Internet client not using certificate or seeing distribution point

  • Question

  • I have an SCCM 2012 (not SP1 yet) installation that had originally been configured for intranet only. I have created a distribution point to accept internet traffic, with a NAT for ports 80 and 443. I can get to the IIS pages from the WAN.

    I have the distribution point certificate with a domain-based CA - built as specified in the documentation. I have followed these articles (http://www.apajove.com/index.php/blog/item/49-generating-configmgr-client-certificates-when-auto-enrolment-isn%E2%80%99t-possible and http://www.apajove.com/index.php/blog/item/26-sccm-2012-internet-based-client-deployment) to prepare the remote clients for the agent. The remote laptops were joined to the domain when built but never connect to it. I have an install script that installs the client but I have a few problems. First is that the client does not see its certificate in the configuration manager settings in the control panel. Also, the logs show that it doesn't find the distribution point.

    The script that installs the client is:

    @echo off
    @echo Adding Trusted Root Certificate
    Certutil -addstore -f "ROOT" "%~dp0MyTrustedRoot.cer"
    @echo Import Client Certificate
    Certutil -p "agoodpassword" -importpfx "%~dp0clientcerts\%computername%.pfx"
    @echo Install ConfigMgr Client
    "%~dp0\client\ccmsetup.exe" /source:%~dp0clientcerts\client /mp:https://sccm.acme.com /usePKICert /NOCRLCheck SMSSITECODE=GDC CCMHOSTNAME=https://sccm.acme.com CCMHTTPSTATE=31

    And the ccmsetup.log: 

    Thanks!



    ==========[ ccmsetup started in process 3832 ]========== ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    CcmSetup version: 5.0.7711.0000 ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Running on OS (6.1.7600). Service Pack (0.0). SuiteMask = 256. Product Type = 1 ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Ccmsetup command line: C:\Windows\ccmsetup\ccmsetup.exe /evaluate:all ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Loaded command line: C:\Windows\ccmsetup\ccmsetup.exe "/runservice" "/source:C:\temp\clientcerts\client" "/mp:https://sccm.acme.com" "/usePKICert" "/NOCRLCheck" "SMSSITECODE=GDC" "CCMHOSTNAME=https://sccm.acme.com" "CCMHTTPSTATE=31" ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    SslState value: 448 ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    CCMHTTPPORT:    80 ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    CCMHTTPSPORT:    443 ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    CCMHTTPSSTATE:    448 ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    CCMHTTPSCERTNAME:     ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    FSP:     ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    CCMFIRSTCERT:    1 ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Client is set to use HTTPS when available. The current state is 448. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Begin searching client certificates based on Certificate Issuers ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Completed searching client certificates based on Certificate Issuers ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Begin to select client certificate ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    1 certificate(s) found in the 'MY' certificate store. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Only one certificate present in the certificate store. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Begin validation of Certificate [Thumbprint 9FE78A2FAC53CCA3312D72FF48C1712FC403F0DE] issued to 'labvm21.am.corp.acme.com' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    The Certificate [Thumbprint 9FE78A2FAC53CCA3312D72FF48C1712FC403F0DE] issued to 'labvm21.am.corp.acme.com' has 'Client Authentication' capability. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Completed validation of Certificate [Thumbprint 9FE78A2FAC53CCA3312D72FF48C1712FC403F0DE] issued to 'labvm21.am.corp.acme.com' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    >>> Client selected the PKI Certificate [Thumbprint 9FE78A2FAC53CCA3312D72FF48C1712FC403F0DE] issued to 'labvm21.am.corp.acme.com' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Raising event:
    instance of CCM_ServiceHost_CertRetrieval_Status
    {
    DateTime = "20130529044052.334000+000";
    HRESULT = "0x00000000";
    ProcessID = 3832;
    ThreadID = 1724;
    };
    ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Failed to submit event to the Status Agent. Attempting to create pending event. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Raising pending event:
    instance of CCM_ServiceHost_CertRetrieval_Status
    {
    DateTime = "20130529044052.334000+000";
    HRESULT = "0x00000000";
    ProcessID = 3832;
    ThreadID = 1724;
    };
    ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Successfully submitted pending event to WMI. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    CCMCERTID:    MY;9FE78A2FAC53CCA3312D72FF48C1712FC403F0DE ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Config file:       ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Retry time:       10 minute(s) ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    MSI log file:     C:\Windows\ccmsetup\client.msi.log ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    MSI properties:    SMSSITECODE="GDC" CCMHOSTNAME="https://sccm.acme.com" CCMHTTPSTATE="31" CCMHTTPPORT="80" CCMHTTPSPORT="443" CCMHTTPSSTATE="448" CCMFIRSTCERT="1" CCMCERTID="MY;9FE78A2FAC53CCA3312D72FF48C1712FC403F0DE" ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Source List: ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    MPs: ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
                      https://sccm.acme.com ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Ccmsetup will run as an evaluation. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Found a local ccmsetup.cab. A new one will not be downloaded. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    C:\Windows\ccmsetup\ccmsetup.cab is Microsoft trusted. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Successfully extracted manifest file C:\Windows\ccmsetup\ccmsetup.xml from file C:\Windows\ccmsetup\ccmsetup.cab. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Loading manifest file: C:\Windows\ccmsetup\ccmsetup.xml ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Successfully loaded ccmsetup manifest file. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'i386/vcredist_x86.exe' is applicable. Add to the list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'x64/vcredist_x64.exe' is applicable. Add to the list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'i386/vc50727_x86.exe' is not applicable. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'x64/vc50727_x64.exe' is applicable. Add to the list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'i386/WindowsUpdateAgent30-x86.exe' is not applicable. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'x64/WindowsUpdateAgent30-x64.exe' is applicable. Add to the list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'i386/msxml6.msi' is not applicable. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'x64/msxml6_x64.msi' is applicable. Add to the list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'i386/msrdcoob_x86.exe' is not applicable. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'x64/msrdcoob_amd64.exe' is not applicable. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'pkgmgr.exe' is not applicable. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'dism.exe' is applicable. Add to the list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'wimgapi.msi' is not applicable. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'i386/MicrosoftPolicyPlatformSetup.msi' is not applicable. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'x64/MicrosoftPolicyPlatformSetup.msi' is applicable. Add to the list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'i386/WindowsFirewallConfigurationProvider.msi' is not applicable. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'x64/WindowsFirewallConfigurationProvider.msi' is applicable. Add to the list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'i386/Silverlight.exe' is applicable. Add to the list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'i386/wic_x86_enu.exe' is not applicable. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'x64/wic_x64_enu.exe' is not applicable. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'i386/dotNetFx40_Client_x86_x64.exe' is applicable. Add to the list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'SCEPInstall.exe' is applicable. Add to the list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'i386/client.msi' is not applicable. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item 'x64/client.msi' is applicable. Add to the list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Discovering whether item 'i386/vcredist_x86.exe' exists. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Detected item 'i386/vcredist_x86.exe' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Discovering whether item 'x64/vcredist_x64.exe' exists. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Detected item 'x64/vcredist_x64.exe' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Discovering whether item 'x64/vc50727_x64.exe' exists. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Upgrade code '{A8D19029-8E5C-4E22-8011-48070F9E796E}': product = '{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}', installed = 1, version = 8.0.61000 ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Checking '{A8D19029-8E5C-4E22-8011-48070F9E796E}' version '8.0.61000' expecting >= '8.0.61000'. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Detected item 'x64/vc50727_x64.exe' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Discovering whether item 'x64/WindowsUpdateAgent30-x64.exe' exists. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Checking file 'C:\Windows\system32\wuapi.dll' version '7.4.7600.0226' expecting >= '7.4.7600.226'. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Detected item 'x64/WindowsUpdateAgent30-x64.exe' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Discovering whether item 'x64/msxml6_x64.msi' exists. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Checking file 'C:\Windows\system32\msxml6.dll' version '6.30.7600.16723' expecting >= '6.10.1129.0'. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Detected item 'x64/msxml6_x64.msi' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Discovering whether item 'dism.exe' exists. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    File 'C:\Windows\system32\msrdc.dll' exists. Discovery passed ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Detected item 'dism.exe' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Discovering whether item 'x64/MicrosoftPolicyPlatformSetup.msi' exists. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Upgrade code '{19B9818B-7432-49E9-BC02-B126025EE235}': product = '{376CBB7C-A86E-400D-8702-ABA2EFDE35D7}', installed = 1, version = 1.2.3520.0 ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Checking '{19B9818B-7432-49E9-BC02-B126025EE235}' version '1.2.3520.0' expecting >= '1.2.3520.0'. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Detected item 'x64/MicrosoftPolicyPlatformSetup.msi' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Discovering whether item 'x64/WindowsFirewallConfigurationProvider.msi' exists. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    File 'C:\Windows\ccmsetup\WindowsFirewallConfigurationProvider.msi' exists. Discovery passed ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Detected item 'x64/WindowsFirewallConfigurationProvider.msi' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Discovering whether item 'i386/Silverlight.exe' exists. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    32-bit Hive selected ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Detected item 'i386/Silverlight.exe' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Discovering whether item 'i386/dotNetFx40_Client_x86_x64.exe' exists. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Detected item 'i386/dotNetFx40_Client_x86_x64.exe' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Discovering whether item 'SCEPInstall.exe' exists. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Checking file 'C:\Windows\ccmsetup\SCEPInstall.exe' version '2.2.0903.0000' expecting >= '2.2.903.0'. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Detected item 'SCEPInstall.exe' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Discovering whether item 'x64/client.msi' exists. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    Item x64/client.msi has not been installed yet. Put to pending install list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
    CcmSetup is exiting with return code 0 ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)

    Wednesday, May 29, 2013 2:00 PM
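
An added example, not part of the original post: a small Python parser that summarizes what a ccmsetup.log run recorded about certificate selection, revocation checking and whether client.msi was actually installed. The sample lines are an excerpt of the log quoted above; the function names and summary fields are this example's own.

```python
import re

# Excerpt of the ccmsetup.log quoted in the post (message, then component, date, time, thread).
SAMPLE_LOG = r'''
Ccmsetup command line: C:\Windows\ccmsetup\ccmsetup.exe /evaluate:all ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
Loaded command line: C:\Windows\ccmsetup\ccmsetup.exe "/runservice" "/source:C:\temp\clientcerts\client" "/mp:https://sccm.acme.com" "/usePKICert" "/NOCRLCheck" "SMSSITECODE=GDC" "CCMHOSTNAME=https://sccm.acme.com" "CCMHTTPSTATE=31" ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
1 certificate(s) found in the 'MY' certificate store. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
The Certificate [Thumbprint 9FE78A2FAC53CCA3312D72FF48C1712FC403F0DE] issued to 'labvm21.am.corp.acme.com' has 'Client Authentication' capability. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
>>> Client selected the PKI Certificate [Thumbprint 9FE78A2FAC53CCA3312D72FF48C1712FC403F0DE] issued to 'labvm21.am.corp.acme.com' ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
Ccmsetup will run as an evaluation. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
Item x64/client.msi has not been installed yet. Put to pending install list. ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
CcmSetup is exiting with return code 0 ccmsetup 5/29/2013 12:40:52 AM 1724 (0x06BC)
'''

# Trailing columns appended to every entry: component, date, time, thread id.
TAIL = re.compile(r"\s+\S+ \d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M \d+ \(0x[0-9A-Fa-f]+\)\s*$")
CERT = re.compile(r"\[Thumbprint ([0-9A-Fa-f]{40})\] issued to '([^']+)'")

def messages(log_text):
    """Yield each entry's message with the trailing metadata columns removed."""
    for line in log_text.splitlines():
        m = TAIL.search(line)
        if m:
            yield line[:m.start()].strip()

def summarize(log_text):
    s = {"my_store_count": None, "client_auth_eku": False, "selected_cert": None,
         "switches": [], "properties": {}, "crl_check_disabled": False,
         "evaluation_only": False, "client_msi_pending": False, "exit_code": None}
    for msg in messages(log_text):
        if msg.startswith("Loaded command line:"):
            args = re.findall(r'"([^"]*)"', msg)
            s["switches"] = [a.lower() for a in args if a.startswith("/")]
            s["properties"] = dict(a.split("=", 1) for a in args if "=" in a and not a.startswith("/"))
            # /NOCRLCheck tells the client not to check certificate revocation.
            s["crl_check_disabled"] = "/nocrlcheck" in s["switches"]
        elif m := re.match(r"(\d+) certificate\(s\) found in the 'MY'", msg):
            s["my_store_count"] = int(m.group(1))
        elif "has 'Client Authentication' capability" in msg:
            s["client_auth_eku"] = True
        elif msg.startswith(">>> Client selected the PKI Certificate") and (m := CERT.search(msg)):
            s["selected_cert"] = (m.group(1).upper(), m.group(2))
        elif msg.startswith("Ccmsetup will run as an evaluation"):
            s["evaluation_only"] = True
        elif "client.msi has not been installed yet" in msg:
            s["client_msi_pending"] = True
        elif m := re.search(r"exiting with return code (-?\d+)", msg):
            s["exit_code"] = int(m.group(1))
    return s
```

Calling `summarize()` on the full log file text gives the same fields; the `properties` entry preserves the MSI properties exactly as they were passed on the command line, so they can be compared against the intended values.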