Automated account assignment not working with SCP (ServiceConnectionPoint)

Hi everyone,

I followed the official Teamviewer documentation about the rollout of the TeamViewer 12 Host MSI and using a SCP (service connection point) for the automated account assignment.

So i created manually the SCP as mentioned in the documentation:

1) Created the container CN "TeamViewer" at the root (DC=<mydomain>,DC=<myTLD>)

2) Created the service connection point CN "TrustConfigIDs" in the container "TeamViewer" (CN=TrustConfigIDs,CN=TeamViewer,DC=<mydomain>,DC=<myTLD>)

3) Edited the "keywords" properties of the SCP "TrustedConfigIDs" and add the attributes values as mentionned in the documentation: "TeamViewer" and "B15CB251-377F-46FB-81E9-4B6F12D6A15F"

4) Applied everything

5) Edited the "serviceBindingInformation" properties of the SCP "TrustedConfigIDs" and add the attributes value of my ConfigurationID of my customized host (without the "-idc" ): d7xxxxx.

6) Apply and close the windows.

7) Then i deployed my customized host on a virtual test machine by GPO (TeamViewer_Host-idcd7xxxxx.msi)

The product installed itself on the machine successfully but when i open the settings of the host, none account is added. The computer is also not showing up in the management console.

I am missing something ?

Thanks in advance for your help.

Find more posts tagged with

Management Console

TeamViewer 12

Question

Accepted answers

SIR

My issue has been resolved by the Teamviewer's support team. I will share below the details of the answer i had by the support engineer:

When you want to use the Service Connection Point (SCP) for auto account assignment, you have to uncheck the option "Authorize account affectation without any confirmation" (option that you need to check if you use the "Assignment Tool").

Open the Teamviewer Management Console
Go in "Configure and deploy"
In the "Custom module tab", click the "Edit" button on your cutomized host
Uncheck the option "Authorize account affectation without any confirmation" and save the modifications.

Sans titre.png

After unchecking the option, re-download the custom host and re-deploy on your client's computers. After a login with a domain account on your client's machine, the SCP should have added your account automatically.

All comments

SIR

My issue has been resolved by the Teamviewer's support team. I will share below the details of the answer i had by the support engineer:

Open the Teamviewer Management Console
Go in "Configure and deploy"
In the "Custom module tab", click the "Edit" button on your cutomized host
Uncheck the option "Authorize account affectation without any confirmation" and save the modifications.

Sans titre.png

DomLan

Hi SIR (nice nickname),

I think the topic is discussed in this thread https://community.teamviewer.com/t5/API-and-Scripting/Auto-account-assign-doesn-t-work-on-TV12-Host-MSI/td-p/1173/page/3.

It is long enough to read, but carry the third page would be useful to look at the comments provided by @RogerH

Some elements related to the occurrence of the problem may be caused by previous versions already installed on the client that must be removed before proceeding (also via Regedit)

Regards.

RogerH

Hi @SIR

Did you create a TeamViewer_Settings.reg file on a test computer, and include that with the correctly named MSI file ? The way i understand it, the MSI file (named with -idcprofileID) installs the host and will only apply the profile and add to the TV Account the profile is in If you have the following in place -

Properly configured SCP
Properly configured and named TeamViewer_Settings.reg in same folder as the MSI file

When I originally setup TV11 using SCCM, and an SCP in AD to auto assign the profile and account, I needed both SCP AND the .REG file. Also, when I first logged in, after host was installed -

If I logged in with a LOCAL account that had Admin rights, it would prompt me to allow the host to be assigned to the TV account (when you login with a local account immediately after TV is installed, it 'ignores' the SCP
If I logged in with an AD account, then TV would read the SCP and auto assign the profile and assign to the TV account

Hopw this information helps

SIR

Hello @DomLan,

Thank you for your answer, indeed this is the best nickname

Okay i will check what @RogerH wrote and see if that can help...

I already tried to install Teamviewer 12 while uninstalling oldest versions first and also delete the differents trees in various registrie's hives created by Teamviewer (my test machine is 64 bit) :

HKLM\SOFTWARE\Wow6432Node\Teamviewer

HKCU\Software\TeamViewer

but that didn't help... I wonder also which account he will try to put automatically because it's specified nowhere (email address of an existing Teamviewer account, or anything else...)

Anyway, i will read first the comments and get back to you !

