Issues connecting client to server

  • Question

  • I've got a couple of PXE OSD task sequences that we've been using for a while, and for some reason lately we seem to be having a problem where one out of every few machines gets a client certificate generated, but the control panel client tool never shows that there is a certificate.

    The value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\PKICertReady is 0, and setting this to 1 doesn't change anything.

    I have even deleted the client certificates and smscfg.ini, run ccmsetup /uninstall, removed the computer from AD and from Devices in SCCM, and reinstalled; that didn't fix it.

    I have noticed that on a working machine, after the certs are created, CertificateMaintenance.log tries to validate the certificates. On the non-working clients, they never begin validation.

    Here is a copy of CertificateMaintenance.log:

    HTTPS is enforced for Client. The current state is 63. CertificateMaintenance 3/31/16 1:43:48 PM 2280 (0x08E8)
    Client is set to use HTTPS when available. The current state is 480. CertificateMaintenance 3/31/16 1:44:20 PM 976 (0x03D0)
    Client is set to use HTTPS when available. The current state is 480. CertificateMaintenance 3/31/16 1:46:01 PM 1628 (0x065C)
    Creating Signing Certificate... CertificateMaintenance 3/31/16 1:46:21 PM 2356 (0x0934)
    Successfully created certifcate CertificateMaintenance 3/31/16 1:46:22 PM 2356 (0x0934)
    Creating Encryption Certificate... CertificateMaintenance 3/31/16 1:46:22 PM 2356 (0x0934)
    Successfully created certifcate CertificateMaintenance 3/31/16 1:46:22 PM 2356 (0x0934)

    I've searched around quite a bit and found a lot of client-server suggestions, but in many cases the best answer was to disable HTTPS. I'm supposed to use the PKI infrastructure here, so that wasn't a viable solution for me. Does anybody have any idea what I'm missing? It feels like a huge waste of time to reimage a machine 2-3 times before the client picks up the server and everything fits together properly.

    Thanks,

    -Andrew

    Wednesday, April 20, 2016 2:33 PM

Answers

  • Ultimately, ConfigMgr has nothing to do with deploying PKI certs to your clients. You'll have to troubleshoot that process. Assuming you are using a Microsoft Enterprise CA and auto-deployment, then you'll need to troubleshoot your GPOs for this.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by EightyHD Friday, April 29, 2016 3:36 PM
    Wednesday, April 20, 2016 4:03 PM

All replies

  • This was the push in the right direction I needed. The domain admins here set up a new certificate authority and I never got notification of it. 

    After importing that to my site's configuration, the issue was resolved.

    Friday, April 29, 2016 3:36 PM
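    The accepted answer says to troubleshoot the PKI side (GPO autoenrollment) rather than ConfigMgr, and the final reply shows the actual cause was a new CA whose root the site did not yet trust. The script below is an added example, not code from the thread or from Microsoft: run on one affected client in an elevated PowerShell, it checks whether the autoenrollment policy reached the machine, whether a machine certificate with the Client Authentication EKU exists, whether that certificate's chain builds to a root the machine trusts (a freshly stood-up CA shows up here as UntrustedRoot or PartialChain), and reports the CCM PKICertReady value from the question. The AEPolicy bit meanings are the GPO's three checkboxes as I understand them and are an assumption; the registry paths, cmdlets and .NET types are standard.

```powershell
# Added example (not from the original thread): client-side PKI readiness check for a
# ConfigMgr client that is configured for HTTPS/PKI.

# 1. Autoenrollment policy as delivered by GPO
#    (Computer Configuration > Windows Settings > Security Settings > Public Key Policies
#     > Certificate Services Client - Auto-Enrollment).
#    Assumed bit layout: 0x1 = enroll automatically, 0x2 = renew/update pending,
#    0x4 = update template-based certs, 0x8000 = explicitly disabled.
$aePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aePath -Name AEPolicy -ErrorAction SilentlyContinue
if (-not $ae) {
    Write-Warning "No autoenrollment policy at $aePath - the GPO is not reaching this machine."
} else {
    $enabled = (($ae.AEPolicy -band 0x1) -eq 0x1) -and (($ae.AEPolicy -band 0x8000) -eq 0)
    "AEPolicy = 0x{0:X} (autoenrollment enabled: {1})" -f $ae.AEPolicy, $enabled
}

# 2. Machine certificates with a private key and the Client Authentication EKU
#    (OID 1.3.6.1.5.5.7.3.2), which is what the ConfigMgr client selects for HTTPS.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object { $_ -is $ekuType }
    $_.HasPrivateKey -and $eku -and
    ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}
if (-not $certs) {
    Write-Warning "No client-authentication certificate with a private key in LocalMachine\My."
}

# 3. Build each candidate's chain. Revocation is skipped on purpose so that a missing or
#    unreachable CRL does not mask the trust question; a root that is not in
#    LocalMachine\Root surfaces as UntrustedRoot or PartialChain in ChainStatus.
foreach ($c in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($c)
    $rootElement = $chain.ChainElements[$chain.ChainElements.Count - 1]
    [pscustomobject]@{
        Subject     = $c.Subject
        Thumbprint  = $c.Thumbprint
        NotAfter    = $c.NotAfter
        ChainBuilds = $built
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        ChainRoot   = $rootElement.Certificate.Subject
    }
    $chain.Dispose()
}

# 4. The ConfigMgr client's own view, from the registry value named in the question.
$ccm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name PKICertReady -ErrorAction SilentlyContinue
"CCM PKICertReady = {0}" -f $(if ($ccm) { $ccm.PKICertReady } else { '<missing>' })

# After fixing policy or trust, trigger a policy refresh and an autoenrollment pass with
# the built-in tools, then re-check CertificateMaintenance.log:
#   gpupdate /force
#   certutil -pulse
```

    If step 3 reports a chain that builds but terminates at a root the site server does not list under its trusted root certification authorities, the client certificate is fine on the machine and the fix belongs on the site side, which is the situation the final reply describes.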