 

SCCM Native Mode broken after CA migration from 2003 >> 2008

  • Monday, October 12, 2009 6:05 PM shigenobuchan
     
    Last week, our CA was migrated from 2003 to 2008 server.  Now, SCCM isn't working properly.  Specifically, getting the following errors in mpcontrol.log


    CryptVerifyCertificateSignatureEx returned error 0x80090006.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Certificate doesn't have "SSL Client Authentication" capabilities.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Skipping certificate that is not valid for ConfigMgr usage.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    CryptVerifyCertificateSignatureEx returned error 0x80090006.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Certificate has "SSL Client Authentication" capability.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Successfully performed Management Point availability check against local computer.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Machine name is 'sccmserver.domain.com'.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    CryptVerifyCertificateSignatureEx returned error 0x80090006.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Certificate doesn't have "SSL Client Authentication" capabilities.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Skipping certificate that is not valid for ConfigMgr usage.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    CryptVerifyCertificateSignatureEx returned error 0x80090006.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Certificate has "SSL Client Authentication" capability.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Http test request succeeded.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Successfully performed Device Management Point availability check against local computer.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Initialization still in progress.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:03 AM    5664 (0x1620)
    Machine name is 'sccmserver.domain.com'.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    CryptVerifyCertificateSignatureEx returned error 0x80090006.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Certificate doesn't have "SSL Client Authentication" capabilities.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Skipping certificate that is not valid for ConfigMgr usage.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    CryptVerifyCertificateSignatureEx returned error 0x80090006.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Certificate has "SSL Client Authentication" capability.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Successfully performed Management Point availability check against local computer.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Machine name is 'sccmserver.domain.com'.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    CryptVerifyCertificateSignatureEx returned error 0x80090006.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Certificate doesn't have "SSL Client Authentication" capabilities.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Skipping certificate that is not valid for ConfigMgr usage.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    CryptVerifyCertificateSignatureEx returned error 0x80090006.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Certificate has "SSL Client Authentication" capability.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Http test request succeeded.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Successfully performed Device Management Point availability check against local computer.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)
    Initialization still in progress.    SMS_MP_CONTROL_MANAGER    10/12/2009 11:02:33 AM    5664 (0x1620)


    Thoughts?  I made sure the new CA was extended to support SAN2 attributes.

Answers

  • Wednesday, October 14, 2009 7:38 PM shigenobuchan
     Answer
    Just an update, we ended up building a new server (2008) with the same name of the original CA server (decommissioned) and moved the CA role back to it.  After that, had to enable SAN2 extensions again, request new certificates, but it still didn't work.  Then uninstalled IIS and related SCCM roles (just uninstalling the MP didn't work) and reinstalled.  All is happy after that.
    • Marked As Answer by shigenobuchan Wednesday, October 14, 2009 7:39 PM

All Replies

  • Tuesday, October 13, 2009 4:44 PM shigenobuchan
     
    Checked the IIS logs, now getting the following:  "2009-10-13 16:40:08 W3SVC1 x.x.x.x CCM_POST /ccm_system/request - 80 - x.x.x.x ccmhttp 403 4 5"

    What does 403 4 5 mean?
  • Tuesday, October 13, 2009 5:48 PM Teddy Ostergaard
     
    403.4 means SSL required. "Skipping certificate that is not valid for ConfigMgr usage" is what you should be concerned about.

    There is an excellent tool for debugging SSL errors on IIS, SSL Diag: http://www.microsoft.com/downloads/details.aspx?familyid=cabea1d0-5a10-41bc-83d4-06c814265282&displaylang=en
    SSL Diag was made for IIS 5 & 6. If you are on IIS 7, take a peek here: http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1926
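
Added example, not part of any post in this thread: a PowerShell sketch that splits IIS W3C log lines into named fields and decodes the TLS-related 403 sub-statuses, so the trailing "403 4 5" reads as sc-status, sc-substatus and sc-win32-status. The function name `ConvertFrom-IisLogLine` is hypothetical, the field order is assumed to be the IIS 6 default W3C selection, and the second sample line is constructed.

```powershell
# Added example, not from the thread. Field order is the IIS 6 default W3C set (assumed);
# a "#Fields:" header in the log overrides it.
$DefaultFields = 'date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port ' +
                 'cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status'

# 403 sub-statuses tied to TLS and client certificates
$Sub403 = @{
    4  = 'SSL required'
    5  = 'SSL 128 required'
    7  = 'Client certificate required'
    13 = 'Client certificate revoked'
    16 = 'Client certificate untrusted or invalid'
    17 = 'Client certificate expired or not yet valid'
}

function ConvertFrom-IisLogLine {
    param([string[]]$Line)
    $fields = $DefaultFields -split ' '
    foreach ($l in $Line) {
        # Honour the log's own field list when present, skip other directives and blanks
        if ($l -like '#Fields:*') { $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'; continue }
        if ([string]::IsNullOrWhiteSpace($l) -or $l.StartsWith('#')) { continue }
        $v = $l.Trim() -split '\s+'
        if ($v.Count -ne $fields.Count) { Write-Warning "Skipped (field count mismatch): $l"; continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        $status = [int]$row['sc-status']
        $sub    = [int]$row['sc-substatus']
        $meaning = ''
        if ($status -eq 403 -and $Sub403.ContainsKey($sub)) { $meaning = $Sub403[$sub] }
        [pscustomobject]@{
            Time    = '{0} {1}' -f $row['date'], $row['time']
            Method  = $row['cs-method']
            Uri     = $row['cs-uri-stem']
            Port    = [int]$row['s-port']
            Status  = '{0}.{1}' -f $status, $sub
            Win32   = [int]$row['sc-win32-status']   # 5 = ERROR_ACCESS_DENIED
            Meaning = $meaning
        }
    }
}

# First line is the one quoted in the thread; the second is constructed for contrast.
$sample = @(
    '2009-10-13 16:40:08 W3SVC1 x.x.x.x CCM_POST /ccm_system/request - 80 - x.x.x.x ccmhttp 403 4 5'
    '2009-10-13 16:41:10 W3SVC1 x.x.x.x CCM_POST /ccm_system/request - 443 - x.x.x.x ccmhttp 200 0 0'
)
ConvertFrom-IisLogLine -Line $sample | Format-Table -AutoSize
```

For the line quoted in the thread, the Port column shows 80 next to status 403.4: the request arrived over plain HTTP at a path that requires SSL.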
