Distribution/management point in non trusted domain

Hoping somebody can clarify a situation for us on distribution points on a machine in a non trusted domain.
We are assuming that this distribution point uses the same certificate that the primary distribution point uses.
Is this correct? When we try this it says that certificate is already in use and do we want to continue.
Thanks in advance.
Thanks Lance

Hi,
Please configure the CEP/CES web service; the following blog is for your reference.
https://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
Best Regards,
Joyce Li

Similar Messages

  • Documentation on setting up DP, MP in non trusted domain USING HTTPS

    Is there any documentation that specifically talks about setting up a site system in a non trusted domain with management point and distribution point and communication using HTTPS?
    I see some examples but none of them talk about the certificates that are required on the DP and MP in the non trusted site server.
    Thanks Lance

    Hi Jason,
    I am stumped (and not a certificate guru) and not sure how to get certs based on the Config Manager Web Server template and Config Manager Distribution Client Template into the machine (Secondary MP/DP) that is in the untrusted domain. I hear you about the untrusted domain part not making a difference. Our secondary MP/DP in the untrusted domain does have the root certificate in the trust root store.
    I have tried MMC certificates, certreq and have tried to go directly to the CA (https://caserver/certsrv) but in neither case do the Config Manager Distribution Client nor Config Manager Web Server templates show up.
    Conversely, in the domain that the CA Server resides, I can request both of these certs in the MMC certificate plugin.
    I am certain I am missing something.
    We used this technet document to set up the certificate templates, etc.
    http://technet.microsoft.com/en-us/library/gg682023.aspx
    Thanks Lance

  • OSD Across a Non-Trusted Domain

    Hello All,
    Thank you in advance for the help. I am trying to validate a configuration I would like to put in place for a client.
    The client has Configuration Manager 2012 set up to manage computers in a non-trusted domain with no MPs in the non-trusted domain. There are DPs in the non-trusted domain. The site runs in an https configuration for these clients. We have configured a subordinate
    CA in their forest that trusts the CA in the forest that hosts the ConfigMgr site servers and all certs are working fine.
    My question: Will OSD function correctly for computers in the non-trusted domain? Or do I need to have an MP in the non-trusted domain as well?
    Thanks!

    Hi Jason,
    Yes, you are correct - there are multiple HTTP MPs that are reachable from the non-trusted forest's computers on the Intranet. There is also an HTTPS MP in the DMZ which is reachable from the internal network as well (we use split-brain DNS for this). The
    DMZ MP in HTTPS mode can handle the requests from the non-trusted forest's clients and I envision DPs being configured in the non-trusted forest's domain in HTTPS mode to provide the DP service for the non-trusted domain's clients.
    One of the other respondents indicated that they believed this config would work as long as the client could reach a PXE enabled DP. I don't see a reason this won't work as well with a boot image with a cert on it or via Software Center, right?
    Does this configuration sound kosher?
    Thank you!

  • Gateway server in non trusted domain

    I have been trying to monitor a non trusted domain from SCOM 2012 R2. All servers are running Server 2012 R2 and this is running in a home lab.
    I have added the trusted root certificate to both the gateway server and the SCOM management server. 
    SCOM Management Server is OM01.Corp.ViaMonstra.Com.
    Gateway Server is BMC-DC01.BMC.Intern.
    Both of these servers have the trusted root cert for ViaMonstraRootCA.
    I then created an OpsMgr certificate by copying the ipsec(offline request) and making a new template. This has server and client authentication.
    I requested this on both the gateway server and the management server and exported it from the user store and into the local computer store (with the private key). 
    I also ran MOMCERTIMPORT on both servers, only one cert showed up on each server which was the one I created and imported into the personal area of the local computer store.
    I have checked that the FQDN name of the management server appears in the required opsmanager registry keys and also the required tls2.1 keys are in place.
    I have also run the gateway approval tool which ran with success and installed the gateway server role using the opsmgr install media.
    I see the event 20053 stating the opsmgr connector has loaded the specified authentication certificate successfully.
    Yet I will get the events 20057,21001,20071,21016
    Any ideas what else I can try?

    Try these -
    1) http://social.technet.microsoft.com/Forums/ie/en-US/e478b734-b631-4daa-a752-e4557ad21fd7/gateway-unable-to-connect-to-management-server?forum=operationsmanagergeneral
    2) http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&lc=en&docname=c03381439
    3) http://www2.wolzak.com/index.php/news-mainmenu-2/10-opsmanager/15-the-opsmgr-connector-could-not-connect-to-msomhsvcrms01local
    4) http://www.assemblein.info/system-center/steps-to-resolve-scom-2012-gateway-server-error-unmonitored-state/
    Thanks, S K Agrawal

  • SCCM 2012 R2 - Management Point deployment to untrusted domain

    Hi all,
    we've got two domains in our environment which have no trust relationship. I have sccm 2012 r2 installed on a Windows 2012 R2 server in the larger domain and have just installed a DP and MP on a Windows 2008 R2 server in the second, smaller domain. The Management Point installed ok according to mpmsi.log but the problem I'm having is that the mpcontrol.log is now repeatedly throwing up the following message:
    Call to HttpSendRequestSync failed for port 80 with status code 500, text:Internal Server Error
    On the dp/mp server in the smaller domain I can browse to http://sccm-dp1/ ok. I can also browse to http://sccm-dp1/sms_mp/.sms_aut?MPCert ok. I cannot browse to http://sccm-dp1/sms_mp/.sms_aut?MPList (receive a HTTP 500 error).
    In addition to this, every now and again the MP tries to connect to the SQL DB in the other domain. This fails with the following errors:
    MPStart(): RegisterWithWINS() returned 0x0  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    CMPControlManager::PublishInDNS: DnsReplaceRecordsInSet() failed with status 9002.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    MPStart(): PublishInDNS() returned 0x0  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    EnableBranchCache(): configuration has not been changed.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    MPStart(): EnableBranchCache() returned 0x0  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    Successfully Registered for IP Address Change notifications.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    MPStart(): RegisterForIPAddressChangeNotification() returned 0x0  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    Attempting to register the SQL connection type for the configured SQL database.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    Registered connection type for SQL Server 'xxxxxxxxx' and database 'xxxx\xxx_xxx'.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    MPStart(): RegisterSqlDatabaseConnectionType() returned 0x0  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    Checking the current CLR Enabled configuration setting for the configured SQL Server hosting the database.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    Getting the CLR Enabled value from the configured SQL database.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    Attempting to connect to the configured SQL database.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    Impersonating using the SQL connection account; user name is now 'xxxxxxxxx'.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:23:04  1924 (0x0784)
    *** [08001][10060][Microsoft][SQL Server Native Client 11.0]TCP Provider: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    *** [HYT00][0][Microsoft][SQL Server Native Client 11.0]Login timeout expired  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    *** [08001][10060][Microsoft][SQL Server Native Client 11.0]A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    *** Failed to connect to the SQL Server, connection type: MP_CONTROL_ACCESS.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    Failed to get connection to the configured SQL database.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    Failed to connect to the configured SQL database.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    Reverting back from using the SQL connection account.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    Failed to get the current CLR Enabled configuration setting for the configured SQL Server hosting the database.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    MPStart(): CheckSqlDatabaseClrEnabled() returned 0x800720d9  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    Waiting up to 300 seconds for the SMS Agent Host service to be running.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    Stopped waiting for the SMS Agent Host service to be running; Result = 0x0.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    MPStart(): WaitOnSmsAgentHostRunning() returned 0x0  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    MPStart(): CreateThread() succeeded with id 0x2fc.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    SMS_MP_CONTROL_MANAGER successfully STARTED.  SMS_MP_CONTROL_MANAGER  01/04/2015 17:28:10  1924 (0x0784)
    Can anyone provide any suggestions as to where I should begin troubleshooting this issue? When I deployed the MP to the smaller domain I ensured it had a Management Point Connection Account which could access the SQL DB in the larger domain. I'm wondering if the two error messages I'm receiving are related or whether I have two separate issues here?
    Thanks for the help!

    Hi Paul,
    thanks for taking the time to help. I registered asp.net v4 with IIS as per your suggestion, unfortunately it hasn't made much difference and I'm still seeing the "Call to HttpSendRequestSync failed for port 80 with status code 500, text:Internal Server Error" message repeating in mpcontrol.log. Have you got any further suggestions of things to try? Seems like an error message I really need to fix!
    As far as the MP to SQL issue goes, the network team assured me the connection is allowed but I might get them to double check this just in case.
    Thanks

  • SCOM Agent in Pending Management with two way trusted domain

    Hello Guys,
    I have two trusted domains abc.com & xyz.com with two-way trust forest-wide authentication enabled and my SCOM 2012 R2 Management server is part of abc.com. And there are multiple hosts which are part of domain xyz.com. When I am pushing the agent from the SCOM console to a server, the agents are getting installed with a success message in the task pane, but my agents are now in Pending Management.
    for this I am getting Event ID 20002 opsmgr connector with following message "A device at IP 10.1.1.6:54277 attempted to connect but could not be authenticated, and was rejected." on SCOM Server.
    And below message on the server where I am installing the agent.
    Event 20071 OpsMgr Connector
    The OpsMgr Connector connected to SCOM.abc.com, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log
    on the server and on the agent for events which indicate a failure to authenticate.
    Event 21016 OpsMgr Connector
    OpsMgr was unable to set up a communications channel to SCOM.abc.com and there are no failover hosts.  Communication will resume when fabSCOM2.nmfab.loc is available and communication from this computer is allowed.
    Event 20070 OpsMgr Connector
    The OpsMgr Connector connected to SCOM.abc.com, but the connection was closed immediately after authentication occurred.  The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received
    configuration.  Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
    Need help to resolve this, can anyone help me?
    Thanks in Advance.
    NM-BG

    Hi,
    Here I suspect an authentication issue.
    1. Could you please check if ports 88, 389 & 3268 are opened between the client domain controller and the management server.
    2. If the ports are already open, collect netmon traces on both client and management server simultaneously and check if there are any Kerberos errors.
    Kind Regards,
    Naveen Kumar B
    ~Bommi

  • How to assign clients to alternate management point

    Hi Guys
    Does anyone know how to reassign clients to another management point on the same site?
    We have 3 separate locations connected by a vpn, our main site has a primary site server with the management point role and the other 2 locations are just distribution and management point servers.
    I have built another distribution/management point server at the primary server site location as I want to take some of the roles off the primary site server as it's overloaded. All my clients at this site are already assigned to the primary site server management point but I want to assign them to the new distribution/management point at the same site.
    Was going to uninstall the management point role of the primary site server so that just my new server would have this role at this location. If I do this, will the clients automatically assign themselves to the only available management point at this site or will they break?

    The clients always request a list of available MPs. If you deinstall a MP it will not be on that list anymore, so the clients will automatically go to another available MP.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Distribution manager failed to connect to the distribution point

    After upgrading my distribution point to windows server 2012 standard I can't distribute content to my distribution point.
    I see the following error.
    source: SMS Server
    Component: SMS_DISTRIBUTION_MANAGER
    message id 2391
    Distribution Manager failed to connect to the distribution point Check your network and firewall settings.
    The firewall is not enabled. 
    wbemtest is able to connect to the remote server that has the distribution point role installed.
    The network access account is working.
    How do I fix this?

    but why does it most of the time work? I did inplace upgrade at least 6 times from 2008 R2 to 2012 R2 and every DP except one works fine.
    I'm not completely sure, but I think, my faulty one, that I'm trying to get working, was working correctly after the inplace upgrade. But as I said, that is only a theory, I'm just curious if that's possible.
    I have the same issue as described above.
    The IT guys from LukOIL

  • Distribution manager failed to create the defined share or folder on distribution point and failed to connect to remote distribution point

    We have recently upgraded a remote distribution point to SCCM 2012 R2 CU4. When I try to distribute the package I get the error on the distribution point configuration status "Distribution manager failed to create the defined share or folder on distribution point and failed to connect to remote distribution point"
    Errors on the package transfer log file.
    CWmi::Connect() could not connect to \\XXXXXXXX.COM\root\SCCMDP. error = The operation completed successfully.. Will try FQDN
    CWmi::Connect() failed to connect to \\XXXXXXX.COM\root\SCCMDP. error = The RPC server is unavailable.
    Failed to connect to the DP WMI namespace on the remote DP

    Thanks Sandys for your suggestions.
    I have tried wbemtest from the site server (Secondary site) and the remote DP server. Receiving "The RPC server is unavailable" from both ends.
    error:0x800706ba - The RPC server is unavailable

  • Management point and Distribution point behind netscaler for virtual ip/dns name

    Is it supported to place a server behind a netscaler for using a virtual IP/DNS name?
    We are looking into placing our distribution points and management points behind the netscaler to provide firewall functionality.
    We would point our clients to a different DNS name for each individual MP and DP to provide routing through the netscaler.
    As far as I know this is only possible using IBCM.
    Please let me know if this is possible without IBCM internally.

    Using a different DNS name is problematic as there is no way to specify an alternate fqdn for a site system on the intranet. Clients use the actual fqdn of the system hosting the role; this is given out by the MP directly to the client based upon the site
    system's actual name.
    You could manipulate name resolution in a variety of ways so ultimately the actual IP used wouldn't matter, but that's useless unless the client is using the proper name.
    If you could use the same name and IP, then it should work no problem as long as the traffic is properly delivered to the site system. Ultimately, nearly all client agent to site system traffic is nothing more than WebDAV via IIS on the site system so
    just basic web traffic.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Distribution Point creation failed. possible cause : distribution manager does not have the sufficient access right to the computer

    Hi All,
    I had this really disturbing experience with SCCM 2012 SP1.
    OS: 2008r2 Enterprise 64bit
    Possible cause: Distribution Manager does not have sufficient rights to the computer.
    Solution: Verify that the site server computer account is administrator of the computer.
    Distmgr.log says:
    DPConnection::Disconnect: Revert to self  SMS_DISTRIBUTION_MANAGER  5/26/2014 7:34:30 AM  16280 (0x3F98)
    DPConnection::Connect: For ["Display=\\PNGBRANCHSERVER.xxx\"]MSWNET:["SMS_SITE=SSM"]\\PNGBRANCHSERVER.xxx\, logged-on as ssm\sccmadmin  SMS_DISTRIBUTION_MANAGER  5/26/2014 7:34:30 AM  16280 (0x3F98)
    DPConnection::Connect: For ["Display=\\PNGBRANCHSERVER.xxx\"]MSWNET:["SMS_SITE=SSM"]\\PNGBRANCHSERVER.x\, logged-on as ssm\sccmadmin  SMS_DISTRIBUxxx ON_MANAGER  5/26/2014 7:34:30 AM  16280 (0x3F98)
    Failed to find a valid drive on the distribution point ["Display=\\PNGBRANCHSERVER.xxx"]MSWNET:["SMS_SITE=SSM"]\\PNGBRANCHSERVER.ssm.com.myx
    DPConnection::Disconnect: Revert to selfxxx  MS_DISTRIBUTION_MANAGER  5/26/2014 7:34:30 AM  16280 (0x3F98)
    DPConnection::Disconnect: Revert to self  SMS_DISTRIBUTION_MANAGER  5/26/2014 7:34:30 AM  16280 (0x3F98)
    GetContentLibLocation() failed  SMS_DISTRIBUTION_MANAGER  5/26/2014 7:34:30 AM  16280 (0x3F98)
    Failed to get the content library path on server PNGBRANCHSERVER.  SMS_DISTRIBUTION_MANAGER  5/26/2014 7:34:30 AM  16280 (0x3F98)
    Failed to install DP files on the remote DP. Error code = 16389  SMS_DISTRIBUTION_MANAGER  5/26/2014 7:34:30 AM  16280 (0x3F98)
    STATMSG: ID=2370 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SCCMSVR. SITE=SSM PID=2660 TID=16280 GMTDATE=Sun May 25 23:34:30.428 2014 ISTR0="["Display=\\PNGBRANCHSERVER.ssm.com.my\"]MSWNET:["SMS_SITE=SSM"]\\PNGBRANCHSERVER.\" ISTR1="PNGBRANCHSERVER.S" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=404 AVAL0="["Display=\\PNGBRANCHSERVER.\"]MSWNET:["SMS_SITE=SSM"]\\PNGBRANCHSERVER.ssm.com.my\"  SMS_DISTRIBUTION_MANAGER  5/26/2014 7:34:30 AM  16280 (0x3F98)
    I have tried many of the solutions provided; unfortunately nothing positive happened.
    Appreciate your input before engaging premier support.
    Thank you

    Hi,
    NO_SMS_ON_DRIVE.SMS
    This file is used to prevent Configuration Manager from installing binaries to a volume. By default, when you install System Center 2012 Configuration Manager on a remote Site System, the SMS Site Component Manager Service installs the binaries (files and
    folders) for the Site System on the NTFS-formatted volume that contains the most free space. You may want to use an NTFS volume other than the default volume for your remote Site Systems by preventing ConfigMgr from enumerating certain NTFS volumes.
    In order to prevent CM from enumerating an NTFS volume, on the remote server you can create a text file that is named NO_SMS_ON_DRIVE.SMS and put this file in the root folder of all NTFS volumes where you do not want to install the binaries (SMS folder) for the ConfigMgr components.

  • SCCM - Branch Distribution point and Management point on the same server

    Hi All,
    Would like to know if any other SCCM roles like management point , distribution can be installed on the same server on which a branch distribution point is installed?
    Rgs,

    Hi,
    Branch Distribution Points no longer exist in Configuration Manager 2012 and above.
    I'm assuming you want to install additional roles on an existing server that is currently only acting as a Distribution Point and the answer is yes, this is possible, but it depends on which other roles you want to install and there will probably be some
    prerequisites needed.
    Can you elaborate on which roles you are considering installing? 
    Steven Hodson | http://www.stevenhodson.com | @_hodders

  • Management point location for workgroup clients in DMZ

    Hi All,
    I am trying to install the SCCM 2012 client to some servers that are located in a workgroup and in a DMZ at our organization.
    I have read up about the config for this and I think that we have everything in place but the clients themselves are not locating a management point which I think is due to the setup of the IIS on the management points.
    Firstly, I amended the local hosts file on the system to ensure that the server could resolve the SCCM site server and 2 management points by using NetBIOS and FQDN. I also checked that the ports are opened from the client to the management point.
    I then ran ccmsetup using the following switches /noservice /mp=smsmp SMSSITECODE=XXX SMSSLP=SMSMP FSP=SMSSITESERVER CCMHTTPPORT=24555 CCMHTTPSPORT=24556 RESETKEYINFORMATION=TRUE which appears to have successfully installed the client but is now failing to communicate with the MP specified. I am seeing on the client the following repeated in the locationservices.log
    <![LOG[Raising event:
    instance of CCM_CcmHttp_Status
                DateTime = "20141127153834.775000+000";
                HostName = "SMSMP";
                HRESULT = "0x87d0027e";
                ProcessID = 4004;
                StatusCode = 401;
                ThreadID = 5184;
    ]LOG]!><time="15:38:34.775+00" date="11-27-2014" component="LocationServices" context="" type="1" thread="5184" file="event.cpp:715">
    <![LOG[Successfully sent location services HTTP failure message.]LOG]!><time="15:38:34.962+00" date="11-27-2014" component="LocationServices" context="" type="1" thread="5184" file="ccmhttperror.cpp:396">
    <![LOG[Error sending HEAD request. HTTP code 401, status 'Unauthorized']LOG]!><time="15:38:34.962+00" date="11-27-2014" component="LocationServices" context="" type="3" thread="5184" file="util.cpp:2568">
    <![LOG[Workgroup client is in Unknown location]LOG]!><time="15:38:34.962+00" date="11-27-2014" component="LocationServices" context="" type="1" thread="5184" file="lsad.cpp:1078">
    <![LOG[[CCMHTTP] ERROR: URL=http://SMSMP, Port=24555, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!><time="15:38:34.993+00" date="11-27-2014" component="LocationServices" context="" type="1" thread="5184" file="ccmhttperror.cpp:297">
    And on the management point I am seeing the following repeated in the IIS logs
    x.x.x.x HEAD / - 24555 - x.x.x.x SMS+CCM+5.0 - 401 2 5 216 0
    I understand that this points to the IIS authentication issue so I have tried browsing to http://smsmp.domainname.com/sms_mp/.sms_aut?mplist and
    I do get a list of management points returned so I'm a little confused now. The other thing that confuses me is that we also have another domain we manage clients
    in and these systems have all registered with the MP fine even though there is no trust relationship in place between the 2 domains.
    I have checked anonymous authentication has been enabled on the SMS_MP virtual directory but I can see that it is set to use a user account of IUSR, but this is not a local user on the MP nor an AD user from what I can see.
    Is anybody able to point me in the correct direction of either what I am doing wrong or which settings I should be checking?
    Thanks in advance for any help
    Andrew

    You mention in your ccmsetup install properties: CCMHTTPPORT=24555 CCMHTTPSPORT=24556
    While the MPList test you provided shows:
    http://smsmp.domainname.com/sms_mp/.sms_aut?mplist
    This is on port 80
    Where is your MP? Port 80 or 24555 ?
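
The port question raised in the reply above can be checked directly from the client log. The following is an added example, not code from the thread or from Configuration Manager: it parses CMTrace-format entries like the LocationServices.log excerpt, extracts the host and port the client actually used, and flags a manual test URL that hit the same host on a different port. The sample log is constructed from the excerpt in the question; the function names and the first-DNS-label host comparison are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the LocationServices.log excerpt in the question.
# One entry has a multi-line message and one has attributes wrapped onto a second line.
SAMPLE_LOG = r'''<![LOG[Raising event:
instance of CCM_CcmHttp_Status
    HostName = "SMSMP";
    HRESULT = "0x87d0027e";
    StatusCode = 401;
]LOG]!><time="15:38:34.775+00" date="11-27-2014" component="LocationServices" context="" type="1" thread="5184" file="event.cpp:715">
<![LOG[Error sending HEAD request. HTTP code 401, status 'Unauthorized']LOG]!><time="15:38:34.962+00" date="11-27-2014" component="LocationServices" context="" type="3"
thread="5184" file="util.cpp:2568">
<![LOG[Workgroup client is in Unknown location]LOG]!><time="15:38:34.962+00" date="11-27-2014" component="LocationServices" context="" type="1" thread="5184" file="lsad.cpp:1078">
<![LOG[[CCMHTTP] ERROR: URL=http://SMSMP, Port=24555, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!><time="15:38:34.993+00" date="11-27-2014" component="LocationServices" context="" type="1" thread="5184" file="ccmhttperror.cpp:297">
'''

# An entry is <![LOG[message]LOG]!><key="value" ...>; DOTALL lets a message span lines.
ENTRY_RE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
CCMHTTP_RE = re.compile(
    r'\[CCMHTTP\] ERROR: URL=(?P<url>[^,]+), Port=(?P<port>\d+),.*?Text=(?P<text>\S+)'
)
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_cmtrace(text):
    """Return one dict per log entry: the trailing attributes plus 'message'."""
    entries = []
    for match in ENTRY_RE.finditer(text):
        entry = dict(ATTR_RE.findall(match.group("attrs")))
        entry["message"] = match.group("msg").strip()
        entries.append(entry)
    return entries


def short_host(name):
    """Assumption: hosts are matched on their first DNS label, case-insensitively."""
    return name.split(".")[0].lower()


def http_failures(entries):
    """Extract host, port and error text from [CCMHTTP] ERROR entries."""
    failures = []
    for entry in entries:
        match = CCMHTTP_RE.search(entry["message"])
        if match:
            host = urlsplit(match.group("url")).hostname
            failures.append({
                "host": short_host(host),
                "port": int(match.group("port")),
                "text": match.group("text"),
                "time": entry.get("time"),
            })
    return failures


def port_mismatch(tested_url, failures):
    """List client failures on the tested host whose port differs from the test URL's."""
    parts = urlsplit(tested_url)
    tested_port = parts.port or DEFAULT_PORTS[parts.scheme]
    host = short_host(parts.hostname)
    seen, result = set(), []
    for failure in failures:
        key = (failure["host"], failure["port"])
        if failure["host"] == host and failure["port"] != tested_port and key not in seen:
            seen.add(key)
            result.append({"host": host, "client_port": failure["port"],
                           "tested_port": tested_port})
    return result


if __name__ == "__main__":
    entries = parse_cmtrace(SAMPLE_LOG)
    manual_test = "http://smsmp.domainname.com/sms_mp/.sms_aut?mplist"
    for item in port_mismatch(manual_test, http_failures(entries)):
        print("client used port %(client_port)d on %(host)s, "
              "manual test used port %(tested_port)d" % item)
```
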

  • Network challenge - trusted domains

    Within my organization, I have two domains A and B. There is a Classic ASP web intranet application hosted in an IIS server in Domain B (Windows Authentication enabled, all other authentication modes disabled). As far as I know, A and B are in a Domain Trust relationship.
    The problem here is, when users logged in to Domain A try to access the web application mentioned above, it prompts for the Domain
    B user id and password. My understanding is that since both domains are trusted, Domain A users should also be able to access the web application. Please suggest any possible
    reasons for this behavior.

    The App Pool Identity seems to be one using Classic Mode, and it has "No Managed Code" selected.
    The application hosted is developed using Classic ASP.
    This has nothing to do with the identity
    REF: Application pool identity
    The site is not added in the IE trusted zones - we cannot do this on all client computers. I am looking
    for whether there exists some Active Directory/Network setting that displays this prompt.
    You can do it with a GPO, but meantime you can do it manually on a client just for troubleshooting purpose
    REF: How to configure Internet Explorer security zone sites using group polices
    Not sure whether the IIS host trusted for delegation or not. Could you please let me know what
    it does?
    Delegates IIS to request a kerberos ticket on behalf of the user
    Some info here: http://www.adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx
    This post is provided AS IS with no warranties or guarantees, and confers no rights.

  • Getting Error The trust relationship between the primary domain and the trusted domain failed in SharePoint 2010

    Hi,
    SharePoint 2010 Backup has been taken from production and restored through Semantic Tool in one of the servers. The web application of which the backup was taken is working fine.
    But the problem is that SharePoint is not working correctly. We cannot create any new web application, cannot navigate to the ServiceApplications.aspx page, it shows an error. Even the Search and UserProfile Services of the existing Web Application are not working. Checking the SharePoint Logs I found the below exception
    11/30/2011 12:14:53.78  WebAnalyticsService.exe (0x06D4)         0x2D24 SharePoint Foundation          Database                     
     8u1d High     Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15' 
    11/30/2011 12:14:53.78  WebAnalyticsService.exe (0x06D4)         0x2D24 SharePoint Foundation          Topology                     
     2myf Medium   Enabling the configuration filesystem and memory caches. 
    11/30/2011 12:14:53.79  WebAnalyticsService.exe (0x06D4)         0x12AC SharePoint Foundation          Database                     
     8u1d High     Flushing connection pool 'Data Source=urasvr139;Initial Catalog=SharePoint_Config;Integrated Security=True;Enlist=False;Connect Timeout=15' 
    11/30/2011 12:14:53.79  WebAnalyticsService.exe (0x06D4)         0x12AC SharePoint Foundation          Topology                     
     2myf Medium   Enabling the configuration filesystem and memory caches. 
    11/30/2011 12:14:55.54  mssearch.exe (0x0864)                    0x2B24 SharePoint Server Search       Propagation Manager          
     fo2s Medium   [3b3-c-0 An] aborting all propagation tasks and propagation-owned transactions after waiting 300 seconds (0 indexes)  [indexpropagator.cxx:1607]  d:\office\source\search\native\ytrip\tripoli\propagation\indexpropagator.cxx 
    11/30/2011 12:14:55.99  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
     75dz High     The SPPersistedObject with
    Name User Profile Service Application, Id 9577a6aa-33ec-498e-b198-56651b53bf27, Parent 13e1ef7d-40c2-4bcb-906c-a080866ca9bd failed to initialize with the following error: System.SystemException: The trust relationship between the primary domain and the trusted
    domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection
    sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()    
    at Microsoft.SharePoint.Administration.SPAcl`1.Add(String princip... 
    11/30/2011 12:14:55.99* OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
     75dz High     ...alName, String displayName, Byte[] securityIdentifier, T grantRightsMask, T denyRightsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)    
    at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider
    persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state) 
    11/30/2011 12:14:56.00  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Topology                     
     8xqx High     Exception in RefreshCache. Exception message :The trust relationship between the primary domain and the trusted domain failed.   
    11/30/2011 12:14:56.00  OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Timer                        
     2n2p Monitorable The following error occured while trying to initialize the timer: System.SystemException: The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection
    sourceSids, Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
    targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, Byte[] securityIdentifier, T grantRightsMask,
    T denyRightsMask)     at Microsoft.SharePoint.Administrati... 
    11/30/2011 12:14:56.00* OWSTIMER.EXE (0x1DF4)                    0x1994 SharePoint Foundation          Timer                        
     2n2p Monitorable ...on.SPAcl`1..ctor(String persistedAcl)     at Microsoft.SharePoint.Administration.SPServiceApplication.OnDeserialization()     at Microsoft.SharePoint.Administration.SPIisWebServiceApplication.OnDeserialization()    
    at Microsoft.SharePoint.Administration.SPPersistedObject.Initialize(ISPPersistedStoreProvider persistedStoreProvider, Guid id, Guid parentId, String name, SPObjectStatus status, Int64 version, XmlDocument state)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(Guid
    id, Guid parentId, Guid type, String name, SPObjectStatus status, Byte[] versionBuffer, String xml)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.GetObject(SqlDataReader dr)     at Microsoft.SharePoint.Administration.SPConfigurationDatabase.RefreshCache(Int64
    currentVe...
    Please guide me on the above issue; this will be of great help.
    Thanks.

    I have the same error. Verified trust, ports, cleaned up cache... nothing has helped.
    The problem is caused by the User Profile Synch Service:
    UserProfileProperty_WCFLogging :: ProfilePropertyService.GetProfileProperties Exception: System.SystemException:
    The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids,
    Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
    targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[]
    identifier, T grantRightsMask, T denyRigh...        
    08/23/2014 13:00:20.96*        w3wp.exe (0x2204)                      
            0x293C        SharePoint Portal Server              User Profiles                
            eh0u        Unexpected        ...tsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)    
    at Microsoft.Office.Server.Administration.UserProfileApplication.get_SerializedAdministratorAcl()     at Microsoft.Office.Server.Administration.UserProfileApplication.GetProperties()     at Microsoft.Office.Server.UserProfiles.ProfilePropertyService.GetProfileProperties()
    Please let me know if you found any solution for this.
    Regards,
    Kunal  
