locked
Client certificate issues. RRS feed

  • Question

  • Hi,
     
    I was wondering if someone could give me some guidence on an issue I'm having with client installations please?
     
    In the CertificateMaintenance log files I get:

    Begin validation of Certificate [Thumbprint X] issued to 'client.domain.local' CertificateMaintenance 21/08/2012 17:13:32 4020 (0x0FB4)
    Completed validation of Certificate [Thumbprint X] issued to 'client.domain.local' CertificateMaintenance 21/08/2012 17:13:32 4020 (0x0FB4)

    for around 3 1/2 months:

    Begin validation of Certificate [Thumbprint X] issued to 'client.domain.local' CertificateMaintenance 13/12/2012 8:18:46 3852 (0x0F0C)
    Completed validation of Certificate [Thumbprint X] issued to 'client.domain.local' CertificateMaintenance 13/12/2012 8:18:46 3852 (0x0F0C)

    After that I get the following:

    HTTP is selected for Client. The current state is 0. CertificateMaintenance 13/12/2012 8:29:18 2160 (0x0870)
    Raising pending event:

    instance of CCM_ServiceHost_CertRetrieval_Status
    {
     DateTime = "20121213082918.010000+000";
     HRESULT = "0x00000001";
     ProcessID = 3184;
     ThreadID = 2160;
    };
     CertificateMaintenance 13/12/2012 8:29:18 2160 (0x0870)
    Raising event:

    instance of CCM_ServiceHost_CertRetrieval_Status
    {
     ClientID = "GUID:ac8061ff-3077-47ff-9939-b422ff834893";
     DateTime = "20121213082939.814000+000";
     HRESULT = "0x00000001";
     ProcessID = 3184;
     ThreadID = 2344;
    };
     CertificateMaintenance 13/12/2012 8:29:39 2344 (0x0928)
    Client is set to use HTTPS when available. The current state is 480. CertificateMaintenance 13/12/2012 8:30:02 900 (0x0384)
    Client is set to use HTTPS when available. The current state is 480. CertificateMaintenance 14/12/2012 8:11:12 2820 (0x0B04)

    What is state 480? I'm guessing this is has something to do with it? Maybe confirming it can't select a certificate?
     
    If I look in the SCCM control panel applet I can see that "Client Certificate = None".
     
    If I push the client to the PC from the SCCM console, the client is successfully installed, but the status of the certificate doesn't change. I have site-wide client push enabled and can see that the client is also being successfully installed every morning after the PC is switched on.
     
    If I manually uninstall the client before pushing it from the SCCM console it installs correctly and "Client Certificate = PKI"
     
    About 1/3 of my clients are shown in the console to have no client installed. These are on PCs that I know where working at the time they were delivered to the desktop. They are all built from a pretty basic task sequence and they all have their site assigned via GPO and I can see that they are all assigned in the SCCM console.
     
    I'd really like to get to the root cause of this as I don't want to have to manually uninstall and re-installed the client on all the affected computers, only to find that I'm in the same position a few months down the line.


    • Edited by WorkProfile Friday, January 18, 2013 10:10 AM formatting
    Friday, January 18, 2013 10:01 AM

All replies

  • I'm having something similar happen. I'm trying to upgrade a 2007 R2 client to 2012 SP1. I have HTTPS only on with a certificate on both ends. I have installed the client fine onto the server itself using the client-push installation. It won't push to the problem computer for some reason so I'm running ccmsetup.exe manually. Why is the client trying to use HTTP instead of HTTPS? I saw the following log right after the port identification section:

    <![LOG[HTTP is selected for Client. The current state is 0.]LOG]!><time="10:44:51.393+300" date="02-01-2013" component="ccmsetup" context="" type="1" thread="3476" file="ccmutillib.cpp:412">

    Then the log finally ends with:

    <![LOG[CCM_POST 'HTTP://<siteserver>/ccm_system/request']LOG]!><time="10:44:51.908+300" date="02-01-2013" component="ccmsetup" context="" type="1" thread="3476" file="httphelper.cpp:807">

    <![LOG[Failed to receive ccm message response. Status code = 403]LOG]!><time="10:44:51.908+300" date="02-01-2013" component="ccmsetup" context="" type="2" thread="3476" file="httphelper.cpp:1694">

    I don't know if this matters too:   the allowHTTP being True, where can that be changed? where does the ClientLocationInfo come from?

      <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseInternetDP="0">


    • Edited by Cliff Steinman Friday, February 1, 2013 4:18 PM formatting
    Friday, February 1, 2013 3:56 PM