Non Domain computers accessing Report Manager.

Similar Messages

• Non-domain computers not reporting

  I have a few machines that are not joined to the domain, but use our domain joined WSUS server.  Never had a problem before, but this problem seems to have started when I did the migration to 2012 R2.  I used the TechNet migration procedures that
  I later found can be somewhat problematic.  I just discovered that the computers not joined to the domain are having issues.  I'm still trying to confirm whether they're actually getting updates, but the certainly aren't reporting.
  I have confirmed the clients cannot contact http://myserver/selfupdate/wuident.cab.  I've looked at permissions in IIS, but the only article I've found is for WSUS 3.2 (https://technet.microsoft.com/en-us/library/dd939903(v=ws.10).aspx).  It talks
  about anonymous access being enabled for reportingwebservice and I verified it is.  I've also found people reference a ReportingWebService virtual directory in IIS, but I only see it as an application and not a virtual directory so I'm guessing they changed
  the way that works since all my domain joined machines work just fine.  Can anyone provide a 2012 R2 reference to setting permissions correctly so I can confirm that?
  I'm getting these errors in WindowsUpdate.log:
  WU client failed Searching for update with error 0x80244019
  WARNING: GetAuthorizationCookie failure, error = 0x80244019, soap client error = 10, soap error code = 0, HTTP status code = 404
  WARNING: Failed to initialize Simple Targeting Cookie: 0x80244019
  WARNING: PopulateAuthCookies failed: 0x80244019
  WARNING: RefreshCookie failed: 0x80244019
  WARNING: RefreshPTState failed: 0x80244019
  WARNING: PTError: 0x80244019
  WARNING: Reporter failed to upload events with hr = 80244019.
  WARNING: Cached cookie has expired or new PID is available

  I have confirmed the clients cannot contact http://myserver/selfupdate/wuident.cab.
  It looks like you have not included the port number, 8530 is used by default with 2012R2. Try http://myserver:8530/selfupdate/wuident.cab.
  If you find the answer of assistance please "Vote as Helpful"and/or "Mark as Answer" where applicable. This helps others to find solutions for there issues, and recognises contributions made to the community :)

• SCSM 2012 Portal change from http to https to get silverlight to work on non domain computers?

  Hi
  Wanting to change our Self Service Portal from http to https and make it accessible from non domain computers.
  Non domain computers - the sharpoint parts load (the silverlight does not load). Domain computers can access the portal with no problem.
  Does this mean I need to reinstall the portal or can it be changed while in operation now?
  Would something like the below link be enough to get https going?
  http://blogs.technet.com/b/babulalghule/archive/2013/01/10/how-to-create-alternate-url-for-service-manager-self-service-portal.aspx
  Thanks!

  the silverlight part not loading due to SSL certification. import the certification into non domain computer will fix this issue.

• MBAM on Workgroup (non-domain) Computers

  Hi,
  is it possible to manage non-domain computers with MBAM to deploy bitlocker?
  assuming policy is set by local policy or registry settings.
  thanks ahead,

  I was thinking the same as it was pointed in this thread - you will not be able to store keys on SQL database, because it´s relied on AD:
  http://social.technet.microsoft.com/Forums/en-US/8eea1337-9cc7-47d4-87ca-83428abdce83/mbam-for-work-group-computers?forum=mdopmbam

