Problem installing new clients using HTTPS

  • Question

  • Hello,

    I recently configured HTTPS on my 2012 site, and current clients (which were configured before switching from HTTP to HTTPS) are working just fine. New clients, however, are not installing properly. The errors in ccmsetup.log vary depending on the install switches that I choose.

    This is the error when I just run ccmsetup.exe with no switches:

    <![LOG[Sending message header '<Msg SchemaVersion="1.1"><ID>{3FF35646-E9BF-4505-880F-F3426A1263E4}</ID><SourceHost>MYSERVERNAME</SourceHost><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:MYSERVERNAME:LS_ReplyLocations</ReplyTo><Priority>3</Priority><Timeout>600</Timeout><ReqVersion>5931</ReqVersion><TargetHost>https://<mp_fqdn></TargetHost><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><Protocol>http</Protocol><SentTime>2012-08-09T14:01:06Z</SentTime><Body Type="ByteRange" Offset="0" Length="1128"/><Hooks><Hook3 Name="zlib-compress"/></Hooks><Payload Type="inline"/></Msg>']LOG]!><time="10:01:06.247+240" date="08-09-2012" component="ccmsetup" context="" type="0" thread="3644" file="util.cpp:2286">
    <![LOG[Client is not allowed to use PKI issued certificate thus it can not talk to HTTPS server.]LOG]!><time="10:01:06.247+240" date="08-09-2012" component="ccmsetup" context="" type="3" thread="3644" file="httphelper.cpp:795">
    <![LOG[GetHttpRequestObjects failed for verb: 'CCM_POST', url: 'https://<mp_fqdn>/ccm_system/request']LOG]!><time="10:01:06.247+240" date="08-09-2012" component="ccmsetup" context="" type="3" thread="3644" file="httphelper.cpp:942">
    <![LOG[GetDPLocations failed with error 0x80004005]LOG]!><time="10:01:06.247+240" date="08-09-2012" component="ccmsetup" context="" type="3" thread="3644" file="util.cpp:2487">
    <![LOG[Failed to get DP locations as the expected version from MP 'https://<mp_fqdn>'. Error 0x80004005]LOG]!><time="10:01:06.247+240" date="08-09-2012" component="ccmsetup" context="" type="2" thread="3644" file="ccmsetup.cpp:9542">
    <![LOG[Next retry in 10 minute(s)...]LOG]!><time="10:01:06.247+240" date="08-09-2012" component="ccmsetup" context="" type="0" thread="3644" file="ccmsetup.cpp:7554">

    Here it looks like it's trying to connect to the MP via HTTPS but the client is not allowed to use its client auth cert.

    This is ccmsetup.log when I run ccmsetup.exe /usePKIcert

    <![LOG[Running as user "SYSTEM"]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="1" thread="4856" file="ccmsetup.cpp:1974">
    <![LOG[Detected 15893 MB free disk space on system drive.]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="1" thread="4856" file="util.cpp:621">
    <![LOG[Ccmsetup is being restarted due to an administrative action. Installation files will be reset and downloaded again.]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="1" thread="4856" file="ccmsetup.cpp:2040">
    <![LOG[No MPs were specified from commandline or the mobileclient.tcf.]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="1" thread="4856" file="ccmsetup.cpp:8748">
    <![LOG[Downloading file ccmsetup.cab]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="1" thread="4856" file="ccmsetup.cpp:4900">
    <![LOG[Determining source location...]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="1" thread="4856" file="ccmsetup.cpp:4750">
    <![LOG[Found accessible source: \\<mp>\sms_<sitecode>\client]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="1" thread="4856" file="ccmsetup.cpp:4820">
    <![LOG[Found available source \\<mp>\sms_<sitecode>\client\]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="1" thread="4856" file="ccmsetup.cpp:4836">
    <![LOG[Downloading \\<mp>\sms_<sitecode>\client\ccmsetup.cab to C:\Windows\ccmsetup\ccmsetup.cab]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="1" thread="4856" file="ccmsetup.cpp:4984">
    <![LOG[Download failed (5). Waiting for retry...]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="2" thread="4856" file="ccmsetup.cpp:5015">
    <![LOG[Next retry in 10 minute(s)...]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="0" thread="4856" file="ccmsetup.cpp:7554">

    Here it looks like the installer is trying to download ccmsetup.cab from my MP's client share and failing. Previously (before switching to HTTP) this wasn't a problem so I don't suspect a permissions issue, however when I run procmon I do see some access denied CreateFile events against \\<mp>\sms_<sitecode>\client\ccmsetup.cab

    I see yet another error when running ccmsetup.exe /mp:<mp>

    <![LOG[Sending message header '<Msg SchemaVersion="1.1"><ID>{E85C2097-9BD6-4B92-8820-78BF973C89B6}</ID><SourceHost>CLIENTNAME</SourceHost><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:CLIENTNAME:LS_ReplyLocations</ReplyTo><Priority>3</Priority><Timeout>600</Timeout><ReqVersion>5931</ReqVersion><TargetHost>MP</TargetHost><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><Protocol>http</Protocol><SentTime>2012-08-09T14:24:57Z</SentTime><Body Type="ByteRange" Offset="0" Length="1060"/><Hooks><Hook3 Name="zlib-compress"/></Hooks><Payload Type="inline"/></Msg>']LOG]!><time="10:24:57.156+240" date="08-09-2012" component="ccmsetup" context="" type="0" thread="3604" file="util.cpp:2286">
    <![LOG[CCM_POST 'HTTP://<mp>/ccm_system/request']LOG]!><time="10:24:57.156+240" date="08-09-2012" component="ccmsetup" context="" type="1" thread="3604" file="httphelper.cpp:802">
    <![LOG[Failed to receive ccm message response. Status code = 403]LOG]!><time="10:24:57.172+240" date="08-09-2012" component="ccmsetup" context="" type="2" thread="3604" file="httphelper.cpp:1689">
    <![LOG[GetDPLocations failed with error 0x80004005]LOG]!><time="10:24:57.172+240" date="08-09-2012" component="ccmsetup" context="" type="3" thread="3604" file="util.cpp:2487">
    <![LOG[Failed to get DP locations as the expected version from MP 'MP'. Error 0x80004005]LOG]!><time="10:24:57.172+240" date="08-09-2012" component="ccmsetup" context="" type="2" thread="3604" file="ccmsetup.cpp:9542">
    <![LOG[Next retry in 10 minute(s)...]LOG]!><time="10:24:57.172+240" date="08-09-2012" component="ccmsetup" context="" type="0" thread="3604" file="ccmsetup.cpp:7554">

    Here it looks like it's able to start installation but it's attempting to access the MP over HTTP - since IIS is now configured to require client certificates on that URL it will obviously fail.

    I'll keep digging into this issue but I was wondering if anybody has any advice. Am I missing some additional installation switches? I haven't tried /native yet because I didn't see anything about it in the 2012 documentation.

    Thanks,
    Nick

    Thursday, August 9, 2012 3:11 PM

All replies

  • It looks like you are manually running directly from the client sub-folder.

    If so, that's generally bad practice because that folder does not have proper permissions applied to it and you should not modify the default permissions of any folders installed by ConfigMgr. You should copy that folder, share it out, and add the proper permissions including read rights for Domain Computers (that is what is specifically failing in your second set of logs above, error code 5 = "Access Denied").


    Jason | http://blog.configmgrftw.com

    • Marked as answer by _nickb Thursday, August 9, 2012 6:49 PM
    Thursday, August 9, 2012 4:21 PM
  • Thanks Jason, it looks like that was my installation problem. Interesting enough because before switching to HTTPS I was able to install the client manually from the client share.

    The client now installs correctly, but I'm having another problem with client registration. ClientIDManagerSetup.log shows these lines:

    <![LOG[Client PKI cert is available.]LOG]!><time="12:41:33.261+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="4152" file="ccmgencert.cpp:3596">
    <![LOG[Generated a new Signing certificate]LOG]!><time="12:41:34.511+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="4152" file="ccmid.cpp:1093">
    <![LOG[Generated a new Encryption certificate]LOG]!><time="12:41:34.526+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="4152" file="ccmid.cpp:1137">
    <![LOG[Initializing registration renewal for potential PKI issued certificate changes.]LOG]!><time="12:42:15.277+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="7372" file="regtask.cpp:508">
    <![LOG[Succesfully intialized registration renewal.]LOG]!><time="12:42:15.433+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="7372" file="regtask.cpp:550">
    <![LOG[[RegTask] - Executing registration task synchronously.]LOG]!><time="12:42:15.433+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="7372" file="regtask.cpp:915">
    <![LOG[Read SMBIOS (encoded): 56004D0077006100720065002D00340032002000330034002000320063002000340031002000640030002000390038002000350063002000620034002D0035003900200035003500200032006300200063006300200033006200200032006300200033006300200066003600]LOG]!><time="12:42:15.840+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="7372" file="smbiosident.cpp:118">
    <![LOG[Evaluated SMBIOS (encoded): 56004D0077006100720065002D00340032002000330034002000320063002000340031002000640030002000390038002000350063002000620034002D0035003900200035003500200032006300200063006300200033006200200032006300200033006300200066003600]LOG]!><time="12:42:15.840+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="7372" file="smbiosident.cpp:184">
    <![LOG[No SMBIOS Changed]LOG]!><time="12:42:15.840+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="7372" file="smbiosident.cpp:65">
    <![LOG[SMBIOS unchanged]LOG]!><time="12:42:15.840+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="7372" file="ccmid.cpp:657">
    <![LOG[SID unchanged]LOG]!><time="12:42:15.840+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="7372" file="ccmid.cpp:674">
    <![LOG[HWID unchanged]LOG]!><time="12:42:16.918+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="7372" file="ccmid.cpp:691">
    <![LOG[RegTask: Failed to refresh site code. Error: 0x80070032]LOG]!><time="12:42:18.402+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="2" thread="7372" file="regtask.cpp:217">
    <![LOG[Sleeping for 297 seconds before refreshing location services.]LOG]!><time="12:42:20.402+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="1" thread="7372" file="regtask.cpp:192">

    Bizarre that it can't find a site code because I specified ccmsetup.exe /usePKIcert SMSSITECODE=<XYZ>. The ConfigMgr client UI also shows "Client certificate: None" which is rather concerning. On the server end, MP_RegistrationManager.log hasn't changed in several hours either. I haven't done much digging beyond that yet.
    Thursday, August 9, 2012 4:49 PM
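The log entries quoted so far in this thread can be triaged mechanically. The following is an added example, not part of the original posts and not ConfigMgr code: it parses the CMTrace-style entries, keeps only warnings and errors, and asks Windows for the text of any embedded Win32 error code. The function name `Get-CMLogIssue`, the reading of `type` 2 and 3 as warning and error, and the treatment of a number in parentheses after "failed" as a Win32 code are assumptions of this example.

```powershell
# Constructed sample: four entries copied from the logs quoted in this thread.
$sample = @'
<![LOG[Download failed (5). Waiting for retry...]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="2" thread="4856" file="ccmsetup.cpp:5015">
<![LOG[Next retry in 10 minute(s)...]LOG]!><time="10:13:52.742+240" date="08-09-2012" component="ccmsetup" context="" type="0" thread="4856" file="ccmsetup.cpp:7554">
<![LOG[Failed to receive ccm message response. Status code = 403]LOG]!><time="10:24:57.172+240" date="08-09-2012" component="ccmsetup" context="" type="2" thread="3604" file="httphelper.cpp:1689">
<![LOG[RegTask: Failed to refresh site code. Error: 0x80070032]LOG]!><time="12:42:18.402+240" date="08-09-2012" component="ClientIDManagerStartup" context="" type="2" thread="7372" file="regtask.cpp:217">
'@

# One entry: <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
[regex]$entry = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'

function Get-CMLogIssue {
    # Assumption: type 2 = warning, type 3 = error; lower values are informational.
    param([string[]]$Line, [int]$MinType = 2)
    foreach ($l in $Line) {
        $m = $entry.Match($l)
        if (-not $m.Success -or [int]$m.Groups['type'].Value -lt $MinType) { continue }
        $msg  = $m.Groups['msg'].Value
        $code = $null
        if ($msg -match '0x8007(?<c>[0-9a-f]{4})') {
            # HRESULT with the Win32 facility: the low 16 bits are the Win32 error code.
            $code = [Convert]::ToInt32($Matches['c'], 16)
        } elseif ($msg -match 'failed \((?<c>\d+)\)') {
            # Assumption: a bare number in parentheses after "failed" is a Win32 code.
            $code = [int]$Matches['c']
        }
        $text = $null
        if ($null -ne $code) { $text = [System.ComponentModel.Win32Exception]::new($code).Message }
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = if ([int]$m.Groups['type'].Value -eq 3) { 'Error' } else { 'Warning' }
            Message   = $msg
            Win32Code = $code
            Win32Text = $text
        }
    }
}

Get-CMLogIssue -Line ($sample -split '\r?\n') | Format-List
```

Against a real log, replace the sample with `Get-Content` on the log file; the HTTP 403 entry is reported without a Win32 code because it carries an HTTP status, not a Windows error.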
  • You (or someone else) probably changed the default permissions on the client folder to allow the manual client install and it got reset when switching to HTTPS -- exactly why you shouldn't use this default folder.

    As for not finding the site code, you should check the logs on the MP, specifically MP_RegistrationManager.log.


    Jason | http://blog.configmgrftw.com

    Thursday, August 9, 2012 5:51 PM
  • Figured it out...it was a registry problem on 2(!!) of my clients. The key HKLM\Software\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode was set to the SCCM 2007 site code that I am migrating from. I changed this to the 2012 site code and restarted SMS Agent Host, after which it registered perfectly. Hopefully I won't see much more of this problem.

    Thanks again Jason for the advice.


    • Edited by _nickb Thursday, August 9, 2012 6:49 PM
    • Marked as answer by _nickb Thursday, August 9, 2012 6:49 PM
    Thursday, August 9, 2012 6:48 PM
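The check and fix described in the last post can be scripted for the remaining clients. This is an added example, not part of the original thread: the function name `Test-SiteAssignmentCode`, its parameters and its status strings are hypothetical, and `XYZ` is a placeholder for the 2012 site code. The registry location, value name and service display name are the ones given in the post.

```powershell
function Test-SiteAssignmentCode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ExpectedSiteCode,   # the site code the client should use
        [string]$KeyPath = 'HKLM:\Software\Microsoft\SMS\Mobile Client',
        [switch]$Fix                                       # without -Fix the function only reports
    )
    $name    = 'GPRequestedSiteAssignmentCode'
    $current = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name

    if ([string]::IsNullOrEmpty($current)) {
        $status = 'NotSet'          # no requested site code recorded; nothing to correct
    } elseif ($current -eq $ExpectedSiteCode) {
        $status = 'OK'
    } else {
        $status = 'Stale'           # e.g. still pointing at the site being migrated from
        if ($Fix -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set $name to $ExpectedSiteCode")) {
            Set-ItemProperty -Path $KeyPath -Name $name -Value $ExpectedSiteCode
            # The post restarts the client service after the change so it re-registers.
            Restart-Service -DisplayName 'SMS Agent Host'
            $status = 'Corrected'
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Found    = $current
        Expected = $ExpectedSiteCode
        Status   = $status
    }
}

# Report only (run elevated on the client); add -Fix, optionally with -WhatIf, to change the value.
Test-SiteAssignmentCode -ExpectedSiteCode 'XYZ'
```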