8 Replies Latest reply on Dec 8, 2017 4:37 PM by brian.taylor.support

    Deployment Tracker Status - Unable to Verify or Complete (not verified)

    KierenMW Rookie

      I have a handful of machines when I am deploying patches, and I receive the above errors.

       

      I found an article talking about this issue, see below link:

       

      Deployment Tracker Status - Unable to Verify or Complete (not verified)

       

      I am running:

       

      Ivanti Patch for Windows® Servers Standard 9.3.0 Build 4440

       

      However I cannot find where the HF.log is, and by following the document below, it does not exist in that location for me:

       

      Scans Show Few/No Missing Patches and No Installed Patches.

       

      I have looked on the Console server and the client and i can't find it. Has this log be renamed?

       

      Thanks in advance.

       

      Kieren

        • 1. Re: Deployment Tracker Status - Unable to Verify or Complete (not verified)
          jdfoxmicro Rookie

          Kieren,

           

          It appears the log files hf, schf, and rehf have been rolled into ST.EngineHost.native as of 9.3.  This document needs to be updated:

           

          Listing And Purpose Of Each Log File Generated By Shavlik Protect

           

          I found your post while researching to solve my own chronic and inexplicable problems with the "Unable to verify" on multiple Shavlik Protect consoles I manage.  I'm digging in to investigate, and I'll post anything I find here.

           

          Jeffrey Fox

          1 of 1 people found this helpful
          • 2. Re: Deployment Tracker Status - Unable to Verify or Complete (not verified)
            jdfoxmicro Rookie

            Well, I'm completely at a loss.  I've tried everything, and I can't for the life of me figure out what's different between the systems where it works and the ones where it doesn't.

             

            The rescan process simply ignores all credentials (whether set on the machine in Machine Properties, for the Machine Group, or default credentials), and logs in to the workstation using the computer account of the console server to do the rescan (meaning it's using Local System).  The document you linked above should only do this if the credentials are not set or they don't work, but my credentials are certainly correct.

             

            The only workaround that worked was assigning the computer account of the console server to be local admin on the target workstation, which, of course, is a terrible thing to do. But, I did it to prove that it's not anything else but account selection that's causing the problem.  I'm going to open a ticket on this.

             

            Jeffrey Fox

            1 of 1 people found this helpful
            • 3. Re: Deployment Tracker Status - Unable to Verify or Complete (not verified)
              brian.taylor.support SupportEmployee

              Kieren, I apologize.  I'm not sure how we missed this thread, but I'm sorry we hadn't responded yet.  Jeffrey pointed out the correct log - ST.EngineHost.native.log - for the information you're looking for.  What we've found on the support side is that a one-off network issue can cause this, but if you see this error consistently, it's pretty much guaranteed to be related to credentials somehow.  I would first check the Machine Properties of the handful you mention (right-click the machine to find Machine Properties in the context menu) to make sure you don't have a different credential inadvertently assigned there.  If you're struggling to get to the bottom of it, open a support case and let us help.  We're happy to help you dig in and figure out what's going on.

               

              Jeffrey, thanks for helping out fellow community members!  We really appreciate you contributing to the community.  I've received notification of your case, so we'll get to work on getting to the bottom of this for you.  Thanks!

               

              Brian Taylor

              1 of 1 people found this helpful
              • 4. Re: Deployment Tracker Status - Unable to Verify or Complete (not verified)
                KierenMW Rookie

                Jeffrey,

                 

                Thanks for the update. I guessed that the ST.EngineHost.native.log was the log I was supposed to be looking for, but nowhere could I see what you kindly confirmed, so thank you for clarifying.

                 

                I haven’t had much time to further investigate this issue, but the problems you're experiencing sound very similar to my own. I'm not going to have a chance to continue the investigation this week due to other work priorities, but I will look to open a support call and update this thread, as per Brian’s suggestion, and like he said it’s most likely permissions issue, but where exactly I don’t know.

                 

                Out of interest, have you enabled User Role Assignment in your environment? As I think this maybe causing an issue for me, but haven’t confirmed it.

