Client Registration - Certificate [Thumbprint xxx] issued to 'SMS' has expired.

  • Question

  • Hey folks,

    I've done some digging on here and online and cannot find anything that's specifically fixed the issue I'm having.

    Some clients trying to register are returning errors in the MP_RegistrationManager.log with the below:

    Processing Registration request from Client 'GUID:621B013C-E74D-44D2-A6EA-DD5AF6D0E51E' MP_RegistrationManager 9/14/2016 11:42:01 AM 16436 (0x4034)
    Begin validation of Certificate [Thumbprint E4404716B463F7ABE6409F0FF55E6DFE8DA6FB0A] issued to 'SMS' MP_RegistrationManager 9/14/2016 11:42:01 AM 16436 (0x4034)
    Certificate [Thumbprint E4404716B463F7ABE6409F0FF55E6DFE8DA6FB0A] issued to 'SMS' has expired. MP_RegistrationManager 9/14/2016 11:42:01 AM 16436 (0x4034)
    Completed validation of Certificate [Thumbprint E4404716B463F7ABE6409F0FF55E6DFE8DA6FB0A] issued to 'SMS' MP_RegistrationManager 9/14/2016 11:42:01 AM 16436 (0x4034)
    MP Reg: Registration request body is invalid. MP_RegistrationManager 9/14/2016 11:42:01 AM 16436 (0x4034)
    MP Reg: Registration failed. MP_RegistrationManager 9/14/2016 11:42:01 AM 16436 (0x4034)
    MP Reg: Processing completed. Completion state = 0 MP_RegistrationManager 9/14/2016 11:42:01 AM 16436 (0x4034)

    The error on the local client itself is: 

    [RegTask] - Server rejected registration request: 3 ClientIDManagerStartup 9/14/2016 10:50:30 AM 4124 (0x101C)

    On one machine I went into the certs, deleted the two SMS certs and restarted the CCM service, and voila - it worked. But I want to find out what's causing several hundred other machines to do this, and if there's anything that I can do from a server level to resolve it?

    Under site management I have no client certificate set.

    What baffles me is that I have some clients registering, and some error. I can't understand why.

    Any advice appreciated

    Jack


    Wednesday, September 14, 2016 4:48 PM

Answers

  • The certificates are not anything centrally configured or managed; they are self-signed (and self-generated) on the clients themselves. I've never seen one of these certs generated with an expiration date of anything other than 99 years in the future. If you have clients where the cert is expired, then you've encountered an anomaly or bug. Your only course is to do exactly as you've done -- do note that this will most likely generate a new resource and resource id for these systems which will in turn affect any direct memberships for them.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Frank Dong Thursday, September 15, 2016 9:38 AM
    • Marked as answer by Frank Dong Tuesday, October 4, 2016 11:32 AM
    Wednesday, September 14, 2016 6:29 PM

All replies

  • I just used this post to correct this issue with a client I found that would not register. Thank you.

    Looked through the MP_RegistrationManager.log file on my MP, I saw there looks to be two other additional clients that are failing to register due to 'expired' certificates. 

    Any idea on what would be the easiest way to identify the workstations failing to register?  I have the GUIDs of the clients, but can't seem to figure out how to tie that back to a workstation.

    Thanks. 

    Thursday, April 19, 2018 4:10 PM
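
Added example, not part of any post in this thread: a PowerShell sketch that pulls every client GUID and certificate thumbprint rejected as expired out of MP_RegistrationManager log lines, so the affected clients can be listed in one pass. It assumes lines in the text layout quoted in the question and that one thread handles a request from start to finish; the function name and sample values are made up for illustration.

```powershell
# Constructed sample in the layout quoted in the question; GUIDs and thumbprints are made up.
$sample = @'
Processing Registration request from Client 'GUID:11111111-2222-3333-4444-555555555555' MP_RegistrationManager 9/14/2016 11:42:01 AM 16436 (0x4034)
Begin validation of Certificate [Thumbprint AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] issued to 'SMS' MP_RegistrationManager 9/14/2016 11:42:01 AM 16436 (0x4034)
Certificate [Thumbprint AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] issued to 'SMS' has expired. MP_RegistrationManager 9/14/2016 11:42:01 AM 16436 (0x4034)
MP Reg: Registration failed. MP_RegistrationManager 9/14/2016 11:42:01 AM 16436 (0x4034)
MP Reg: Processing completed. Completion state = 0 MP_RegistrationManager 9/14/2016 11:42:01 AM 16436 (0x4034)
Processing Registration request from Client 'GUID:66666666-7777-8888-9999-000000000000' MP_RegistrationManager 9/14/2016 11:42:03 AM 9020 (0x233C)
Begin validation of Certificate [Thumbprint BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB] issued to 'SMS' MP_RegistrationManager 9/14/2016 11:42:03 AM 9020 (0x233C)
Completed validation of Certificate [Thumbprint BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB] issued to 'SMS' MP_RegistrationManager 9/14/2016 11:42:03 AM 9020 (0x233C)
Processing Registration request from Client 'GUID:11111111-2222-3333-4444-555555555555' MP_RegistrationManager 9/14/2016 11:52:01 AM 16436 (0x4034)
Certificate [Thumbprint AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA] issued to 'SMS' has expired. MP_RegistrationManager 9/14/2016 11:52:01 AM 16436 (0x4034)
'@ -split "`r?`n"

# Hypothetical helper: emits one object per "has expired" line, tied to the
# registration request most recently started on the same thread id.
function Get-ExpiredCertRegistration {
    param([string[]]$Line)
    # Trailing fields as shown in the thread: component, date/time, thread id, (hex thread id)
    $tail = '\s(?<comp>\S+)\s(?<when>\d{1,2}/\d{1,2}/\d{4}\s\d{1,2}:\d{2}:\d{2}\s[AP]M)\s(?<tid>\d+)\s\(0x[0-9A-Fa-f]+\)\s*$'
    $pending = @{}   # thread id -> client GUID of the request in progress on that thread
    foreach ($l in $Line) {
        if ($l -notmatch $tail) { continue }
        $tid = $Matches.tid; $when = $Matches.when
        if ($l -match "Processing Registration request from Client 'GUID:(?<guid>[0-9A-Fa-f-]{36})'") {
            $pending[$tid] = $Matches.guid
        }
        elseif ($l -match "Certificate \[Thumbprint (?<tp>[0-9A-Fa-f]{40})\] issued to 'SMS' has expired" -and $pending.ContainsKey($tid)) {
            [pscustomobject]@{ ClientGuid = $pending[$tid]; Thumbprint = $Matches.tp; Time = $when }
        }
        elseif ($l -match 'MP Reg: Processing completed') { $pending.Remove($tid) }
    }
}

# One row per client/thumbprint pair, with how often and when it was rejected.
Get-ExpiredCertRegistration -Line $sample |
    Group-Object ClientGuid, Thumbprint |
    ForEach-Object {
        [pscustomobject]@{
            ClientGuid = $_.Group[0].ClientGuid
            Thumbprint = $_.Group[0].Thumbprint
            Failures   = $_.Count
            FirstSeen  = $_.Group[0].Time
            LastSeen   = $_.Group[-1].Time
        }
    }
```

On the sample this reports one client (the GUID ending in 555555555555) with two failures; the second client validated without an expiry message and is not listed. Mapping the GUIDs to workstation names is not covered by this example.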