Here’s a new KB article we published today. This one describes an issue where the WinRM command fails with Access Denied and error number: -2147024891 0x8007005:
After installing the UNIX/Linux agent for System Center Operations Manager 2007, the Discovery process may fail and the client will not appear in the console. When attempting to troubleshooting such an issue, you may run a command similar to the following to verify that the discovery process is functioning:
winrm e http://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem?__cimnamespace=root/scx -r:https://<Unix server name>:1270 -u:<User account> -auth:basic -encoding:UTF-8 -skipCAcheck -skipCNcheck
In certain scenarios this command will fail with the following error:
Access Denied, Error number: -2147024891 0x8007005.
You may also see the following in /var/opt/microsoft/scx/log/scxcimd.log
cimserver: Listening on HTTPS port 1270. cimserver: Listening on local connection socket. cimserver: Started SCX CIM Server version 2.9.0 Release. cimserver: Authentication failed for user=<User account>. cimserver: Authentication failed for user=<User account>.
This can occur if an incorrect PAM.CONF file is generated on the UNIX server. This file is auto-generated by the SCX installer.
To resolve this issue, remove the auto-generated entries from the PAM.CONF file and add the lines below:
# The configuration of scx is generated by the scx installer. scx auth required /usr/lib/security/$ISA/pam_unix.so.1 scx auth required /usr/lib/security/$ISA/pam_dial_auth.so.1 scx account requisite /usr/lib/security/$ISA/pam_roles.so.1 scx account required /usr/lib/security/$ISA/pam_projects.so.1 scx account required /usr/lib/security/$ISA/pam_unix.so.1 # End of section generated by the scx installer.
IMPORTANT Please make sure to have a backup of the original PAM.CONF file before making any changes. PAM.CONF files are UNIX/Linux install specific and this resolution may only work in certain configurations. It is also possible that there may be custom PAM modules added to support additional features such as AD authentication, etc. As such, this resolution only applies if you have no custom PAM module defined.
In most case the entries that are defined for the sshd process are enough. If you are unsure of what entries are needed you can replicate the entries that are defined for the sshd process and for the scx process and that generally will take care of the issue. Be sure that you fully understand the ramifications of making these changes in your specific environment before doing so.
For more information please see the following: http://technet.microsoft.com/en-us/library/ee344801.aspx
For the most current version of this article please see the following:
2653882: WinRM command fails with Access Denied, Error number: -2147024891 0x8007005
J.C. Hornbeck | System Center & Security Knowledge Engineer
App-V Team blog: http://blogs.technet.com/appv/ AVIcode Team blog: http://blogs.technet.com/b/avicode ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/ DPM Team blog: http://blogs.technet.com/dpm/ MED-V Team blog: http://blogs.technet.com/medv/ OOB Support Team blog: http://blogs.technet.com/oob/ Opalis Team blog: http://blogs.technet.com/opalis Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ OpsMgr Support Team blog: http://blogs.technet.com/operationsmgr/ SCMDM Support Team blog: http://blogs.technet.com/mdm/ SCVMM Team blog: http://blogs.technet.com/scvmm Server App-V Team blog: http://blogs.technet.com/b/serverappv Service Manager Team blog: http://blogs.technet.com/b/servicemanager System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials WSUS Support Team blog: http://blogs.technet.com/sus/
The Forefront Server Protection blog: http://blogs.technet.com/b/fss/ The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ The Forefront TMG blog: http://blogs.technet.com/b/isablog/ The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/