True Control Center - Unable to open the "Remote Manage" pane

Bryan_TaylorBryan_Taylor Customer IT Monkey ✭

Hi again Cireson Community!

I'm excited to say that I had the pleasure of getting to install version 3.0 of the True Control Center (formerly the ConfigMan Portal). In my environment, we initially deployed a single instance of version 1.0 of the CMP, which was upgraded to 2.XX. This portal instance was pointed at a single primary site in our CAS hierarchy and did not use SCCM RBAC - while it was nice, it didn't provide the capabilities that our support teams needed.


With the release of True Control Center we've decided to re-do our Configuration Manager web portal solution. What this means is that we've decided to install the portal on a dedicated system that all of the domain in our environment can reach and install the portal while pointing it at the CAS and leveraging the SCCM RBAC security model.


The automated installer went great and we had no issues during the setup; this was a fantastic experience as I've always had something go wrong with the 2.X installers. I'm able to log in and I see the event logs populating with messages about SCCM RBAC, so everything is looking wonderful so far... or so I thought. When I went to try and utilize the new "Remote Manage" option on a system, nothing happens. The pane doesn't slide out and I have no access to any of the new tools. When I look at user objects, I see the "Unlock Account" and "Reset Password" options and can click them to get their relevant dialogs to appear. I have tried a variety of browsers, logins, and other workstations and have not had any success getting the new True Control Center features to appear for workstations.


Have you fine community members braved the waters and installed the True Control Center? And If you have, did you have to do anything to get the "Remote Manage" pane to appear? In the near future, I'd like to demonstrate the ability to do this from the Analyst Portal as well, but that's another bridge to cross later :wink:

«1

Comments

  • Matt_MedleyMatt_Medley Cireson Support Advanced IT Monkey ✭✭✭

    Hi again Cireson Community!

    I'm excited to say that I had the pleasure of getting to install version 3.0 of the True Control Center (formerly the ConfigMan Portal). In my environment, we initially deployed a single instance of version 1.0 of the CMP, which was upgraded to 2.XX. This portal instance was pointed at a single primary site in our CAS hierarchy and did not use SCCM RBAC - while it was nice, it didn't provide the capabilities that our support teams needed.


    With the release of True Control Center we've decided to re-do our Configuration Manager web portal solution. What this means is that we've decided to install the portal on a dedicated system that all of the domain in our environment can reach and install the portal while pointing it at the CAS and leveraging the SCCM RBAC security model.


    The automated installer went great and we had no issues during the setup; this was a fantastic experience as I've always had something go wrong with the 2.X installers. I'm able to log in and I see the event logs populating with messages about SCCM RBAC, so everything is looking wonderful so far... or so I thought. When I went to try and utilize the new "Remote Manage" option on a system, nothing happens. The pane doesn't slide out and I have no access to any of the new tools. When I look at user objects, I see the "Unlock Account" and "Reset Password" options and can click them to get their relevant dialogs to appear. I have tried a variety of browsers, logins, and other workstations and have not had any success getting the new True Control Center features to appear for workstations.


    Have you fine community members braved the waters and installed the True Control Center? And If you have, did you have to do anything to get the "Remote Manage" pane to appear? In the near future, I'd like to demonstrate the ability to do this from the Analyst Portal as well, but that's another bridge to cross later :wink:

    Hey Bryan, it sounds like there may be a permissions issue with the account being used to use the Remote Manage tool set. You mention that you can see the Unlock Account and Reset Password options, do those features work? If you try to reset a password, does it go through and make the password change?
  • Bryan_TaylorBryan_Taylor Customer IT Monkey ✭
    @matt_medley Yes, we tested those options just yesterday afternoon and to my delight, they worked without a hitch!

    @james_atance I pulled up the IE and Edge Dev Tools and while I don't see any errors in the Console tab, I do see some 404 Not Found errors in the Network tab. I can confirm that each time I click on "Remote Manage" a new error appears. It appears to be doing a get request to /platform/api/ however if I try to complete the request or navigate to that page in a browser I get the same 404 response.
  • Davis_MathaiDavis_Mathai Cireson Solution Architect Adept IT Monkey ✭✭
    Hey Bryan,
    The remote manage slide out is based on the Cireson Platform (additional component to the portal) so this has to be working and caching/populating data for the slide out to work.  Can you check if the CMPPlatformService is installed and running please.  If it is, please check if you get data back when you navigate to http://<portal address>/platform/api/CmDevice- you should see all your cached device details in this list.

    The log for the platform is in C:\ProgramData\Cireson.Platform.Host so please have a look at this too (feel free to upload here)

    When I first installed the TCC portal, I had a similar issue but a simple reload of the website (Ctrl+F5) sorted it for me.  

