Manual SCCM agent installation unsuccessful - certificate missing

  • Hi,

    WARNING, I have only worked with SCCM for a few weeks, be good to me :)

    I'm having trouble getting some of our servers to connect to the management point, after a manual installation of the SCCM agent with this script:

    \\10.xx.xx.xx\Public\Client\CCMSETUP.EXE /noservice SMSSITECODE=VSM

    I think the problem is the certificate. This is the screenshot of a server that works:

    This is the screenshot of one that fails:

    I'm not sure how to troubleshoot this issue. Please help.

    Thursday, November 8, 2012 10:16 PM

Answers

  • I have found the solution to this problem: there was a certificate for a completely different purpose in the Computer Certificate Store - Personal folder, and the SCCM agent tried to use this for trusting/authentication.
    I requested a new one from AD, and it worked!

    Freddy

    Monday, November 12, 2012 9:28 AM

All replies

  • Can you please check these logs on failed client: ccmsetup.log, ClientIDManagerStartup.log

    This posting is provided "AS IS", provides no warranties, and confers no rights. -Praveen S.

    Thursday, November 8, 2012 10:58 PM
  • Can you please check in ClientIDManagerStartup.log whether client is registered or not. If not crosscheck the boundaries and boundary group for client.
    Thursday, November 8, 2012 11:02 PM
  • Thanks so far, this is what I see in the ClientIDManagerStartup.log:

    GetSystemEnclosureChassisInfo: IsFixed=FALSE, IsLaptop=FALSE

    Computed HardwareID=2:EC29E459583D569DAA5792F1F869BE3F4B848DAE
     Win32_SystemEnclosure.SerialNumber=<empty>
     Win32_SystemEnclosure.SMBIOSAssetTag=<empty>
     Win32_BaseBoard.SerialNumber=None
     Win32_BIOS.SerialNumber=VMware-42 2f 62 ac bb d4 b1 35-fb 41 15 be 22 10 5c b1
     Win32_NetworkAdapterConfiguration.MACAddress=00:50:56:AF:04:8D

    [RegTask] - Client is not registered. Sending registration request for GUID:35C56A6A-9EB7-4564-AFF1-DEF91E48BDAA ...

    [RegTask] - Server rejected registration request: 3

    This message repeats every 5 minutes.

    What I have tried so far is to delete smscfg.ini and restart the SMS Agent Host service; it didn't help.

    I found a suggestion to remove the Client Authentication and SMS certificates and request new ones. Does this sound like a solution? I haven't tried it yet!

    What should I check next?

    Friday, November 9, 2012 9:36 AM
  • Check MP_ClientRegistration.log (not sure about the exact name right now) on the MP.

    Torsten Meringer | http://www.mssccmfaq.de

    Friday, November 9, 2012 12:18 PM
  • Couldn't find the MP_ClientRegistration.log file, but I found a file called MP_RegistrationManager.log on one of our management points, which says:

    Processing Registration request from Client 'GUID:16914673-12A7-44DD-BAFB-A6F5D1738150'

    Begin validation of Certificate [Thumbprint 5BFA5D39F2C819E8F7DC7BF48631EB0E2501D197] issued to 'Visma User Directory VSNREPAPP001'

    Completed validation of Certificate [Thumbprint 5BFA5D39F2C819E8F7DC7BF48631EB0E2501D197] issued to 'Visma User Directory VSNREPAPP001'

    MP Reg: Client in-band certificate is not valid due to failures in certificate chain validation, Raising status event. Failure HR = 0x800b0109, In-band Cert SubjectName = VBSTESTCERT

    Raising event:
    [SMS_CodePage(850), SMS_LocaleID(1044)]
    instance of MpEvent_CertInvalidChain
    {
     ClientID = "GUID:5D5B7E3C-5146-4ADF-A4F2-406F6F76645A";
     DateTime = "20121110170449.629000+000";
     MachineName = "ADMCMROLE001.ADM.DATAKRAFTVERK.NO";
     ProcessID = 1164;
     SiteCode = "VSM";
     SubjectName = "VBSTESTCERT";
     ThreadID = 2796;
     Win32ErrorCode = 2148204809;
    };

    MP Reg: Registration request body is invalid.

    MP Reg: Registration failed.

    MP Reg: Processing completed. Completion state = 0

    Here's an image of the agent data at the moment:

    Below is one of the log entries in the SCCM console:

    MP has rejected registration request due to failure in client certificate (Subject Name: VBSTESTCERT) chain validation. If this is a valid client, Configuration Manager Administrator needs to place the Root Certification Authority and Intermediate Certificate Authorities in the MP's Certificate store or configure Trusted Root Certification Authorities in primary site settings. The operating system reported error 2148204809: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 

    Sadly, I'm not very familiar with certificate troubleshooting, any ideas?

    Could a clue be that in some cases, in the client properties, it shows a GUID, and in other cases it doesn't?

    Saturday, November 10, 2012 5:27 PM
  • Hi Cesar,

    How did you do this? I'm having exactly the same problem with a server with another certificate.

    Thanks


    MCTS - SCCM

    Wednesday, December 5, 2012 11:07 AM
  • I posted the following in another thread that dealt with kind of the same issue.  Or one of multiple issues that were occurring with my clients:

    https://social.technet.microsoft.com/Forums/en-US/aa0e6328-189b-4bda-b6e8-2bdcdbba463b/client-deployment-issue-server-rejected-registration-request?forum=configmanagerdeployment&prof=required

    Posting it here in case that thread has issues.

    ---

    As I didn't see a resolution on most of the sites I checked for this issue, I just wanted to post my fix in case it helps anyone else.

    Per acole83's response, I had around 10 machines out of 200 that had the same exact issue.  In checking the MP_RegistrationManager.log, there were "MP Reg" errors for each one.

    For each error, I compared the Certificate Thumbprint in the "Begin validation of Certificate [Thumbprint ###] issued to 'server.local'" to the Thumbprint information in the Properties of the Certificate in the Personal store.  In my case, each certificate was the one with the server name, assigned Intended Purposes of "<All>".

    I then dragged this certificate to Trusted Root Certification Authorities --> Certificates.

    At that point, for 9 out of the 10 servers, SCCM began to automatically update the client with all needed information.  On the "Configuration Manager Properties":  4 tabs turned into 7; Client Certificate changed from "None" to "Self-Signed"; the Components and Actions tab fully populated; etc.  The MP_RegistrationManager.log and ClientIDManagerStartup.log no longer reported errors for these servers.

    I did have to perform one client reinstall for the 10th server, but did so without an uninstall, and the server began responding properly to SCCM. Honestly, it may have registered by itself, but I was impatient and just performed the reinstall to get things moving.

    I then moved the certificate from Trusted Root Certification Authorities --> Certificates back to Personal --> Certificates.  At no point did I have any issues with communication or applications on the server.  Of course, I did test this out on my development servers, prior to performing these steps for the production servers.

    I then went through and performed an "Update Membership" on the Device Collections the servers were a member of.  All servers are now receiving their Client Settings, Policies, Patches, and Maintenance Windows as assigned.

    Definitely an idea that I didn't think would work, but did so for our environment.  Hopefully it helps someone else.

    Tuesday, April 12, 2016 1:05 AM
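The two posts above (the MP_RegistrationManager.log excerpt from November 10, 2012 and the thumbprint-matching walkthrough from April 12, 2016) describe the same manual check: take the thumbprint the MP logged, find that certificate in the client's Personal store, and see why its chain does not terminate in a trusted root. The script below is an added example written for this page; it is not code from the thread or from Microsoft. The `$mpLog` lines are copied from the post above; the function names, the log path and the candidate-selection rule (private key present, Client Authentication EKU or no EKU restriction) are assumptions, not documented SCCM behaviour.

```powershell
# Added example, not from the thread or from Microsoft. Part 1 runs on the
# management point (or on any copy of MP_RegistrationManager.log); part 2 runs
# on the rejected client in an elevated session.

function Get-MpCertRejection {
    # Pairs each "Begin validation of Certificate" line with the following
    # "Client in-band certificate is not valid" line. Regexes match substrings,
    # so raw CMTrace-format lines (<![LOG[...]LOG]!>) work without stripping.
    param([string[]]$LogLines)
    $thumb = $null; $issuedTo = $null
    foreach ($line in $LogLines) {
        if ($line -match "Begin validation of Certificate \[Thumbprint (?<t>[0-9A-Fa-f]{40})\] issued to '(?<s>[^']+)'") {
            $thumb = $Matches.t; $issuedTo = $Matches.s
        }
        elseif ($line -match "Failure HR = (?<hr>0x[0-9A-Fa-f]{8}).*In-band Cert SubjectName = (?<subj>\S+)") {
            [pscustomobject]@{
                Thumbprint   = $thumb
                IssuedTo     = $issuedTo
                SubjectName  = $Matches.subj
                HResult      = $Matches.hr
                Win32Decimal = [int64]$Matches.hr   # 0x800b0109 -> 2148204809, the value the console event shows
            }
        }
    }
}

function Test-CcmClientCert {
    # Locates the certificate the MP complained about in LocalMachine\My and
    # builds its chain with trust checks only (no revocation), so an untrusted
    # root shows up as ChainStatus "UntrustedRoot" (CERT_E_UNTRUSTEDROOT, 0x800B0109).
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # separate trust failures from CRL reachability
    $builds = $chain.Build($cert)
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey
        # An empty EKU list is what the store UI shows as Intended Purposes "<All>"
        EKU           = $(if ($cert.EnhancedKeyUsageList) { $cert.EnhancedKeyUsageList.FriendlyName -join ', ' } else { '<All>' })
        ChainBuilds   = $builds
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainRoot     = $root.Subject
        RootTrusted   = [bool](Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")
    }
}

function Get-CcmCandidateCert {
    # Assumed approximation of what the client may pick from Personal: a private
    # key plus either the Client Authentication EKU or no EKU restriction at all.
    # Several hits here is the situation Freddy's answer describes.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        (-not $_.EnhancedKeyUsageList -or ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2'))
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# --- Part 1, on the MP: lines copied from the post above. For a live log use
#     Get-Content on MP_RegistrationManager.log (path depends on the MP install).
$mpLog = @(
    "Begin validation of Certificate [Thumbprint 5BFA5D39F2C819E8F7DC7BF48631EB0E2501D197] issued to 'Visma User Directory VSNREPAPP001'",
    "MP Reg: Client in-band certificate is not valid due to failures in certificate chain validation, Raising status event. Failure HR = 0x800b0109, In-band Cert SubjectName = VBSTESTCERT"
)
$rejection = Get-MpCertRejection -LogLines $mpLog
$rejection | Format-List

# --- Part 2, on the client: uncomment once you have the thumbprint from part 1.
# Test-CcmClientCert -Thumbprint $rejection.Thumbprint | Format-List
# Get-CcmCandidateCert | Format-Table -AutoSize
```

If `Test-CcmClientCert` reports `ChainBuilds = False`, `ChainStatus = UntrustedRoot` and `RootTrusted = False`, the client is presenting exactly the certificate the MP rejected, and the choice is the one the thread arrives at: trust that issuing root on the MP (the console message's advice), replace the stray certificate in Personal with one from the domain CA (Freddy's fix), or stop using PKI client certificates at the site (Phil's fix below). The `NoCheck` revocation mode is deliberate: with revocation on, an unreachable CRL would add `RevocationStatusUnknown` and hide the trust problem being diagnosed.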
  • I had this issue as well when servers have self signed certs in their personal store AND you have Use PKI client certificate enabled in the Primary Site Properties > Client Computer Communication.  If you don't use PKI, you can uncheck this default setting and then reinstall the SCCM client on the server.

    Wednesday, August 10, 2016 2:33 PM
  • Phil's suggestion worked great for me. I unchecked the box, restarted the agent, and refreshed machine policy and it got its self-signed certificate and started working fine. Thanks!

    Shane Curtis

    Friday, June 23, 2017 4:12 PM