4 Replies Latest reply on Nov 10, 2016 1:55 PM by rdavidson

    Errors during verification, errors with download.

    Rookie

      Background:

      I'm running into issues while setting up Shavlik in our environment that had an existing installation of Shavlik before. WSUS is working fine and no sync errors are apparent. Patching devices using SCCM/WSUS integration is working as expected.

       

      • WSUS is co-located on the same server as SCCM.

      • Server OS is 2012 R2.

      • One forest, one domain.

      • The DC and functional level is a 2008 R2.

      • Shavlik is set to use its own self-generated cert, it’s in all correct stores, and a GPO is pushing it out to all clients we are testing on, in addition to the setting that allows non MS updates. All basic pre-requisites are fulfilled. The cert is not expired.

      • User account running SCCM is the same as the account that set up SCCM, and is used “as an administrator” to run the SCCM console and the Shavlik integration.

      We uninstalled Shavlik (that never worked in the first place) and removed any associated folders and attempted to get it to work but we are running into issues.

       

      Problems:

      I'm running the pre-check "Verify Setup" and I'm coming up with an error for "log on as batch job". The system is telling me the user account does not have this right – although I specifically went in and granted this permission to the user account. More specifically the details of the error are "System directoryServices AccountManagemet NoMatchingPrincipalException: An error occurred while enumerating the group. The group could not be found." Research suggests there may be a bug with Visual Studio. Apparently this exception is being thrown out when an SID cannot be resolved. When replicated in a lab environment, everything integrates fine and the check passes fine. If I ignore this and continue on to publish updates I begin to see other problems.

       

      When I try manually set up a group of updates and set it up for deployment it fails to download content with “failed to download content ID XYZ error invalid certificate signature” for which research suggests a WebSence type blocker can be responsible. A filter has been created for WebSense to bypass the SCCM server, yet this error persists. On the client side the issue manifests itself by a fail to download error, (only for 3rd party updates, everything works fine for MS) Failed to download updates to the WUAgent datastore. Error = 0x800b0109. This is a certificate error – yet all of my certificates are correctly configured, something I’ve triple checked and even redone from scratch with the same results.

       

      Any idea why any of these things may be occurring?