KBI 311415 Issue Addressed: Cannot Access Local Farm In Argent for SharePoint
Argent Advanced Technology 3.1A-1601-T10 and later
Date
Thursday, 16 June 2016
Summary
Addressed the issue where the connectivity test in Argent for SharePoint failed with the error “Cannot access local farm”
Technical Background
An issue was reported where the connectivity test in Argent for SharePoint failed with the error “Cannot access local farm”
This is caused by the “Double Hop” issue, which is described below
Consider the following two types of deployment
- SharePoint Server, its backend SQL Server and Argent for SharePoint are installed on three different servers of the same domain
- SharePoint Server and its backend SQL Server are installed on different servers of one domain and Argent for SharePoint is installed on a server of another domain
Argent for SharePoint uses PowerShell for its monitoring
In the above-mentioned scenarios, user credentials have to be delegated to remote computers; this is known as the “Double Hop” issue
From PowerShell 2.0 onwards, Microsoft provides a facility using Credential Security Support Provider (CredSSP) authentication to solve the “Double Hop” issue
Argent for SharePoint will implement CredSSP in Argent for SharePoint 3.1A-1601-T11 to support Double Hop in order to address the issue scenarios
Configurations To Be Made On The Server Where Argent for SharePoint Is Installed
- Start GPEDIT.MSC and look at the following policy:
Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Delegating Fresh Credentials
Enable this policy and configure with the SPN appropriate for the target computer
For example, for a target computer named “myserver.domain.com”, the SPN should be the following: WSMAN/myserver.domain.com
- Double click on Allow Delegating Fresh Credentials
- Click on the ‘Enabled’ radio button, select the ‘Concatenate OS defaults with input above’ checkbox and click on the ‘Show’ button as shown below
- Enter the SPN of the machine in the format as explained above
- Click on the ‘Apply’ button
- Again look at the following policy:
Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Allow Fresh Credentials with NTLM-only Server Authentication
Enable this policy as described above
- Update the group policy by executing ‘GPUPDATE’ as shown below
- Verify that everything is set by executing the PowerShell Cmdlet ‘Get-WSManCredSSP’
Configurations To Be Made On The Server Where SharePoint Is Installed
- Execute the PowerShell Cmdlet ‘Enable-WSManCredSSP -Role Server -Force’
- Verify that everything is set by executing the PowerShell Cmdlet ‘Get-WSManCredSSP’
Configuration Of License Node To Use Credential Security Support Provider (CredSSP)
Following is a typical configuration of a License Node using CredSSP
It is important to note that the name of the License Node should match the SPN configured in the Group Policy
A successful connectivity test generates the following message
Note:
You may get the error message ‘Connecting to remote server failed with the following error message: The WinRM client cannot process the request because the server name cannot be resolved.’ when Argent for SharePoint and the SharePoint servers are on different domains
The following steps help to solve this issue
- Add the SharePoint server to the trusted host list by executing the command, Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value "TRIV-SP2010.TRIV.SP2010.NET" -Concatenate -Force
(Use the same SPN that was configured in the Group Policy)
- Restart the WinRM Service by executing the command, Restart-Service WinRM -Force
- Edit the C:\Windows\System32\drivers\etc\hosts file and add the SPN and corresponding IP address as shown below
If you run the connectivity test again, it will show the successful result as shown below
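Added example (not part of the original article and not Argent's own code): a PowerShell check, run elevated on the server where Argent for SharePoint is installed, that reads back the two Credentials Delegation policies and the TrustedHosts list configured above. It confirms the expected SPN is present and flags wildcard entries, since CredSSP hands the account's credentials to every host the lists allow. The default value of $ExpectedSpn is an assumption taken from the article's example host name; the registry paths are where Windows stores these two policies.

```powershell
# Added example: audit the CredSSP client settings described in this article.
# $ExpectedSpn is an assumption (the article's example); pass your own target SPN.
param(
    [string]$ExpectedSpn = 'WSMAN/myserver.domain.com'
)

# Registry keys written by the two Credentials Delegation group policies.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$policies   = 'AllowFreshCredentials', 'AllowFreshCredentialsWhenNTLMOnly'

$report = foreach ($policy in $policies) {
    $path = Join-Path $policyRoot $policy
    $spns = @()
    if (Test-Path $path) {
        $key  = Get-Item -Path $path
        # Each numbered value under the key holds one SPN from the 'Show' list.
        $spns = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
    }
    [pscustomobject]@{
        Policy      = $policy
        Spns        = $spns -join ', '
        HasExpected = $spns -contains $ExpectedSpn
        # A wildcard SPN allows delegation to every host that matches it.
        Wildcards   = @($spns | Where-Object { $_.Contains('*') }) -join ', '
    }
}
$report | Format-Table -AutoSize

# TrustedHosts is a comma-separated string; '*' disables server identity checks
# for every host. Reading it requires the WinRM service to be running.
$trusted = [string](Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
$trustedList = @($trusted -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
"TrustedHosts: $($trustedList -join ', ')"

foreach ($row in $report) {
    if (-not $row.HasExpected) {
        Write-Warning "$($row.Policy): '$ExpectedSpn' is not in the delegation list"
    }
    if ($row.Wildcards) {
        Write-Warning "$($row.Policy): wildcard SPN(s) present: $($row.Wildcards)"
    }
}
if ($trustedList -contains '*') {
    Write-Warning "TrustedHosts contains '*'; list only the SharePoint server"
}

# The built-in summary the article uses for verification.
Get-WSManCredSSP
```

Run it again after ‘GPUPDATE’ whenever the policy lists are changed, so stale or overly broad entries are caught before the License Node is tested.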
Resolution
Upgrade to Argent Advanced Technology 1601-T11 or later