none
SCCM 2012 - Client auf Primary Site Server RRS feed

 > 

  • Frage

  • Question
    Anmelden
    0
    Anmelden

    Hallo,

    ich bekomme den Agent auf dem Primary Site Server nicht ans laufen. Somit funktioniert SCEP auch nicht (Policys etc.)

    Der Agent zeigt unter "General" bei "Client certificate": "None" an obwohl eins verfügbar ist.

    Desweiteren steht unter "Actions" nur "Machine Policy"... und "User Policy..."

    Ich kenne dieses verhalten beim OSD, wenn sich der Client noch im Provisioning Mode hängt.

    Was kann ich tun um den Client auch am Primary Server ans laufen zu bringen?

    Donnerstag, 14. März 2013 09:06
    |

Antworten

  • Question
    Anmelden
    0
    Anmelden

    So bin mal wieder einen kleinen Schritt vorwärts gekommen.

    Der Fehler auf beiden Site Systemen liegt definitiv am Zertifikat.

    Es sind zwei Zertifikate auf den beiden Systemen vom Typ "Client Authentication (1.3.6.1.5.5.7.3.2)" vorhanden.

    • ConfigMgr Client Certificate (hat auch jeder Client per Enrollment bekommen)
    • ConfigMgr Client Distribution Point Certificate

    Das zweite (Distribution Point) hat zusätzlich die Möglichkeit den priv Key zu exportieren. Wenn ich dieses nun in der Zertifikat MMC deaktiviere, den Dienst SMS Agent Host neustarte und kurz warte funktioniert es.

    Im Configuration Manager Client steht nun auch "PKI" anstatt "None" bei Client Certificate.

    Diese Vorgehensweise kann ja aber nicht so gedacht sein, warum funktioniert das nicht wenn ich zwei Zertifikate vom gleichen Typ habe, wie habt ihr das gemacht?


    Montag, 29. April 2013 13:42
    |

Alle Antworten

  • Question
    Anmelden
    0
    Anmelden

    Hallo,

    was sagt denn die ClientLocation.log und clientauth.log?

    Donnerstag, 14. März 2013 09:16
    |
  • Question
    Anmelden
    0
    Anmelden
    ClientAuth.log ist ein Management Point Logfile und hat mit dem Client an sich nichts zu tun.
    Wie hast Du denn den Client überhaupt installiert? Ist der MP im http oder https Modus (da Du von Zertifikation schreibst)? Ist der Client denn einer Site assigned (siehe Control Panel Applet -> Site)?

    Torsten Meringer | http://www.mssccmfaq.de

    Donnerstag, 14. März 2013 09:45
    |
    Beantworter
  • Question
    Anmelden
    0
    Anmelden

    Installation ist im Native Mode (HTTPS). Client ist der Site zugeordnet (es gibt nur eine, im AD gepublished).

    Hatte bis gerade vermutet, dass der Client mit der Installation des Primary Site Servers automatisch installiert wurde.

    Es kann aber auch sein, dass ich diesen per Client Push oder Software Update Point based Installation installiert habe.

    Es sieht so aus als ob er nicht das vorhandene Client Zertifikat [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] verwenden will.

    Hier noch ein Ausschnitt aus der ccmsetup-ccmeval.log:

