SCCM 2012 SMS_MP_CONTROL_MANAGER warning: MP has rejected registration request due to failure in client certificate (Subject Name: XXXXXX)

  • Question

  • I am busy implementing the PKI infrastructure for SCCM 2012 R2 and see the following warning in the SMS_MP_CONTROL_MANAGER component logs:

    MP has rejected registration request due to failure in client certificate (Subject Name: XXXXX) chain validation. If this is a valid client, Configuration Manager Administrator needs to place the Root Certification Authority and Intermediate Certificate Authorities in the MP's Certificate store or configure Trusted Root Certification Authorities in primary site settings. The operating system reported error 2148204809: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

    I created the certificate from the Client Authentication template and added Enroll permission for the Domain Computers group. Then I set a GPO for auto-enrolling the certificate.

    But if I check the personal certificate store on our site server, I see more certificates with the purpose "Client Authentication". I also have the client DP certificate here, and its expiration date is later than that of my client certificate. I know you have the option to specify the subject name in the client communication settings of the site, but they are empty in both certificates. Now it's still set to allow HTTP or HTTPS, but we see it says PKI on newly installed Configuration Manager clients.

    I hope someone can point me in the right direction.

    Monday, November 10, 2014 2:22 PM

Answers

  • Hi Robben,

    Try re-installing the clients using the resetkeyinformation=true option and see how it goes.

    If this doesn't work, on the Administration page, select “Site” and right-click the MP site. On the Client Computer Communication tab, for Site System Settings, select “HTTPS or HTTP”. For Client Computer Settings, uncheck “Use PKI client certificate (client authentication capability) when available”. Then add the root cert of the certificate into the trusted root store on the MP and site server.

    Thanks.



    • Marked as answer by Joyce L Thursday, December 4, 2014 10:31 AM
    Wednesday, November 19, 2014 1:33 PM
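    As an added example (not code from the thread or from Microsoft), this is the check I would run on the MP itself to see which Client Authentication certificate is a candidate and why its chain fails, before importing anything into the trusted root store. It assumes PowerShell 3 or later on the management point and that no subject-name selection criterion is set, so candidates are listed in the order the longest-validity rule picks them.

```powershell
# Added example, not from the thread or from Microsoft: list every Client
# Authentication certificate in the machine Personal store on the MP, build its
# chain, and map an untrusted root to the error code quoted in the warning.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$untrustedRoot = [uint32]2148204809     # CERT_E_UNTRUSTEDROOT (0x800B0109), as in the warning

function Test-MpClientCertChain {
    # With no subject-name criterion configured, the certificate with the latest
    # expiry is selected, so sort candidates that way (the DP cert in the thread
    # expires later than the intended client cert and would win).
    $certs = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
        Sort-Object NotAfter -Descending
    foreach ($cert in $certs) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust from revocation problems
        $built = $chain.Build($cert)
        $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object Thumbprint -eq $root.Thumbprint)
        $expired = $cert.NotAfter -lt (Get-Date)
        if (-not $built -and $flags -contains 'UntrustedRoot') {
            $fix = "Import '$($root.Subject)' into Cert:\LocalMachine\Root on the MP (0x" + $untrustedRoot.ToString('X8') + ')'
        } elseif ($expired) {
            $fix = 'Certificate expired: renew or re-enroll'
        } else {
            $fix = 'OK'
        }
        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            NotAfter           = $cert.NotAfter
            Expired            = $expired
            ChainBuilt         = $built
            ChainStatus        = ($flags -join ',')
            RootSubject        = $root.Subject
            RootInTrustedStore = $rootTrusted
            Fix                = $fix
        }
        $chain.Reset()
    }
}

Test-MpClientCertChain | Format-List
```

    The first record is the certificate that will be presented when no selection criterion narrows the choice; a record with ChainBuilt false and UntrustedRoot in ChainStatus is exactly the 2148204809 case from the warning.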

All replies

  • Tuesday, November 11, 2014 6:36 AM
  • Hello,

    In the MP_RegistrationManager.log I see a lot of the following messages:

    Processing Registration request from Client 'GUID:75073000-9553-4C4E-A4AC-A8C31E9ED1DD' MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)
    Begin validation of Certificate [Thumbprint D8DFA182A1D48302162585114203DFF278D94396] issued to 'SMS' MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)
    Certificate [Thumbprint D8DFA182A1D48302162585114203DFF278D94396] issued to 'SMS' has expired. MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)
    Completed validation of Certificate [Thumbprint D8DFA182A1D48302162585114203DFF278D94396] issued to 'SMS' MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)
    MP Reg: Registration request body is invalid. MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)
    MP Reg: Registration failed. MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)
    MP Reg: Processing completed. Completion state = 0 MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)

    Does this mean that the certificate on the client has expired? But the client certificate has not yet expired in Certificate Services. Or is this the self-signed certificate we used before setting up the PKI to work with SCCM?

    So if I check the client with that GUID in SCCM, the client reports as inactive. I can connect to the PC, and the ClientIDManagerStartup.log has the following messages:

    GetSystemEnclosureChassisInfo: IsFixed=TRUE, IsLaptop=TRUE ClientIDManagerStartup 12/11/2014 10:56:53 3128 (0x0C38)
    Windows To Go requires a minimum operating system of Windows 8 ClientIDManagerStartup 12/11/2014 10:56:53 3128 (0x0C38)
    Computed HardwareID=2:0567FC7E0E5003BA3CDC132072CEE3278EA26C01
    Win32_SystemEnclosure.SerialNumber=CNU431BNV9
    Win32_SystemEnclosure.SMBIOSAssetTag=CNU431BNV9
    Win32_BaseBoard.SerialNumber=PDXVC001X6Z4WO
    Win32_BIOS.SerialNumber=CNU431BNV9
    Win32_NetworkAdapterConfiguration.MACAddress=<Not used on laptop> ClientIDManagerStartup 12/11/2014 10:56:53 3128 (0x0C38)
    [RegTask] - Client is not registered. Sending registration request for GUID:75073000-9553-4C4E-A4AC-A8C31E9ED1DD ... ClientIDManagerStartup 12/11/2014 10:56:53 3128 (0x0C38)
    [RegTask] - Server rejected registration request: 3 ClientIDManagerStartup 12/11/2014 10:56:53 3128 (0x0C38)

    Sleeping for 270 seconds before refreshing location services. ClientIDManagerStartup 12/11/2014 10:57:22 3128 (0x0C38)
    Windows To Go requires a minimum operating system of Windows 8 ClientIDManagerStartup 12/11/2014 11:01:53 3128 (0x0C38)
    GetSystemEnclosureChassisInfo: IsFixed=TRUE, IsLaptop=TRUE ClientIDManagerStartup 12/11/2014 11:01:53 3128 (0x0C38)
    Windows To Go requires a minimum operating system of Windows 8 ClientIDManagerStartup 12/11/2014 11:01:53 3128 (0x0C38)
    Computed HardwareID=2:0567FC7E0E5003BA3CDC132072CEE3278EA26C01
    Win32_SystemEnclosure.SerialNumber=CNU431BNV9
    Win32_SystemEnclosure.SMBIOSAssetTag=CNU431BNV9
    Win32_BaseBoard.SerialNumber=PDXVC001X6Z4WO
    Win32_BIOS.SerialNumber=CNU431BNV9
    Win32_NetworkAdapterConfiguration.MACAddress=<Not used on laptop> ClientIDManagerStartup 12/11/2014 11:01:53 3128 (0x0C38)
    [RegTask] - Client is not registered. Sending registration request for GUID:75073000-9553-4C4E-A4AC-A8C31E9ED1DD ... ClientIDManagerStartup 12/11/2014 11:01:53 3128 (0x0C38)
    [RegTask] - Server rejected registration request: 3 ClientIDManagerStartup 12/11/2014 11:01:53 3128 (0x0C38)
    Sleeping for 269 seconds before refreshing location services. ClientIDManagerStartup 12/11/2014 11:02:23 3128 (0x0C38)
    Windows To Go requires a minimum operating system of Windows 8 ClientIDManagerStartup 12/11/2014 11:06:53 3128 (0x0C38)
    GetSystemEnclosureChassisInfo: IsFixed=TRUE, IsLaptop=TRUE ClientIDManagerStartup 12/11/2014 11:06:53 3128 (0x0C38)

    I have this for several clients. Can you please say what I will need to do next?

    Kind regards,

    Robben


    Wednesday, November 12, 2014 10:10 AM
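    To answer the "which certificate is actually being rejected, and why" question from the log rather than by eye, here is an added example (not from the thread or from Microsoft) that parses MP_RegistrationManager.log lines per thread and client GUID and separates "has expired" rejections from other failures. The sample lines are the ones Robben posted; the function name and output shape are my own.

```powershell
# Added example, not from the thread or from Microsoft: summarise registration
# rejections in MP_RegistrationManager.log by client GUID, certificate and reason.
function Get-MpRegistrationFailures {
    param([string[]]$Lines)
    # Every line ends with: <component> <date> <time> <thread id> (0x<hex>)
    $tail = '^(?<msg>.*?)\s+MP_RegistrationManager\s+(?<ts>\S+\s+\S+)\s+(?<tid>\d+)\s+\(0x[0-9A-Fa-f]+\)\s*$'
    $open = @{}          # thread id -> request currently being processed (MP threads interleave)
    foreach ($line in $Lines) {
        if ($line -notmatch $tail) { continue }
        $msg = $Matches.msg; $tid = $Matches.tid; $ts = $Matches.ts
        switch -Regex ($msg) {
            "^Processing Registration request from Client '(?<id>[^']+)'" {
                $open[$tid] = [pscustomobject]@{
                    Time = $ts; Client = $Matches.id; Thread = $tid
                    Thumbprint = $null; IssuedTo = $null; Reason = 'Rejected'
                }
            }
            "^Begin validation of Certificate \[Thumbprint (?<tp>[0-9A-Fa-f]+)\] issued to '(?<to>[^']+)'" {
                if ($open[$tid]) { $open[$tid].Thumbprint = $Matches.tp; $open[$tid].IssuedTo = $Matches.to }
            }
            'has expired\.$' {
                if ($open[$tid]) { $open[$tid].Reason = 'CertificateExpired' }
            }
            '^MP Reg: Registration failed' {
                if ($open[$tid]) { $open[$tid]; $open.Remove($tid) }   # emit the finished record
            }
        }
    }
}

# Sample input: the lines from the thread, one request on thread 308.
$sample = @'
Processing Registration request from Client 'GUID:75073000-9553-4C4E-A4AC-A8C31E9ED1DD' MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)
Begin validation of Certificate [Thumbprint D8DFA182A1D48302162585114203DFF278D94396] issued to 'SMS' MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)
Certificate [Thumbprint D8DFA182A1D48302162585114203DFF278D94396] issued to 'SMS' has expired. MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)
Completed validation of Certificate [Thumbprint D8DFA182A1D48302162585114203DFF278D94396] issued to 'SMS' MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)
MP Reg: Registration request body is invalid. MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)
MP Reg: Registration failed. MP_RegistrationManager 12/11/2014 11:01:52 308 (0x0134)
'@ -split "`r?`n"

# Group by certificate and reason to see which certificate is behind the rejections
Get-MpRegistrationFailures -Lines $sample |
    Group-Object IssuedTo, Thumbprint, Reason |
    Select-Object Count, Name | Format-Table -AutoSize
```

    Run it against the real log with `Get-Content MP_RegistrationManager.log` instead of `$sample`; the Thumbprint column tells you which certificate to look up in the client's stores, so the expiry question is settled by the log instead of by guessing.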
  • This means that the certificate on the client has expired? But the Client certificate has not yet expired in certificate services. Or is this the self signed certificate we used before setting up the PKI to work with SCCM. 

    Hi,

    You could try to run CMHttpsReadiness.exe on the client and check the result from the CMHttpsReadiness.log.

    What is CMHttpsReadiness.exe?

    Have you checked MPControl.log as you're seeing the rejection error in the SMS_MP_CONTROL_MANAGER component? If the MP is ok, you could see the message - "Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK"

    Best Regards,

    Joyce



    • Proposed as answer by Joyce L Friday, November 14, 2014 9:16 AM
    Thursday, November 13, 2014 3:02 AM
  • I get this error when I try to run the readiness tool on the client:

    This version of HttpsReadiness.exe is not compatible with the version of Windows you're running. Check your computer's system information to see whether you need a x86 (32-bit) or x64 (64-bit) version of the program, and then contact the software publisher.

    The PC is Win7 x86, and the tool I found under the installation dir of Configuration Manager. But I only found one. Is there an x86 version available somewhere as well?

    In mpcontrol.log the only check is performed on port 80, because we haven't fully cut HTTP communication yet. It's still set to HTTP or HTTPS in the options.


    Monday, November 17, 2014 8:18 AM