Troubleshooting the errors due to incorrectly configured account rights during remote installation of Kaspersky Security Center Network Agent
Applications and versions that this article concerns:
- Kaspersky Security Center 14.2 (version 14.2.0.26967)
- Kaspersky Security Center 14 (version 14.0.0.10902)
- Kaspersky Security Center 13.2 (version 13.2.0.1511)
- Kaspersky Security Center 13.1 (version 13.1.0.8324)
- Kaspersky Security Center 13 (version 13.0.0.11247)
Issue
You may encounter errors when running a remote installation task for Network Agent or third-party software that uses operating system resources, either through the Administration Server or through distribution points.
Cause
Error | Cause |
---|---|
“Shared folder "\\192.0.2.45\admin$" is unavailable for the following accounts: svc_kavadmin@example.com, EXAMPLE\svc_kavadmin, <Current Administration Server service account> (Access Denied.)” | The permissions of the account under which the Administration Server is running are incorrectly configured. |
“Distribution point "<DP_name>" has failed to start remote installation. Installation package download from the Administration Server to the shared folder on the device returned an error: <Kaspersky Security Center 14.2 Network Agent service account> (Access denied.) No more distribution points have been found.” | The permissions of the account under which the Administration Server is running are incorrectly configured. |
“Shared folder "\\192.0.2.45\admin$" is unavailable for the following accounts: <Current Administration Server service account> (The RPC server is unavailable)” | There are NTLM protocol restrictions, or the trust relationship between the target device, a distribution point, or the Administration Server and the Active Directory domain is disrupted. |
“Distribution point "<DP_name>" has failed to start remote installation. Installation package download from the Administration Server to the shared folder on the device returned an error: <Kaspersky Security Center 14.2 Network Agent service account> (The RPC server is unavailable.) No more distribution points have been found.” | There are NTLM protocol restrictions, or the trust relationship between the target device, a distribution point, or the Administration Server and the Active Directory domain is disrupted. |
Solution
- Use the following command to check the account under which the Administration Server service is running:
- Examine the command execution result.
If there is a period instead of a company’s domain name, it means the service works under a local user of the operating system (OS) on which the Administration Server is installed.
If an account has been added to the installation task settings, the connection to the target device will be made under this account and the Administration Server account.
- Follow the guides below to resolve the issue in the following situations:
Troubleshooting the error: Access denied
Verify the following:
- Whether the account password specified in the remote installation task is correct. Re-enter this password.
- Whether the account is neither locked nor expired. Make sure that no password change is required.
- Whether the account has administrator rights on the target device.
- Whether the basic authentication method is set for the accounts:
- Press Win + R on the keyboard.
- Type secpol.msc and click OK.
- In the Local Security Policy window that opens, go to Local Policies → Security Options and make sure that Network access: Sharing and security model for local accounts is set to Classic - local users authenticate as themselves. For details, see the Microsoft website.
Troubleshooting the error: The RPC server is unavailable
- Check the trust relationship between the domain device, a distribution point, or the Administration Server and the Active Directory domain.
To do this, open the command prompt as administrator and run the commands:
If the command result is True, then the device is trusted by the domain. For more details about the command, see the Microsoft website.
Installation using Kerberos
- Enter Service Principal Name for each domain target device:
- Open the command prompt as administrator with rights to write Active Directory attributes.
- Run the command for each device:
setspn -s cifs/<target_host_ip> <target_pc_hostname>
Where <target_host_ip> is the IP address of the target device's connection to the Administration Server network or to a distribution point, and <target_pc_hostname> is the device name.
For example:
setspn -s cifs/192.0.2.45 mytestpc
- Enable Kerberos support for IP addresses in the OS of the Administration Server.
- Open the command prompt as an administrator.
- Run the following command:
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v TryIPSPN /t REG_DWORD /d 1 /f
- Deploy Network Agent on devices.
- Delete previously created SPN records if the IP addresses of the devices are temporary. For details, see the Microsoft website.
Installation using NTLM
- Change the Active Directory domain policy security settings to allow the NTLM protocol to operate while Network Agent is being deployed.
- On the target domain devices, set Network Security: Restrict NTLM: Incoming NTLM traffic to Allow all.
The Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers policy setting can be set to Deny all.
- Set the Network security: Restrict NTLM: NTLM authentication in this domain setting to Disable on domain controllers.
- On the Administration Server, set the Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers policy setting to Allow all.
- Deploy Network Agent on devices.
- Only for Kerberos: reset the domain security settings to initial mode.
- On the target domain devices, set Network Security: Restrict NTLM: Incoming NTLM traffic to Allow all.
- If the issue persists, review additional diagnostic data of all the listed devices through the OS snap-in: open Event Viewer → Application and Services Logs → Microsoft → Windows → NTLM → the Operational log. You can also use the installation methods specified in the fourth item from the What to do if the issue persists block.
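The Access denied, Kerberos and NTLM steps above each depend on a local setting that can be read from the registry. The following is an added example, not part of the original article: a PowerShell function that reports the current state of those settings on one device, so the initial values can be recorded before deployment and checked again afterwards. Only TryIPSPN and its key are from the article; the other value names are the registry values that back the named security policies, and the function name is hypothetical. The domain controller setting is not covered.

```powershell
# Added example: audit of the per-device settings named in this article.
# It changes no settings. Only TryIPSPN and its key come from the article;
# the other value names are the registry values behind the named policies.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$checks = @(
    @{ Policy = 'Network access: Sharing and security model for local accounts'
       Path = $lsa; Name = 'ForceGuest'
       Map = @{ 0 = 'Classic - local users authenticate as themselves'; 1 = 'Guest only' } }
    @{ Policy = 'Network security: Restrict NTLM: Incoming NTLM traffic'
       Path = "$lsa\MSV1_0"; Name = 'RestrictReceivingNTLMTraffic'
       Map = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' } }
    @{ Policy = 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers'
       Path = "$lsa\MSV1_0"; Name = 'RestrictSendingNTLMTraffic'
       Map = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } }
    @{ Policy = 'Kerberos through IP (TryIPSPN)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
       Name = 'TryIPSPN'
       Map = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
)

# Hypothetical helper name; returns one object per policy.
function Get-DeploymentAuthSetting {
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value absent: the policy is not configured and the OS default applies.
            $raw = $null
            $state = 'Not set (OS default applies)'
        } else {
            $raw = [int]$item.($c.Name)
            $state = if ($c.Map.ContainsKey($raw)) { $c.Map[$raw] } else { "Unknown value $raw" }
        }
        [pscustomobject]@{ Policy = $c.Policy; Value = $raw; State = $state }
    }
}

$report = Get-DeploymentAuthSetting
$report | Format-Table -AutoSize -Wrap
# Save a baseline before changing policies; rerun after deployment and compare.
$report | Export-Csv -Path ".\auth-settings-$($env:COMPUTERNAME).csv" -NoTypeInformation
```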
What to do if the issue persists
- Use additional recommendations on troubleshooting the network access and configuring the OS.
- If the installation task completes successfully and the message "Remote installation has completed successfully on this device." appears, but the Network Agent is not available or doesn’t appear on the device object, see the recommendations in the article.
- Try to exclude checking the connection of the target device to the Administration Server if Deep Packet Inspection (DPI) or decryption and traffic analysis technologies (SSL inspection) are used as part of third-party protection software.
- Use additional centralized tools for deploying Network Agent:
- Using Active Directory group policies
- Integration into a reference OS installation image
- Third-party tools for centralized application deployment
If the issue still persists, submit a request to Kaspersky Technical Support via Kaspersky CompanyAccount. In your request:
- Describe the problem: attach screenshots of the installation error, specify which steps from the instructions you have performed, and provide the output of the diagnostic commands from this article.
- Collect the diagnostic information and attach the created files to your request.
Useful references
Troubleshooting the network errors related to remote installation of KSC Network Agent
How to configure an operating system to troubleshoot the remote installation of the Kaspersky Security Center Network Agent
Forced deployment through the remote installation task of Kaspersky Security Center
Running stand-alone packages created by Kaspersky Security Center