SCCM (configmgr) 2007 Native Mode Client Install Fails on SCVMM and Hyper-V Hosts due to Certificate Error
- Hello.
I'm running configmgr 2007 with SP2 RTM and the R2 components. Using native mode and the software update point as the client install method fails on my VMM 08 R2 server. It also fails on all of my Server 2008 R2 hyper-v hosts. The cause of the failure is that when the client installer looks for the client certificates it uses the first one that matches, as configured under site properties. The problem there is that the first cert to match is the self-signed certificate from VMM, named SCVMM_CERTIFICATE_KEY_CONTAINER<fqdn of hyper-v host>.
Is this a known issue?
Are there any known workarounds?
So far the answer has been to uninstall the VMM certificate from the store. I haven't seen any adverse effects from this yet, but I assume the VMM server/client install puts it there for a reason.
Answers
- Difficult to answer whether it's a "known issue", because it depends on your definition of this. Configuration Manager has to select a client certificate when there is more than one available and part of the native mode design recognizes that other certificates might be installed for other products, so it includes a certificate selection criteria. If the current certificate selection criteria results in an invalid certificate being selected, then have a look to see if any of the others will result in the right certificate selected: http://technet.microsoft.com/en-us/library/bb632325.aspx
If you've selected the options "Check only certificate purpose" together with "Select any certificate that matches", Configuration Manager selects the certificate with the longest validity period. If the self-signed certificate has a really high value for the validity period, this certificate selection criteria clearly isn't going to work for your scenario. Not knowing VMM, I can't comment on the consequences of deleting the VMM certificate and like you, I would have to assume that it's installed for a reason so deleting it as a workaround is risky.
Probably your best bet is to use an attribute in the SAN as your certificate selection criteria, which might require that you modify your PKI certificate template. However, if you're going to use attributes, make sure that the value you use doesn't contain spaces (see http://blogs.technet.com/wemd_ua_-_sms_writing_team/archive/2008/11/02/native-mode-certificate-selection-criteria-cannot-use-attributes-with-spaces.aspx).
- Carol
This posting is provided “AS IS” with no warranties and confers no rights
- Marked As Answer by Jason Ogle Saturday, November 07, 2009 9:37 PM
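To see which certificates compete for selection on an affected host, the following read-only check lists the candidates in the computer's Personal store. It is an added example, not part of the thread or of Configuration Manager; the function name `Get-ClientAuthCandidate` is hypothetical. It assumes "certificate purpose" means an explicit Client Authentication EKU and that validity period is `NotAfter` minus `NotBefore`.

```powershell
# Added diagnostic example (not from the thread). Read-only: lists, never deletes.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Get-ClientAuthCandidate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Collect the EKU OIDs through the .NET extension type.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # Assumption: only certificates that explicitly list Client
        # Authentication count as matching the certificate purpose.
        if ($ekus -notcontains $ClientAuthOid) { return }

        # SAN text, if present; this is the field the answer suggests
        # using as a selection attribute.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        $sanText = if ($san) { $san.Format($false) } else { '' }

        New-Object PSObject -Property @{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            # Heuristic: subject equal to issuer indicates a self-signed certificate.
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            ValidityDays = [int]($cert.NotAfter - $cert.NotBefore).TotalDays
            NotAfter     = $cert.NotAfter
            SAN          = $sanText
            Thumbprint   = $cert.Thumbprint
        }
    } | Sort-Object -Property ValidityDays -Descending |
        Select-Object Subject, Issuer, SelfSigned, ValidityDays, NotAfter, SAN, Thumbprint
}

# Longest validity first: with "Check only certificate purpose" and
# "Select any certificate that matches", the answer above says the
# longest-lived match is the one chosen.
Get-ClientAuthCandidate | Format-List
```

If the first entry has `SelfSigned` set to `True`, the purpose-only criteria will keep picking it; the `SAN` column shows whether the PKI-issued certificate carries an attribute value that could be used instead.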
All Replies
- Thanks for the reply, Carol. I'll take a look at using alternate methods to identifying the proper configmgr client certificate.
As a side note to the adverse effects of removing the VMM certificate, I'm unable to complete a successful quick migration from one host to another.
Jason Ogle MCITP Enterprise Administrator