• Scom monitoring non domain computers

  hello experts
  i have scom 2012 and want to monitor non domain computers (servers in dmz)
  i have created new template in ca server then create new certificates for dmz server and scom rms server.
  now i have connection between two servers but there is an authentication error.
  hear are logs.
  please help
  log from dmz computer
  Log Name:      Operations Manager
  Source:        OpsMgr Connector
  Date:          29/09/2014 10:54:51
  Event ID:      20071
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      SRV-AB-WWW1.somebank.am
  Description:
  The OpsMgr Connector connected to scom.somebank.am
  , but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which
  indicate a failure to authenticate.
  Event Xml:
  <Event xmlns="">
    <System>
      <Provider Name="OpsMgr Connector" />
      <EventID Qualifiers="49152">20071</
  EventID>
      <Level>2</Level>
      <Task>0</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-09-29T06:54:51.000000000Z" />
      <EventRecordID>2163</EventRecordID>
      <Channel>Operations Manager</Channel>
      <Computer>SRV-AB-WWW1.somebank.am</Computer>
      <Security />
    </System>
    <EventData>
      <Data>scom.somebank.am</Data>
    </EventData>
  </Event>
  scom rms computer
  Log Name:      Operations Manager
  Source:        OpsMgr Connector
  Date:          29/09/2014 11:18:57
  Event ID:      21010
  Task Category: None
  Level:         Error
  Keywords:      Classic
  User:          N/A
  Computer:      SRV-SCOM1.somebank.local
  Description:
  The OpsMgr Connector negotiated the use of mutual authentication with 192.168.169.40:53552, but Active Directory is not available and no certificate is installed. A connection cannot be established.
  Event Xml:
  <Event xmlns="">
    <System>
      <Provider Name="OpsMgr Connector" />
      <EventID Qualifiers="49152">21010</EventID>
      <Level>2</Level>
      <Task>0</Task>
      <Keywords>0x80000000000000</Keywords>
      <TimeCreated SystemTime="2014-09-29T07:18:57.000000000Z" />
      <EventRecordID>1269145</EventRecordID>
      <Channel>Operations Manager</Channel>
      <Computer>SRV-SCOM1.somebank.local</Computer>
      <Security />
    </System>
    <EventData>
      <Data>192.168.169.40:53552</Data>
    </EventData>
  </Event>
  telnet to 5723 port from dmz server to scom rms server is ok

  PS C:\Users\administrator.AMERIABANK>  C:\Users\administrator.AMERIABANK\Desktop\1.ps1
  This script will inspect Local Machine certificate
  store and registry settings. This will take several seconds...
  Script will check certificates to match the following requirements:
          Subject equals computer FQDN
          Certificate is time valid
          Certificate has private key and it supposed for computer certificate
          KeySpec is set to 1
          Certificate Application Policies (in former EKU) contains both Server and Client Authentication
  WARNING: OpsMgr Agent is already configured to work with certificate, but this certificate don't exist in
  WARNING: LocalComputer store or not match all certificate requirements.
  To resolve this issue, obtain new certificate from trusted Certification Authority
  using the following instructions: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5
  and install it by running the following command: MOMCertImport /Subject SRV-SCOM1.ameriabank.local

• Restrict non-domain computers

  Does anyone know if it is possible to restrict access based on domain membership or an AD Group?
  The purpose is to restrict non-domain computers even if the client has a legitimate domain credential to use for authentication.

  That is correct. The only way to restrict these computers would be to make a rule (above your auth group policies), that states the specific IPs / subnets are granted certain / no access.
  As long as the rule is above all your auth rules, it will trigger first and take precedence. Be sure to disable WBRS for this rule as well, since there is a potential for +6 sites to be allowed.

• Non-Domain computers via VPN

  I am not sure if this a right forum for this. I have some non-domain devices that are coming in to my network via VPN (VPN client). can someone tell me on how to deny these non-devices coming in to my network. Is their a configuration in the VPN concentrator to deny non-domain computers? please advise

  Did u deploy IPSEC in ur VPN network?.If snot, u just deploy IP SEC on all the peers and the VPN server.
  IPSEC is a 2 phase VPN security provider.This IPsec along with IKE provides double level security.
  With this ipsec, we configure some security parameters like hostname or remote ip address , pre-shared key etc on both ends(server and peer).When a non-domain client tries to access ur VPN, the vpn server may authenticate the in coming client using either ip address or host name and it wil contact with a aaa server or its own database for validating the user.
  If u r using an external server for validating the incoming users, u must go for aaa server externally.
  For a complete detail of deploying vpn with ipsec,
  http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278c.html#wp1045493

• Exchange 2010 Autodiscocer for non-domain computers.

  Hello. I have problems with autodiscover for non -domain computers. Somebody can explain me in turn what i must do for configuration. 