SIR

Dear @DomLan,

I read carefully and tried some instructions of @RogerH but that didn't solve my issue. He is more speaking about the Assignment Tool and not really about how to configure the SCP..

I had the version 8 of TV installed on my test computer but i never had a SCP made in my Active Directory for Teamviewer because i didn't need in the past.

I uninstall completely the TV 8 of my test machine (deleted registry keys, folder in C:\Program files..., etc...) and redeploy trought GPO but that still not working.

Any further ideas ?

SIR

Hi @RogerH

Thank you for the update,

Did you create a TeamViewer_Settings.reg file on a test computer, and include that with the correctly named MSI file ?

Yes i exported a .REG file from a TV Host with my basic parameters that i want to set to all my future clients. I did configure:

Administrator password for editing the settings of the TeamViewer Host
Personal password for unattended access.

For all the other options, i want to apply them using the Teamviewer's policies that you can create in the TV Management Console.

Yes i did, i named my .MSI file with the correct configuration ID i have in my TV Mangement Console: "TeamViewer_Host-idc<myConfigID>.msi"

Properly configured SCP

I used the Teamviewer official documentation to creat at first manually the SCP with all the mentionned parameters. Seeing that wasn't working, i ran secondly the "TrustConfigID.ps1" with a domain admin account. The script worked and created the SCP in the location as expected (CN=System, DC=domain, DC=com,)

I tried also to add the SCP at the root (DC=domain, DC=com,) but that didnt worked either.

I added my configuration ID in the SCP without the "-idc" of course.

Properly configured and named TeamViewer_Settings.reg in same folder as the MSI file

Yes i put the .MSI and the .REG file in the same folder. The name of my REG file is exaclty the same as you mentionned, because if you change it, the file won't be read by the .MSI when it's installing.

The MSI is deployed and installed correctly as well as the .REG file(i am sure because the TV Host prompts me the password i set in the .REG file when i try to access the configuration options).

If I logged in with a LOCAL account that had Admin rights, it would prompt me to allow the host to be assigned to the TV account (when you login with a local account immediately after TV is installed, it 'ignores' the SCP
If I logged in with an AD account, then TV would read the SCP and auto assign the profile and assign to the TV account

I always did connect with a domain account on my test machine. I never made any connections with local accounts. I connected with a non-admin account and admin account but that didn't changed anything.

It's really annoying because i can't see where i made a mistake..

RogerH

Hmmmm - it seems that you did everything correctly from what you describe, so I can't think of what is not working. I assume that after installing the host with the .REG file, the host IS launching automatically? If so, and you go into Options on the host, does it show that it has been added to the relevant TV account ?

SIR

Yes the program starts automatically but none account are added.

I verified in my TeamViewer Management Console and i didn't found the trace of any old record for this machine who where maybe still hanging there or so..

That's really blowing my mind...

I will open a ticket at the Teamviewer support i guess, because i have tried everything and i can't see what is wrong ! Thank you for your time @RogerH and @DomLan

RogerH

Best of luck @SIR - Please keep us updated on what hte solution turns out to be

SIR

A ticket has been openend at the support.

I will keep the topic up to date when a fix will be found

RogerH

I'm glad that you got your issue resolved. I'm not 100% convinced on the solution though.

I have the option "Allow account assignment without confirmation" checked, and I am NOT using the Assignment Tool (because it doesn't work reliably, plain and simple). However, when logging in with an AD account after installing the Host, SCP automatically adds the machine to the correct account, and all that is required is that an admin needs to login and allow Easy Access.

SIR

Mmmh that's curious because the only parameter that the teamviewer's support technician asked me to change was this checkbox and then everything worked as intended. He also verified all the other parameters (SCP, custom host module, ...) and everything was correct.

I never used the SCP before, so maybe if you have already added machines using the SCP, a parameter is maybe written in the registry somewhere and then the "Assignment tool checkbox" has no more effects even you let the checkbox ticked in your host's customizations..

Did you try to install it on a fresh install of Windows who never had a custom Teamviewer Host installed ?

RogerH

SCP is working find in my environment for new and old machines alike.

SIR

:smileyfrustrated:

Okay then i don't know why it wasn't working for me, despite it's certain that the uncheck of the checkbox fixed somehow my issue... The Teamviewer's support told me that i had to uncheck this checkbox if i use SCP and it fixed my case.

I don't know every parameters in your environnment for TV and maybe you have some differences that make work the SCP even with the checkbox ticked ?