Credential Issues
Occasionally (every 2-3 days), PDQ Deploy will fail deployments because of issues such as "failed to connect to target share". To try and fix this, I restart the background service. However, when I start it back up, I always get a credential error, even though my Windows credentials have not changed. If I go into the edit dialog, hit OK without making any changes, and try again, it works fine.
Comments
Ryan,
It sounds like something may be resetting the credentials on the service, possibly a GPO? By hitting OK PDQ Deploy reapplies the credentials (the credentials it shows are those which it will apply, not necessarily those that are currently set on the service). You can verify this by checking the Log On information in the Windows services control panel next time you see the problem.
I also use PDQ Inventory, though, and I never have any credential problems with it.
That is odd. Do both services use the same account?
Yes, they do.
Next time you see the problem, check the PDQ Deploy service in the Windows control panel and let me know if it's been changed, probably to Local System.
Will do!
It just happened again. I checked the service before editing my credentials in PDQ Deploy, but it still has the proper username and domain.
Ryan,
Thank you, that answers that question. When you restart the service and you get a credentials error, what does it say and where do you see it? Is this within PDQ Deploy or do you see it within Windows somewhere?
It is within PDQ Deploy. I lost the exact error message, because I fixed my credentials, but it was something along the lines of "logon failure".
You should have something in your system event log about it. It could be that the password within the service is being reset or corrupted, or a privilege is being removed. Since this doesn't affect PDQ Inventory then it's probably not a privilege thing, but it could be due to timing.
The system event log has an entry, saying that the service could not start because the specified account does not have "log on as service" rights. However, the account does have these rights. I'll get with the sysadmins here to make sure that the right is not being revoked, but right now it's getting more and more confusing.
Ryan,
Aha, that makes sense. When you reapply the credentials within PDQ Deploy we assign that privilege if it's not set. It sounds like you may have a GPO that's revoking it. What's odd is that it hasn't affected Inventory, but that may just be a timing issue where you notice the problem in Deploy before it has a chance to break Inventory.
After talking with one of the sysadmins, we believe that there is a GPO somewhere that revokes that right. The even more unusual part is, this occasionally occurs overnight, and I don't catch it until the next morning, but it still doesn't affect PDQ Inventory, so I don't think it's just good timing on my part.
There are some slight differences in how Inventory and Deploy authenticate which may account for the difference. There may also be another issue that's causing Deploy to stop authenticating and you only run into this issue when you restart the service. Once you've got the privilege revocation problem fixed you'll find out if Deploy stops working again and a simple restart fixes it.
I've switched over to using credentials which do have the log on as service right set in a GPO, so I'll let you know if I have this issue again.
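
A check for the condition this thread arrives at, as an added example that is not part of the original posts or PDQ's own tooling: it reads the service's configured logon account, tests whether that account is listed for "Log on as a service" (SeServiceLogonRight) in the currently applied policy, and shows recent Service Control Manager logon failures. The service name `PDQDeploy` and the helper `Get-Sid` are assumptions; run it from an elevated PowerShell prompt.

```powershell
param(
    # Assumption: service name as registered on this machine; adjust as needed.
    [string]$ServiceName = 'PDQDeploy'
)

function Get-Sid([string]$Name) {
    # Hypothetical helper: account name -> SID string; ".\user" means a local account.
    $n = $Name -replace '^\.\\', "$env:COMPUTERNAME\"
    ([System.Security.Principal.NTAccount]$n).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
"Service '$ServiceName' is configured to log on as: $($svc.StartName)"
if ($svc.StartName -eq 'LocalSystem') { return }   # built-in account, nothing to check
$accountSid = Get-Sid $svc.StartName

# Export the user-rights assignments currently applied on this machine.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$entry = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Entries are "*SID" or plain account names; normalise everything to SIDs.
$holders = @()
if ($entry) {
    $holders = ($entry.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $h = $_.Trim()
        if ($h.StartsWith('*')) { $h.TrimStart('*') } else { try { Get-Sid $h } catch { } }
    }
}

if ($holders -contains $accountSid) {
    "OK: account holds SeServiceLogonRight directly."
} else {
    "MISSING: account is not listed directly (it may still hold the right through a group)."
}

# Recent Service Control Manager logon failures, to line up with the timeline.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7038, 7041
} -MaxEvents 10 -ErrorAction SilentlyContinue | Format-List TimeCreated, Id, Message
```

Running it once while deployments work and again right after a failed service start shows whether the right disappeared in between; `gpresult /h report.html` then shows which GPO sets "Log on as a service" on that machine.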