  Hi,
  For your Non-domain joined clients, the Outlook would connect to Exchange mailbox from the Internet. We need to enable Outlook Anywhere for your external users:
  Enable-OutlookAnywhere -Server:Exch10 -ExternalHostname:mail.contoso.com
  -ClientAuthenticationMethod:Ntlm -SSLOffloading:$true
  For autodiscover service, when Outlook is started on a client that is not domain-connected, it first tries to locate the Autodiscover service by looking up the SCP object in Active Directory. Because the client is unable to contact Active
  Directory, it tries to locate the Autodiscover service by using Domain Name System (DNS). In this scenario, the client will determine the right side of the user’s email address, that is, contoso.com, and check DNS by using two predefined URLs. For example,
  if your email address is [email protected], Outlook will try the following two URLs to try to connect to the Autodiscover service:
  https://contoso.com/autodiscover/autodiscover.xml
  https://autodiscover.contoso.com/autodiscover/autodiscover.xml
  For more information about autodiscover service in Exchange 2010, please refer to:
  http://technet.microsoft.com/en-us/library/jj591328(v=exchg.141).aspx
  Therefore, you don’t need to change any configuration for Autodiscover. Just make sure your Exchange certificate which is assigned with IIS service has included aotodiscover.contoso.com name and the certificate is valid and trusted for external
  user using. If not, please create a new SRV record for your autodiscover service and pointed to
  mail.contoso.com. For more information about SRV record of autodiscover, please click:
  http://support.microsoft.com/kb/940881
  Regards,
  Winnie Liang
  TechNet Community Support

• Configure DHCP to add non domain computers to DNS

  Hi
  We would like to add non domain computers automaticallly to DNS through our DHCP server.
  The reason is that we actally use Linux and our Linux admins would like the machines automatically to DNS when receiving a IP.
  I assumed that it was just a matter of selecting "Always dynamically update DNS A and PTR records" on the IPv4 scope option, but it doesn't seem to work?
  Lasse
  /Lasse

  I started out changing that setting to "Dynamically update DNS records for DHCP clients that do not request updates" but it didn't seem to work.
  I then changed "Always dynamically update DNS A and PTR records" and it didn't work. Then I tried having both settings set and then it worked. I then removed "Always dynamically update DNS A and PTR records" since it shouldn't be necessary
  and then it still worked..... :-)
  Lasse
  /Lasse

• Non Domain Computers Becoming Master Browser

  Hello,
  I am troubleshooting an issue with the master browser service when an external user connects his workgroup laptop to our domain network and wins the election.
  The network consists of a domain controller which has the following registry settings
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster = True
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList = Yes
  All the client computers that are connected to the domain have IsDomainMaster = False and MaintainServerList = No.
  When an external user connects to the network with a laptop that isn't part of the domain it causes a master browser election and wins. All the servers and client computers list only media devices instead of all the computers and servers on the network.
  Is there a way to prevent non domain computers from becoming the master browser without changing registry settings on that computer?
  Thanks
  Jon

  Hello,
  The TechNet Wiki Forum is a place for the TechNet Wiki Community to engage, question, organize, debate, help, influence and foster the TechNet Wiki content, platform and Community.
  Please note that this forum exists to discuss TechNet Wiki as a technology/application.
  As it's off-topic here, I am moving the question to the
  Where is the forum for... forum.
  Karl
  When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
  My Blog: Unlock PowerShell
  My Book:
  Windows PowerShell 2.0 Bible
  My E-mail: -join ('6F6C646B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

• 401.2 Error Accessing Report Manager

  I concede defeat on this one.  I've gone through every configuration option I can think of in order to get this working so I am bowing to those who know more than I do!
  I've got a native installation of SSRS 2008 R2 running on W2K8 R2.  Straightforward installation and configuration with the service running under Network Service.  Local DB Engine which has the ReportServer and ReportServerTempDB deployed on to.
  But when when I try and run Report Manager to add users as system admins I keep hitting the
  401.2: Unauthorized: Logon failed due to server configuration.  To try and overcome this I have done the following:
  Run IE as administrator
  Disabled UAC
  Checked, double-checked and triple-checked Windows authentication configuration for report server.  RSreportserver.config authentication is configured for RSWindowsNTLM, and the web.config files for Report Server and Report Manager authentication is
  set to Windows.
  The server URL (i.e. http://<servername>) is added to the list of Trusted Sites in IE.
  I'm just looking to use NTLM for authentication purposes.  I have configured SSRS countless times without issue, but this one has got me stumped and it seems whatever I do I can't get around this 401.2 error.  Looking in Event Viewer, an ASP.NET
  2.0.50727.0 error is logged whenever I'm running the webpage with the following details:
  Event code: 4007
  Event message: URL authorization failed for the request
  Request URL: http://<my server>/Reports/folders/pages.aspx
  Request path: /Reports/folders/pages.aspx
  User host address: ::1
  User: <My network account>
  Is authenticated: True
  Authentication: NTLM
  Thread account name: <My network account>
  Any thoughts?

