SCCM 2012 Client install for workgroup/internet only machine

  • Question

  • I am trying to figure out what piece I am missing in this grand scheme... I have a customer who has an environment he wants to expand so he can manage remote machines that are non-domain joined, internet only machines. I am staging this implementation in a test environment first, and I have the basic certs for the client and server created on the internal CA. I have set up the DP and MP to do HTTPS/HTTP intranet/internet. Everything is running from one primary. I have 2 NICs configured, one for the internal network, one facing outwards. For internal AD joined machines they are getting the cert ok, and it is showing up in the client that it is connecting with the PKI designated.
      
    I created some test machines that are only on the internet facing side of the test environment, and created host file entries to point to the primary. I can get to the application catalog through https, so 443 traffic is passing. 
      
    I have copied down the client install locally to the designated machine, exported the root CA and installed it, and exported the site signing cert (saved into the local client source directory). The command I am running fails in ccmsetup.log with an 80070002. 
      
    ccmsetup /source:path /usepkicert /nocrlcheck SMSSITECODE=XXX CCMHOSTNAME=EXTERNAL.FQDN.COM SMSSIGNCERT=SCCM-SITE-SIGNING.CER SMSMP=EXTERNAL.FQDN.COM 
      
    A gold star to anyone who can fill in the blank to what I am missing, doing wrong, etc. 
      
    Thanks! 
    Ben 
    Tuesday, October 2, 2012 7:58 PM

All replies

  • What does ccmsetup.log tell?

    Torsten Meringer | http://www.mssccmfaq.de

    Wednesday, October 3, 2012 2:57 PM
  • I modified my install switches slightly: 

    ccmsetup /usePKICert /NOCRLCheck /mp:https://external.fqdn.com SMSSITECODE=XXX CCMHOSTNAME=EXTERNAL.FQDN.COM

    I am still getting errors... ccmsetup.log:

    ==========[ ccmsetup started in process 1624 ]========== ccmsetup 10/3/2012 4:24:57 PM 2120 (0x0848)
    CcmSetup version: 5.0.7711.0000 ccmsetup 10/3/2012 4:24:57 PM 2120 (0x0848)
    Running on OS (5.1.2600). Service Pack (3.0). SuiteMask = 256. Product Type = 1 ccmsetup 10/3/2012 4:24:57 PM 2120 (0x0848)
    Ccmsetup command line: ccmsetup /usePKICert /NOCRLCheck /mp:https://external.fqdn.com SMSSITECODE=PS1 CCMHOSTNAME=external.fqdn.com ccmsetup 10/3/2012 4:24:57 PM 2120 (0x0848)
    Command line parameters for ccmsetup have been specified.  No registry lookup for command line parameters is required. ccmsetup 10/3/2012 4:24:57 PM 2120 (0x0848)
    Command line: ccmsetup /usePKICert /NOCRLCheck /mp:https://external.fqdn.com SMSSITECODE=PS1 CCMHOSTNAME=external.fqdn.com ccmsetup 10/3/2012 4:24:57 PM 2120 (0x0848)
    SslState value: 448 ccmsetup 10/3/2012 4:24:57 PM 2120 (0x0848)
    No version of the client is currently detected. ccmsetup 10/3/2012 4:24:57 PM 2120 (0x0848)
    Updated security on object C:\WINDOWS\ccmsetup\. ccmsetup 10/3/2012 4:24:57 PM 2120 (0x0848)
    A Fallback Status Point has not been specified.  Message with STATEID='100' will not be sent. ccmsetup 10/3/2012 4:24:57 PM 2120 (0x0848)
    ccmsetup is shutting down ccmsetup 10/3/2012 4:24:57 PM 3348 (0x0D14)
    Sent stop request to ccmsetup service ccmsetup 10/3/2012 4:24:57 PM 2120 (0x0848)
    Shutdown has been requested ccmsetup 10/3/2012 4:25:00 PM 2300 (0x08FC)
    Shutdown has been requested ccmsetup 10/3/2012 4:25:00 PM 2300 (0x08FC)
    A Fallback Status Point has not been specified.  Message with STATEID='301' will not be sent. ccmsetup 10/3/2012 4:25:00 PM 3348 (0x0D14)
    CcmSetup failed with error code 0x80004004 ccmsetup 10/3/2012 4:25:00 PM 3348 (0x0D14)
    ccmsetup service is stopped. ccmsetup 10/3/2012 4:25:00 PM 2120 (0x0848)
    Successfully deleted the ccmsetup service ccmsetup 10/3/2012 4:25:05 PM 2120 (0x0848)
    Successfully created the ccmsetup service ccmsetup 10/3/2012 4:25:05 PM 2120 (0x0848)
    ==========[ ccmsetup started in process 2204 ]========== ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    CcmSetup version: 5.0.7711.0000 ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    Running on OS (5.1.2600). Service Pack (3.0). SuiteMask = 256. Product Type = 1 ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    Ccmsetup command line: "C:\WINDOWS\ccmsetup\ccmsetup.exe" /runservice "/usePKICert" "/NOCRLCheck" "/mp:https://external.fqdn.com" "SMSSITECODE=PS1" "CCMHOSTNAME=external.fqdn.com" ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    Command line parameters for ccmsetup have been specified.  No registry lookup for command line parameters is required. ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    Command line: "C:\WINDOWS\ccmsetup\ccmsetup.exe" /runservice "/usePKICert" "/NOCRLCheck" "/mp:https://external.fqdn.com" "SMSSITECODE=PS1" "CCMHOSTNAME=external.fqdn.com" ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    SslState value: 448 ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    CCMHTTPPORT:    80 ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    CCMHTTPSPORT:    443 ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    CCMHTTPSSTATE:    448 ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    CCMHTTPSCERTNAME:     ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    FSP:     ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    CCMFIRSTCERT:    1 ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    Config file:       ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    Retry time:       10 minute(s) ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    MSI log file:     C:\WINDOWS\ccmsetup\client.msi.log ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    MSI properties:    SMSSITECODE="PS1" CCMHOSTNAME="external.fqdn.com" CCMHTTPPORT="80" CCMHTTPSPORT="443" CCMHTTPSSTATE="448" CCMFIRSTCERT="1" ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    Source List: ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    MPs: ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
                      https://external.fqdn.com ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    No version of the client is currently detected. ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    Updated security on object C:\WINDOWS\ccmsetup\. ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    A Fallback Status Point has not been specified.  Message with STATEID='100' will not be sent. ccmsetup 10/3/2012 4:25:06 PM 1452 (0x05AC)
    Successfully started the ccmsetup service ccmsetup 10/3/2012 4:25:06 PM 2120 (0x0848)
    CcmSetup is exiting with return code 0 ccmsetup 10/3/2012 4:25:06 PM 2120 (0x0848)
    Running as user "SYSTEM" ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Detected 121610 MB free disk space on system drive. ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Ccmsetup is being restarted due to an administrative action. Installation files will be reset and downloaded again. ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Only one MP https://external.fqdn.com is specified. Use it. ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Searching for DP locations from MP(s)... ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Unable to retrieve AD site membership LocationServices 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Local machine is not a member of an AD domain LocationServices 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    DhcpGetOriginalSubnetMask entry point not supported. LocationServices 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Begin checking Alternate Network Configuration LocationServices 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Finished checking Alternate Network Configuration LocationServices 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Adapter {E2A5EF8B-BDB1-40E7-A8AF-385476C0628C} is DHCP enabled. Checking quarantine status. LocationServices 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Sending message body '<ContentLocationRequest SchemaVersion="1.00">
      <ClientPackage/>
      <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseInternetDP="0">
        <ADSite Name=""/>
        <Forest Name=""/>
        <Domain Name=""/>
        <IPAddresses>
    <IPAddress SubnetAddress="192.168.200.0" Address="192.168.200.104"/>
        </IPAddresses>
      </ClientLocationInfo>
    </ContentLocationRequest>
    ' ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Sending message header '<Msg SchemaVersion="1.1"><ID>{D10528C5-26DE-42A1-A5EE-71F1F30EAB7A}</ID><SourceHost>WINDOWSXP-32</SourceHost><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:WINDOWSXP-32:LS_ReplyLocations</ReplyTo><Priority>3</Priority><Timeout>600</Timeout><ReqVersion>5931</ReqVersion><TargetHost>https://external.fqdn.com</TargetHost><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><Protocol>http</Protocol><SentTime>2012-10-03T20:25:07Z</SentTime><Body Type="ByteRange" Offset="0" Length="974"/><Hooks><Hook3 Name="zlib-compress"/></Hooks><Payload Type="inline"/></Msg>' ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    CCM_POST 'https://external.fqdn.com/ccm_system/request' ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Begin searching client certificates based on Certificate Issuers ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Completed searching client certificates based on Certificate Issuers ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Begin to select client certificate ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'. ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    1 certificate(s) found in the 'MY' certificate store. ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Only one certificate present in the certificate store. ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Begin validation of Certificate [Thumbprint 77DF2F8CE6A21A1B7F95D3472B770F90697876F7] issued to 'windowsxp-32' ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    The Certificate [Thumbprint 77DF2F8CE6A21A1B7F95D3472B770F90697876F7] issued to 'windowsxp-32' has 'Client Authentication' capability. ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    Completed validation of Certificate [Thumbprint 77DF2F8CE6A21A1B7F95D3472B770F90697876F7] issued to 'windowsxp-32' ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    >>> Client selected the PKI Certificate [Thumbprint 77DF2F8CE6A21A1B7F95D3472B770F90697876F7] issued to 'windowsxp-32' ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
    [CCMSETUP] AsyncCallback(): ----------------------------------------------------------------- ccmsetup 10/3/2012 4:25:08 PM 2756 (0x0AC4)
    [CCMSETUP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered ccmsetup 10/3/2012 4:25:08 PM 2756 (0x0AC4)
    [CCMSETUP]                : dwStatusInformationLength is 4
    ccmsetup 10/3/2012 4:25:08 PM 2756 (0x0AC4)
    [CCMSETUP]                : *lpvStatusInformation is 0x8
    ccmsetup 10/3/2012 4:25:08 PM 2756 (0x0AC4)
    [CCMSETUP]            : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set
    ccmsetup 10/3/2012 4:25:08 PM 2756 (0x0AC4)
    [CCMSETUP] AsyncCallback(): ----------------------------------------------------------------- ccmsetup 10/3/2012 4:25:08 PM 2756 (0x0AC4)
    GetDPLocations failed with error 0x80072f8f ccmsetup 10/3/2012 4:25:08 PM 2756 (0x0AC4)
    Failed to get DP locations as the expected version from MP 'https://external.fqdn.com'. Error 0x80072f8f ccmsetup 10/3/2012 4:25:08 PM 2756 (0x0AC4)
    Next retry in 10 minute(s)... ccmsetup 10/3/2012 4:25:08 PM 2756 (0x0AC4)
    Wednesday, October 3, 2012 8:38 PM
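
Added example (not part of the thread and not Configuration Manager code): a short Python triage script that decodes the WinHTTP secure-failure bitmask and the HRESULT from ccmsetup.log lines like those in the post above. The function names are illustrative; the sample lines are copied from that log.

```python
import re

# WINHTTP_CALLBACK_STATUS_FLAG_* bits from winhttp.h, reported by ccmsetup
# in "*lpvStatusInformation" when the TLS handshake to the MP fails.
SECURE_FAILURE_FLAGS = {
    0x00000001: "CERT_REV_FAILED",
    0x00000002: "INVALID_CERT",
    0x00000004: "CERT_REVOKED",
    0x00000008: "INVALID_CA",
    0x00000010: "CERT_CN_INVALID",
    0x00000020: "CERT_DATE_INVALID",
    0x80000000: "SECURITY_CHANNEL_ERROR",
}
STATUS_RE = re.compile(r"\*lpvStatusInformation is (0x[0-9A-Fa-f]+)")
HRESULT_RE = re.compile(r"failed with error (?:code )?(0x[0-9A-Fa-f]{8})")
THUMB_RE = re.compile(r"Client selected the PKI Certificate \[Thumbprint ([0-9A-Fa-f]{40})\]")

# Lines copied from the ccmsetup.log posted in this thread.
SAMPLE_LOG = """\
>>> Client selected the PKI Certificate [Thumbprint 77DF2F8CE6A21A1B7F95D3472B770F90697876F7] issued to 'windowsxp-32' ccmsetup 10/3/2012 4:25:07 PM 2756 (0x0AC4)
[CCMSETUP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered ccmsetup 10/3/2012 4:25:08 PM 2756 (0x0AC4)
[CCMSETUP]                : *lpvStatusInformation is 0x8
GetDPLocations failed with error 0x80072f8f ccmsetup 10/3/2012 4:25:08 PM 2756 (0x0AC4)
"""

def decode_flags(value):
    """Return the names of every secure-failure bit set in value."""
    return [name for bit, name in sorted(SECURE_FAILURE_FLAGS.items()) if value & bit]

def decode_hresult(hr):
    """Split an HRESULT into (facility, code); facility 7 is FACILITY_WIN32."""
    return (hr >> 16) & 0x7FF, hr & 0xFFFF

def triage(log_text):
    """Collect the selected client cert, TLS failure flags and HRESULTs."""
    out = {"client_cert": None, "tls_flags": [], "errors": []}
    for line in log_text.splitlines():
        m = THUMB_RE.search(line)
        if m:
            out["client_cert"] = m.group(1).upper()
        m = STATUS_RE.search(line)
        if m:
            out["tls_flags"] = decode_flags(int(m.group(1), 16))
        m = HRESULT_RE.search(line)
        if m:
            out["errors"].append(decode_hresult(int(m.group(1), 16)))
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

For the log above this yields facility 7, code 12175 (ERROR_WINHTTP_SECURE_FAILURE) with only INVALID_CA set: the client certificate was selected successfully, and the handshake failed because the server's certificate chains to a CA the client does not trust.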
  • Could you just use the /source parameter (http://technet.microsoft.com/en-us/library/gg699356.aspx) for testing purposes? This will eliminate the "GetDPLocations failed" error.

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, October 4, 2012 7:37 AM
  • I tried that again, using /source, and also included CCMALWAYSINF=1. The install goes ok this time. The log shows no major errors, and the client shows: Client certificate: None  Connection Type: Always Internet  SMS:PS1.

    When I look at the Personal Certs, the cert I created and imported is there.

    I used the steps on this page to create the cert request: http://www.petervanderwoude.nl/post/how-to-install-a-configmgr-client-on-a-workgroup-computer-when-the-configmgr-site-is-in-native-mode/


    Thursday, October 4, 2012 1:18 PM
  • I modified my install switches slightly: 

    ccmsetup /usePKICert /NOCRLCheck /mp:https://external.fqdn.com SMSSITECODE=XXX CCMHOSTNAME=EXTERNAL.FQDN.COM

    Was that just a typo, or have you been using that?

    Friday, October 5, 2012 1:10 AM
  • I've tried both now, /source:"c:\path" and /mp:https://external.fqdn.com
    Friday, October 5, 2012 2:35 PM