Software advertisements not working in native mode
- Hi.
I've recently changed our SCCM server to native mode. It's running on a Server 2008 x32 VMware.
Everything except software advertisements is working (this has worked in the past, though not in native mode). The strange thing is that I've looked through all the logs I can find, both for SCCM and IIS, and I can't find a single error message that's related to the problem.
All the certificates are in place as described in http://technet.microsoft.com/en-us/library/bb694035.aspx
We have a small problem with our CA server: it's not rolling out the computer and SCCM client certificate.
The SCCM client cert works fine on Server 2003 and above, and the computer cert on all Windows 2000 machines (which is about 4 or 5 old computers that are hardly ever used).
When I try to request the certificates from the server on a client running Windows Vista or XP, I get "RPC service unavailable". I can remote our CA server from the client with no problems, and I've checked the DCOM_ACCESS group and it looks right.
Could this be the reason? If so, why am I not seeing any errors on the client or the server logs?
I've tried exporting and importing the computer and client cert to a computer running Windows Vista and advertised a software to this with no luck.
Last message in the advertisement is SMS Offer Manager successfully processed new advertisement ........
Answers
- Did you check ClientIDManagerStartup.log on the client? If the Configuration Manager client couldn't find a suitable certificate, I would expect it to be logged here. For example: "There are no certificates in the 'MY' store." and "RegTask: Failed to get certificate. Error: 0x80040280". You should see something similar in ClientAuth.log as well. The reference to the 'MY' store is the developer term for the Personal store that you see in the Certificates MMC.
- Carol
This posting is provided “AS IS” with no warranties and confers no rights
- Marked As Answer by Carol Bailey MSFT, Moderator, Tuesday, April 07, 2009 9:45 PM
All Replies
- I'm not sure from your description whether you have a certificate problem on the client, or this really is limited to just software distribution. When you say everything except software advertisements are working, do software updates install? Is your distribution point on a different server to your management point, or do they share the same server?
Have you tried running the native mode readiness tool on the client? This will help check out the client certificate side - for example, that it has a private key and client authentication capability. For more information about running this, see http://technet.microsoft.com/en-us/library/bb680986.aspx. You can use the log file on the client in addition to the reports to check for results.
- Carol
This posting is provided “AS IS” with no warranties and confers no rights
- I ran the readiness tool and this is what I got...
<![LOG[Initializing ModeReadiness tool.]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="1" thread="2288" file="modereadiness.cpp:389">
<![LOG[Setting default logging component for process.]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="1" thread="2288" file="modereadiness.cpp:43">
<![LOG[The 'Certificate Store' is empty in the registry, using default store name 'MY'.]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="1" thread="2288" file="ccmcert.cpp:204">
<![LOG[Failed to load default certificate selection criteria. (0x80004005)]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="2" thread="2288" file="modereadiness.cpp:84">
<![LOG[ModeReadiness initializiation succeeded.]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="1" thread="2288" file="modereadiness.cpp:401">
<![LOG[Certificate store: MY]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="1" thread="2288" file="modereadiness.cpp:275">
<![LOG[Certificate selection criteria: <none>]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="1" thread="2288" file="modereadiness.cpp:280">
<![LOG[Select first certificate option: 1]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="1" thread="2288" file="modereadiness.cpp:285">
<![LOG[There are no certificates in the 'MY' store.]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="3" thread="2288" file="ccmcert.cpp:3507">
<![LOG[Client is NOT ready for native mode.]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="1" thread="2288" file="modereadiness.cpp:341">
<![LOG[Sending state message.]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="1" thread="2288" file="modereadiness.cpp:351">
Looks like I have to sort out the CA before I can get the rest to work. Think I need to check the RPC filter.
But shouldn't it say in any of the logs that the certificates are not in place?
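The readiness tool output posted in this thread can be triaged mechanically. The following is an added example, not written by any poster and not Microsoft tooling: it parses the entry layout seen in those lines and lists warnings (type="2"), errors (type="3") and any line matching certificate phrases quoted in the thread. The function names and the marker list are assumptions made for illustration.

```python
import re

# Entry layout as seen in the readiness tool output quoted in this thread:
# <![LOG[message]LOG]!><time="..." date="..." component="..." type="N" ... file="...">
ENTRY_RE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>.*)>\s*$')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
SEVERITY = {"1": "info", "2": "warning", "3": "error"}

# Certificate-related phrases quoted in this thread (assumed watch list, extend as needed).
CERT_MARKERS = ("no certificates in the", "failed to get certificate", "not ready for native mode")

# Four lines copied from the readiness tool log posted above.
SAMPLE = '''\
<![LOG[Failed to load default certificate selection criteria. (0x80004005)]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="2" thread="2288" file="modereadiness.cpp:84">
<![LOG[Certificate store: MY]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="1" thread="2288" file="modereadiness.cpp:275">
<![LOG[There are no certificates in the 'MY' store.]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="3" thread="2288" file="ccmcert.cpp:3507">
<![LOG[Client is NOT ready for native mode.]LOG]!><time="07:21:31.335+-120" date="04-02-2009" component="ModeReadiness" context="" type="1" thread="2288" file="modereadiness.cpp:341">
'''

def parse_entries(text):
    """Turn single-line log entries into dicts; lines in any other shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        entries.append({
            "message": m.group("msg"),
            "severity": SEVERITY.get(attrs.get("type"), "unknown"),
            "component": attrs.get("component", ""),
            "source": attrs.get("file", ""),
            "when": f'{attrs.get("date", "")} {attrs.get("time", "")}'.strip(),
        })
    return entries

def triage(entries):
    """Keep warnings and errors, plus any entry whose text matches a certificate marker."""
    hits = []
    for e in entries:
        marker = any(m in e["message"].lower() for m in CERT_MARKERS)
        if e["severity"] in ("warning", "error") or marker:
            hits.append(e)
    return hits

if __name__ == "__main__":
    for e in triage(parse_entries(SAMPLE)):
        print(f'{e["severity"]:<8}{e["source"]:<24}{e["message"]}')
```

The readiness verdict itself is logged with type="1", so a filter on severity alone would miss it; the marker list is what catches that line.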