Home
  •  

FileServerVssAgent denied RPC client without valid supported authentication level

Microsoft.Windows.FileServices.Service.SMB.10.0.FssAgentRpcClientNotSigned (Rule)

FileServerVssAgent denied RPC client without supported valid authentication level.

Knowledge Base article:

Summary

FileServerVssAgent client does not have its RPC message signed.

Causes

FileServerVssAgent.requires its client to support RPC message in signed or more securely encrypted format. If a client RPC message is not signed or encrypted, FileServerVssAgent will deny file share shadow copy operation from this client.

Resolutions

Make sure the client use at least signed RPC message when connecting to FileServerVssAgent RPC server.

Element properties:

TargetMicrosoft.Windows.FileServices.Service.SMB.10.0.FssAgentEnabled
CategoryAvailabilityHealth
EnabledTrue
Event_ID1011
Event SourceMicrosoft-Windows-FileShareShadowCopyAgent
Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
RemotableTrue
Alert Message
FileServerVssAgent denied RPC client without valid authentication level supported
FileServerVssAgent denied RPC client without valid authentication level supported.
Event LogMicrosoft-Windows-FileShareShadowCopyAgent/Operational

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.Windows.FileServices.Service.SMB.10.0.FssAgentRpcClientNotSigned" Target="Microsoft.Windows.FileServices.Service.SMB.10.0.FssAgentEnabled" Remotable="true" Enabled="true">

  <Category>AvailabilityHealth</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Microsoft-Windows-FileShareShadowCopyAgent/Operational</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="String">Microsoft-Windows-FileShareShadowCopyAgent</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">1011</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.Windows.FileServices.Service.SMB.10.0.FssAgentRpcClientNotSigned.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue/>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>