Some Clients Not Accepting PKI Certificate for Native Mode
- I realize that the PKI implementation is outside the scope of this forum, but thought I would post this in hopes that someone else might have had this problem and provide some guidance on a resolution.
I am in the process of readying my SCCM environment for switching to native mode from mixed mode. I have used the "Step-By-Step Example Deployment of the PKI Certificates Required for Configuration Manager Native Mode Windows Server 2008 Certification Authority" to set up my environment for issuing PKI certificates as part of the preparation for making the switch to native mode. When I run the report "Summary information of clients capable of native mode communication" I have four laptops that fall into the classification of "Native Mode Incapable Clients" and show an error code of -2147220864, which I believe translates to "A valid certificate was not found in the certificate store".
When I use the "Certificates" MMC snap-in to check the certificate store, there are not any certificates listed under "personal/certificates" as there are for all of the other PCs in my environment.
The commonality amongst these four laptops is that they are all new Lenovo T500 laptops. They are in the same organizational unit as other PCs that do auto accept the PKI certificates. The event logs on the PCs do not show any errors.
Thanks in advance for anyone that might make a suggestion on how to further troubleshoot this problem and/or provide a work-around on getting the needed certificate installed.
All Replies
- Hi David - since nobody else is jumping in with "Yes, I've seen this and this is what I did to fix it" I will suggest that on one of these computers you try manually requesting the certificate using the Certificates MMC in the same way that the step-by-step does for the Web server certificate. If certificate deployment isn't working by Group Policy then it probably won't this way either, but it might give you an informative error message.
Another place to ask for help with troubleshooting Certificate Services is the Windows Security forum: http://social.technet.microsoft.com/forums/en-US/winserversecurity/threads/
- Carol
This posting is provided “AS IS” with no warranties and confers no rights
- Hi Carol - I certainly appreciate the response. However, I am not following you on the "manually requesting the certificate using the Certificates MMC in the same way that the step-by-step does for the Web server certificate". Would you be so kind as to refer to the page number or section title on the step-by-step?
Again, my thanks.
- Yes - see http://technet.microsoft.com/en-us/library/cc872789.aspx#BKMK_webserver32008:
  - Restart the member server to ensure it can access the certificate template with the configured permission.
  - Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
  - In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
  - In the Certificate snap-in dialog box, select Computer account, and then click Next.
  - In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.
  - In the Add or Remove Snap-ins dialog box, click OK.
  - In the console, expand Certificates (Local Computer), and then click Personal.
  - Right-click Certificates, click All Tasks, and then click Request New Certificate.
  - On the Before You Begin page, click Next.
  - On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.
  - On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.
  - Close Certificates (Local Computer).
- Carol
This posting is provided “AS IS” with no warranties and confers no rights
Marked As Answer by David Kraxner Friday, October 23, 2009 9:17 PM
- David - do you have an update for this thread?
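
A scripted version of the store check from the thread, as an added example that is not from any poster or from the TechNet guide: it lists what is in the local computer's Personal store and, if nothing usable is found, refreshes computer Group Policy and pulses autoenrollment. It assumes the native mode client certificate must carry the Client Authentication EKU; the function name `Get-MachineCertificateStatus` is hypothetical.

```powershell
# Added example: inspect the local computer's Personal store (LocalMachine\My)
# for a certificate that could serve as a client certificate.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (assumed requirement)

function Get-MachineCertificateStatus {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $now = Get-Date
        foreach ($cert in $store.Certificates) {
            # Collect the EKU OIDs, if the certificate has an EKU extension at all.
            $ekuOids = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $ekuOids = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
                }
            }
            $inDate  = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
            $hasEku  = $ekuOids -contains $ClientAuthOid
            # Verify() builds the chain with default policy; it also returns
            # $false when the issuing CA is not trusted on this machine.
            $chainOk = $cert.Verify()
            New-Object PSObject -Property @{
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                ClientAuthEku = $hasEku
                ChainValid    = $chainOk
                Usable        = $inDate -and $hasEku -and $chainOk -and $cert.HasPrivateKey
            }
        }
    }
    finally {
        $store.Close()
    }
}

$status = @(Get-MachineCertificateStatus)
$status | Format-List Subject, Issuer, NotAfter, HasPrivateKey, ClientAuthEku, ChainValid, Usable

if (-not ($status | Where-Object { $_.Usable })) {
    Write-Output 'No usable certificate in LocalMachine\My; refreshing policy and autoenrollment.'
    gpupdate /target:computer /force   # re-apply computer Group Policy
    certutil -pulse                    # trigger an autoenrollment pass
    # Run Get-MachineCertificateStatus again after a minute to see whether
    # a certificate was issued.
}
```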

