Clustered Server Node Clients Being Rejected by the MP RRS feed

  • Question

  • Hello Everyone,

    Here is the scenario. We were in the process of rolling out SCCM 2012 R2 SP1. All roles are on a single server. We had deployed the SCCM client to all workstations and servers in our domain, including our 4-Node cluster array. All servers and clients were reporting back to the MP and things were progressing fine.

    SP3 was applied to SQL Server 2012 which hosts the SCCM database. This caused a massive issue with SCCM which made it unusable. After some troubleshooting with Microsoft, and because we weren't that far along in our deployment, it was decided to restart with a fresh deployment of SCCM on the same server. The redeployment was done with a clean database and a newly downloaded copy of SCCM Version 1511. The existing SCCM 2012 R2 SP1 clients were left on all the workstations and servers. The install and configuration completed successfully with no issues.

    After the install and configuration, all SCCM clients began reporting into SCCM. Hardware and software were being reported and the clients were upgrading themselves to the latest client version. However, the servers in the cluster never registered as having reported in.

    Upon checking Monitoring > Component Status > SMS_MP_CONTROL_MANAGER, I see that the servers are trying to report in but the MP is rejecting them with the following message:

    MP has rejected a message from client GUID:<Server GUID> because it was not signed using the hash algorithm that is required by this site.

    There are multiple messages coming in from the same four GUIDs. I have confirmed that these are the GUIDs of the node servers. I have uninstalled the client software and reinstalled it on one node server as a test but am still getting these messages in the log with its corresponding GUID. In the meantime, all other workstations and servers are communicating properly with SCCM and we have even begun performing new OSDs and software updates with no issues.

    I have attempted researching this issue online for the past two days but have found no reference to it. If anyone has any ideas as to what is different with cluster clients, I would be grateful. Thanks!

    Brett

    Wednesday, June 8, 2016 7:13 PM

Answers

  • I got pulled away from this but wanted to touch back with our progress on this. Our original SCCM server ran into issues when we tried to put a non-Microsoft monitoring application on it. Combine that with the fact that it was on hardware that wouldn't be upgradable to Server 2016 (which was needed for SCVMM 2016), it was decided to install the latest version of SCCM onto a new server. Since then the cluster nodes have responded normally to the new SCCM server. Not sure if something was fixed/patched from 2012 to SCCM 2016 but our issue has been resolved. Thanks to everyone for your contributions.
    • Marked as answer by Brett.Biggs Thursday, February 8, 2018 3:19 PM
    Wednesday, April 12, 2017 9:16 PM

All replies

  • Have you reviewed clientidmanagerstartup.log on the clients and MP_CliReg.log on the MP?

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, June 8, 2016 8:08 PM
  • Jason,

    Thank you for your reply. I had checked the clientidmanagerstartup.log and it reports that it's trying to register every 5 minutes but says that the server is rejecting the registration request. The following is repeating:

    GetSystemEnclosureChassisInfo: IsFixed=FALSE, IsLaptop=FALSE

    Computed HardwareID=2:8C14B656BE83E7C75A5B9C869962DF2BE4DB8650
     Win32_SystemEnclosure.SerialNumber=<empty>
     Win32_SystemEnclosure.SMBIOSAssetTag=<empty>
     Win32_BaseBoard.SerialNumber=<empty>
     Win32_BIOS.SerialNumber=MXQ523012R
     Win32_NetworkAdapterConfiguration.MACAddress=EC:B1:D7:75:31:74

    [RegTask] - Client is not registered. Sending registration request for GUID:C937A707-08B6-48CD-9F27-63058A1326C2 ...

    [RegTask] - Server rejected registration request: 3

    Sleeping for 267 seconds before refreshing location services.

    As for the MP_CliReg.log file on the MP, I do not see that file in the C:\Program Files\Microsoft Configuration Manager\Logs folder. Perhaps I am not looking in the right place for it?

    Wednesday, June 8, 2016 8:34 PM
  • That's because it's not necessarily located there.

    It's an MP log file and can be located in other places.

    Is your MP on the site server? If so, there should be a SMS_CCM\Logs folder under C:\Program Files for MP logs.

    Did you really install ConfigMgr on the C drive though?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, June 8, 2016 8:42 PM
  • Jason,

    Thank you for the info. SCCM is still pretty new to us. I was able to locate the log. Unfortunately, there were no errors recorded in it.

    Yes, we installed SCCM on C: but all other data (Sources, Images, Packages, Updates, etc.) are located on separate iSCSI drives. The server we have it running on is pretty hefty for managing about 150 devices though (16 cores, 44GB RAM) so I don't believe there will be any performance issues. Of course I am always open to suggestions and others' experience with the product.

    Any other places that I can look to see why these four servers are giving hash algorithm errors? The only difference between these servers and the rest of the devices in our domain is that they are nodes in a failover cluster. I attempted to research if there were any special considerations with adding a SCCM client to Windows cluster nodes before installing the clients but didn't find anything. They were reporting to the previous SCCM instance normally before SP3 was installed to SQL 2012 and everything went sideways. That's what has me scratching my head.

    Wednesday, June 8, 2016 9:36 PM
  • My Surface will run ConfigMgr for 150 devices, so no, you shouldn't run into any issues there.

    Do the nodes happen to have the same client authentication certificate installed on them?

    Do they show up as resources in ConfigMgr at all?

    Are they domain joined?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, June 8, 2016 9:40 PM
  • Jason,

    Yes, they have the same client certificate. I created a SCCM Client Certificate template and have deployed them per Microsoft instructions:

    https://technet.microsoft.com/en-us/library/gg682023.aspx

    When I check Configuration Manager properties on workstations, both older and new OSD, I see that they are using PKI in the Client certificate under properties under the General tab. Currently the MP is configured for HTTP connections. The previous installation had been configured for HTTPS for future inclusion of Mac workstations here but we hadn't gotten that far yet. The clients on the cluster nodes have None listed as the client certificate. I wouldn't think this would be an issue since these nodes are members of the domain SCCM is in. This was what all the clients were initially showing when I set up the first instance of SCCM and hadn't rolled out the SCCM Certificates.

    The devices appear in ConfigMgr because they have been inventoried through AD (all the nodes are domain joined). However some General Information and no Client Activity information is available.

    Have I got you scratching your head yet? :-)


    • Edited by Brett.Biggs Wednesday, June 8, 2016 10:21 PM Misspelling
    Wednesday, June 8, 2016 10:20 PM
  • So, do they all have the exact same client auth certificate though?

    If you are deploying certs using a Microsoft Enterprise PKI using a cert template, then the answer should be no unless someone has manually copied the cert around.

    None is expected to be listed in the control panel applet if the clients aren't functioning yet which is the case.

    If you check the properties of the resources corresponding to these systems, are they approved?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thursday, June 9, 2016 1:38 AM
  • Jason,

    Sorry for the delay in reply. We are using a cert template and group policy to auto deploy the SCCM certs so, no, all certificates deployed to each workstation and server are unique. I attempted deleting and requesting a new cert on one of the affected nodes to see if that was the issue but the issue and warnings in the logs persist.

    My apologies, but I am unclear what you mean about checking the properties of the resources corresponding to these systems. The Approve, Block and Unblock options are greyed out on the device. Are there some other properties for the device that I should be looking for?

    Again, thanks for your assistance with this.

    Friday, June 10, 2016 3:10 PM
  • Same issue with 2012 R2 cluster nodes

    ClientIDManagerStartup

    <![LOG[[RegTask] - Server rejected registration request: 3

    LocationServices

    <![LOG[Name: 'ZVSCCM01.xxxx.xx.es' HTTPS: 'N' ForestTrust: 'Y'

    >> MP is configured to use HTTP and HTTPS

    >> On SCCM console, these errors: MP has rejected a message from client GUID:5833BB39-827B-4D59-83D4-64D41DC9FDAE because it was not signed using the hash algorithm that is required by this site.

    Monday, December 12, 2016 9:53 AM
  • I've found other servers (not cluster nodes) have the same problem. I've found that the SCCM client finds other certificates in the local store and tries to use them... I think...
    Monday, December 12, 2016 10:03 AM
  • I've solved this issue on some computers by unchecking "Require SHA-256" on the "Signing and Encryption" tab in Site properties...
    • Edited by Rivers75 Monday, December 12, 2016 10:33 AM
    Monday, December 12, 2016 10:33 AM
  • The client sometimes does pick a wrong certificate to use and if that cert happens to use SHA-1 while you have the SHA-256 option enabled, it will cause message rejections as you are seeing. I've seen this most notably with Hyper-V nodes and SCVMM since VMM uses SHA-1.

    You can try specifying a specific certificate store to use under Client Computer Communications -> Modify instead of turning off SHA-256 option.

    Monday, December 12, 2016 1:53 PM
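
The check implied by the reply above, as an added example that is not part of the original thread: it lists the certificates on a node that could be selected for client authentication and flags any signed with SHA-1. It assumes the client is using the default computer Personal store (`Cert:\LocalMachine\My`); the function name `Get-ClientAuthCandidate` is hypothetical.

```powershell
# Added example (not from the thread): find certificates in the computer
# Personal store that are usable for client authentication and show which
# hash algorithm each one was signed with.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ClientAuthCandidate {
    param([string]$StorePath = 'Cert:\LocalMachine\My')  # assumed default store

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # A certificate with no EKU extension is not restricted to any purpose,
        # so it is also a candidate.
        $ekus = if ($ekuExt) {
            @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        } else { @() }
        $usable = (-not $ekuExt) -or ($ekus -contains $clientAuthOid)

        if ($usable -and $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date)) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
                SigAlg     = $cert.SignatureAlgorithm.FriendlyName
                # Friendly names look like sha1RSA / sha256RSA
                IsSha1     = ($cert.SignatureAlgorithm.FriendlyName -match 'sha1')
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

# SHA-1 candidates first: these are the ones a site requiring SHA-256 rejects.
Get-ClientAuthCandidate | Sort-Object IsSha1 -Descending | Format-Table -AutoSize
```

More than one row on a cluster or Hyper-V node, with a SHA-1 entry among them, matches the situation the reply describes.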
  • Which certificate store should I use? It concerns all computers.

    • Edited by Rivers75 Monday, December 12, 2016 2:08 PM
    Monday, December 12, 2016 2:08 PM
  • I've selected "Root CA specified" under "Trusted Root Certification Authorities". This way, when the SCCM client doesn't find a valid certificate issued by that CA, it uses a self-signed one. We have an internal CA.
    Tuesday, December 13, 2016 6:05 AM