waiting until a regularly scheduled maintenance window,  remove the following two items from the Custom Definition:
   • Rule 1 - Patch Information \ Patch Installation & Removal \ Patch Install Commands\ Execute a program with an ARGS that contains a /STOP
   • Rule 1 - Patch Information \ Patch Installation & Removal \ Patch Install Commands\ Execute a program with an ARGS that contains a /START

Issue

• Is the user history for Remote Control saved?
• How can I view what machines have been controlled in a certain time period?
• How can I view who viewed what computers?
  
  

Resolution

Several built-in reports are available that contain the data.

Remote Control logging is enabled by default and can be disabled and history purged by going to Configure > Remote Control Logging.

The available reports are:

1. Remote control history by managed device
2. Remote control history by operator
3. Remote Control Summary

 

Purpose

Description

When a remote control session is started to a client machine ISSCNTR.exe responds with the following status error:

"The remote computer is not managed by your server"

Cause

This issue is most commonly caused by device's with a corrupted, or mismatched DeviceID in the Inventory Database.  You can try verifying that the core server can "ldping" the target machine by opening a web browser and going to the following page:

http://machine-name:9595/allowed/ldping

This should return an XML document with the client's DeviceID.

Resolution

1. Delete the device Name from the Core Server device listing.
2. Run a Full Inventory scan from the client Machine using the /F and /SYNC switches:

"C:\Program Files\Landesk\LDClient\LDISCN32.EXE" /NTT=%server%:5007 /S="%server%" /I=HTTP://%server%/ldlogon/ldappl3.ldz /NOUI /NOCD /F /SYNC

Once the full inventory scan has finished and is processed by the Core server, the client machine will show back up in the device listing and remote control will no longer reply with the error.

LANDesk Management Console 9.6 SP3 running on Windows Server 2008R2.

We consistently have to fallback to other remote control methods to help users remotely on our team.  There seems to be no rhyme or reason this occurs.  The response time from a click can take up to 30seconds, I've seen it!

We have ran the remote control from various machines around the network, even from the main landesk server and the problem still exists.

This happens on hundreds of newly installed Windows 10 Enterprise 64bit machines.  This can happen on machines that are on the same subnet as the current remote management console as well.  We have removed the posibility that this is network related.  The computers in question are all gigabit connected, SSD/i7 desktops that perform excellently locally.

One noticable nuance is that this problem often occurs on computers that have graphics cards installed.  Nvidia or AMD seems to make no difference.

Has anyone else noticed these issues?

We are now using EPM 2017.3 and are running on Windows 10 Enterprise LTSB Desktops.

Our service desk team as saying that they used to be able to copy and paste from a remote desktop session to their own PC but it does not work now.

I can't see any differences in the Agents we push out and File trasfer is enabled in the remote control agent settings.

Is this a Windows 10 thing or does the agent in 2017.3 not allow copy and paste anymore?

• Windows Remote Control
  • General Information
  • Implementation and Access
  • Stand Alone Access
  • Current Features
  • Upcoming Features and Current Limitations
  • Additions and Changes in SU1

Windows Remote Control

General Information

     With the release of 2018.1, there is a new improved remote control option available. The product has been redesigned from the ground up to offer a smoother more secure method. This version will have features added as the product evolves. This document will go over some of the highlights and features of the new method.

Implementation and Access

     Accessing the new version from the console will be very similar to before. It is simply in the right-click menu of a device. If you are managing a device with an older agent, it will still initialize the connection to the older version. If you are controlling a 2018 agent it will launch the new viewer that is used as the updated interface.

Stand Alone Access

• RCViewer.exe can be executed off-core
  • File located in the ManagementSuite Directory; %LDMS_HOME%
• Access viewer via browser HTTPS://Corename/RemoteControl
  • Client port 44343
  • Core port 443

Current Features

     The initial release includes the following capabilities:

• KVM (keyboard\video\mouse) for on network devices
  • Supports international keyboards
    • Now sends Unicode characters so the key pressed is the key received
    • Currently Windows only
• WinPE 32 and 64-bit access
• Scaling
  • Fit to window or client native (up to 1920x1920)

• Single Sign-On via Console
• No SSL certificate error presented
• Supports multiple connections to client
• Minimal alerting but documents access
• Remote Control Session notifications
  • Green border
  • Movable with a click+drag
  • Always on top

• Permission Required notifications
  • If second session connects will prompt again. Disables all remote input

• Copy and Paste (text only)
  • Bi-Directional (source to client, client to source)

Upcoming Features and Current Limitations

     The following features will be released in Service Updates:

• CSA
• File Transfer
• Remote Execute
• Chat
• Idle timeout
• User not logged in Auditing
• Display will scale down if resolution higher than 1920x1920
• Unable to send CTRL+ALT+DEL

Additions and Changes in SU1

     The following additions and changes were added in SU1. Some are cosmetic and others are functional.

• Remote Control WS is now accessible from the Web Console
• RCViewer.exe has been moved to ..\ManagementSuite\RemoteControl\RCViewer\ folder

• Minor UI and functionality fixes

RCViewer.exe can now be launched from the web console as well as the win console (via right click on 'Remote Control WS')

Ivanti EPM Remote Control WS Return Codes

When researching connectivity issues with the new EPM 2018.3 WS Remote Control, you may find some of the below errors in the API.DLL.LOG file, located in the 'ManagementSuite\Log' folder.

