Certificate installed on the server but not seen by SCCM: error 121

  • Question

  • Hello,

    I noticed the certificate was installed:

    but SCCM does not see it

    Is it a communication problem between the client and the certificate server, or between the client and the MPs?

    Does each client need access to the certificate server or only the site server?

    The error on the console has changed from 53 to 121...

    Begin to select client certificate											ClientIDManagerStartup	1/5/2018 5:06:01 PM	4824 (0x12D8)
    Begin validation of Certificate [Thumbprint DDAF4353AE59816451B3F8DDC5DF99F7B5FD4145] issued to 'OSFPGDS01.ad'		ClientIDManagerStartup	1/5/2018 5:06:01 PM	4824 (0x12D8)
    Completed validation of Certificate [Thumbprint DDAF4353AE59816451B3F8DDC5DF99F7B5FD4145] issued to 'OSFPGDS01.ad'	ClientIDManagerStartup	1/5/2018 5:06:01 PM	4824 (0x12D8)
    Begin validation of Certificate [Thumbprint 938F3DEFC7899BD637E7FFB24EC2D76A050D4DFA] issued to 'osfpgds01.ad'		ClientIDManagerStartup	1/5/2018 5:06:01 PM	4824 (0x12D8)
    Certificate [Thumbprint 938F3DEFC7899BD637E7FFB24EC2D76A050D4DFA] issued to 'osfpgds01.ad' has expired.			ClientIDManagerStartup	1/5/2018 5:06:01 PM	4824 (0x12D8)
    Completed validation of Certificate [Thumbprint 938F3DEFC7899BD637E7FFB24EC2D76A050D4DFA] issued to 'osfpgds01.ad'	ClientIDManagerStartup	1/5/2018 5:06:01 PM	4824 (0x12D8)
    >>> Client selected the PKI Certificate [Thumbprint DDAF4353AE59816451B3F8DDC5DF99F7B5FD4145] issued to 'OSFPGDS01.ad'	ClientIDManagerStartup	1/5/2018 5:06:01 PM	4824 (0x12D8)
    Raising pending event:
    instance of CCM_ServiceHost_CertRetrieval_Status
    {
    	DateTime = "20180106010601.251000+000";
    	HRESULT = "0x00000000";
    	ProcessID = 2920;
    	ThreadID = 4824;
    };
    															ClientIDManagerStartup	1/5/2018 5:06:01 PM	4824 (0x12D8)
    Client PKI cert is available.												ClientIDManagerStartup	1/5/2018 5:06:01 PM	4824 (0x12D8)
    RenewalTask: Client hasn't been registered yet. Reseting registration to pick up new changes.				ClientIDManagerStartup	1/5/2018 5:06:01 PM	4824 (0x12D8)
    Windows To Go requires a minimum operating system of Windows 8								ClientIDManagerStartup	1/5/2018 5:06:53 PM	3356 (0x0D1C)
    GetSystemEnclosureChassisInfo: IsFixed=FALSE, IsLaptop=FALSE								ClientIDManagerStartup	1/5/2018 5:06:53 PM	3356 (0x0D1C)
    Windows To Go requires a minimum operating system of Windows 8								ClientIDManagerStartup	1/5/2018 5:06:53 PM	3356 (0x0D1C)
    Computed HardwareID=2:3509D3C34ECEF0A95E92409B8219EF0D138364BC
    	Win32_SystemEnclosure.SerialNumber=<empty>
    	Win32_SystemEnclosure.SMBIOSAssetTag=<empty>
    	Win32_BaseBoard.SerialNumber=<empty>
    	Win32_BIOS.SerialNumber=2UX834000G      
    	Win32_NetworkAdapterConfiguration.MACAddress=00:21:5A:D6:1F:6A							ClientIDManagerStartup	1/5/2018 5:06:53 PM	3356 (0x0D1C)
    [RegTask] - Client is not registered. Sending registration request for GUID:837EA9D6-BF16-481B-95D9-D352708843B5 ...	ClientIDManagerStartup	1/5/2018 5:06:53 PM	3356 (0x0D1C)
    RegTask: Failed to send registration request message. Error: 0x87d00231							ClientIDManagerStartup	1/5/2018 5:06:58 PM	3356 (0x0D1C)
    RegTask: Failed to send registration request. Error: 0x87d00231								ClientIDManagerStartup	1/5/2018 5:06:58 PM	3356 (0x0D1C)

    http://servername.domain.com/SMS_MP/.sms_aut?mpcert and http://servername.domain.com/SMS_MP/.sms_aut?mplist

    are failing with error 403

    Boundaries and boundary group are correct...

    The check box from Site Properties which disables CRL check is already unchecked.

    A lot of articles asked to repair or remove/reinstall the MP... but I don't have any error in the SMS_MP_CONTROL_MANAGER !!!

    Thanks,
    Dom


    Security / System Center Configuration Manager Current Branch / SQL




    • Edited by Felyjos Monday, January 8, 2018 9:19 PM
    Monday, January 8, 2018 8:03 PM

Answers

  • There's nothing unusual here as far as the cert goes. If the client isn't registered, then it won't ever show a cert. You need to continue your troubleshooting from your original thread (at https://social.technet.microsoft.com/Forums/en-US/d99efcc7-473d-442f-acd2-720855fde0c2/client-push-cannot-access-the-mps-80072f8f?forum=configmanagerdeployment#5d1ce569-3062-4410-85ed-c635489971e0) instead of chasing symptoms.

    A 403 from the browser is expected if you haven't supplied a client cert.


    Jason | https://home.configmgrftw.com | @jasonsandys

    • Marked as answer by Felyjos Thursday, January 11, 2018 5:31 PM
    Monday, January 8, 2018 9:44 PM
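
A triage sketch for the log excerpt in the question, added here as an example and not code from the thread or from Configuration Manager: it separates the certificate-selection outcome from the registration outcome, which is the distinction the answer draws. The function name `triage`, the result keys and the "passed" label are assumptions, and only the message strings visible in the excerpt are recognized.

```python
import re

# Sample lines taken from the log excerpt in the question, with the trailing
# component/date/thread columns trimmed.
SAMPLE_LOG = """\
Begin validation of Certificate [Thumbprint DDAF4353AE59816451B3F8DDC5DF99F7B5FD4145] issued to 'OSFPGDS01.ad'
Completed validation of Certificate [Thumbprint DDAF4353AE59816451B3F8DDC5DF99F7B5FD4145] issued to 'OSFPGDS01.ad'
Begin validation of Certificate [Thumbprint 938F3DEFC7899BD637E7FFB24EC2D76A050D4DFA] issued to 'osfpgds01.ad'
Certificate [Thumbprint 938F3DEFC7899BD637E7FFB24EC2D76A050D4DFA] issued to 'osfpgds01.ad' has expired.
Completed validation of Certificate [Thumbprint 938F3DEFC7899BD637E7FFB24EC2D76A050D4DFA] issued to 'osfpgds01.ad'
>>> Client selected the PKI Certificate [Thumbprint DDAF4353AE59816451B3F8DDC5DF99F7B5FD4145] issued to 'OSFPGDS01.ad'
Client PKI cert is available.
[RegTask] - Client is not registered. Sending registration request for GUID:837EA9D6-BF16-481B-95D9-D352708843B5 ...
RegTask: Failed to send registration request message. Error: 0x87d00231
RegTask: Failed to send registration request. Error: 0x87d00231
"""

THUMB = re.compile(r"\[Thumbprint ([0-9A-Fa-f]{40})\]")
REG_ERR = re.compile(r"RegTask: Failed to send registration request.*Error: (0x[0-9A-Fa-f]{8})")


def triage(log_text):
    """Separate certificate selection results from registration results."""
    result = {"candidates": {}, "selected": None, "registered": None, "reg_errors": []}
    for line in log_text.splitlines():
        thumb = THUMB.search(line)
        if thumb:
            tp = thumb.group(1).upper()
            if "Begin validation" in line:
                # "passed" (assumed label) unless a failure line follows.
                result["candidates"].setdefault(tp, "passed")
            elif "has expired" in line:
                result["candidates"][tp] = "expired"
            elif "Client selected the PKI Certificate" in line:
                result["selected"] = tp
        if "Client is not registered" in line:
            result["registered"] = False
        err = REG_ERR.search(line)
        if err and err.group(1) not in result["reg_errors"]:
            result["reg_errors"].append(err.group(1))
    # The certificate side is healthy when the selected cert logged no failure.
    result["cert_ok"] = result["candidates"].get(result["selected"]) == "passed"
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample lines the result shows a selected certificate with no validation failure alongside a failed registration request, so the open problem sits on the registration side rather than with the certificate.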