ISSUE
All machines fail to download with the following errors in DataTransferService.log:
GetDirectoryList_HTTP Error sending DAV request. HTTP code 401, status 'Unauthorized'
LOGS
DataTransferService.log –
Job {0BB4BD48-DEC8-4153-BD2A-5062A8725579} impersonating Network Access Account. Successfully queued event on HTTP/HTTPS failure for server 'KULPSYBKP001.intlsos.com'. GetDirectoryList_HTTP Error sending DAV request. HTTP code 401, status 'Unauthorized' GetDirectoryList_HTTP GetDirectoryList_HTTP('https://contonso.test.com:443/CCMTOKENAUTH_SMS_DP_SMSPKG$/6cced099-2065-42fe-ac1b-001de8865708') failed with code 0x80070005.
IIS log –
PROPFIND /CCMTOKENAUTH_SMS_DP_SMSPKG$/6cced099-2065-42fe-ac1b-001de8865708 - 443 - 192.168.33.52 SMS+CCM+5.0 - 401 1 0 1589 1
IIS Freb log –
Note: How to enable IIS Freb logging – https://learn.microsoft.com/en-us/iis/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis#enable-failed-request-tracing
Common possibilities
There could be various possibilities:
- Distribution point prerequisites not met: Refer to https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/configs/site-and-site-system-prerequisites#distribution-point
- Authentication settings for the site in IIS: Windows Authentication not enabled
- Security settings for the site folder in IIS: Local Users group permissions missing
- Antivirus software blocking file access
- Security settings about C:\Windows\system32\inetsrv\smsfileisapi.dll: smsfileisapi.dll has permissions missing
ANALYSIS
In my case, all the above possibilities have been excluded. Therefore, I captured a ProcMon and found that HKLM\SOFTWARE\Microsoft\Sms has missing Read permission for local Users group.
SOLUTION
- Add Users group into Sms node of HKLM\SOFTWARE\Microsoft\Sms
- Grant Read permission to Users group
- Restart IIS: IISReset