  Hi SQLPhil,
  According to your description, you configured SSRS 2008 R2 on Windows Server 2008 R2 and use Network Service as service account. When you tried to access report manager, you got the error message: 401.2: Unauthorized: Logon failed due to server configuration.
  The error message means that you do not have permission to view this directory or page using the Admin credential. The error occurs when the authentication methods that were tried are either disabled, or you are attempting to use NTLM through a proxy server.
  To troubleshoot the problem, please refer to the following steps:
  Make sure ReportServerURL element in rsreportserver.config (default location: C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer)have value that is equal to the Web Service URL.
  Add report manager and web service FQDN to IE trusted sites.
  Click Tools at top right of IE, click Internet Options.
  In Security tab, click Custom Level button.
  Scroll down to the end of the list, and select "Automatic logon with current user and password”.
  Access the report server with FQDN instead of localhost, E.g.
  http://servername/Reports.
  For more information about the error message, please refer to the following KB:
  http://support.microsoft.com/kb/253667
  If you have any more questions, please feel free to ask.
  Thanks,
  Wendy Fu
  If you have any feedback on our support, please click
  here.
  Wendy Fu
  TechNet Community Support

• Non Domain User Access to Report Server

  HI Team,
  I am Back with another question. These days i am working on SSRS web services as a part of that i need to provide user access to non domain users to the report manager which is residing in a virtual machine and also when i use the report service web service
  URL it is asking for virtual machine's windows credentials and as per my client's requirement i should not be prompted with VM'S windows credentials.
  Also, we are providing end users with a login page and this login page is connected to a separate User's database  in the VM and how to register these non domain users in the report server database
  and also reort manager. please help me out of this issue. 
  Thank you.

  Hi NB515,
  In Reporting Services, if we connect to Report Manager out of domain, then we need provide a domain username and password can we access to it. If you want to skip this step, you can configure anonymous access for the report server. However,anonymous access
  is not recommended as it may give direct access to your report server or report projects to any one who know the URL of your Reporting Services. But in case you still want to try it, you can refer to the link below to see it:
  http://blog.quasarinc.com/ssrs/sql-server-reporting-services-2012-anonymous-access/
  If you have any questions, please feel free to ask.
  Regards,
  Charlie Liao
  TechNet Community Support

• RemoteApp file associations for non-domain computers

  I have a customer with a simple AD domain, and some joined and some workgroup computers, all windows 8.1 pro. I want to connect them to my remote app service. We want to create a "default connection" for this remote app service, specifically for
  the file type associations. We tried using the default connection group policy, but credentials are a problem. The remote app service has its own domain. So the "default connection" created by the group policy is trying to use the local logon credentials.
  Is there a way to specify what default credentials are to be used for the remoteapp "default connection" using credential manager? Or is there a better way to accomplish remote app file type associations all together using non-domain joined Windows
  8.1 and 2012R2 remote app on a different domain?

