Asset Intelligence Synchronization Point: Online Service Account is not Provisioned

Hello,
We are receiving the error:
Asset Intelligence Synchronization Point: Online Service Account is not Provisioned.
The CM server is a Windows 2012, CM 2012 SP1 & CU1, and SQL 2012. I am not really sure what it may be; SUP and our old WSUS server (soon to be retired) talk to MS without issue, so I am pretty sure it is not network related.
Thank you.
From the AIUpdateSvc.log:
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:22:54 GMT:Reading persisted settings from registry
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:22:54 GMT:Using proxy: Server=http://proxy.MyDomain.local:8081/, Credentials=default
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:22:54 GMT:Next scheduled sync time: 04/02/2013 00:00:00; Polling Interval:900 seconds
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:37:54 GMT:Reading persisted settings from registry
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:37:54 GMT:Using proxy: Server=http://proxy.MyDomain.local:8081/, Credentials=default
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:37:54 GMT:Sync Now detected
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:37:54 GMT:Next scheduled sync time: 04/02/2013 00:00:00; Polling Interval:900 seconds
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:37:54 GMT:Authentication: Did not find machine certificate in ALM store
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:37:54 GMT:Enrollment Certicate Path is empty, use bootstrap cert
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:37:55 GMT:Created bootstrap cert from byte array
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:37:55 GMT:[Subject]
CN=e72756d8-8fe6-4bdd-90cb-31470ef06e18
[Issuer]
CN=CatalogServiceIssuingCert.manage.microsoft.com
[Serial Number]
9CB329404F8ED1B54559ECEED401C966
[Not Before]
6/19/2012 3:03:31 PM
[Not After]
6/19/2015 3:03:30 PM
[Thumbprint]
5059FF937ED6CD2F1FCAA83A79576150C99EF9AB
Asset Intelligence Catalog Sync Service Warning: 0 : Mon, 01 Apr 2013 12:39:35 GMT:WebException trying to enroll: Status = Timeout
Asset Intelligence Catalog Sync Service Error: 0 : Mon, 01 Apr 2013 12:39:35 GMT:Retrieve Machine Cert, Error - The operation has timed out
Asset Intelligence Catalog Sync Service Error: 0 : Mon, 01 Apr 2013 12:39:35 GMT:Exception attempting sync - The operation has timed out
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:39:35 GMT:Exception details:
Microsoft.AssetIntelligence.CatalogSyncException: The operation has timed out ---> System.Net.WebException: The operation has timed out
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.AssetIntelligence.CatalogService.ProcessRedirection(Uri uri)
at Microsoft.AssetIntelligence.CatalogService.GetWebRequest(Uri uri)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.AssetIntelligence.CatalogService.Enroll(String enrollmentRequest)
at Microsoft.AssetIntelligence.SyncAdapter.Enroll(X509Certificate2 bootstrapCert)
--- End of inner exception stack trace ---
at Microsoft.AssetIntelligence.SyncAdapter.Enroll(X509Certificate2 bootstrapCert)
at Microsoft.AssetIntelligence.CatalogUpdateSvc.RetrieveMachineCert()
at Microsoft.AssetIntelligence.CatalogUpdateSvc.DoWork()
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:39:35 GMT:1 Data/Status copied to outbox
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:54:35 GMT:Reading persisted settings from registry
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:54:35 GMT:Using proxy: Server=http://proxy.MyDomain.local:8081/, Credentials=default
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:54:35 GMT:Sync Now detected
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:54:35 GMT:Next scheduled sync time: 04/02/2013 00:00:00; Polling Interval:900 seconds
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:54:35 GMT:Authentication: Did not find machine certificate in ALM store
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:54:35 GMT:Enrollment Certicate Path is empty, use bootstrap cert
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:54:35 GMT:Created bootstrap cert from byte array
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:54:35 GMT:[Subject]
CN=e72756d8-8fe6-4bdd-90cb-31470ef06e18
[Issuer]
CN=CatalogServiceIssuingCert.manage.microsoft.com
[Serial Number]
9CB329404F8ED1B54559ECEED401C966
[Not Before]
6/19/2012 3:03:31 PM
[Not After]
6/19/2015 3:03:30 PM
[Thumbprint]
5059FF937ED6CD2F1FCAA83A79576150C99EF9AB

OK, fixed.  We fixed it by whitelisting the primary site server on the proxy.  Gerry Hampson suggested it here... 
https://social.technet.microsoft.com/Forums/en-US/a8719c37-1c24-47ae-b980-cb7b52aa3fe1/asset-intelligence-synchronization-point-status-online-service-account-is-not-provisioned?forum=configmanagergeneral
Shane Curtis
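
The two enrollment failures quoted on this page (a timeout and an HTTP 403) can be told apart mechanically. The following is an added example, not part of the original posts or of Configuration Manager: a Python parser that groups AIUpdateSvc.log lines into sync attempts and labels each enrollment failure. The sample log is constructed from the line formats quoted on this page; proxy.example.local, the field names and the labels are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the AIUpdateSvc.log line formats quoted on this page.
SAMPLE_LOG = """\
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:37:54 GMT:Reading persisted settings from registry
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:37:54 GMT:Using proxy: Server=http://proxy.example.local:8081/, Credentials=default
Asset Intelligence Catalog Sync Service Information: 0 : Mon, 01 Apr 2013 12:37:54 GMT:Authentication: Did not find machine certificate in ALM store
Asset Intelligence Catalog Sync Service Warning: 0 : Mon, 01 Apr 2013 12:39:35 GMT:WebException trying to enroll: Status = Timeout
Asset Intelligence Catalog Sync Service Error: 0 : Mon, 01 Apr 2013 12:39:35 GMT:Retrieve Machine Cert, Error - The operation has timed out
Asset Intelligence Catalog Sync Service Information: 0 : Fri, 12 Dec 2014 14:51:58 GMT:Reading persisted settings from registry
Asset Intelligence Catalog Sync Service Information: 0 : Fri, 12 Dec 2014 14:51:58 GMT:Redirected to URL
https://sc.microsoft.com/CatalogService/service.svc
Asset Intelligence Catalog Sync Service Warning: 0 : Fri, 12 Dec 2014 14:51:59 GMT:WebException trying to enroll: Status = ProtocolError
Asset Intelligence Catalog Sync Service Error: 0 : Fri, 12 Dec 2014 14:51:59 GMT:Retrieve Machine Cert, Error - The request failed with HTTP status 403: Forbidden.
"""

LINE = re.compile(
    r"^Asset Intelligence Catalog Sync Service (?P<level>\w+): \d+ : "
    r"(?P<ts>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) GMT:(?P<msg>.*)$"
)
PROXY = re.compile(r"Using proxy: Server=(.+?), Credentials=")
STATUS = re.compile(r"WebException trying to enroll: Status = (\w+)")
HTTP = re.compile(r"HTTP status (\d{3})")
ATTEMPT_START = "Reading persisted settings from registry"


def parse_attempts(text):
    """Split the log into sync attempts and record the enrollment outcome of each."""
    attempts, cur, prev_msg = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m:
            # Continuation line: stack frame, certificate dump, or the redirect target.
            if cur is not None and prev_msg == "Redirected to URL" and line.startswith("http"):
                cur["redirect"] = line
            prev_msg = ""
            continue
        ts = datetime.strptime(m["ts"], "%a, %d %b %Y %H:%M:%S")
        msg = prev_msg = m["msg"].strip()
        if msg == ATTEMPT_START:
            cur = {"start": ts, "proxy": None, "machine_cert_missing": False,
                   "redirect": None, "status": None, "http_status": None,
                   "seconds_to_failure": None}
            attempts.append(cur)
            continue
        if cur is None:
            continue  # excerpt began in the middle of an attempt
        if (p := PROXY.search(msg)):
            cur["proxy"] = p.group(1)
        elif "Did not find machine certificate" in msg:
            cur["machine_cert_missing"] = True
        elif (s := STATUS.search(msg)):
            cur["status"] = s.group(1)
            cur["seconds_to_failure"] = int((ts - cur["start"]).total_seconds())
        elif (h := HTTP.search(msg)) and cur["http_status"] is None:
            cur["http_status"] = int(h.group(1))
    return attempts


def classify(attempt):
    """Separate 'no answer at all' (timeout) from 'the service answered and refused'."""
    if attempt["status"] is None:
        return "no-enrollment-failure"
    if attempt["status"] == "Timeout":
        return "timeout-via-proxy" if attempt["proxy"] else "timeout-direct"
    if attempt["status"] == "ProtocolError" and attempt["http_status"]:
        return f"http-{attempt['http_status']}"
    return f"other-{attempt['status']}"


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a["start"], classify(a), f"{a['seconds_to_failure']}s",
              a["proxy"] or a["redirect"] or "-")
```

A `timeout-via-proxy` result is the situation the fix above addresses (whitelisting the primary site server on the proxy); an `http-403` result means the request reached the service and was refused, so the path to the service is open.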

Similar Messages

  • Asset Intelligence synchronization point failing to update, Status = Online Service account is not provisioned

    Has anyone seen or dealt with this issue?
    We are running SCCM 2012 R2 CU3 on Win 2008 R2 server and are having problems with our AI synch point where the Online Service Account is showing as not provisioned.  It's on the CAS and it synched months ago so it *was* working. 
    Attempted to uninstall and reinstall thinking that may help, but no luck.  Cannot locate anywhere to input an online service account or how to obtain one and we are not using a proxy to get out. Any help would be appreciated.
    Thanks
    Dave
    Errors in the AIUpdateSvc.log
    Asset Intelligence Catalog Sync Service Warning: 0 : Tue, 09 Dec 2014 19:04:19 GMT:WebException trying to enroll: Status = Timeout
    Asset Intelligence Catalog Sync Service Error: 0 : Tue, 09 Dec 2014 19:04:19 GMT:Retrieve Machine Cert, Error - The operation has timed out
    Asset Intelligence Catalog Sync Service Error: 0 : Tue, 09 Dec 2014 19:04:19 GMT:Exception attempting sync - The operation has timed out
    Asset Intelligence Catalog Sync Service Information: 0 : Tue, 09 Dec 2014 19:04:19 GMT:Exception details:
    Microsoft.AssetIntelligence.CatalogSyncException: The operation has timed out ---> System.Net.WebException: The operation has timed out
    - Dave

    Hello thanks for the reply... 
    nope, nothing blocking access to Microsoft. 
    I did see the 403 in the logs and when I throw
    https://sc.microsoft.com/CatalogService/service.svc into a browser in or outside our network I get a 403.
    Asset Intelligence Catalog Sync Service Information: 0 : Fri, 12 Dec 2014 14:51:58 GMT:Redirected to URL
    https://sc.microsoft.com/CatalogService/service.svc
    Asset Intelligence Catalog Sync Service Warning: 0 : Fri, 12 Dec 2014 14:51:59 GMT:WebException trying to enroll: Status = ProtocolError
    Asset Intelligence Catalog Sync Service Error: 0 : Fri, 12 Dec 2014 14:51:59 GMT:Retrieve Machine Cert, Error - The request failed with HTTP status 403: Forbidden.
    Asset Intelligence Catalog Sync Service Error: 0 : Fri, 12 Dec 2014 14:51:59 GMT:Exception attempting sync - The request failed with HTTP status 403: Forbidden.
    - Dave

  • Partner signup for Intune - your existing Microsoft Online Services account is not eligible for one or more partner benefits

    When trying to add my Partner Intune rights to my Microsoft Online services account, I get the error;
    Note: your existing Microsoft Online Services account is not eligible for one or more partner benefits.
    Learn more
    Does anybody know how to work around this?

    Hi Mathew, this worked for me:
    1. Sign into your Microsoft Partner account
    2. Go to Orders & Benefits
    3. Select Download Software
    4. Click on Microsoft Online Services
    5. Under MPN Online Services click Expand products
    6. You should see Windows Intune; click this
    7. There is one final link to click
    This should add your Intune licenses to your portal
    Martin

  • SCVMM 2008 R2 - "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS)."

    I know this question has been asked before, but never for R2, that I can tell, and the posted fixes aren't working. I have just installed SCVMM 2008 R2 on a Windows Server 2008 R2 server, using a remote SQL 2008 SP1 database. When I attempt to connect to SCVMM, I get the following error:
    "The SQL Server service account does not have permission to access Active Directory Domain Services (AD DS).
    Ensure that the SQL Server service is running under a domain account or a computer account that has permission to access AD DS. For more information, see "Some applications and APIs require access to authorization information on account objects" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=121054.
    ID: 2607"
    What I've seen online is that this is usually because the domain account SCVMM is running as does not have the proper permissions on the SQL database. Here's what I've confirmed:
    1) My SCVMM service account is a local admin on the SCVMM server
    2) My SCVMM service account is a dbowner on the SCVMM database in SQL
    3) My SQL service account is a dbowner on the SCVMM database in SQL
    4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
    5) Neither service account is locked out
    Has anyone run into this? It says in Technet that remote SQL 2008 is supported, as long as the SQL management studio is installed to the SCVMM server, and I installed and patched before I began the SCVMM installation. I just don't know what else to try - I have no errors in event logs, no issues during the installation itself...
    Andrew Topp

    That answer was very unhelpful fr33m4n. The individual mentions that they've received the error that points to the KB article. I currently receive the same error -- there seems to be no resolution. I've run the Microsoft VBS script to add TAUG to the WAAG as suggested by 331951, and that made absolutely no difference.
    1) My SCVMM service account is a local admin on the SCVMM server
    2) My SCVMM service account is a dbowner on the SCVMM database in SQL
    3) My SQL service account is a dbowner on the SCVMM database in SQL
    4) My SQL service account is a domain user (even made it a domain admin, just in case, and it still "doesn't have access to AD DS," which is obviously untrue)
    The user is also a member of WAAG, the machines have delegated authority to each other. Is there any other solution?

  • SQL server agent job running as Agent Service Account whose service account does not have r/w access but is still able to write?

    Hi. I am newer to SQL server security and am reviewing some of our SQL server's configuration to make sure the services are running under accounts with least privilege. I have a SQL server 2012 instance whose Agent service is configured to run under an AD user account named 'SQLServices'. The jobs on this server are configured to run as 'SQL server agent service account', which means they should execute as user 'SQLServices'. The jobs are set up to execute SSIS packages which read and write to a database on the same server where the agent job is scheduled and SSIS package installed (all on same server). The jobs are currently executing without error and are reading and writing data correctly. Upon close examination, it turns out the SQLServices account is not assigned to the 'sysadmin' role and had no users mapped to any databases on this server. How are these jobs working? I verified in profiler that the login name indeed is 'SqlServices'. I also verified that SQLServices login has no database access by remote-ing onto the server and trying to log into the DB, and access was denied as expected. According to the literature, the Agent service needs to be a member of 'sysadmin role' but I am reading some cases where that is not necessarily the case. So this is not so concerning. What is concerning is that the login 'SQLServices' had no access to the databases on that server yet it is reading and writing to the databases as if it does. The only thing I can think of is maybe jobs run as 'SQL server agent service account' on the same server as the databases it r/w to somehow has some kind of default access. What am I missing here? Any input would be helpful.

    After 2 days on this forum I found the answer to my own question.  In retrospect, I should have posted this under 'SQL Server Security', but I didn't know it existed.
    The 2 threads below explain that Sql agent actually runs using SID (service) NT SERVICE\SQLSERVERAGENT if you chose that when you installed. This will automatically create an associated login NT SERVICE\SQLSERVERAGENT in SQL server with sqladmin role. This is the login that Agent uses to connect to the local instance of SQL server. If you changed to domain account to run the service during install or after using config manager, basically NT SERVICE\SQLSERVERAGENT is still used to connect to your local instance behind the scenes (even though you will still see your domain user as account), and the domain account is used to reach outside the server.
    https://social.msdn.microsoft.com/Forums/sqlserver/en-US/9e6bb2de-8fd0-45de-ab02-d59bbe05f72e/servicedatabase-accounts-nt-servicemssqlserver-nt-servicesqlserveragent-what-are-they-for
    https://social.technet.microsoft.com/Forums/sqlserver/en-US/b83a52fd-fe11-4c28-a27b-88be8ae79f2a/how-do-i-change-sql-server-agent-service-account-to-nt-servicesqlserveragent?forum=sqlsecurity

  • Cellular - Suddenly "No Service" and "SIM not provisioned" iPad 2 and mini

    I have an iPad 2 and an iPad mini and occasionally sign up for AT&T cellular service on both, has always worked and never had a problem, until now!
    Suddenly on BOTH iPads I see "No Service" and if I check network in settings I see "SIM not provisioned"?
    My question is, does anybody know what has happened, especially as it has happened to both of my iPads, what it means and how I can resolve it?
    I was reluctant to post as I see lots of similar posts on line, but couldn't anywhere find a solution.

    Talk to your carrier, it's their sim problem.

  • Can't add Office Online Services account to Outlook 2010

    Yesterday, one of our employees changed his webmail password, which is necessary when that password expires, every three months. But now Outlook doesn't accept his new password.
    I've checked the password again, changed it to another one, deleted the email profile from windows and created another one, but without success...
    Does anyone have any advice to solve this? Thanks in advance!

    Hi,
    What is the error message that you get when Outlook doesn't accept the new password? What is the account type?
    The issue may be caused by the corrupted credentials cache, I suggest you remove the credentials from Windows Credentials Manager, then re-add the account to Outlook, check if then the new password can be accepted:
    1. Launch the Credential Manager (from [Control Panel] and [User Settings])
    2. In the Windows Credentials section you’ll see a setting for [MS Outlook]. Click the downward-pointing arrow to the right of that value
    3. The section will expand to show further details. Under those details is a link to Remove from vault. Click this and Outlook will no longer have a stored copy of your password
    Hope this helps.
    Regards,
    Melon Chen
    TechNet Community Support

  • Directory Synchronization with different Service Account Permissions than "Enterprise Admin"

    Hello,
    I would like to ask whether there is a way to install and configure DirSync tool with the account different than Enterprise Admin. Please let me know if there are alternate methods to accomplish that.
    Thanks,
    NerKO

    No.
    This screen will not allow you to continue without Enterprise Admin rights.  Understand however, this account is used for 5 seconds, and not saved anywhere once the wizard completes.
    Mike Crowley | MVP
    My Blog --
    Planet Technologies

  • Online Service Assistant-iPhone Not Activated

    Hi,
    I was just checking the warranty status of my new iPhone 3G S (purchased and activated 26th June 2009) to see the length of technical support I have left. After entering in my serial number I get the following message
    "Our records indicate this product has not been activated. Learn how to activate your iPhone. Please note that warranty service is not dependent on activating your iPhone."
    Any ideas? Should i visit the Apple shop? (Only 5 minutes away)
    Thanks for any help in advance.
    Chris

    Visiting an Apple Store might be the best way .. or you can call Apple Support. Since it's Monday morning there, either would work. Likely just some data base glitch .. unless you mis-read or mis-typed the S/N. If the phone is working, it is activated.
    Phil

  • Asset Intelligence Update Service Point fails to update

    Hello,
    as the title says, for a couple of days now, the Site- and Component Status has been showing a critical error for the Asset Intelligence Synchronization Point, stating that the Update Service Point cannot be updated.
    The system running is CM 2012 SP1 CU1 on a Server 2008 R2 SP1 Host with an SQL 2012 SP1 installation on the same machine. The AI Point syncs just fine and I can't "see" any errors in daily business tasks. 
    The AIUSSetup.log states that AIUS.msi could not be installed. Checking the AIUSMSI.log, I find the "error": AIUSDetectDowngrade_ErrorMessage = A newer version of the SCCM Asset Intelligence Update Service Point is already installed. Which
    makes the MSI abort. Seems okay to me, but it retries every 60 minutes... is this a known behaviour/error? How could I fix this or turn the update off, if the whole thing's okay?
    Cheers,
    Fred

    It's been a while since I posted this question and I've found a way to get this running.
    The entire error message is a bit confusing, as the source was simple - the AI Update Service Point Service timed out when trying to start. Manually executing AIUS.msi, thus getting access to AI_UPDATE_SERVICE_POINT under services, which did not show up
    earlier, then changing the startup type to delayed and changing the ServicesPipeTimeout value to 60 seconds in the registry (HKLM\SYSTEM\CurrentControlSet\Control) and then rebooting did the trick. Everything's working fine now.
    Cheers,
    Fred

  • SCCM 2012 SP1 - Asset Intelligence

    Hi All,
    Need your advice on the below query please,
    I have not enabled Asset intelligence synchronization point in SCCM 2012 SP1 but enabled Hardware Inventory, Software Inventory, Software Metering. Can I still pull reports related to hardware/software since I didn't enable Asset intelligence point?
    Please advise
    Regards, Pratap

    From
    https://technet.microsoft.com/en-us/library/gg681998.aspx#AssetIntelligenceSycnronizationPoint:
    "The Asset Intelligence synchronization point is a Configuration Manager site system role used to connect to System Center Online (by using TCP port 443) to manage dynamic Asset Intelligence catalog information updates."
    and
    "In addition to downloading new Asset Intelligence catalog information, the Asset Intelligence synchronization point can upload custom software title information to System Center Online for categorization."
    Thus, as Torsten stated, the AI sync point has *nothing* to do with actually gathering or reporting on information in your site unless you actually want the supplemental software categories, labels, and families defined in the catalog. Note that to
    use the AI reports though, you must enable the AI classes in hardware inventory:
    https://technet.microsoft.com/en-us/library/gg712322.aspx#BKMK_EnableAssetIntelligence
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Asset Intelligence - Licence 14A Microsoft Volume Licensing Reconcilation report - Zero Inventory Count

    I have a SCCM 2012 SP1 Installation. I have set the client to report software and hardware inventory every 1 day. I have installed the Asset Intelligence Synchronization Point and sync it with Microsoft. I have enabled all the AIS Reporting Classes
    to be reported on.
    I have had the clients deployed for several days and I am getting no reporting on the inventory count. Software Metering and other reports are working fine. Could I please have some guidance on how to resolve this? Which logs in particular may resolve my issue?

    Yes, I know this is an old post, but I’m trying to clean them up. Did you solve this problem, if so what was the solution?
    Garth Jones | My blogs: Enhansoft and
    Old Blog site | Twitter:
    @GarthMJ

  • Should I use Managed Service Accounts or individual, Domain User accounts?

    I'm setting up a new SP 2013, and I'm trying to be very granular as it relates to "Least Privilege".
    I'm trying to figure out which accounts could be created as Managed Service Accounts (MSA's) and which ones truly need to be created as Domain User accounts in order to run either specific SQL and/or SharePoint services.
    At face value, I *think* any service could be successfully run using an MSA and yet any installation of either SQL Server 2012 and/or SharePoint 2013 should be done using a Domain User account created for that specific purpose (i.e., SP_FARM, SP_ADMIN, SQL_ADMIN,
    etc.). In fact, I *think* the installation would HAVE to be done with an actual Domain User account, because (unless I'm wrong), MSA's do not have a shell and therefore CAN'T log on...which is by design?
    Here's a Microsoft TechNet article that lists many of the accounts I'm referring to:
    https://social.technet.microsoft.com/wiki/contents/articles/14500.sharepoint-2013-service-accounts.aspx
    Note that it says MOST of the accounts are Domain accounts, but I don't *think* all of these need to BE
    Domain accounts - I think MOST of them could be created as MSA's and assigned to run the specific service without any problems whatsoever?
    So again, my question is: which accounts could be created as Managed Service Accounts (MSA's) and which ones truly need to be created as Domain User accounts in order to run either specific SQL and/or SharePoint service or to even perform a
    successful installation of the software?
    Ed

    No, script 1 does not create Active Directory Managed Service Accounts (see here:
    http://blogs.technet.com/b/askds/archive/2009/09/10/managed-service-accounts-understanding-implementing-best-practices-and-troubleshooting.aspx) These are not applicable to SharePoint and are not mentioned in any of those scripts, look at the PowerShell
    commandlets, they are very different.
    Script 1 creates active directory users. These are, as far as AD cares, just standard user objects. There is nothing at all special about them in AD.
    At some point you would install SharePoint using those accounts, during that process they get registered in SharePoint as SharePoint Managed Accounts.
    Script 2 updates the settings on those managed accounts in bulk.

  • Group managed service accounts for SQL Server

    Hey guys,
    Unfortunately I missed that (g/s)MSAs aren't supported yet for SQL Servers, but I've been using them without any worries for ages.
    As I dug a bit deeper I found differing information in the related TechNet entries. So it seems Microsoft's information about (s)MSAs and gMSAs isn't consistent.
    I'm not a SQL Server guy and use SQL only for System Center testing stuff, so I would like to get the real-world experience of SQL Server guys.
    Should I continue using gMSAs or are there any worries I should know about?
    some sources I found so far:
    Not supported:
    "Hi Adam,
    Thank you for your feedback. Windows Server 2012 Group Managed Service Account is not currently supported as SQL 2012 released earlier than Windows Server 2012. We will consider to support gMSA in future SQL Server release.
    Regards,
    Min He, Program Manager, SQL Server"
    11.2012 -
    https://connect.microsoft.com/SQLServer/feedback/details/767211/gmsa-for-sql-server-failover-Clusters
    gMSA are not yet available, are not yet supported for SQL Server. gMSA exist and are available and supported in Windows Server 2012 and higher. SQL does not support them, but from an OS perspective, they exist and are supported.
    http://blogs.msdn.com/b/sqlosteam/archive/2014/02/19/msa-accounts-used-with-sql.aspx
    Within the FAQ, Task Scheduler isn't supported either ...
    http://technet.microsoft.com/en-us/library/ff641729%28WS.10%29.aspx
    ... but PFEs are also using them for tasks... this is confusing... 0o
    http://blogs.msdn.com/b/arvindsh/archive/2014/02/03/managed-service-accounts-msa-and-sql-2012-practical-tips.aspx
    supported?:
    Configure Windows Service Accounts and Permissions
    ... New Account Types Available with Windows 7 and Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/ms143504(v=sql.110).aspx#Default_Accts
    The MSA must be created in the Active Directory by the domain administrator before SQL Server setup can use it for SQL Server services.
    Other sources don't mention s/gMSAs...
    I couldn't find clear information about using gMSA for SQL Server 2014,
    only the same page, which also looks like the page for 2008 R2 and SQL 2012.
    Configure Windows Service Accounts and Permissions
                SQL Server 2014        
    http://msdn.microsoft.com/en-us/library/ms143504.aspx
    annoying topic so far... ;) 

    Hi Enrico
    aside from what Dan says about the risk for support, on which I agree, the following thread may clear it up a bit:
    http://social.msdn.microsoft.com/Forums/sqlserver/en-US/acb2048c-ffce-4d44-b882-6aafc7eb689d/managed-service-accounts-to-run-sql-server-service?forum=sqlsecurity
    Andreas Wolter (Blog |
    Twitter)
    MCM - Microsoft Certified Master SQL Server 2008
    MCSM - Microsoft Certified Solutions Master Data Platform, SQL Server 2012
    www.andreas-wolter.com |
    www.SarpedonQualityLab.com

  • Question : Service Accounts for SQL Server 2012

    Hello,
    I am planning to create AD accounts for SQL Server 2012 services that will be installed on Windows 2012 server.
    I was reading the following
    Configure Windows Service Accounts and Permissions
    and
    Windows Privileges and Rights
    Is there a recommendation / document that would list the association of SQL Server Services with Active Directory service accounts / privileges required for installation and starting the services?
    Isn't it recommended to create separate account for every service and they should not be local accounts ?
    Hope to hear soon as to what industry standards are being followed for production systems ?
    Thank you very much in advance.
    Regards
    Nikunj

    From MSDN:
    Each service in SQL Server represents a process or a set of processes to manage authentication of SQL Server operations with Windows. Each service can be configured to use its own service account. This facility is exposed
    at installation. SQL Server provides a special tool, SQL Server Configuration Manager, to manage the services configuration.
    When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more privileges. You also need to consider account isolation; the service accounts should
    not only be different from one another, they should not be used by any other service on the same server. Do not grant additional permissions to the SQL Server service account or the service groups.
    From Glenn Berry's Blog:
    You should request that a dedicated domain user account be created for use by the SQL Server service. This should just be a regular, domain account with no special rights on the domain. You do not need or want this account to be a local admin on the machine
    where SQL Server will be installed. The SQL Server setup program will grant the necessary rights on the machine to that account during installation.
    You will also want a separate, dedicated domain user account for the SQL Server Agent service. If you are going to be installing and using other SQL Server related services such as SQL Server Integration Services (SSIS), SQL Server Reporting Services (SSRS),
    or SQL Server Analysis Services (SSAS), you will want dedicated domain accounts for each service. The reason you want separate accounts for each service is because they require different rights on the local machine, and having separate accounts is both more
    secure and more resilient, since a problem with one account won’t affect all of the SQL Server Services.
    Depending on your organization, getting these domain accounts created could take anywhere from minutes to weeks to complete, so make sure to allow time for this. For each one of these accounts, you will need their logon credentials for the SQL Server setup
    program. You are going to want to make sure that the accounts don’t have a temporary password that must be changed during the next login. If they are set up that way, make sure to change them to use a strong password, and record this information in a secure
    location.
    Thanks,
    Shashikant