    ==========[ ccmsetup started in process 4964 ]==========	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Running on platform X64	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Updated security on object C:\Windows\ccmsetup\cache\.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Launch from folder C:\Windows\ccmsetup\cache\	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
CcmSetup version: 5.0.7804.1000	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Running on OS (6.1.7601). Service Pack (1.0). SuiteMask = 272. Product Type = 3	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Ccmsetup command line: C:\Windows\ccmsetup\cache\ccmsetup.exe /evaluate:client	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Loaded command line: C:\Windows\ccmsetup\cache\ccmsetup.exe "/runservice" "/config:C:\Windows\ccmsetup\MobileClientUnicode.tcf"	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
SslState value: 224	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
CCMHTTPPORT:    80	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
CCMHTTPSPORT:    443	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
CCMHTTPSSTATE:    63	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
CCMHTTPSCERTNAME:    	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
FSP:    	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
CCMCERTISSUERS:    CN=ROOTCA-CORP; DC=corp; DC=intern	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
CCMFIRSTCERT:    1	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
HTTPS is enforced for Client. The current state is 63.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Begin searching client certificates based on Certificate Issuers	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Certificate Issuer 1 [CN=ROOTCA-CORP; DC=corp; DC=intern]	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Analyzing 1 Chain(s) found	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Chain has Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Chain has Certificate [Thumbprint B74BA297803BA21615753C8C598DBADB829F8861] issued to 'SUBCA-CORP'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Chain has Certificate [Thumbprint 05EE8C5956C9D1FB1FD4E130E2C27FF13901C91C] issued to 'ROOTCA-CORP'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Based on Certificate Issuer 'ROOTCA-CORP' found Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Begin validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
CRL check enabled. 	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Verification of Certificate chain returned 00000000	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Completed validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Analyzing 1 Chain(s) found	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Chain has Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Chain has Certificate [Thumbprint B74BA297803BA21615753C8C598DBADB829F8861] issued to 'SUBCA-CORP'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Chain has Certificate [Thumbprint 05EE8C5956C9D1FB1FD4E130E2C27FF13901C91C] issued to 'ROOTCA-CORP'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Based on Certificate Issuer 'ROOTCA-CORP' found Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Begin validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
CRL check enabled. 	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Verification of Certificate chain returned 00000000	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Completed validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Completed searching client certificates based on Certificate Issuers	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Begin to select client certificate	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
2 certificate(s) found in the 'MY' certificate store.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
The 'MY' of 'Local Computer' store has 2 certificate(s). Using custom selection criteria based on the machine name.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Machine name is 'SRV050.corp.intern'.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
There are no certificate(s) that meet the criteria.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Performing search that includes SAN2 extensions...	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Checking if certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern' is valid for ConfigMgr usage.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Begin validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
The Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern' has 'Client Authentication' capability.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Completed validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Checking if certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern' is valid for ConfigMgr usage.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Begin validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
The Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern' has 'Client Authentication' capability.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Completed validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
>>> Client selected the PKI Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Raising event:

instance of CCM_ServiceHost_CertRetrieval_Status
{
	ClientID = "GUID:D6C22A0F-E50A-41D5-882F-D771E17821CC";
	DateTime = "20130313234822.806000+000";
	HRESULT = "0x00000000";
	ProcessID = 4964;
	ThreadID = 7336;
};
	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Failed to submit event to the Status Agent. Attempting to create pending event.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Raising pending event:

instance of CCM_ServiceHost_CertRetrieval_Status
{
	ClientID = "GUID:D6C22A0F-E50A-41D5-882F-D771E17821CC";
	DateTime = "20130313234822.806000+000";
	HRESULT = "0x00000000";
	ProcessID = 4964;
	ThreadID = 7336;
};
	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Successfully submitted pending event to WMI.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
CCMCERTID:    MY;74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Config file:      C:\Windows\ccmsetup\MobileClientUnicode.tcf	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Retry time:       10 minute(s)	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
MSI log file:     C:\Windows\ccmsetup\Logs\client.msi.log	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
MSI properties:    INSTALL="ALL" SMSSITECODE="Q01" CCMHTTPPORT="80" CCMHTTPSPORT="443" CCMHTTPSSTATE="63" CCMCERTISSUERS="CN=ROOTCA-CORP; DC=corp; DC=intern" CCMFIRSTCERT="1" CCMCERTID="MY;74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D"	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Source List:	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
                  \\SRV050.corp.intern\SMSClient	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
                  \\SRV050.CORP.INTERN\SMSClient	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
MPs:	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
                  HTTPS://SRV050.corp.intern	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
Ccmsetup will run as an evaluation.	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)
CcmSetup is exiting with return code 0	ccmsetup	14.03.2013 00:48:22	7336 (0x1CA8)

    Donnerstag, 14. März 2013 10:15
    |
  • Question
    Anmelden
    0
    Anmelden

    Der Client wird bei Installation einer Site nicht automatisch installiert. Schau Dir mal zusätzlich das ClientIDManagerStartup.log an.

    Torsten Meringer | http://www.mssccmfaq.de

    Donnerstag, 14. März 2013 10:31
    |
    Beantworter
  • Question
    Anmelden
    0
    Anmelden

    Ich habe keinen Ordner C:\Windows\CCM.

    Nur D:\Program Files\SMS_CCM\Logs wo auch eine ClientIDManagerStartup.log existiert.
    Der ORdner stammt aber von der Installation der Primary Site.

    Ist die trotzdem die Richtige Log?