  Hi,
  For your case, you can try the following way. You can create the RDP file as what you want and then publish that RDP file as RemoteApp with default user credentials. When non-domain joined system will get access to RD Web they will launch the RemoteApp as they
  are using the other apps, the RDP file App will first get connect to the RDS Farm server name which is displayed and try to resolve that name through gateway or any other method which is configured. Once got resolve it will use the default user credentials
  to connect to that user and then the user can use that RDP file to connect to the respective Server.
  Apart for file type association you can go through the detailed article for more information.
  Windows Server 2012 RemoteApp and Desktop Connections: Default Connections and File Type Associations
  http://blogs.msdn.com/b/rds/archive/2013/05/21/windows-server-2012-remoteapp-and-desktop-connections-default-connections-and-file-type-associations.aspx
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• PEAP authentication for domain & non-domain computers

  Hello Everyone,
  Some of our users have laptops that are not in the domain and are unable to connect to the wireless network. Although their computers aren't in the domain, the users do have an AD account and are currently a part of the security group attached to the Wireless NPS policy. The only remedy I have for this problem is to manually add the SSID to their computer which defeats the purpose of this wireless network. The ultimate goal is to allow the user to connect to the wireless network by entering their domain credentials and moving on.
  We have a WLC 2504 running 7.4.110.0 with 15 1602i APs. The SSID is configured to pass 802.1x EAP authentication to NPS running on windows 2008 R2. With mobile phones and tablets, the authentication is successful without a hitch so I don't understand why a non-domain computer is unable to connect without manually entering the SSID. In the WLC log, I will see entries such as:
  "AAA Authentication Failure for UserName:host/LastNameFirstInitial-LT.mydomain.Local User Type: WLAN USER".
  By examining this log entry, to me it says the domain profile on the computer is being sent to the NPS for authentication instead of the username and password. We have a  3rd party SSL certificate installed on the NPS server. 
  Taking it one step further - We have a second SSID for guest users that is configured with the same setup except that the NPS is configured to accept authentication attempts from a single AD user called "mydomain\guest". We decided on this approach for the guest wireless network so that we can rotate the password automatically every week with a vbscript that manipulates the password via LDAP. Users with laptops in different domains are unable to connect to the guest wireless network and I'm starting to think the machine authentication is a problem. 
  Any suggestions would be greatly appreciated.
  Thanks,
  Ali.

  Hi Ali,
  That’s all part of the wonderful world of wireless on Windows.
  When a connection to a WLAN is made on a windows machine, by selecting it from available Wireless Networks list (Passive RF Scan), and Windows as parsed the 802.11 AP Beacon to contain the WPA2, 802.1X element, by default it will attempt to connect with known or active session credentials.
  Typically it will be Machine account (they all have them whether on a Domain or not) and then /Or User. This order and preference may change depending on version of Windows (Vista to Windows 8) and service pack level.
  Regardless the only thing you can count of for sure is that the first authentication attempt from a windows client will not involve the user entering information. Once the first attempt fails the Windows supplicant will prompt the user for login information via a notification in the system tray, which may or may be noticed by the user. May or may not stay for more than 5 seconds.
  Windows XP and Vista were the worst for this. Windows 7 and Windows 8 this process and recovery and user prompt mechanism is greatly improved but not infallible.
  The only way to avoid this would be to manually configure the WLAN profile on the windows machine as you are currently doing.
  Mobile phones and tablets don’t have this issue as they don’t have issue because software coding in their supplicants. Besides the only “system” credentials on iOS or Android phone are typically your Play Store and App Store accounts, and both vendors know those won’t be accepted for network access by default anywhere.
  There isn’t an easy way to support non-domain windows systems on a domain integrated one.
  You might want to try adding another SSID.
  You could have a corporate SSID, Guest Portal and a third that is PSK + Guest Portal. ON NPS you could filter for RADIUS attribute called-station-id (includes SSID) to allow all domain ID’s access instead of the just that WLAN.
  Or you could look at swapping out NPS for a Cisco ISE VM/appliance with the new Plus licenses add lower cost for onboarding devices and Windows XP and up are supported for supplicant configuration via ISE.

• Use Wildcard SSL Cert to Monitor Non-Domain COmputers

  Hello,
    I was wondering if a Wildcard SSL Cert from GoDaddy or another Provider can be used to monitor Non-Domain Computer on SCOM 2012R2?
  TIA,
  Jim

  Hi,
  The Operations Manager agents support two types of authentication method, Kerberos or certificate based authentication. In order to monitor servers and clients located outside the Operations Manager’s native Active Directory domain, you will need to configure
  certificate authentication using either an internal Certificate Authority or through a 3rd party Certificate Authority.
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]