AGPM client fails to connect with 2022-01 CU


Markus Klocker

Jan 13, 2022, 5:06:47 AM
to ntsys...@googlegroups.com, patchma...@googlegroups.com, G.Born
Dear all,

just a heads up cause it might concern you.

We have a 20H2 machine with an AGPM client installed.
After installing 2022-01 CU the connection to the AGPM server failed.
After uninstalling the patch the connection to the server works again.
The 2019 server has the 2022-01 CU installed though.

The error in the client's log:
2022-01-13 10:21:23:1869726 [pid=8016,tid=3] [Error] Error in AgpmClient.Reconnect()
System.ServiceModel.Security.SecurityNegotiationException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.Security.Authentication.InvalidCredentialException: Either the target name is incorrect or the server has rejected the client credentials. ---> System.ComponentModel.Win32Exception: The logon attempt failed
   --- End of inner exception stack trace ---
   at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
   at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
   --- End of inner exception stack trace ---

Seems the patch breaks the auth process. Not much we can do except
waiting for a fix I guess.

    Markus

Markus Klocker

Jan 17, 2022, 3:04:23 AM
to ntsys...@googlegroups.com, patchma...@googlegroups.com
No one using AGPM any more?
It already would help if the issue could be confirmed.

    Markus

Charles F Sullivan

Jan 18, 2022, 10:26:51 AM
to ntsys...@googlegroups.com, patchma...@googlegroups.com
To answer your last question, at least one of us is still using AGPM. Server
is Windows 2012 R2, Client machine is 20H2 but I just noticed that the
January CU is waiting to be installed, so consider this the before and I'll
get back to you with the after later today.

I don't use the AGPM Client very often myself as we don't have any
controlled GPOs for our servers. I set it up long ago for our techs that
support workstations. When I do use the Client it's usually from a Windows
2019 Server.

I see that when I want a Differences HTML report I get an error, but I see
I'm getting the same from Windows 2019 and even Windows 2016. Other than
that it seems fine. We'll see how it is after the January CU is installed.

Charles F Sullivan

Jan 18, 2022, 1:00:33 PM
to ntsys...@googlegroups.com, patchmanagement@googlegroups.com
After installing the January CU on my 20H2 machine, I can access the AGPM server via Change Control in my GPMC.
--

Charlie Sullivan

Principal Windows Systems Administrator

Markus Klocker

Jan 19, 2022, 2:29:49 AM
to ntsys...@googlegroups.com
Has the AGPM server the 2022-01 patches installed?

Thanks for the info!
    Markus

Charles F Sullivan

Jan 19, 2022, 11:11:58 AM
to ntsys...@googlegroups.com
Our AGPM (Windows 2012 R2) server has not been patched yet for January. We won't be able to until next month.

Do you know if you are able to use the AGPM client on other OSes which have been patched with the January CU?

Markus Klocker

Jan 20, 2022, 1:44:28 AM
to ntsys...@googlegroups.com
Well I'm testing right now and it doesn't look promising at all.

21H2 => install GPO management RSAT => install AGPM client
Normally you can now open the GPO console, go to "Change Control" and everything should be fine.
Here is what I get:

When I click on something else and then on "Change Control":


No connection whatsoever. The log folder \AppData\Local\Microsoft\AGPM isn't even created!
Same on a freshly installed 20H2.
I did not yet try installing the machine and only patching 2021-12.
The AGPM server is on a server 2019 with KB5010791 (the fixed January).
On the server itself AGPM works fine.

    Markus

Markus Klocker

Jan 20, 2022, 3:05:20 AM
to ntsys...@googlegroups.com
Well, just learned that one has to install the WCF non-HTTP activation components so that the AGPM client and snap-in work!

The freshly installed 20H2 with an old patch level now connects fine to the AGPM server.
Once I install the 2022-01 patch no more connection:


Looks like opening a ticket with MS.

    Markus

Markus Klocker

Feb 10, 2022, 3:11:25 AM
to ntsys...@googlegroups.com
2022-02 CU still kills AGPM. Just reverted back to 2021-12 CU.
MS still not looked at the problem ... ticket still open.

    Markus


wearyITguy

Feb 14, 2022, 5:17:10 PM
to ntsysadmin
Any luck with your ticket? My organisation is getting this too. I'm thinking of logging a ticket...

Don Cerebro

Feb 15, 2022, 1:04:32 AM
to ntsysadmin
not right now, but they're saying that they're looking into it.

Markus Klocker

Feb 15, 2022, 4:27:56 AM
to ntsys...@googlegroups.com

Well they already have looked. They will try to reproduce which isn't that hard I guess.
Let's see how much love there is left for AGPM

    Markus


wearyITguy

Feb 17, 2022, 7:20:33 PM
to ntsysadmin
Thanks for the update... fingers crossed something comes out of it.

Markus Klocker

Feb 24, 2022, 1:09:00 AM
to ntsys...@googlegroups.com
We fear that MS has not much love left for anything.
Our ticket led us to Convergys.
I just can say that the thread is real!
We got the suggestion to install an Outlook patch to solve the problem!

Why do I get the feeling that this is like treating COVID with Ivermectin?

I don't expect anytime soon.

    Markus

wearyITguy

Feb 24, 2022, 9:41:14 PM
to ntsysadmin
LOL @  Ivermectin :)

That thread is insane. I can relate with very similar ongoing experiences with VMware support.

Well if any miracles happen and you manage to find a solution, please let us know!

Good luck!

Markus Klocker

Feb 25, 2022, 7:42:05 AM
to ntsys...@googlegroups.com
Dear all,

problem solved.
What did I do?
I replaced the server IP address with the FQDN.

In more detail, we have split DNS. So the AGPM client tried to connect to a DNS name outside of the domain which caused Kerberos to fail and fall back to NTLM.
Well exactly this was changed in 2022-01 CU and an article was published by MS.

So the question to those of you who still have the problem: do you use the server IP and do you have split DNS as well?

hth

    Markus



Charles F Sullivan

Feb 25, 2022, 3:56:39 PM
to ntsys...@googlegroups.com
On the client end, did you get Event 40970 in the System Log? I'm just wondering what to look for.


Markus Klocker

Feb 26, 2022, 2:50:55 PM
to ntsys...@googlegroups.com

Exactly that event.
The SPN in the event referenced a FQDN outside the domain which caused Kerberos to fail and the fallback to NTLM was blocked.

That made me look at the Server tab in AGPM where I found that the IP was used, which normally doesn't mean something bad.
And in our case that led to the problem.

Would be interesting for me to know if this is the case in the other failing AGPM setups.

    Markus
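
The client-side check discussed in the two messages above, as an added example that is not part of anyone's post: it lists Event 40970 entries from the System log and classifies the host part of the SPN each one names (IP address, or FQDN inside or outside the client's AD domain). The helper name Get-SpnHostKind and the regex used to pull the SPN out of the event message are assumptions of this example.

```powershell
# Added example, not from the thread. Run on the AGPM client after a failed connect.
# Assumption: the event's rendered message contains the SPN as service/host[/realm].

function Get-SpnHostKind {
    # Hypothetical helper: classifies the host part of an SPN against the AD domain.
    param(
        [Parameter(Mandatory)] [string] $Spn,
        [Parameter(Mandatory)] [string] $AdDomain
    )
    # SPN layout is service/host[:port][/name]; drop a trailing :port if present.
    $hostPart = ($Spn -split '/')[1] -replace '^([^:]+):\d+$', '$1'
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($hostPart, [ref]$ip)) { return 'IP address' }
    if ($hostPart -notmatch '\.')                              { return 'short name' }
    if ($hostPart -like "*.$AdDomain")                         { return 'FQDN inside domain' }
    return 'FQDN outside domain'
}

# DNS name of the domain this client is joined to.
$adDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

# Event 40970 in the System log, newest first; no error if none are present.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 40970 } `
                       -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Take the first service/host token found in the message text (assumed format).
    if ($e.Message -match '(?<spn>[A-Za-z][\w.-]*/[^\s/"]+(?:/[^\s"]+)?)') {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Spn         = $Matches['spn']
            HostKind    = Get-SpnHostKind -Spn $Matches['spn'] -AdDomain $adDomain
        }
    }
}
```

A HostKind of 'IP address' or 'FQDN outside domain' corresponds to the two conditions named in the thread: the server entered by IP, and an SPN pointing at a name outside the domain.
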

Matthias Stemmle

Oct 6, 2022, 4:47:17 AM
to ntsysadmin
Did you install .NET 3.5?