    Thanks
    Davis
  • Billy_WilsonBilly_Wilson Cireson Solution Architect Advanced IT Monkey ✭✭✭
    Hi Bryan,does this happen when you log in as the Service Accoutn for TCC or just for other users?


  • Bryan_TaylorBryan_Taylor Customer IT Monkey ✭

    @James_Atance - I have uploaded the requested HAR file to IR71982. Please let me know if you need more info.

    @Davis_Mathai - I do see the CMPPlatformService and the CMP Hosting Service installed and running on the server that is hosting TCC. Looking at the logs in the Cireson.Platform.Host I see a very large number of errors complaining about foreign keys (I've attached one of the two logs in this directory - the second is too large). The second log file ends with the following:

    Critical 2018-01-25T08:14:25.3204427-09:00: Failed to listen on prefix 'http://*:80/Platform/' because it conflicts with an existing registration on the machine.
    Critical 2018-01-25T08:14:25.3360717-09:00: Core cannot continue, press 'Enter' to stop.


    @Billy_Wilson - This happens with the Service Account and other accounts within the TCC.

  • seth_coussensseth_coussens Product Owner Ninja IT Monkey ✭✭✭✭

    @James_Atance - I have uploaded the requested HAR file to IR71982. Please let me know if you need more info.

    @Davis_Mathai - I do see the CMPPlatformService and the CMP Hosting Service installed and running on the server that is hosting TCC. Looking at the logs in the Cireson.Platform.Host I see a very large number of errors complaining about foreign keys (I've attached one of the two logs in this directory - the second is too large). The second log file ends with the following:

    Critical 2018-01-25T08:14:25.3204427-09:00: Failed to listen on prefix 'http://*:80/Platform/' because it conflicts with an existing registration on the machine.
    Critical 2018-01-25T08:14:25.3360717-09:00: Core cannot continue, press 'Enter' to stop.


    @Billy_Wilson - This happens with the Service Account and other accounts within the TCC.



    Most likely the issue you are seeing is what you identified in the logs indicating that the platform is no longer listening and has stopped. The flyout won't ever come out if there is no response from the platform service endpoint.

    You can check the endpoints by going to <hostname>/platform/api/Me and this should show you a list of your users current access and roles. If this works then the platform is up and running. If you get a 404 then it's not and it's most likely related to something else on that box conflicting with the platform on port 80.

    Do you still have the default website on that box running?
  • Bryan_TaylorBryan_Taylor Customer IT Monkey ✭
    edited February 1

    The /platform/api/Me does indeed return a 404. This is a brand new VM that was stood up solely to run the portal. No other applications or software were installed and I let the TCC installer handle all of the heavy lifting.


    IIS does not show any websites other than TCC. Perhaps I'll try to perform an uninstall/reinstall of the TCC.


    EDIT: Performed an uninstall/reinstall of TCC on the system. I'm now receiving HTTP 400 Bad Request and HTTP 401 Unauthorized Access responses and am being prompted for credentials when trying to click "Remote Manage". Using the Service Account that was used to setup TCC (and has full admin rights in the SCCM CAS Hierarchy and sa rights on the DB) returns a 401, as well as any other accounts I use.

  • Bryan_TaylorBryan_Taylor Customer IT Monkey ✭
    edited February 1

    So, I think the issue is stemming from the fact that it's trying to use the Windows identity for the Remote Manage actions.

    I am VPN'd in on my home computer this evening (which obviously isn't on the domain), and attempted to log into the TCC from there. It prompted for my credentials since it couldn't pass my local account through, and I'm able to use the Remote Manage pane from there.

    I RDP'd into my work computer, cleared the IE cache and opened up an InPrivate tab (to ensure that any and all caching was not causing the problem), tried to open Remote Manage and... nothing. If I open IE as a different user, the same error occurs; the TCC opens up a security dialog prompting me for credentials and returns an HTTP 401 Unauthorized response.

    We don't provide our technicians access into SCCM with their standard accounts, instead opting only to give them access to their admin accounts. The technicians don't log into workstations with their admin accounts, so I'm curious if it is possible for us to switch TCC to use Forms Authentication and let the authentication flow through that way; do you have any steps I can use to switch to Forms Authentication? I tried to play with the configuration on my own, but I couldn't get it to go to a login page (and I actually couldn't find anything that resembled a login.aspx anywhere...)