The errors will look similar to this:

msg=auth error,status=40

General Return Codes

Registry Related Return Codes

Identity Server Related Return Codes

EPM Related Return Codes

Purpose

The purpose of this document is to show how to trust a certificate so that when you are using the new HTML5 Remote Control you do not get the security warning. We have also attached the certificate that is to be trusted.

Adding certificates to the Trusted Root Certification Authorities store for a domain

Domain Admins is the minimum group membership required to complete this procedure.

To add certificates to the Trusted Root Certification Authorities store for a domain

Open Server Manager, and under Features Summary, click Add Features. Select the Group Policy Management check box, click Next, and then click Install.

After the Installation Results page shows that the installation of the GPMC was successful, click Close.

Click Start, point to Administrative Tools, and then click Group Policy Management.

In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy GPO that you want to edit.

Right-click the Default Domain Policy GPO, and then click Edit.

In the GPMC, go to Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

Right-click the Trusted Root Certification Authorities store.

Click Import and follow the steps in the Certificate Import Wizard to import the certificates.

The certificate for LDMS 9.6 and 9.6 SP1 can be found at C:\Program Files\LANDesk\ManagementSuite\rchtml5.cer

They can be found at this link as well… http://technet.microsoft.com/en-us/library/cc754841.aspx#BKMK_managedomain

This now has the certs required for 9.5, 9.5 SP1, and 9.5 SP2.

NOTE: If you would like to show the FQDN (ie. https://MachineName.domain:4343) instead of the short name (eg. https://MachineName:4343), be sure that when you sign into the console, it is using the FQDN for the Core server

Issue

After upgrading the core server to 2017.3, or applying a Service Update to 2017.3, Remote Control may fail for users that are not in the "LANDesk Administrators" group. The following error(s) may occur:

"The signed rights document was not valid. authentication failed." "You do not have rights to access the remote computer."

Cause

The 2017.3 Core uses different access for the folder "C:\Program Files\LANDesk\Shared Files\keys".

Resolution

Add the local group "LANDesk Management Suite" to "C:\Program Files\LANDesk\Shared Files\keys" with "Read & Execute" permissions on the core server.

In addition, "List Folder Contents" and "Read" permissions may resolve the issue.

Issue

You are remotely controlling a client computer using the Landesk legacy console.

You need to transfer some files to the computer but when you click the "file transfer" option, the "Landesk Remote Control" window shows a blank screen.

No logical volume seems to be detected on the remote client device.

Cause

This is a known issue that is currently being addressed by our engineering team.

Please note that this issue only occurs when doing a remote control session from a legacy remote console.

A bug report has already been opened for this issue: TFS 282932 - File Transfer UI is blank

Workaround

Customers experiencing this issue are advised to use the HTML5 remote control.

They may also initiate the remote control directly from the core server as only remote consoles are affected by this issue.

Issue

When remote control to a client computer, the window starts minimized and can't be opened to full screen.

Cause

The window has opened unsuccessfully one time for some reason. Then the window remembered the last setting of the window size.

Resolution

A registry key can control the windows size.

This will need to be modified and then the remote controlling computer will need to be modified.

[HKEY_USERS\S-1-5-21-3461657420-2590047586-3954473000-1140\Software\LANDesk\Instant Support Suite Console\Container]

"style"=dword:00000003

"style"=dword:00000001, normal size
"style"=dword:00000003, maximized size

*The string value 'S-1-5-21-3461657420-2590047586-3954473000-1140' here need to modified:

EPM Remote Control Tunnel

General Information

The new EPM Remote Control ( RC ) Tunnel is the new out of band RC methodology. This does not replace the Cloud Services Appliance ( CSA ) for Legacy and HTML5 Remote Control. It is only used for Remote Control WebSockets ( WS ). It is a stand alone installation that is supported on both Windows and CentOS Linux.

RCViewer Tunnel Information

• The Tunnel(s) are registered with the core via the RCViewer Authentication Service. This is an outbound connection from the core
• When launched, RCViewer contacts the core and requests any Tunnel information currently registered
• Device list is updated dynamically with the Tunnel

Tunnel Information

• Supports CentOS 6
  • Can be installed on the CSA
• Supports Windows Server OS's that are also supported for the EPM install
• Device Tunnel is installed on is not supported, only the Tunnel service
• Ports required; all communication is inbound
  • Viewer connects on port 44344
    • This will be an 'inbound internal TO tunnel internal interface'. This is based on the location a viewer might connect from
  • Client connects on port 44345
    • This will be an 'inbound any external TO tunnel external interface'
  • Core connects on port 44346
    • This will be an 'inbound Core(s) TO tunnel internal interface'
• Installation files located %LDMS_HOME%tunnel
  • Installation instructions are in a file named tunnel_readme.txt.
    • EPM 2018.3 RC Tunnel Installation and Configuration
• Supports 3rd party certificates. If not supplied, self-signed will be used
• Can be configured to allow only one core to connect
• Tunnel information added to core via Configure > 'Manage remote control tunnels'
  • Adding tunnel similar to adding CSA
  • Adding a tunnel required a Name and IP to be provided. The Name is for identification purposes only, is not the FQDN
  • If a Tunnel has an internal and external IP, you must add both for the core to connect internally and agents externally
• Tunnel information is added to agent settings similar to CSA
  • Only the external Tunnel config needs to be added to agent
  • Supports Dynamic and Direct settings
  • Supports Ordered List and Random