Possible incorrectly named certificate on the Internet facing site system

  • Wednesday, November 04, 2009 11:46 AM  James_Tiger_Woods
     
    This is an extension to the question I asked earlier. I think the problem I have is related to certificates as I am now getting some other errors.

    In the mpcontrol log, I have an error about certificates not being in the MY store. Resolved that, but now I get these:

    The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' of 'Local Computer' store.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    The 'MY' of 'Local Computer' store has 2 certificate(s).~Using custom selection criteria based on the machine name.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    Machine name is '2k3internet'.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    There are no certificate(s) that meet the criteria.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    Performing machine FQDN to SAN2 search.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    Certificate doesn't have SAN2 extension.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    Found a certificate with subject name as ‘sccm-ent.SCCM_ENT.local’, but will continue to look for the certificate with subject name as ‘2k3internet’.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    Using custom selection criteria based on the machine NetBIOS name.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    Machine name is '2K3INTERNET'.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    There are no certificate(s) that meet the criteria.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    Call to HttpSendRequestSync failed for port 443 with an error code.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    Successfully performed Management Point availability check against local computer.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    Initialization still in progress.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)

    The plot thickens. In the mpretry log, I've gone from this:

     Hinv Retry: ******************* Start of Task *********************    RetryManager    04/11/2009 11:07:28    2788 (0x0AE4)
    CMPDBConnection::Init(): IDBInitialize::Initialize() failed with 0x80004005    RetryManager    04/11/2009 11:08:31    2788 (0x0AE4)
    =======================================    RetryManager    04/11/2009 11:08:31    2788 (0x0AE4)

    MPDB ERROR - CONNECTION PARAMETERS
    SQL Server Name     : SCCM-ENT
    SQL Database Name   : SMS_SC0
    Integrated Auth     : True

    MPDB ERROR - EXTENDED INFORMATION
    MPDB Method         : Init()
    MPDB Method HRESULT : 0x80004005
    Error Description   : [DBNETLIB][ConnectionOpen (Connect()).]SQL Server does not exist or access denied.
    OLEDB IID           : {0C733A8B-2A1C-11CE-ADE5-00AA0044773D}
    ProgID              : Microsoft OLE DB Provider for SQL Server

    MPDB ERROR - INFORMATION FROM DRIVER
    Native Error no.  : 17
    Error State       : 1
    Class (Severity)  : 16
        RetryManager    04/11/2009 11:08:31    2788 (0x0AE4)
    =======================================
        RetryManager    04/11/2009 11:08:31    2788 (0x0AE4)
    Hinv Retry: IMPDBConnection::Init() for class failed.    RetryManager    04/11/2009 11:08:31    2788 (0x0AE4)
    To this:
    Hinv Retry: ******************* Start of Task *********************    RetryManager    04/11/2009 11:18:31    2176 (0x0880)
    Hinv Retry: Loaded class definition map; DB policy timestamp: 2009-05-27 21:56:17.597    RetryManager    04/11/2009 11:18:36    2176 (0x0880)
    Hinv Retry: Normalized DB policy timestamp: 20090527215617.000000+000.    RetryManager    04/11/2009 11:18:36    2176 (0x0880)
    Hinv Retry: Looking for retry files in C:\SMS\mp\outboxes\hinv.box\retry\*.hml    RetryManager    04/11/2009 11:18:36    2176 (0x0880)
    Hinv Retry: no files found in the HINV retry directory    RetryManager    04/11/2009 11:18:36    2176 (0x0880)
    Hinv Retry: ******************* End of Task *********************    RetryManager    04/11/2009 11:18:36    2176 (0x0880)
    Not sure how, but I'm happy so far.

    The error in the MPControl log is as at the beginning which suggests that the certificate is wrong.

    However, the Internet facing machine isn't in the same domain, so the certificate that I brought over (the Web and Client) originates from the same domain/machine as the Primary server. As a result, the name is incorrect, which I assume is why I get this:
    Found a certificate with subject name as ‘sccm-ent.SCCM_ENT.local’, but will continue to look for the certificate with subject name as ‘2k3internet’.    SMS_MP_CONTROL_MANAGER    04/11/2009 11:01:18    4012 (0x0FAC)
    What do I need to check or do as I can't find anything anywhere to help...

Answers

  • Thursday, November 05, 2009 2:26 AM  Carol BaileyMSFT, Moderator
     Answer
    The certificate selection relates to the client-side and not the server-side on the native mode management point.  This is used to monitor the health of the site system and actually, isn't critical to the functionality of a native mode site.  Errors in MPControl.log can be misleading, so I wouldn't worry about these unless native mode clients aren't getting policy and/or the site system status for the management point shows Red. I'm guessing that the latter applies to you. 

    The certificate requirements in the subject/SAN for the client are different from those of the server.  For the client, the value simply has to be unique in your enterprise and the FQDN is usually the easiest way to achieve this.  When there is more than 1 valid client certificate that can be used by Configuration Manager, it has to pick one to use.  From the log it looks like it finds 2 certificates that include "client authentication" capability and the certificate selection criteria fails to identify a certificate. 

    There are a couple of ways to resolve this so that the management point successfully identifies a client certificate to use.  The first is to check whether you really need both certificates - for example, do you have a separate client certificate and a Web server certificate that includes client authentication?  If so, consider deleting the client certificate or redeploying the Web server certificate so that it has server authentication only and then delete the previous one.  Or, configure the certificate selection criteria appropriately.  What works well for most customers running SP1 and later is (assuming that the site is publishing to AD): "Check only certificate purpose" together with "Select any certificate that matches" in the Site Properties, Site Mode tab.


    - Carol


    This posting is provided “AS IS” with no warranties and confers no rights
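Added diagnostic for the situation described in this thread (two certificates in the Local Computer MY store, neither whose name matches the management point host). This is not code from the thread or from Configuration Manager; it is a PowerShell script that walks Cert:\LocalMachine\My and approximates the checks visible in the quoted MPControl.log (subject CN against the machine name, FQDN against the SAN, then the NetBIOS name), then reports how many certificates carry the Client Authentication EKU and how many are actually issued to this host. The function name, parameters and wording of the summary lines are mine; the matching rules are an approximation of the log's steps, not Configuration Manager's own selection code.

```powershell
# Added example, not from the thread or from Configuration Manager.
# Assumes PowerShell 3.0+ on the management point host with read access to
# Cert:\LocalMachine\My. Matching rules approximate the steps shown in the
# MPControl.log excerpt (subject CN vs machine name, FQDN vs SAN, NetBIOS name).

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Collect the subject CN plus every "DNS Name=" entry from the SAN extension (OID 2.5.29.17)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $text = $san.Format($false)   # e.g. "DNS Name=host.corp.local, DNS Name=host"
        foreach ($m in [regex]::Matches($text, 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    return $names
}

function Test-MpClientCertSelection {
    param(
        [string]$StorePath   = 'Cert:\LocalMachine\My',
        [string]$Fqdn        = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName),
        [string]$NetBiosName = $env:COMPUTERNAME
    )
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $now = Get-Date

    $rows = foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $names = Get-CertDnsNames -Cert $cert
        [pscustomobject]@{
            Thumbprint     = $cert.Thumbprint
            Subject        = $cert.Subject
            DnsNames       = ($names -join ';')
            ClientAuth     = ($ekus -contains $clientAuth)
            ServerAuth     = ($ekus -contains $serverAuth)
            HasPrivateKey  = $cert.HasPrivateKey
            Valid          = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            MatchesFqdn    = [bool]($names | Where-Object { $_ -ieq $Fqdn })
            MatchesNetBios = [bool]($names | Where-Object { $_ -ieq $NetBiosName })
        }
    }
    $rows | Format-Table -AutoSize

    # A usable client certificate: Client Authentication EKU, private key present, within validity
    $candidates = @($rows | Where-Object { $_.ClientAuth -and $_.HasPrivateKey -and $_.Valid })
    # Of those, the ones whose CN or SAN names this host (the check the log fails on)
    $matching   = @($candidates | Where-Object { $_.MatchesFqdn -or $_.MatchesNetBios })

    Write-Host ("{0} certificate(s) in {1}; {2} usable for client authentication; {3} match '{4}' or '{5}'." -f `
        $rows.Count, $StorePath, $candidates.Count, $matching.Count, $Fqdn, $NetBiosName)
    if ($matching.Count -eq 0 -and $candidates.Count -gt 0) {
        Write-Host "No candidate is issued to this host: expect 'There are no certificate(s) that meet the criteria' until a certificate bearing the local name is deployed or the selection criteria are changed."
    }
    if ($candidates.Count -gt 1) {
        Write-Host "More than one client-authentication certificate present: remove the extra one or set explicit selection criteria so the management point has a single unambiguous choice."
    }
}

Test-MpClientCertSelection
```

Run it on the site system itself (it reads the machine store, so an elevated prompt is needed to see private-key status). The table makes the two conditions in this thread visible at a glance: a certificate copied from the primary server shows up with the primary's name in DnsNames and False in both Matches columns, and a Web server certificate that also carries Client Authentication shows up as a second ClientAuth=True row, which is the ambiguity the answer above suggests removing.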

All Replies

  • Thursday, November 12, 2009 1:18 PM  Carol BaileyMSFT, Moderator
     
    Any update on this?
  • Monday, November 23, 2009 6:38 PM  Carol BaileyMSFT, Moderator
     
    This has been open for a couple of weeks now with no further updates so marking as answered.