WinRM command fails with Access Denied, Error number: -2147024891 0x8007005

Article
12/20/2011

Here’s a new KB article we published today. This one describes an issue where the WinRM command fails with Access Denied and error number: -2147024891 0x8007005:

=====

Symptoms

After installing the UNIX/Linux agent for System Center Operations Manager 2007, the Discovery process may fail and the client will not appear in the console. When attempting to troubleshooting such an issue, you may run a command similar to the following to verify that the discovery process is functioning:

winrm e https://schemas.microsoft.com/wbem/wscim/1/cim-schema/2/SCX\_OperatingSystem?\_\_cimnamespace=root/scx -r:https://<Unix server name>:1270 -u:<User account> -auth:basic -encoding:UTF-8 -skipCAcheck -skipCNcheck

In certain scenarios this command will fail with the following error:

Access Denied, Error number: -2147024891 0x8007005.

You may also see the following in /var/opt/microsoft/scx/log/scxcimd.log

cimserver: Listening on HTTPS port 1270.
cimserver: Listening on local connection socket.
cimserver: Started SCX CIM Server version 2.9.0 Release.
cimserver: Authentication failed for user=<User account>.
cimserver: Authentication failed for user=<User account>.

Cause

This can occur if an incorrect PAM.CONF file is generated on the UNIX server. This file is auto-generated by the SCX installer.

Resolution

To resolve this issue, remove the auto-generated entries from the PAM.CONF file and add the lines below:

# The configuration of scx is generated by the scx installer.
scx auth required /usr/lib/security/$ISA/pam_unix.so.1
scx auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
scx account requisite /usr/lib/security/$ISA/pam_roles.so.1
scx account required /usr/lib/security/$ISA/pam_projects.so.1
scx account required /usr/lib/security/$ISA/pam_unix.so.1
# End of section generated by the scx installer.

IMPORTANT Please make sure to have a backup of the original PAM.CONF file before making any changes. PAM.CONF files are UNIX/Linux install specific and this resolution may only work in certain configurations. It is also possible that there may be custom PAM modules added to support additional features such as AD authentication, etc. As such, this resolution only applies if you have no custom PAM module defined.

In most case the entries that are defined for the sshd process are enough. If you are unsure of what entries are needed you can replicate the entries that are defined for the sshd process and for the scx process and that generally will take care of the issue. Be sure that you fully understand the ramifications of making these changes in your specific environment before doing so.

More Information

For more information please see the following: https://technet.microsoft.com/en-us/library/ee344801.aspx

=====

For the most current version of this article please see the following:

2653882: WinRM command fails with Access Denied, Error number: -2147024891 0x8007005

J.C. Hornbeck | System Center & Security Knowledge Engineer

The Forefront Server Protection blog: https://blogs.technet.com/b/fss/
The Forefront Identity Manager blog : https://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: https://blogs.technet.com/b/isablog/
The Forefront UAG blog: https://blogs.technet.com/b/edgeaccessblog/

WinRM command fails with Access Denied, Error number: -2147024891 0x8007005

Symptoms

Cause

Resolution

More Information

Additional resources