Site Server Certificate issue
-
Thursday, May 17, 2012 16:54
Hi,
I have to reinstall the Site Server signing certificate. Now I am seeing the error below: "SMS Policy Provider has failed to sign one or more policy assignments. It will retry this operation automatically". Please advise what I could have missed. I have the CA server in a different forest.
Also, is MachineKeySet = True a mandatory property for the Site Server certificate? How do I enable it while requesting a certificate using the web link (Certsrv)?
Thanks in advance...
All replies
-
Thursday, May 17, 2012 22:11
I was able to find a solution to the above problem by using the certreq command. However, now SCCM clients are not receiving policies. They are sending HW inventory. Not seeing any errors. BTW, which logs should I refer to in this case? Please advise.
-
Saturday, May 19, 2012 16:07 (Moderator)
Does this apply (from http://technet.microsoft.com/en-us/library/bb680839.aspx)?
Native Mode Clients Become Unmanaged When They Use a New Site Server Signing Certificate
If a Configuration Manager 2007 client uses a new site server signing certificate that chains to a different root certificate than was used with the previous site server signing certificate, the client will not accept the new site server signing certificate when it receives policies signed with the new certificate.
This will occur if the root certificate for the site server signing certificate changes from the client's point of view—for example, in the following circumstances:
- If you move a Configuration Manager 2007 client from one Configuration Manager 2007 hierarchy to another (for example, a company merger).
- If you configure the site to use a new site server signing certificate from a different root certification authority than the one that issued the previous site server signing certificate.
- You renew your root certificate with a new key pair and then issue a new site server signing certificate.
This behavior provides security prevention against clients accepting a new site server signing certificate from a compromised management point. In this scenario, clients will not attempt to download the new site server signing certificate and will reject the policy they have downloaded, sending an error to the management point to alert the administrator to the fact that policy authorization failed.
Solution
Either delete the copy of the previous site server signing certificate on the Configuration Manager client, or uninstall or reinstall the client.
For more information about this scenario and remedial actions, see Renewing or Changing the Site Server Signing Certificate.
- Marked as answer by Sabrina Shen (Moderator), Tuesday, May 29, 2012 07:37
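
One way to check for the condition the quoted article describes, namely a new site server signing certificate that chains to a different root than the previous one (an added example, not part of the thread or of Microsoft's documentation). It assumes both certificates have been exported to .cer files; the two file paths are hypothetical placeholders.

```powershell
# Added example: compare the root certificates that two site server signing
# certificates chain to. Both file paths are hypothetical placeholders.
param(
    [string]$OldCertPath = 'C:\Temp\old-signing.cer',   # assumed export of the previous certificate
    [string]$NewCertPath = 'C:\Temp\new-signing.cer'    # assumed export of the new certificate
)

function Get-ChainRoot {
    param([Parameter(Mandatory)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the shape of the chain matters here, so skip revocation lookups
    # (the issuing CA may be unreachable, e.g. in another forest).
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cert)

    # The last chain element is the top of whatever chain could be built locally.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Leaf           = $cert.Subject
        NotAfter       = $cert.NotAfter
        RootSubject    = $top.Subject
        RootThumbprint = $top.Thumbprint
        # False means the chain stopped before a self-signed root
        # (an issuer certificate is missing from the local stores).
        ChainComplete  = ($top.Subject -eq $top.Issuer)
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$old = Get-ChainRoot -Path $OldCertPath
$new = Get-ChainRoot -Path $NewCertPath
$old, $new | Format-List

if (-not ($old.ChainComplete -and $new.ChainComplete)) {
    Write-Warning 'At least one chain is incomplete on this machine; import the issuing CA certificates and rerun.'
} elseif ($old.RootThumbprint -eq $new.RootThumbprint) {
    Write-Output 'Both certificates chain to the same root certificate.'
} else {
    Write-Output 'The certificates chain to different root certificates (the condition described in the quoted article).'
}
```

Comparing root thumbprints rather than subjects also catches the third case in the list above, where the root is renewed with a new key pair but keeps its name.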