                 

                Kieren

                • 5. Re: Deployment Tracker Status - Unable to Verify or Complete (not verified)
                  brian.taylor.support SupportEmployee

                  Hi Kieren,

                   

                  One thing we may also look at - is it only scheduled deployments that run into this issue?  Do manual deployments work as intended?  If yes, the next question would be - is your scheduler credential set to a different account than you are logged in with?

                   

                  When running scheduled tasks, they use whatever options are configured under the account of the scheduler credential.  In the following hypothetical, we'll assume the scheduler account belongs to Bob, a domain admin).  You log in, assign credentials to all your machines or Machine Groups, and set a default credential to use in case one doesn't get assigned.  Bob has not logged into the console (or maybe he has, but has never configured any console options), so does not have the same Machine Group options configured and does not have a default credential set.

                   

                  If you use Bob's credential as your scheduler credential, then schedule a scan/deployment with it, the job is initiated as though Bob launched it manually.  Since Bob hasn't set any options, there aren't any valid credentials assigned under his user profile.  The CLOUC (Currently Logged On User Credential) is used since there is nothing else specified.  Since Bob's account has the necessary authority, the scan and deployment finish, but after the post-deployment reboot the credentials can't fail over the same way, so the re-scan fails due to lack of permissions and returns "Complete (not verified)" or "Unable to verify".

                   

                  See this doc for a more complete overview:

                  Deployment Tracker Status - Unable to Verify or Complete (not verified)

                   

                  Obviously we haven't dug into your setup, but this is just a hunch hypothetical that would result in what you're describing.  If this applies to you, just log onto the console with the scheduler credential account and set the credentials you want there and you should be able to run scheduled jobs without running into this issue anymore.

                   

                  Let me know if that helps!

                   

                  Thanks,

                  Brian

                  • 6. Re: Deployment Tracker Status - Unable to Verify or Complete (not verified)
                    brian.taylor.support SupportEmployee

                    Hi Kieren,

                     

                    We determined in Jeff's case that the issue was the use of a different scheduler credential as outlined in my last comment, so if you're seeing a similar issue, we'll probably want to focus on your scheduler credential setup.

                     

                    Thanks,

                    Brian

                    • 7. Re: Deployment Tracker Status - Unable to Verify or Complete (not verified)
                      jdfoxmicro Rookie

                      Kieren,

                       

                      No, I had not enabled roles.  The problem, as Brian mentioned, was that I had created a service account in Active Directory with the limited permissions it needs (local administrator on workstations only), entered that username and password in the Credentials Manager of Shavlik, and designated that as the Scanner Credential, while logged in with my own administrator user account. Since 9.2, this doesn't work, and it originally gave an error message when you tried to assign Scanner Credential to an account other than your own user login account, until an update removed the message but didn't fix the underlying problem.  And, it's not a total failure, which can send us down the wrong path trying to find the problem: the initial scheduled scan works fine with another user account as the Scanner Credentials, but then the rescan (after deployment and reboot) fails, resulting in the "Unable to verify" message. You can see why we wouldn't think it's the credentials.

                       

                      The answer was to:

                       

                      1. Remove all the saved credentials in the Shavlik console while logged in as my user account.
                      2. Grant Remote Desktop login rights to the Shavlik scanner service account.
                      3. Log off, then log in to the Windows Server running Shavlik as that service account.
                      4. Add all the service account credentials into the Shavlik Credentials Manager.
                      5. Take ownership of the Scheduled Console Tasks.
                      6. Assign the credentials to objects (OU browsing, machine admin for pushing agents and for deployments, and the Scanner Credentials at the top of the Scheduled Console Tasks window).

                       

                      Then, the jobs will shows "Finished" with a green box, after deployment and rescan.  Let us know if this gets you squared away.

                       

                      Jeffrey Fox

                      • 8. Re: Deployment Tracker Status - Unable to Verify or Complete (not verified)
                        brian.taylor.support SupportEmployee

                        Just to clarify, you'll only want to do that first step if you don't want to run any jobs under your own account.  If you want to run the scheduled jobs under a service account and continue to be able to run jobs manually under your own, you would need to leave the credentials, Machine Group assignments, and everything intact under your own account.

                         

                        Thanks,

                        Brian