    Donnerstag, 14. März 2013 10:56
    |
  • Question
    Anmelden
    0
    Anmelden
    Das ist schon das richtige Log.
    Der ConfigMgr-Client wird normalerweise nach %windir%\CCM installiert. Ausnahme: der Management Point wurde vorher installiert. Die MP-Files landen dann auf der gleichen Ebene wie das ConfigMgr-Installationsverzeichnis in SMS_CCM. MP und Client teilen sich Komponenten, also finden sich die Client-Logs in den Verzeichnissen des MPs.

    Torsten Meringer | http://www.mssccmfaq.de

    Donnerstag, 14. März 2013 12:09
    |
    Beantworter
  • Question
    Anmelden
    0
    Anmelden

    OK, Danke für die Info mit den Logs, das war mir neu.

    Im Log erkenne ich, dass er das "ConfigMgr Client Distribution Point Certificate" anstatt "ConfigMgr Client Certificate" auswählt.

    Sind beide vom Typ Client Authentication (erste Zertifikat ist nur mit erlaubtem .pfx Export) sollte daher eigentlich auch funktionieren.

    Hier die Log:

    [----- STARTUP -----]	ClientIDManagerStartup	12.03.2013 14:35:05	6476 (0x194C)
Running query 'SELECT * FROM CCM_Service_HostedApplication WHERE Type="Server"' against namespace: '\\SRV050\ROOT\ccm\Policy\Machine'	ClientIDManagerStartup	12.03.2013 14:35:05	6476 (0x194C)
CCMExec is currently hosting a server application.	ClientIDManagerStartup	12.03.2013 14:35:05	6476 (0x194C)
PopulateRegistrationHint: Client has an SMSID, certificates, and has never set the hint in the current version, setting the hint.	ClientIDManagerStartup	12.03.2013 14:35:05	6476 (0x194C)
Retrieved Certificate ID from registry successfully	ClientIDManagerStartup	12.03.2013 14:35:05	6476 (0x194C)
PopulateRegistrationHint: Using the Certificate selected by the current version of SCCM to set the hint.	ClientIDManagerStartup	12.03.2013 14:35:05	6476 (0x194C)
HTTPS is enforced for Client. The current state is 63.	ClientIDManagerStartup	12.03.2013 14:35:05	6476 (0x194C)
Begin searching client certificates based on Certificate Issuers	ClientIDManagerStartup	12.03.2013 14:35:05	6476 (0x194C)
Certificate Issuer 1 [CN=ROOTCA-CORP; DC=corp; DC=intern]	ClientIDManagerStartup	12.03.2013 14:35:05	6476 (0x194C)
Based on Certificate Issuer 'ROOTCA-CORP' found Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Begin validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Completed validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Based on Certificate Issuer 'ROOTCA-CORP' found Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Begin validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Completed validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Completed searching client certificates based on Certificate Issuers	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Begin to select client certificate	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Begin validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Completed validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Begin validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Completed validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
>>> Client selected the PKI Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Raising event:

instance of CCM_ServiceHost_CertRetrieval_Status
{
	ClientID = "GUID:D6C22A0F-E50A-41D5-882F-D771E17821CC";
	DateTime = "20130312133506.192000+000";
	HRESULT = "0x00000000";
	ProcessID = 6908;
	ThreadID = 6476;
};
	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Failed to submit event to the Status Agent. Attempting to create pending event.	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Raising pending event:

instance of CCM_ServiceHost_CertRetrieval_Status
{
	ClientID = "GUID:D6C22A0F-E50A-41D5-882F-D771E17821CC";
	DateTime = "20130312133506.192000+000";
	HRESULT = "0x00000000";
	ProcessID = 6908;
	ThreadID = 6476;
};
	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
PopulateRegistrationHint: Registration hint successfully populated.	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Deleted Certificate ID from registry successfully	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Begin searching client certificates based on Certificate Issuers	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Certificate Issuer 1 [CN=ROOTCA-CORP; DC=corp; DC=intern]	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Based on Certificate Issuer 'ROOTCA-CORP' found Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Begin validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Completed validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Based on Certificate Issuer 'ROOTCA-CORP' found Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Begin validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Completed validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Completed searching client certificates based on Certificate Issuers	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Begin to select client certificate	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Begin validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Completed validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Begin validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Completed validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
>>> Client selected the PKI Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Raising event:

instance of CCM_ServiceHost_CertRetrieval_Status
{
	ClientID = "GUID:D6C22A0F-E50A-41D5-882F-D771E17821CC";
	DateTime = "20130312133506.389000+000";
	HRESULT = "0x00000000";
	ProcessID = 6908;
	ThreadID = 6476;
};
	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Failed to submit event to the Status Agent. Attempting to create pending event.	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Raising pending event:

instance of CCM_ServiceHost_CertRetrieval_Status
{
	ClientID = "GUID:D6C22A0F-E50A-41D5-882F-D771E17821CC";
	DateTime = "20130312133506.389000+000";
	HRESULT = "0x00000000";
	ProcessID = 6908;
	ThreadID = 6476;
};
	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Client PKI cert is available.	ClientIDManagerStartup	12.03.2013 14:35:06	6476 (0x194C)
Initializing registration renewal for potential PKI issued certificate changes.	ClientIDManagerStartup	12.03.2013 14:35:20	6420 (0x1914)
Succesfully intialized registration renewal.	ClientIDManagerStartup	12.03.2013 14:35:20	6420 (0x1914)
[RegTask] - On co-located client and site role. Posting async registration task.	ClientIDManagerStartup	12.03.2013 14:35:20	6420 (0x1914)
[RegTask] - Co-located with site role. Waiting for full service startup before registering.	ClientIDManagerStartup	12.03.2013 14:35:20	6420 (0x1914)
Read SMBIOS (encoded): 56004D0077006100720065002D00340032002000310031002000610037002000310030002000660031002000610036002000340034002000340065002D0036003700200030003500200066003200200062003800200032003900200034003900200037006500200031003000	ClientIDManagerStartup	12.03.2013 14:35:22	5084 (0x13DC)
Evaluated SMBIOS (encoded): 56004D0077006100720065002D00340032002000310031002000610037002000310030002000660031002000610036002000340034002000340065002D0036003700200030003500200066003200200062003800200032003900200034003900200037006500200031003000	ClientIDManagerStartup	12.03.2013 14:35:22	5084 (0x13DC)
No SMBIOS Changed	ClientIDManagerStartup	12.03.2013 14:35:22	5084 (0x13DC)
SMBIOS unchanged	ClientIDManagerStartup	12.03.2013 14:35:22	5084 (0x13DC)
SID unchanged	ClientIDManagerStartup	12.03.2013 14:35:22	5084 (0x13DC)
HWID unchanged	ClientIDManagerStartup	12.03.2013 14:35:24	5084 (0x13DC)
GetSystemEnclosureChassisInfo: IsFixed=FALSE, IsLaptop=FALSE	ClientIDManagerStartup	12.03.2013 14:35:24	5084 (0x13DC)
Windows To Go requires a minimum operating system of Windows 8	ClientIDManagerStartup	12.03.2013 14:35:24	5084 (0x13DC)
Computed HardwareID=2:E661F43B3BA0F1E209E4BB3CBED44A1E314FEC4E
	Win32_SystemEnclosure.SerialNumber=<empty>
	Win32_SystemEnclosure.SMBIOSAssetTag=<empty>
	Win32_BaseBoard.SerialNumber=None
	Win32_BIOS.SerialNumber=VMware-42 11 a7 10 f1 a6 44 4e-67 05 f2 b8 29 49 7e 10
	Win32_NetworkAdapterConfiguration.MACAddress=00:50:56:91:2F:4E	ClientIDManagerStartup	12.03.2013 14:35:24	5084 (0x13DC)
Persisted hardware IDs in CCM_ClientIdentificationInformation=@:
	HardwareID1=2:E661F43B3BA0F1E209E4BB3CBED44A1E314FEC4E
	HardwareID2=ED58A605010000FA	ClientIDManagerStartup	12.03.2013 14:35:24	5084 (0x13DC)
RenewalTask: Executing renewal task.	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Begin searching client certificates based on Certificate Issuers	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Certificate Issuer 1 [CN=ROOTCA-CORP; DC=corp; DC=intern]	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Based on Certificate Issuer 'ROOTCA-CORP' found Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Begin validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Completed validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Based on Certificate Issuer 'ROOTCA-CORP' found Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Begin validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Completed validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Completed searching client certificates based on Certificate Issuers	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Begin to select client certificate	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Begin validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Completed validation of Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Begin validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Completed validation of Certificate [Thumbprint C773712432F8295F914DD519FB497D610B5DE19C] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
>>> Client selected the PKI Certificate [Thumbprint 74BE55CFC63D4C1FDCA3220146B71C9EC6605C3D] issued to 'SRV050.corp.intern'	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Raising event:

instance of CCM_ServiceHost_CertRetrieval_Status
{
	ClientID = "GUID:D6C22A0F-E50A-41D5-882F-D771E17821CC";
	DateTime = "20130312133526.678000+000";
	HRESULT = "0x00000000";
	ProcessID = 6908;
	ThreadID = 5084;
};
	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Client PKI cert is available.	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
RenewalTask: Certificate has changed, initiating a renewal.	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Aborting any pending registration.	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
Re-registration/renewal initiated. Restarting the service.	ClientIDManagerStartup	12.03.2013 14:35:26	5084 (0x13DC)
RegEndPoint: Event notification: CCM_RemoteClient_Reassigned	ClientIDManagerStartup	12.03.2013 14:35:26	2300 (0x08FC)
RegEndPoint: Received notification for site assignment change from '<none>' to 'Q01'.	ClientIDManagerStartup	12.03.2013 14:35:26	2300 (0x08FC)
[RegTask] - Renewal processing is cancelled.	ClientIDManagerStartup	12.03.2013 14:36:54	3608 (0x0E18)

    Donnerstag, 14. März 2013 12:46
    |
  • Question
    Anmelden
    0
    Anmelden
    Das ist schon das richtige Log.
    Der ConfigMgr-Client wird normalerweise nach %windir%\CCM installiert. Ausnahme: der Management Point wurde vorher installiert. Die MP-Files landen dann auf der gleichen Ebene wie das ConfigMgr-Installationsverzeichnis in SMS_CCM. MP und Client teilen sich Komponenten, also finden sich die Client-Logs in den Verzeichnissen des MPs.

    Torsten Meringer | http://www.mssccmfaq.de

    lässt sich das auch wieder umschwenken? mp deinstallieren, client drauf, mp installieren?
    Donnerstag, 14. März 2013 13:26
    |
  • Question
    Anmelden
    0
    Anmelden
    lässt sich das auch wieder umschwenken? mp deinstallieren, client drauf, mp installieren?
    Ja, geht.

    Torsten Meringer | http://www.mssccmfaq.de

    Donnerstag, 14. März 2013 13:36
    |
    Beantworter
  • Question
    Anmelden
    0
    Anmelden

    Hallo,

    ist die Thematik noch aktuell?

    Gruss,
    Raul

    Raul Talmaciu, MICROSOFT 
    Bitte haben Sie Verständnis dafür, dass im Rahmen dieses Forums, welches auf dem Community-Prinzip „IT-Pros helfen IT-Pros“ beruht, kein technischer Support geleistet werden kann oder sonst welche garantierten Maßnahmen seitens Microsoft zugesichert werden können.

    Montag, 18. März 2013 11:03
    |
  • Question
    Anmelden
    0
    Anmelden

    Ja, habe gerade auch festgestellt, dass die gleiche Situation auch auf einem Verteilungspunkt auftritt.

    Jemand eine Idee?

    Dienstag, 19. März 2013 12:44
    |
  • Question
    Anmelden
    0
    Anmelden

    Heute folgendes noch versucht, leider erfolglos.

    - SCEP client deinstalliert

    - SCCM client deinstalliert

    - Server neugestartet

    - SCCM Client installiert (beides versucht - Push und per Update Service) --> Situation wie ganz oben beschrieben

    "Der Agent zeigt unter "General" bei "Client certificate": "None" an obwohl eins verfügbar ist.

    Desweiteren steht unter "Actions" nur "Machine Policy"... und "User Policy..."

    Dienstag, 9. April 2013 14:32
    |
  • Question
    Anmelden
    0
    Anmelden

    So bin mal wieder einen kleinen Schritt vorwärts gekommen.

    Der Fehler auf beiden Site Systemen liegt definitiv am Zertifikat.

    Es sind zwei Zertifikate auf den beiden Systemen vom Typ "Client Authentication (1.3.6.1.5.5.7.3.2)" vorhanden.

    • ConfigMgr Client Certificate (hat auch jeder Client per Enrollment bekommen)
    • ConfigMgr Client Distribution Point Certificate

    Das zweite (Distribution Point) hat zusätzlich die Möglichkeit den priv Key zu exportieren. Wenn ich dieses nun in der Zertifikat MMC deaktiviere, den Dienst SMS Agent Host neustarte und kurz warte funktioniert es.

    Im Configuration Manager Client steht nun auch "PKI" anstatt "None" bei Client Certificate.

    Diese Vorgehensweise kann ja aber nicht so gedacht sein, warum funktioniert das nicht wenn ich zwei Zertifikate vom gleichen Typ habe, wie habt ihr das gemacht?


    Montag, 29. April 2013 13:42
    |