Environment
Novell ZENworks 10 Configuration Management
Situation
Managed workstations cannot login at boot time or explicitly by using zicon login when proxy is set up on the managed workstation.
ERROR (from zenlgn.log):
ObtainAuthToken Failed: 0xC7FF0001
ERROR (from casaauthtoken.log):
CASA_AuthToken -InternalRpc- HTTP request did not complete successfully, status = 503
CASA_AuthToken -InternalRpc- End, retStatus = C7FF0001
CASA_AuthToken -InternalRpc- End, retStatus = C7FF0001
Resolution
Under Internet Explorer > Tools > Internet Options > Connections > LAN Settings check if a proxy is set. If so, check that either:
- The proxy server will forward traffic to port 443 or 2645
or - That you create an exception for the ZENworks server in the proxy configuration so that the authentication request goes directly to the ZENworks server.
Use proxycfg to check the settings. For example:
Microsoft (R) WinHTTP Default Proxy Configuration Tool
Copyright (c) Microsoft Corporation. All rights reserved.
Copyright (c) Microsoft Corporation. All rights reserved.
Updated proxy settings
Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :
Current WinHTTP proxy settings under:
HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :
Proxy Server(s) : myProxyServer
Bypass List : myZENServer;192.168.0.7
Bypass List : myZENServer;192.168.0.7
WinHTTP proxy settings are separate from the proxy settings in Microsoft Internet Explorer. See http://msdn.microsoft.com/en-us/library/ms761351(VS.85).aspx for more information.
Additional Information
When reading the casaauthtoken.log, note that only those requests to port 2645 are relevant to the problem. Port 443 is not used by CASA client.
To determine whether the CASA login request is going directly to ZENworks server or attempting to use the proxy, use the Microsoft tool: WinHttpTraceCfg.exe to collect traces while logging in.
In the output trace you will see the following if the request is going to a proxy, for example:
16:52:31.832 ::*0000018* :: Using proxy server: 192.168.0.11:8080
16:52:31.832 ::*0000018* :: sending data:
...
16:52:31.832 ::*0000018* :: received data:
16:52:31.832 ::*0000018* :: 1024 (0x400) bytes
16:52:31.832 ::*0000018* :: <<<<-------- HTTP stream follows below ----------------------------------------------->>>>
16:52:31.832 ::*0000018* :: HTTP/1.0 503 Service Unavailable
16:52:31.832 ::*0000018* :: 1024 (0x400) bytes
16:52:31.832 ::*0000018* :: <<<<-------- HTTP stream follows below ----------------------------------------------->>>>
16:52:31.832 ::*0000018* :: HTTP/1.0 503 Service Unavailable
Use -u to import from the IE settings if they aren't already set here.
For Windows 7:
For Windows 7:
netsh winhttp set tracing trace-file-prefix="C:\temp\WinHttpLog" level=verbose format=hex state=enabled.
Also running the request directly from the Internet Explorer: https://myZENServer:2645/CasaAuthTokenSvc/ should not return an error, but should return a file listing. If the proxycfg settings conflict with the IE settings, this will succeed but login will still fail, so check both.
Additionally check gpedit User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings and User Configuration > Administrative Templates > Windows Components > Internet Explorer/disable changing proxy settings.
Note: The non-CASA portions of the managed agent services do not use the winHTTP settings. Instead they rely on the PROXY_SETTINGS.xml file in the cache.
For other TIDs relating to login issues, see TID 3273870 - Troubleshooting ZCM login problems
For other TIDs relating to login issues, see TID 3273870 - Troubleshooting ZCM login problems