    That said while looking at the Remote Manage tools on my own desktop, it looks like most information is "unavailable" or it claims that "No data has been pulled from X. Pull Now"; clicking on Pull Now of course spins for a bit, but nothing is returned after Remote Manage completes the pull. Inconsistent results, but it does seem to be working fine on a non-domain joined workstation. Most of the actions are available and a machine policy retrieval went smooth. I have not yet enabled the SCCM RBAC since the reinstall as I want to reduce complexity.

  • seth_coussensseth_coussens Product Owner Ninja IT Monkey ✭✭✭✭
    Currently, there is no such thing as a login / forms auth for the TCC. If you run the browser as a guest or inprivate then it should block passing integrated auth and you should be able to then login using the authentication popup.

    What do you see in these scenarios when you hit the platform/api/Me end point?
  • Bryan_TaylorBryan_Taylor Customer IT Monkey ✭
    edited February 1

    Here are the Json results for the Platform/API/Me (this was the same on the domain joined PC for standard browsing and for InPrivate browsing):

    {
      "@odata.context":"http://HOSTNAME_GOES_HERE/platform/api/$metadata#Cireson.Core.Services.ConnectionServices.CurrentUserInfoDto","Name":null,"Id":null,"Claims":[
       
      ],"Roles":[
       
      ]
    }


    On my phone while VPN tunneled, I can get results from /Platform/Api (but not from /Me). Running this on my domain PC gets me an HTTP 400 request

  • seth_coussensseth_coussens Product Owner Ninja IT Monkey ✭✭✭✭
    I think you too and probably surmise by now that you have a network or policy related issue here. The fact that you get different behavior accessing the same server from different endpoints and methods is a good indication of that.

    If you don't log into the portal first and go straight to platform/api/Me this will show you the blank slate you'd expect above because it's showing you it couldn't read an authentication token (/Me does not auth). If you first go to platform/api/MeAuthenticate it will force an authentication with the platform (should ask you to login), from there you can then go to platform/api/Me and you should see your claims/roles. Can you try that out?

    On your domain machine the 400 error doesn't make a lot of sense unless you have something going on with a cached authentication token that is causing problems, or you don't allow integrated other in your Internet Settings (are you using a client machine or a server, I'd assume client). If you look at the request headers in the browser devtools network tab for the request, does it include the authentication information?
  • Bryan_TaylorBryan_Taylor Customer IT Monkey ✭

    @seth_coussens - When I attempt to make a call to platform/api/Me while not logged into the portal, I do indeed get the empty result like you mentioned. When I navigate back to the home page (which does not prompt me for credentials) and attempt to hit platform/api/Me I get the same result back and am not prompted for credentials.

    If I try to hit something like platform/api/ProviderRoleToApplicationRoleMap, then I get prompted for credentials and then am redirected to an HTTP 400 Bad Request page. This happens with the service account used for install, my admin account (which is a portal admin), and my standard user account.

    When reviewing the headers within the IE Dev Tools, I do see authentication information sent to the calls to http://HOSTNAME/platform/api/Cireson_ConfigurationManager_Portal_Core_Models_ConfigurationManager_CmResource?$filter=ResourceId eq 123456789&$select=Id when I initiate the remote manage option; the authentication header says it is using "Negotiate" with an encrypted token of some kind.

  • seth_coussensseth_coussens Product Owner Ninja IT Monkey ✭✭✭✭
    Brian, can you email me directly and we can setup a time to look at this together next week? Seth.Coussens@cireson.com
  • SoftwareAsset_ManageSoftwareAsset_Manage Customer IT Monkey ✭
    Hi,

    Has anyone figured it out? I also am experiencing the same issue and opened up an incident about it. These are the two errors I can see in the browser if I try it from an admin account:

    1.      {error: {code: "", message: "Authorization has been denied for this request."}} 

    1.       error:{code: "", message: "Authorization has been denied for this request."}


  • Matt_MedleyMatt_Medley Cireson Support Advanced IT Monkey ✭✭✭
    Hi,

    Has anyone figured it out? I also am experiencing the same issue and opened up an incident about it. These are the two errors I can see in the browser if I try it from an admin account:

    1.      {error: {code: "", message: "Authorization has been denied for this request."}} 

    1.       error:{code: "", message: "Authorization has been denied for this request."}


    @seth_coussens I've been working with Jordan on the same issue with TCC. Does the "Authorization has been denied for this request" come down to permissions in another area we should check?

