FileServerVssAgent denied RPC client without supported valid authentication level.
FileServerVssAgent client does not have its RPC message signed.
FileServerVssAgent.requires its client to support RPC message in signed or more securely encrypted format. If a client RPC message is not signed or encrypted, FileServerVssAgent will deny file share shadow copy operation from this client.
Make sure the client use at least signed RPC message when connecting to FileServerVssAgent RPC server.
Target | Microsoft.Windows.FileServices.Service.SMB.10.0.FssAgentEnabled | ||
Category | AvailabilityHealth | ||
Enabled | True | ||
Event_ID | 1011 | ||
Event Source | Microsoft-Windows-FileShareShadowCopyAgent | ||
Alert Generate | True | ||
Alert Severity | Error | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
| ||
Event Log | Microsoft-Windows-FileShareShadowCopyAgent/Operational |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.Windows.FileServices.Service.SMB.10.0.FssAgentRpcClientNotSigned" Target="Microsoft.Windows.FileServices.Service.SMB.10.0.FssAgentEnabled" Remotable="true" Enabled="true">
<Category>AvailabilityHealth</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Microsoft-Windows-FileShareShadowCopyAgent/Operational</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">Microsoft-Windows-FileShareShadowCopyAgent</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1011</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>2</Severity>
<AlertMessageId>$MPElement[Name="Microsoft.Windows.FileServices.Service.SMB.10.0.FssAgentRpcClientNotSigned.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue/>
</Suppression>
</WriteAction>
</WriteActions>
</Rule>