Microsoft KB Archive/878456

= You cannot access the folders in the SMS Administrator console from a computer that is running Windows XP Professional Service Pack 2 =

Article ID: 878456

Article Last Modified on 3/2/2007

APPLIES TO


 * Microsoft Windows XP Service Pack 2

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
When you use the Microsoft Systems Management Server (SMS) Administrator console on a computer that is running Microsoft Windows XP Professional with Service Pack 2 (SP2), you cannot open the folders in the console tree.

This problem occurs even though you have followed the steps to add the Unsecapp.exe program and TCP port 135 to the list of programs and services on the Exceptions tab of Windows Firewall. (These steps are described on the SMS "Site Systems Frequently Asked Questions" Web page on the Microsoft TechNet Web site. For more information, see the "References" section.)

Additionally, every time that you click various folders, such as the Collections, Packages, or Sites folders, you may receive the following error in the SMS\Logs\Adminui.log file:

Error: Possible UI connection error code is -2147217406



CAUSE
This behavior occurs if the following Group Policy setting is enabled:

Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC Clients

Note By default, this Group Policy setting is disabled.

This behavior may also occur if Kerberos authentication is not used to authenticate to the target domain. If Kerberos authentication is not used, Windows Management Instrumentation (WMI) queries are delivered as anonymous. The DCOM protocol in Microsoft Windows XP SP2 does not permit anonymous sessions and blocks the calls to the SMS server.

Note DCOM is a Windows protocol that can be used on top of the remote procedure call (RPC) protocol by client and server programs.



RESOLUTION
To resolve this behavior, disable the Group Policy setting for RPC authentication that blocks the DCOM protocol, and then make sure that Kerberos authentication is working correctly.

Disable the Group Policy setting
You can change the RPC authentication setting by using the Group Policy Object Editor or by modifying the Windows Registry.

Method 1: Change the RPC authentication setting by using the Group Policy Object Editor

 * 1) Open Active Directory Users and Computers.
 * 2) In the left pane, right-click   object, and then click Properties.
 * 3) Click the Group Policy tab, click the Group Policy that you want to modify, and then click Edit.
 * 4) Under the Computer Configuration node, expand the Administrative templates\System folder.
 * 5) Click the Remote Procedure Call folder.
 * 6) In the right pane, right-click Restrictions for Unauthenticated RPC Clients, and then click Properties.
 * 7) Click Disabled, and then click OK.
 * 8) Close the Group Policy Object Editor.
 * 9) Click OK, and then close Active Directory Users and Computers.

Method 2: Change the RPC authentication setting by modifying the Windows registry
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

 * 1) Click Start, click Run, type regedit, and then click OK.
 * 2) Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT

 * 3) Click the RPC key.
 * 4) In the right pane, right-click RestrictRemoteClients, and then click Modify.
 * 5) In the Value data box, type 0, and then click OK.
 * 6) Quit Registry Editor.
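To confirm which state a workstation is in before or after either method, the following PowerShell check reads RestrictRemoteClients under the policy key and counts occurrences of the Adminui.log error from the Symptoms section. It is an added example, not part of the Microsoft article; the default log path is an assumption, and the value descriptions come from Microsoft's documentation of this policy rather than from this article.

```powershell
# Added example, not part of the KB article.
param(
    # Assumption: full path to the console log (the article gives only SMS\Logs\Adminui.log).
    [string]$AdminUiLog = 'C:\SMS\Logs\Adminui.log'
)

# Policy key from Method 2, including the RPC subkey.
$rpcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'

# RestrictRemoteClients values as documented by Microsoft for this policy.
$meaning = @{
    0 = 'None: anonymous RPC clients are not restricted (the state the article sets)'
    1 = 'Authenticated: anonymous RPC calls are rejected, except exempted interfaces'
    2 = 'Authenticated without exceptions: every anonymous RPC call is rejected'
}

$policy = Get-ItemProperty -Path $rpcKey -ErrorAction SilentlyContinue
if ($policy -eq $null -or $policy.RestrictRemoteClients -eq $null) {
    Write-Output 'RestrictRemoteClients: not set under the policy key'
} else {
    $value = [int]$policy.RestrictRemoteClients
    if ($meaning.ContainsKey($value)) { $text = $meaning[$value] } else { $text = 'unrecognized value' }
    Write-Output "RestrictRemoteClients = $value ($text)"
}

# Symptom from the article: the console logs this code each time a folder is clicked.
$code = -2147217406
$hresult = '0x{0:X8}' -f $code      # the same code written as an HRESULT
$needle = "Possible UI connection error code is $code"

if (Test-Path $AdminUiLog) {
    $hits = @(Select-String -Path $AdminUiLog -Pattern $needle -SimpleMatch)
    Write-Output "Adminui.log: $($hits.Count) line(s) with error $code ($hresult)"
    if ($hits.Count -gt 0) {
        Write-Output "Most recent: $($hits[$hits.Count - 1].Line.Trim())"
    }
} else {
    Write-Output "Log not found: $AdminUiLog"
}
```

A value typed directly under the Policies key is overwritten at the next Group Policy refresh if a domain Group Policy object configures the setting, so rerun the check after a refresh.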

Verify Kerberos authentication
Verify that Kerberos authentication is working correctly on your network.

262177 How to enable Kerberos event logging

244474 How to force Kerberos to use TCP instead of UDP

<div class="references_section">