  • Matt_MedleyMatt_Medley Cireson Support Advanced IT Monkey ✭✭✭
    Hey Bryan, I wanted to reach out and provide an update. Our Dev team is working on this issue and should have it resolved in a future update that we should see within the next week to two weeks. 
  • Bryan_TaylorBryan_Taylor Customer IT Monkey ✭
    Thanks for the update @matt_medley!
  • seth_coussensseth_coussens Product Owner Ninja IT Monkey ✭✭✭✭
    @Bryan_Taylor
    have you had a chance to try out v3.0.2 yet? This should resolve some of what you are having issues with including double authentication.
  • Bryan_TaylorBryan_Taylor Customer IT Monkey ✭
    @seth_coussens - The latest revision of the TCC resolved the issue only for Chrome. IE (which is our default browser) and Edge are still having the issue. I've tried multiple machines and mucked with settings (disabling compatibility mode, add to trusted sites, etc), however we have had no luck with the Remote Manage pane.
  • SoftwareAsset_ManageSoftwareAsset_Manage Customer IT Monkey ✭
    @seth_coussens - The latest revision of the TCC resolved the issue only for Chrome. IE (which is our default browser) and Edge are still having the issue. I've tried multiple machines and mucked with settings (disabling compatibility mode, add to trusted sites, etc), however we have had no luck with the Remote Manage pane.
    I've also upgraded to 3.0.2 but getting a different error now.


  • SoftwareAsset_ManageSoftwareAsset_Manage Customer IT Monkey ✭
    @seth_coussens - The latest revision of the TCC resolved the issue only for Chrome. IE (which is our default browser) and Edge are still having the issue. I've tried multiple machines and mucked with settings (disabling compatibility mode, add to trusted sites, etc), however we have had no luck with the Remote Manage pane.
    I've also upgraded to 3.0.2 but getting a different error now.


    Remote manage does work from the server where its installed. But anywhere else it fails.
  • Bryan_TaylorBryan_Taylor Customer IT Monkey ✭
    Any updates on this?
  • Matt_MedleyMatt_Medley Cireson Support Advanced IT Monkey ✭✭✭
    Any updates on this?
    I replied in your ticket. I'm sending you a link to try a newer release as it's resolved this issue for a couple of other instances. 
  • Matt_MedleyMatt_Medley Cireson Support Advanced IT Monkey ✭✭✭
    Any updates on this?
    Hey Bryan, Did you receive the updated release? 3.0.4?
  • Bryan_TaylorBryan_Taylor Customer IT Monkey ✭

    @Matt_Medley and @seth_coussens - I was able to install 3.0.4 and we are getting closer, but there are still a lot of issues around security prompts and configuration that I will need to address with you. Under some circumstances I'm able to open the panel, but it's inconsistent and unreliable. Additionally, the actions don't work as intended (i.e. C$ share and Remote Control don't connect to the selected device, etc).


    Would it be possible to schedule a work session with you to perform some testing, analysis, and answer some configuration questions?

  • seth_coussensseth_coussens Product Owner Ninja IT Monkey ✭✭✭✭
    @Bryan_Taylor
    The folder shares buttons actually had a URL change and the conversion of the URL before sending to the app launcher caused an issue. This will be fixed in 3.0.5 due out this week and the latest version of the app launcher is already out and has it's part of the fix it in (2.0.1)

    Let me get this release out this week, let you get it checked out to see if it resolves your issues further and then we can get on a call to make sure we get anything left you are having issues with knocked out before the 3.1 release in April.
  • Matt_MedleyMatt_Medley Cireson Support Advanced IT Monkey ✭✭✭
    @Bryan_Taylor
    The folder shares buttons actually had a URL change and the conversion of the URL before sending to the app launcher caused an issue. This will be fixed in 3.0.5 due out this week and the latest version of the app launcher is already out and has it's part of the fix it in (2.0.1)

    Let me get this release out this week, let you get it checked out to see if it resolves your issues further and then we can get on a call to make sure we get anything left you are having issues with knocked out before the 3.1 release in April.
    I'll update this in Bryans ticket as well as I've been trying to keep these up to date with each other.
  • Bryan_TaylorBryan_Taylor Customer IT Monkey ✭
    Thanks both of you! I'll keep my eyes out for the new release and I'll let you know if it resolves the issues.
  • seth_coussensseth_coussens Product Owner Ninja IT Monkey ✭✭✭✭

    Cireson True Control Center

    v3.0.5

    ConfigMgr 2012+
    Released: 03/13/2018
    Download

    A True Control Center or Configuration Manager Portal license key is required.

    NOTE: If your license key is older than 30 days you will need to request a new key from Customer Success team.

    Release Notes   |   Installation Instructions   |   Administration Guide (up to v2.2.2)

  • Bryan_TaylorBryan_Taylor Customer IT Monkey ✭
    Thanks @seth_coussens! Downloading now and I'll get the install started as soon as I can. Will let you know how it goes
«1
Sign In or Register to comment.