Troubleshooting

From Recast RCT
Jump to: navigation, search

SCCM Console Slow After Installing RCT

If you're experiencing slowdowns in-console after installing RCT, likely you need to add AV exclusions for Recast. We've created packs of these exclusions for import for SCEP:

500.21 IIS Error on Server 2008 R2

This is usually caused by the .Net 4.5 Framework being installed before ASP.NET was enabled on the Recast Enterprise Server. To fix it, open Programs and Features and repair .Net 4.5.

500.19 IIS Error

This can happen when WSUS is installed on the same box as Recast Server and is caused by WSUS installing a 64-bit version the DynamicCompressionModule but not the 32-bit version. To fix the issue, you can either disable the XPress compression scheme for all pages and application pools, disable loading the xpress module for 32-bit application pools, or install the 32-bit version of this module.

Disable XPress compression for all pages and application pools

Run the following command to disable XPress compression globally. %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']

Disable XPress for 32-bit application pools

Edit the C:\Windows\System32\inetsrv\config\ApplicationHost.config file and add the following line in the <modules> section. <add name="DynamicCompressionModule" lockItem="true" preCondition="bitness64" />

Install the 32-bit version of suscomp.dll

Install WSUS on a 32-bit machine and copy the suscomp.dll file from that machine to %windir%\SYSWOW64\inetsrv\

Access Denied

Access Denied errors can occur for a few different reasons when running the Recast tools. The reason for the error depends on the Authentication Mode setting on your Recast server.

Service Account

When the Recast Server is configured to use a service account, all actions run as the account specified in the Recast Control Panel. If you get Access Denied messages when running the tools, it indicates the service account is missing permissions on the remote machine. To fix this, add the service account to the administrators group on the remote device. Additionally, the service account will need permissions in the ConfigMgr console and in Active Directory.

Impersonation

When the Recast Server is configured to impersonate users, all actions will run as the user account running the ConfigMgr console. If you see an Access Denied message with impersonation mode, the first thing to check is that the user running the Recast tool has administrator permissions on the remote device. If the user has permissions on the remote device, check the following common reasons that Kerberos delegation fails.

Active Directory Delegation

The Recast server will need to be trusted for delegation to any service in order for the tools to work. If the server is not trusted for any service, it will not be allowed to impersonate the ConfigMgr console user on remote devices and will fall back to using the user account assigned to the NMSMS app pool on the Recast server. To trust the server for delegation to any service, open Active Directory Users and Computers, right click on the Recast server computer account and choose properties, choose the Delegation tab, and make sure the "Trust this computer for delegation to any service (Kerberos only)" option is selected. Note that the server may need to be restarted in order for this change to take affect, and this change will need to be replicated to all domain controllers before the impersonation will work.

Account is Sensitive

If the user account running the Recast tools has the "Account is sensitive and cannot be delegated" option enabled in Active Directory, delegation will fail and prevent the tools from running as that user account. Usually this will cause an access denied message because the tools will fall back to using the service account specified on the NMSMS app pool of the Recast server. To check if this applies to you, go to the properties of the user object that is running the tools in Active Directory Users and Computers, click the Account tab, and make sure the "Account is sensitive and cannot be delegated" option is unchecked.

DNS Alias

If the Recast server was configured to use a DNS alias, a new SPN will need to be added to the Recast server for the DNS alias. If the DNS alias is a CNAME record, type the following command:

 setspn -A host/<DNS Alias> <Recast Server>

If the DNS alias is an A record, type the following command:

 setspn -A http/<DNS Alias> <Recast Server>

Recast Server and Recast Desktop installed on same computer

If the Recast server and Recast desktop components are installed on the same computer, Kerberos delegation will fail. If having both components installed on the same computer is required, then the Authentication Mode should be switched to Service Account in the Recast Control Panel. Alternatively, the Recast desktop component can be installed on another computer with the ConfigMgr console installed in order to run the Recast tools or the Recast desktop component on the server can be configured to run in local mode.

Windows Defender Credential Guard

Windows Defender Credential Guard prevents unconstrained delegation from working. If you're using Credential Guard on the devices running the desktop component, you will either need to configure the Recast server to run as a service account, or use the desktop tools in standalone mode. This site has more details on the considerations when using Credential Guard: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations

Insufficient Permissions

User Permissions

The Insufficient Permissions error is usually caused by a user account being denied access to run a Recast action by the Recast server. To add permissions to a user account, launch the Recast Control Panel, navigate to the Users tab, select the user account you wish to assign a role, and click the > arrow button to move the role to the Assigned Roles. The Effective Permissions list will update with the new permissions. To create new roles, select the Roles tab, create a new role and click Add Role. When the new role appears in the roles list, select the role, select a permission, and click the > arrow button to assign the permission to the role. Once the role is created, you can assign users to the role.

Administration Plugin

This error can also be caused by disabling the Permissions Checks option in the Administration plugin - this option will put the Recast server into a provisioning mode, only allowing user provisioning to take place. To fix this error, launch the Recast Control Panel, go to the Plugin Settings tab, select the Administration plugin, check the Permissions Checks box and click Save Settings. Note that the permissions checks setting will not save if you don't have at least one user assigned to the Administrators role.

Could Not Establish Secure Channel

The Could Not Establish Secure Channel error is caused by the certificate not being trusted on the devices running the Recast Desktop component. To fix this, we need to export the Recast Server certificate on the Recast Server.

Exporting your Recast Server Certificate

  1. Open IIS Manager on your Recast Server and select the server name
  2. Double click Server Certificates
  3. Right click the Recast certificate and choose View
  4. Choose the Details tab and click Copy To File
  5. Walk through the Certificate Export Wizard with the default settings. You will not need to export the private key.
  6. Store the certificate in a location that you will be able to access from your Recast Desktop clients

Importing the Recast Server Certificate

  1. Right click on the certificate and choose Install Certificate
  2. In the Certificate Import Wizard, select Local Machine
  3. Choose the "Place all certificates in the following store" radio button and click Browse
  4. Select the Trusted Root Certificate Authorities Store and click Ok
  5. Click Next on the Certificate Store page
  6. Click Finish on the Summary page
  7. Click Ok on the completion prompt

Invalid URI: The Hostname Could Not Be Parsed

This error means that the desktop tools are configured with an invalid Recast Server URI. The default URI during installation is https://<servername>/MobileToolsEnterprise.svc, which is an invalid URI. To fix this, we can either reinstall the Recast Desktop Tools specifying the URI during installation, or modify the registry value that the desktop tools use.

Reinstalling the Recast Desktop Tools

If you reinstall the desktop tools, the first screen in the installation wizard is the one you want to watch out for. In this screen, enter the Recast Server URI as it appears in the Recast Control Panel. You can also specify the Recast Server URI on the command line with the RCTENTERPRISESERVER MSI property. See the Recast Desktop Tools Installation page for more information.

Modifying the Registry

The desktop tools use the ServerName value under "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Now Micro\Right Click Tools Enterprise Desktop". This value should be the same URI as shown in the Recast Control Panel.

Firewall requirements for Recast

  1. ICMP Echo
  2. Remote Registry
  3. Remote WMI

Need more help?

If you're having trouble that isn't listed here, visit our website to submit a support case