SCCM Clients registration Rejected By Management Point

    General discussion

  • I am having the following situation in one of our secondary sites, where around 90-odd machines have the same issue.

    The client's ClientIDManagerStartup.log shows the following error:

    RegTask: Server rejected registration request: 3

    At the same time, when you check MP_RegistrationManager.log on the primary site server for the corresponding machines, it shows the following error:

    A client is trying to re-register with an administrator revoked certificate: SMSID=GUID:58AA49C0-405F-452C-841C-3BB8728A6A23

    But it is not just one machine; around 80-odd machines have this same issue. None of the machines' certificates were revoked, since the expiration date is until 2015.

    I am running on SCCM native mode with central, primary and secondary site setup.

    The following are the troubleshooting steps done so far, based on my knowledge; none of them works.

    1) Uninstalled the SCCM client agent (ccmsetup /uninstall).

    2) Removed all entries related to SCCM from the registry on that machine.

    3) Removed smscfg.ini from the c:\windows folder.

    4) Removed the Configuration Manager client cert from the local computer personal store.

    5) Installed the Configuration Manager cert back into the local computer personal store.

    6) Reinstalled the SCCM agent; the error comes back.

    I have also noticed that the SMSCFG.ini file was not fully populated with the SMS GUID, since the client is having a problem registering with the MP (RegTask: Server rejected registration request: 3).

    Need your guys kind assistance and help in the above matter.

    Regards, Purush
    Monday, March 14, 2011 9:58 AM
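
    An added example, not part of the original post: with this many machines affected, it helps to pull every SMSID that the management point reports as re-registering with a revoked certificate, using the message text quoted above. The function name, the sample lines and their time/date attributes are constructed for illustration; only the message text and the first GUID come from the post.

```powershell
# Added example (PowerShell 3.0 or later). The sample lines are constructed,
# not real log output; only the message text and first GUID are from the post.
$SampleLog = @(
    '<![LOG[A client is trying to re-register with an administrator revoked certificate: SMSID=GUID:58AA49C0-405F-452C-841C-3BB8728A6A23]LOG]!><time="09:41:07.512+480" date="03-14-2011" component="MP_RegistrationManager">'
    '<![LOG[A client is trying to re-register with an administrator revoked certificate: SMSID=GUID:00000000-1111-2222-3333-444444444444]LOG]!><time="09:43:12.101+480" date="03-14-2011" component="MP_RegistrationManager">'
    '<![LOG[A client is trying to re-register with an administrator revoked certificate: SMSID=GUID:58AA49C0-405F-452C-841C-3BB8728A6A23]LOG]!><time="10:02:55.870+480" date="03-15-2011" component="MP_RegistrationManager">'
    '<![LOG[Unrelated line (constructed)]LOG]!><time="10:03:00.000+480" date="03-15-2011" component="MP_RegistrationManager">'
)

function Get-RevokedRegistration {
    param(
        [string]$Path,       # optional: path to MP_RegistrationManager.log
        [string[]]$Lines     # or log lines passed in directly
    )
    if ($Path) { $Lines = Get-Content -LiteralPath $Path }

    $msgPattern  = 'administrator revoked certificate: SMSID=(GUID:[0-9A-Fa-f-]{36})'
    $datePattern = 'date="(\d{2}-\d{2}-\d{4})"'

    $Lines | ForEach-Object {
        if ($_ -match $msgPattern) {
            $id = $Matches[1]                    # save before the next -match overwrites $Matches
            $date = if ($_ -match $datePattern) { $Matches[1] } else { $null }
            [pscustomobject]@{ SMSID = $id; Date = $date }
        }
    } |
    Group-Object SMSID |
    ForEach-Object {
        [pscustomobject]@{
            SMSID    = $_.Name
            Attempts = $_.Count
            # Entries are in log order, so the last one is the most recent attempt
            LastSeen = ($_.Group | Select-Object -Last 1).Date
        }
    } |
    Sort-Object Attempts -Descending
}

Get-RevokedRegistration -Lines $SampleLog | Format-Table -AutoSize
```

    The resulting SMSID list can be compared against the client records on the site server to see which GUIDs the clients keep presenting.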

All replies

  • First confirm that the boundary is configured correctly on the secondary site...


    Joy, Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Monday, March 14, 2011 10:35 AM
  • How are you distributing certificates to the clients? Have you manually verified that the certificate is installed?

    Also, revocation refers to an administrative action and has nothing to do with the certificate's expiration date. You revoke a certificate (in Microsoft's PKI) from the CA console.


    Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
    Monday, March 14, 2011 12:13 PM
  • Hi Jason,

    Yup, the certificate was installed on the SCCM client agent machine and the certificate was not revoked in the CA. The problem is that it is happening on almost 85 percent of the machines in that site, which is close to 90-odd machines. 15 machines are okay.

    It all started because of the following reason:

    The secondary site was down and this site was configured as a protected site.

    In that site, the SMS agent executive service on all the machines was stopped for more than a month because of a deployment which caused high traffic on the entire WAN link.

    Due to the above factor, since the machines had not reported back to the server for more than 90 days, the SCCM server marked these clients as obsolete. What I have done so far is delete all these machines from the SCCM server, uninstall the client agents from these machines and try to reinstall them. During the reinstallation I am having the issue which I mentioned earlier.

    On the certificates side nothing was changed, as I am trying to use the same certificate which was installed in the computer personal store.


    Regards, Purush
    Tuesday, March 15, 2011 4:47 AM
  • Hi Joy,

    Boundaries are configured correctly, as the clients can discover the management point and there is no change in the boundary.

    The problem is that it is happening on almost 85 percent of the machines in that site, which is close to 90-odd machines. 15 machines are okay.

    It all started because of the following reason:

    The secondary site was down and this site was configured as a protected site.

    In that site, the SMS agent executive service on all the machines was stopped for more than a month because of a deployment which caused high traffic on the entire WAN link.

    Due to the above factor, since the machines had not reported back to the server for more than 90 days, the SCCM server marked these clients as obsolete. What I have done so far is delete all these machines from the SCCM server, uninstall the client agents from these machines and try to reinstall them. During the reinstallation I am having the issue which I mentioned earlier.

    On the certificates side nothing was changed, as I am trying to use the same certificate which was installed in the computer personal store.


    Regards, Purush
    Tuesday, March 15, 2011 4:50 AM
  • Hi Purush,

    A few points to clarify... What is the SCCM version installed?

    Can I ask what method was used to install the client (Client Push/GPO/Direct/Imaging/Script)? Any errors in ccm.log?

    Any relevant errors or warnings in the secondary site server component status or site system status?

    Note: I hope you have configured the boundary correctly on the secondary site server, and that a proxy MP is configured on the secondary site server. Also that the right certificate was installed on the SCCM client agent machine.


    Joy
    Tuesday, March 15, 2011 1:30 PM
  • Sounds like a call to CSS is in order because I'm not sure what's going on now and I think you've entered uncharted territory.

    Have you tried deleting and re-issuing the certs before you try to reinstall the client agent?


    Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
    Tuesday, March 15, 2011 3:40 PM
  • I have managed to resolve the issue by following a sequence in the client uninstall procedure and then reinstalling.

    The sequence is as follows:

    1) Uninstall the client agent: ccmsetup /uninstall
    2) Remove the entries of CCMsetup and SMS from registry HKLM
    3) Remove the Config Mgr cert from the computer personal store
    4) Remove smscfg.ini from the windows folder
    5) Restart the machine

    Installation process:
    Wait for the client PC to auto-enroll the Config Mgr client cert from the CA
    Reinstall the client

    The client registration successfully went through. I suspect it is because the client, no matter how many times you reinstall it, tries to use the old GUID to register with the MP without even knowing that the client has been marked as obsolete on the SCCM primary site server.

    If you restart the machine and perform the above steps, it will flush the cache, try to register with an MP, get the new GUID from the MP and then successfully register.

    I hope the above steps will help someone who has the same problem as me.
    Regards, Purush
    Thursday, March 17, 2011 4:46 AM
  • Hi Joy,

    I have managed to resolve the issue by following a sequence in the client uninstall procedure and then reinstalling.

    The sequence is as follows:

    1) uninstall the client agent ccmsetup /uninstall
    2) remove the entries of CCMsetup and SMS from registry HKLM
    3) remove the Config mgr cert from computer personal store
    4) remove the smscfg.ini from windows folder
    5) restart the machine

    Installation process:
    wait for the client PC to auto-enroll the Config Mgr client cert from the CA
    reinstall the client

    The client registration successfully went through. I suspect it is because the client, no matter how many times you reinstall it, tries to use the old GUID to register with the MP without even knowing that the client has been marked as obsolete on the SCCM primary site server.

    If you restart the machine and perform the above steps, it will flush the cache, try to register with an MP, get the new GUID from the MP and then successfully register.

    I hope the above steps will help someone who has the same problem as me.


    Regards, Purush
    Thursday, March 17, 2011 4:48 AM
  • I had a similar issue and resolved the issue in SCCM 2012 SP1.

    It occurred on Windows 2008 clients that had a third-party certificate in the Computer -> Personal certificate store. I copied the two certificates from the SMS folder to the Personal certificates store and the issue was resolved.

    Thursday, March 14, 2013 11:39 AM
  • I am having the same issue with a server 2012 client, but in our case, a third-party certificate in the "Personal" store of the local computer had been created by an install/configure of Symantec Backup Exec 2012. It is a self-signed cert, with what looks like a self-signed root. (Not a known root, but one specific to that server.)

    Trying to resolve this, I found the two certificates in the SMS "folder" (Logical Store Name) of the Local Computer account's certificate stores. (Used mmc.exe -> Certificates -> Local Computer) I right-clicked and copied the two certs in the "SMS" folder/store that are labeled as 'issued to' and 'issued by' "SMS"; then I pasted them into the "Personal" folder/store. I did not remove the third-party certificate, yet.

    I uninstalled sccm, then re-installed after a reboot. Still was getting the error regarding an invalid certificate.

    I exported the third-party cert, with private key and all extended properties, to back it up. Then I deleted it. VOILA! The client successfully registered, and data started populating.

    After waiting about 40 minutes, making sure everything was going well, I imported the third-party certificate back in - since BE2012 is probably not going to work properly without it. ARGH! The errors about a failure in client certificate immediately started in the SMS_MP_CONTROL_MANAGER site component status message viewer. I deleted it back out again, and it stopped creating those errors.

    So the big question right now is - HOW DO I TELL THE SCCM CLIENT TO USE ONE OF THE 'SMS' Certificates instead of A THIRD-PARTY CERTIFICATE? WHY IS IT EVEN DOING THAT IN THE FIRST PLACE? Or is it presenting all certificates in that store, and failing when any one of them cannot be resolved to a known root?

    The only work-around I can think of trying is to import the self-signed root found into the trusted store of the management point. Which I am not going to do, not at this point. This may snowball into having to do this for a bunch of clients.

    Does anyone have any additional information on this?

    Thanks!
    Thursday, July 25, 2013 7:48 PM
  • Up against this same problem right now. So far McAfee EPO and Blackberry server both use certs in the Personal store that SCCM tries to use to register the client. Why? Don't know yet.
    Friday, August 02, 2013 7:17 PM
  • I was running into this same problem.

    In the SCCM Console -> Administration -> Site Configuration -> Sites. Right click on your site(s) and edit the properties. In the Client Computer Communication tab if you have "Use PKI client certificate (client authentication capability) when available" selected then you can modify the client certificate selection criteria.

    Thursday, September 05, 2013 7:51 PM
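
    An added example, not from any poster in this thread: before setting certificate selection criteria, it helps to see which certificates in the Local Computer "Personal" store are usable for client authentication, since the posts above describe third-party and self-signed certificates sitting in that store. The function name is hypothetical; the chain is built against the client's own trust stores with revocation checking off, which is an assumption made so the check runs offline.

```powershell
# Added example (PowerShell 3.0 or later): list certificates in Local Computer\Personal
# that are usable for client authentication, with the facts needed to tell them apart.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ClientAuthCandidate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect EKU OIDs; a certificate with no EKU extension is valid for all purposes
        $eku = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        if ($eku.Count -gt 0 -and $eku -notcontains $clientAuthOid) { continue }

        # Build the chain using this machine's trust stores, without revocation lookups
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            NotAfter      = $cert.NotAfter
            ChainTrusted  = $trusted
            ChainStatus   = $status
        }
    }
}

Get-ClientAuthCandidate | Sort-Object NotAfter -Descending | Format-List
```

    ChainTrusted reflects the client's trust stores only; a certificate that chains locally can still fail at the management point if its root is not trusted there. The Subject or Issuer values shown are what the selection criteria would need to distinguish.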