Now that you mention it, what you are experiencing makes complete sense. Last year, I ran into an issue where user-targeted deployments were not evaluating for certain users. In this environment, there were tons (and tons) of group memberships that were preventing the evaluation from occurring due to limitations in Kerberos authentication on the MPs. (BTW - This was solved by increasing HTTP and Kerberos parameters.)
Since authentication is involved, I can see why you would not be able to get user policies, and I would say that this is by design, based on the limitations of the lack of trust.

From: [email protected] On Behalf Of Spinelli, Robert J
Sent: Wednesday, June 26, 2013 4:08 AM
To: [email protected]
Subject: [mssms] RE: SCCM 2012 - MP Forest Affinity

It's already set to automatically approve. The client can talk to the MP and get computer policies; for example, I can send an advert to the computer and it will run. The issue is that I can't send the same advert to the user logged onto the computer.

It looks like computer policies use:
CCM_System
SMS_MP

Both of these virtual directories are set for anonymous authentication, so Client1.untrusted.com has no issue getting the computer policies from MP1.trust.com. If Client1.untrusted.com tries to get an advert targeted to a user from MP1, it can't authenticate and won't install. If I bring back up MP2.untrusted.com, Client1.untrusted.com (which is in the same forest as the MP) can run the advert targeted to the user Untrusted.Com\User1 logged into Client1.untrusted.com.

It seems to me that if the MP the client is communicating with is not trusted by the user (ex: Untrusted\User1), then user policies won't run on the client.

It looks like user policies use:
CCM_System_WindowsAuth
SMS_MP_WindowsAuth

These virtual directories are not set for anonymous authentication, and when I do set them to anonymous the whole MP stops working until I set them back to the default settings. I'm trying to see if anyone else can confirm this?

Thank you.

Robert Spinelli | CTS | GTI | 575 Washington Boulevard, Jersey City, NJ, 07310, United States | T: +1.201.595.6820 | C: +1.917.538.6192 | [email protected]

From: [email protected] On Behalf Of Mike Terrill
Sent: Tuesday, June 25, 2013 11:09 PM
To: [email protected]
Subject: [mssms] RE: SCCM 2012 - MP Forest Affinity

Have you tried changing your client approval method to automatically approve all computers so that the untrusted client could talk to the trusted MP?

From: [email protected] On Behalf Of Spinelli, Robert J
Sent: Tuesday, June 25, 2013 4:07 PM
To: [email protected]
Subject: [mssms] SCCM 2012 - MP Forest Affinity

If you have the following:

001 site, which is in the trust.com domain
2 MPs
MP1 is part of the trust.com domain
MP2 is part of the untrusted.com domain (so no trust exists between trust.com and untrusted.com)

When a client called Client1.Untrusted.com does an MP lookup, it will use forest affinity and use MP2.Untrusted.com as its MP.

The issue I'm trying to figure out is that when you look at IIS there are 4 directories:
CCM_System
CCM_System_WindowsAuth
SMS_MP
SMS_MP_WindowsAuth

[inline screenshot of the IIS virtual directories not included]

CCM_System and SMS_MP have anonymous authentication enabled, and CCM_System_WindowsAuth and SMS_MP_WindowsAuth have anonymous authentication disabled. It looks like when you're targeting any user-based policy, the client uses Windows Authentication to get the policy info from CCM_System_WindowsAuth. If Client1.untrusted.com is using MP2.untrusted.com, there is no issue getting the user policy to Client1, but if MP2.untrusted.com is down and Client1 is using MP1.trust.com, it can't authenticate to the CCM_System_WindowsAuth virtual directory since there is no trust between MP1 and Client1, so the user-based policy won't make it to Client1.

I did try to enable anonymous authentication on both CCM_System_WindowsAuth and SMS_MP_WindowsAuth and that totally broke my MP, and I had to change it back so my client could communicate with it again. Am I doing something wrong, or do you need to ensure that an MP that is trusted with the client is always up for user-based deployments / policies to succeed?

Thank you.

Robert Spinelli | CTS | GTI | 575 Washington Boulevard, Jersey City, NJ, 07310, United States | T: +1.201.595.6820 | C: +1.917.538.6192 | [email protected]
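The thread above turns on two facts that are easy to check rather than infer: which authentication schemes each of the four MP virtual directories actually has enabled, and whether a client in an untrusted forest gets a 401 from the *_WindowsAuth directories while the anonymous ones answer. The script below is an added example written for this page; it is not code from the thread or from Configuration Manager. It assumes the MP role lives under the IIS "Default Web Site" (the default), that the WebAdministration module is present on the MP, and that a 401 returned to a request sent with the logged-on user's credentials means that user could not be authenticated by the MP's forest. It is deliberately read-only, given Robert's report that enabling anonymous access on the *_WindowsAuth directories broke his MP.

```powershell
# Added example, not from the mssms thread. Reports (never changes) the IIS
# authentication settings of the four management point virtual directories, and
# probes them from a client so the trust problem described above can be seen
# as HTTP status codes instead of a deployment that silently never runs.
#
# Assumptions: site name "Default Web Site"; MP FQDNs below are placeholders.

Import-Module WebAdministration -ErrorAction SilentlyContinue

# Expected anonymous-authentication state, as stated in the thread: the two
# "plain" directories allow anonymous access, the two *_WindowsAuth ones do not.
$MpVirtualDirectories = @(
    @{ Name = 'CCM_System';             AnonymousExpected = $true  },
    @{ Name = 'SMS_MP';                 AnonymousExpected = $true  },
    @{ Name = 'CCM_System_WindowsAuth'; AnonymousExpected = $false },
    @{ Name = 'SMS_MP_WindowsAuth';     AnonymousExpected = $false }
)

function Get-MpVdirAuth {
    # Run ON the management point. Reads the effective IIS configuration of each
    # virtual directory and flags anything whose anonymous setting deviates from
    # the defaults the thread describes.
    param([string]$SiteName = 'Default Web Site')

    $authBase = 'system.webServer/security/authentication'
    foreach ($vdir in $MpVirtualDirectories) {
        $psPath = "IIS:\Sites\$SiteName\$($vdir.Name)"
        if (-not (Test-Path $psPath)) {
            Write-Warning "$psPath not found; is the MP role installed on this host?"
            continue
        }
        $anon = (Get-WebConfigurationProperty -PSPath $psPath `
                    -Filter "$authBase/anonymousAuthentication" -Name enabled).Value
        $win  = (Get-WebConfigurationProperty -PSPath $psPath `
                    -Filter "$authBase/windowsAuthentication" -Name enabled).Value
        [pscustomobject]@{
            VirtualDirectory   = $vdir.Name
            AnonymousEnabled   = [bool]$anon
            WindowsAuthEnabled = [bool]$win
            AnonymousAsDefault = ([bool]$anon -eq $vdir.AnonymousExpected)
        }
    }
}

function Test-MpVdirFromClient {
    # Run ON a client, as the user whose deployment is not arriving. Sends one
    # request per virtual directory with the logged-on user's credentials and
    # records the status. IIS performs authentication before it resolves the
    # resource, so a 401 means "this user could not be authenticated here",
    # while 200/403/404/405 all mean the request got past authentication.
    param(
        [Parameter(Mandatory)][string]$MpFqdn,
        [ValidateSet('http', 'https')][string]$Scheme = 'http'
    )

    foreach ($vdir in $MpVirtualDirectories) {
        $url = "$Scheme`://$MpFqdn/$($vdir.Name)/"
        try {
            $resp   = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
            $status = [int]$resp.StatusCode
        } catch {
            # Non-2xx responses surface as exceptions; pull the real status out.
            $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
        }
        [pscustomobject]@{
            MP               = $MpFqdn
            VirtualDirectory = $vdir.Name
            User             = "$env:USERDOMAIN\$env:USERNAME"
            HttpStatus       = $status
            Authenticated    = ($status -ne 401 -and $status -ne -1)
        }
    }
}

# Usage (placeholder names from the thread):
#   On MP1.trust.com:          Get-MpVdirAuth | Format-Table -AutoSize
#   On Client1.untrusted.com:  Test-MpVdirFromClient -MpFqdn 'MP1.trust.com' | Format-Table -AutoSize
#                              Test-MpVdirFromClient -MpFqdn 'MP2.untrusted.com' | Format-Table -AutoSize
```

Run the client probe twice, once against the MP in the client's own forest and once against the MP in the other forest, while logged on as the affected user. If the thread's diagnosis is right, the two anonymous directories answer the same way on both MPs, while CCM_System_WindowsAuth and SMS_MP_WindowsAuth return 401 only from the MP whose forest does not trust the user's account. Note that the probe only exercises IIS authentication; it does not request policy, so a non-401 status shows the user could authenticate, not that a particular deployment is targeted to them.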

