Troubleshooting Internet Based Client Management

  • Question

  • Hi,

    I am hoping someone can help me to troubleshoot an internet facing site system which I am trying to configure for internet based client management. We are running a single SCCM 2012 primary site and now want to introduce an internet facing site system to service clients on the internet.

    I have followed the TechNet guide and thought I had everything in place for it to work but then took a laptop home last night to which I had deployed a software package but alas nothing happened. I was initiating a machine policy retrieval and watching the execmgr.log but no activity was being logged.

    I am wondering what my first port of call is to begin troubleshooting what is wrong?

    A few things I can check off:

    The site system has its FQDN specified and published in public DNS
    The management point is configured to only allow internet connections over HTTPS
    PKI is setup - I have the web server certificate on the site system in the computer's personal certificates sections and the certificate contains the FQDN
    I have the client certificate on my internet client
    I have specified the FQDN of the internet based management point in the client agent settings
    I can telnet on port 443 to the FQDN of the management point from the internet

    One thing that may be significant is when I check the site status on my primary site the internet based management point is showing as critical with 0 bytes Total. But when I view all messages there are no errors and it reports as being online. There is also plenty of disk space on the drives.

    Any help would be appreciated. And could someone tell me how I view messages reported to the fallback status point please?

    Regards

    Jay


    • Edited by Jaysoul Wednesday, October 31, 2012 10:55 AM
    Wednesday, October 31, 2012 9:10 AM

All replies

  • Hi Jay,

    I'm assuming you've spent time carefully going through the Microsoft article on creating and deploying the Certificates required for IBCM to work;

    http://technet.microsoft.com/en-us/library/gg682023 (this works, it's all good)

    If you set your Site server to accept both Intranet and Internet connections but requiring HTTPS, does your client with the cert communicate with that server OK when it is on the Intranet? Always worth getting that part working first before moving the laptop out of the office!

    When you are looking at the Configuration Manager 2012 agent in the control panel on the IB client when it is outside the Intranet, does it say "Currently Internet" and seeing "PKI" for the client certificate?

    Do you have a firewall/TMG/ISA server sat in the middle between your IB client and the HTTPS site system?  If so, you'll need to find the mechanism to throw on a Client Authentication certificate (with the exportable private key - like the Distribution Point/OSD certificate) otherwise the HTTPS site server won't accept the request from the client as the client cert gets lost.  Testing normal HTTPS comms which uses the Server Authentication Certificate isn't a suitable test for outside connectivity when you've got a man in the middle.


    My Personal Blog: http://madluka.wordpress.com


    • Edited by MadLuka Wednesday, October 31, 2012 2:11 PM
    Wednesday, October 31, 2012 2:10 PM
  • Hi MadLuka,

    Thanks for the reply. I will take a look at the link and make sure I've met the PKI requirements (I'm pretty sure I have)

    To answer your questions:

    The agent said 'Currently Intranet' before I took it home last night
    The agent said 'Currently Internet' and 'PKI' for certificate when I took it home last night

    The laptop picked up the deployed package as soon as I plugged it into the intranet network this morning. I have one internal site system with Management Point / Distribution Point setup for HTTP and then another site system internet facing with Management Point and Distribution Point setup for HTTPS.

    And finally YES - we do have a firewall between the IB client and the HTTPS site server so maybe this is where the problem lies?

    Wednesday, October 31, 2012 2:20 PM
  • There will likely be some FW config to do, how messy that gets depends on the FW product I guess!  Here's a doc from ConfigMgr 2007, but the principle is the same; http://technet.microsoft.com/en-us/library/cc707697(TechNet.10).aspx

    Sticking a site server in a DMZ might also be considered an option, all rules in place etc. etc.


    My Personal Blog: http://madluka.wordpress.com

    Wednesday, October 31, 2012 3:47 PM
  • I've just read this:

    Using the Fallback Status Point to Identify Native Mode Communication Problems

    Because the fallback status point accepts unauthenticated communications, it accepts state messages from native mode clients when PKI certificate issues prevent communication between the client and its management point. Examples of state messages a client might send to a fallback status point to identify problems with native mode communication include the following:

    • There is no valid client certificate.
    • There is more than one possible valid client certificate without an appropriate certificate selection configuration specified.
    • A server certificate needed for native mode communication fails to chain successfully to the trusted root certification.
    • A server certificate needed for native mode communication is expired.
    • A server certificate needed for native mode communication is revoked.

    I know this refers to 2007 but where would I find these messages in 2012 if my laptop client has reported connection problems?


    • Edited by Jaysoul Thursday, November 1, 2012 8:46 AM
    Thursday, November 1, 2012 8:46 AM
  • I've been reliably informed that our firewall will not interfere with the certificate as it does not inspect the packets so I am ruling that out.

    How can I troubleshoot this?

    I don't think I have a Fallback Status Point configured on my internet client - I didn't specify one at installation anyway. If I uninstall the client and then reinstall specifying a FSP will I then get status messages potentially detailing what the connection problem is?

    Friday, November 2, 2012 8:52 AM
  • BUMP!
    Tuesday, November 6, 2012 9:19 AM
  • Check locationservices.log on the client and mpcontrol.log on the management point. Have you confirmed that the client when on the Internet can access the CRL for the Internet-based management point certificate (or tried disabling CRL checking on the client)?

    Friday, November 9, 2012 4:36 PM
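Added example (editor's note; not code from anyone in the thread): a small PowerShell function that pulls the warning and error entries out of a CMTrace-format log such as locationservices.log or mpcontrol.log, which is quicker than scrolling in CMTrace when the lines that matter are the type 2 (warning) and type 3 (error) records. The three sample entries embedded at the end are constructed in the thread's format (mp.domain.com is a placeholder MP name) so the function can be tried without a client; on a real machine point it at %windir%\CCM\Logs\LocationServices.log.

```powershell
# Added example (editor's note): extract warnings/errors from a CMTrace-format log.
# Each CMTrace entry is one <![LOG[message]LOG]!><time=... date=... component=... type=N ...>
# record, where type 1 = informational, 2 = warning, 3 = error.

function Get-CMTraceEntry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Info', 'Warning', 'Error')][string[]]$Severity = @('Warning', 'Error')
    )
    $typeOf = @{ Info = 1; Warning = 2; Error = 3 }
    $nameOf = @{ 1 = 'Info'; 2 = 'Warning'; 3 = 'Error' }
    $wanted = @($Severity | ForEach-Object { $typeOf[$_] })

    # Match the message body and the whole attribute tag; Singleline lets a message span lines.
    $entry = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><(?<attrs>[^>]*)>'
    $raw   = Get-Content -Path $Path -Raw

    foreach ($m in [regex]::Matches($raw, $entry, 'Singleline')) {
        # Turn  time="..." date="..." type="2" ...  into a hashtable.
        $attr = @{}
        foreach ($kv in [regex]::Matches($m.Groups['attrs'].Value, '(\w+)="([^"]*)"')) {
            $attr[$kv.Groups[1].Value] = $kv.Groups[2].Value
        }
        $type = [int]$attr['type']          # 0 if the tag is truncated; filtered out below
        if ($wanted -notcontains $type) { continue }
        [pscustomobject]@{
            Date      = $attr['date']
            Time      = $attr['time']
            Severity  = $nameOf[$type]
            Component = $attr['component']
            Source    = $attr['file']
            Message   = $m.Groups['msg'].Value
        }
    }
}

# Constructed sample in the thread's format so the function can be exercised offline.
$sample = @'
<![LOG[LSGetManagementPointsForSite: Domain Joined Client is Internet Enabled]LOG]!><time="17:24:04.765+00" date="11-09-2012" component="LocationServices" context="" type="1" thread="4624" file="lsad.cpp:2235">
<![LOG[Failed to send management point list Location Request Message to mp.domain.com]LOG]!><time="17:24:05.264+00" date="11-09-2012" component="LocationServices" context="" type="2" thread="4624" file="lssecurity.cpp:5258">
<![LOG[No reply received]LOG]!><time="20:54:56.206+00" date="01-08-2013" component="LocationServices" context="" type="3" thread="912" file="lsutils.cpp:808">
'@
$tmp = Join-Path $env:TEMP 'locationservices.sample.log'
Set-Content -Path $tmp -Value $sample

Get-CMTraceEntry -Path $tmp | Format-Table Date, Time, Severity, Source, Message -AutoSize
# Real client:  Get-CMTraceEntry -Path "$env:windir\CCM\Logs\LocationServices.log"
# Real MP:      Get-CMTraceEntry -Path 'E:\SMS\Logs\mpcontrol.log' -Severity Warning, Error
```

The two sample warning/error lines are the ones that matter in the thread: "Failed to send management point list Location Request Message" and "No reply received" both mean the HTTPS request to the MP never got an answer, which points at the server side (mpcontrol.log) or at the TLS handshake rather than at policy.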
  • Thanks for the reply Carol. I have just checked the locationservices.log on the client and these lines appears to detail the problem:

    <![LOG[LSGetManagementPointsForSite: Domain Joined Client is Internet Enabled]LOG]!><time="17:24:04.765+00" date="11-09-2012" component="LocationServices" context="" type="1" thread="4624" file="lsad.cpp:2235">

    <![LOG[Begin checking Alternate Network Configuration]LOG]!><time="17:24:04.812+00" date="11-09-2012" component="LocationServices" context="" type="1" thread="4624" file="ccmiputil.cpp:1069">

    <![LOG[Failed to send management point list Location Request Message to (FQDN of IBMP)]LOG]!><time="17:24:05.264+00" date="11-09-2012" component="LocationServices" context="" type="2" thread="4624" file="lssecurity.cpp:5258">

    <![LOG[LSUpdateInternetManagementPoints: No internet MPs were retrieved from internet MP, retaining previous list.]LOG]!><time="17:24:05.264+00" date="11-09-2012" component="LocationServices" context="" type="2" thread="4624" file="lsad.cpp:2405">

    <![LOG[There is no AMP for site code '###'. Nulling existing entry in WMI]LOG]!><time="17:24:05.264+00" date="11-09-2012" component="LocationServices" context="" type="1" thread="4624" file="lsad.cpp:3536">

    <![LOG[Persisted Default Management Point Locations locally]LOG]!><time="17:24:05.280+00" date="11-09-2012" component="LocationServices" context="" type="1" thread="4624" file="lsad.cpp:3630">

    Friday, November 9, 2012 5:33 PM
    Failed to send management point list Location Request Message to (FQDN of IBMP)

    Anyone help troubleshoot this error in the locationservices.log ?

    After looking online I have now disabled the CRL check on the server and during install of the client but this message still appears and I have no connection to my internet MP.

    Thanks,

    JAy

    Wednesday, November 14, 2012 9:11 PM
  • BUMP!
    Monday, November 19, 2012 3:56 PM
  • Hi Jay, you didn't say if the Management Points FQDN was resolvable while you are on the internet? Is this the case? That log snippet suggests it couldn't contact it.

    Monday, November 19, 2012 10:01 PM
  • I did say in my original post that I can telnet on port 443 to the FQDN of the management point from the internet.

    Does this not prove that the FQDN is resolving?

    Jay

    Tuesday, November 20, 2012 8:37 AM
  • Tried again and have this DNS error in location services.log

    <![LOG[Failed to retrieve DNS service record using _mssms_mp_(sitecode)._tcp.domain lookup. DNS returned error 9852]LOG]!><time="09:37:01.123+00" date="11-22-2012" component="LocationServices" context="" type="2" thread="4944" file="lsad.cpp:2845">

    This is in the client location log:

    <![LOG[Current Internet Management Point is internetMP.FQDN with Version 0 and Capabilities: <Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /></Capabilities>]LOG]!><time="20:17:49.212+00" date="11-21-2012" component="ClientLocation" context="" type="1" thread="3372" file="smsclientclass.cpp:1165">


    • Edited by Jaysoul Thursday, November 22, 2012 9:51 AM
    Thursday, November 22, 2012 9:45 AM
  • Huh?

    DNS_ERROR_NO_DNS_SERVERS
    9852 (0x267C)

    No DNS servers configured for local system.

    Anything in the clients event log during this time? Any indications that the IP settings are incorrectly set?

    Monday, November 26, 2012 3:05 PM
  • From a command prompt I can telnet on port 443 to the FQDN of the management point from the internet. Does this not prove that the FQDN is resolving? Any other way I can troubleshoot this?

    Jay


    Wednesday, December 19, 2012 3:27 PM
  • Yes it does, another way to confirm is to use the NSLOOKUP command and tapping in that FQDN ...

    It really is saying the MP is not responding properly, Carol Bailey referred to the MPCONTROL log on the Management Point that the Client is trying to use, you didn't mention the results of checking this log, can you have a look to see if there are any indications of MP failure?

    You've confirmed your DNS is OK, all that is left is certificates and the MP.


    Rob Marshall | UK | My Blog | WMUG

    Thursday, December 20, 2012 12:22 PM
  • Thanks for the reply Rob. Just checking the MPCONTROL log on my internet facing MP and it's not looking too healthy. Here is an extract:

    Successfully performed Management Point availability check against local computer.

    SSL is enabled.

    Client authentication is also enabled.

    CRL Checking is also enabled.

    Machine name is 'xxxxxxxxxxxxxxxxx'.

    There are no certificate(s) that meet the criteria.

    Performing machine FQDN to SAN2 search.

    Begin validation of Certificate [Thumbprint faa16b3fafafc817b74a2d6b36fb83e99bb6280e] issued to 'xxxxxxxxxxxx'

    Certificate has "SSL Client Authentication" capability.

    Completed validation of Certificate [Thumbprint faa16b3fafafc817b74a2d6b36fb83e99bb6280e] issued to 'xxxxxxxxxxxxx'

    Certificate doesn't have SAN2 extension.

    >>> Selected Certificate [Thumbprint faa16b3fafafc817b74a2d6b36fb83e99bb6280e] issued to 'xxxxxxxxxxxxx' for HTTPS Client Authentication

    Call to HttpSendRequestSync failed for port 443 with status code 500, text: Internal Server Error

    Sent summary record of SMS Management Point on ["Display=\\xxxxxxxxxxxxxx\"]MSWNET:["SMS_SITE=SU2"]\\xxxxxxxxxxxxx\ to E:\SMS\MP\OUTBOXES\sitestat.box\6coo3t2j.SUM, Availability 1, 157283324 KB total disk space , 156702232 KB free disk space, installation state 0.

    Http test request failed, status code is 500, 'Internal Server Error'.

    Successfully performed Management Point availability check against local computer.

    Checking the current CLR Enabled configuration setting for the configured SQL Server hosting the database.

    Getting the CLR Enabled value from the configured SQL database.

    Attempting to connect to the configured SQL database.

    *** [28000][18456][Microsoft][SQL Server Native Client 10.0][SQL Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

    *** [28000][18456][Microsoft][SQL Server Native Client 10.0][SQL Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

    *** Failed to connect to the SQL Server.

    Failed to get connection to the configured SQL database.

    Failed to connect to the configured SQL database.

    Failed to get the current CLR Enabled configuration setting for the configured SQL Server hosting the database.

    Thursday, December 20, 2012 4:01 PM
  • *** [28000][18456][Microsoft][SQL Server Native Client 10.0][SQL Server]Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.


    That usually indicates an SQL SPN issue, so double check the SPN settings.

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, December 20, 2012 4:21 PM
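Added example (editor's note; not from Torsten's reply): a PowerShell check for the MSSQLSvc SPNs that a management point on a separate box relies on when it authenticates to the site database with Kerberos. A missing or duplicated SPN is one common reason a remote service ends up at SQL Server as NT AUTHORITY\ANONYMOUS LOGON. The SQL host name sql01.sub-domain.domain.com and port 1433 are placeholders, and setspn.exe must be available on the machine you run this from. Jay's eventual workaround (a dedicated connection account on the MP) works around the symptom rather than fixing the SPN, so the check is still worth running.

```powershell
# Added example (editor's note): verify the MSSQLSvc SPNs for the site database server.
# Placeholders: sql01.sub-domain.domain.com, port 1433. Needs setspn.exe on the path.

function Test-SqlSpn {
    param(
        [Parameter(Mandatory)][string]$SqlFqdn,
        [int]$Port = 1433
    )
    $short = $SqlFqdn.Split('.')[0]
    # Both the FQDN and NetBIOS forms should be registered: a caller builds the SPN from
    # whichever name it was given, and an MP in a sub-domain will usually use the FQDN.
    $spns = @("MSSQLSvc/${SqlFqdn}:$Port", "MSSQLSvc/${short}:$Port")
    foreach ($spn in $spns) {
        # setspn -Q prints the owning object's DN followed by "Existing SPN found!",
        # or "No such SPN found." when nothing in the forest carries it.
        $out   = & setspn.exe -Q $spn 2>&1 | Out-String
        $found = $out -match 'Existing SPN found'
        $owner = ''
        if ($found) { $owner = [regex]::Match($out, '(?m)^(CN=.*)$').Groups[1].Value }
        [pscustomobject]@{ SPN = $spn; Registered = $found; Owner = $owner }
    }
}

$result = Test-SqlSpn -SqlFqdn 'sql01.sub-domain.domain.com' -Port 1433
$result | Format-Table -AutoSize

$missing = @($result | Where-Object { -not $_.Registered })
if ($missing.Count -gt 0) {
    # Register against the account the SQL Server service runs as (a domain service
    # account, or the computer account for a Local System / Network Service instance).
    # setspn -S refuses to create a duplicate, which is the safer form of -A.
    'Missing SPNs; register them with, for example:'
    $missing | ForEach-Object { "  setspn -S $($_.SPN) <DOMAIN>\<sql-service-account>" }
    'Also run "setspn -X": an SPN registered on two accounts breaks Kerberos just as surely as a missing one.'
}
```

If both SPNs are registered on the right account and the MP still logs an anonymous logon, look at which identity the MP's SQL connection actually uses (the site system's computer account by default, or the connection account Jay configured) and whether that identity has a login on the SQL instance.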
  • I can look into that but I'm not really sure about it!

    My intranet management point is on a separate box to the SQL database and obviously has no problems with communication so does this not suggest SPN settings are OK?

    Thursday, December 20, 2012 4:52 PM
  • OK so I seem to have gotten over the SQL connection issue by changing the properties of the MP to use a dedicated domain account for the SQL connection.

    The problem on the MP now seems to be with the certificate.

    Client authentication is also enabled.

    CRL Checking is also enabled.

    Machine name is 'xxxx.xxxxx.xxxxx.xxx'.

    There are no certificate(s) that meet the criteria.

    Performing machine FQDN to SAN2 search.

    Certificate doesn't have SAN2 extension.

    Using custom selection criteria based on the machine NetBIOS name.

    Machine name is 'xxxxxxxxxx'.

    Skipping this certificate which is not valid for ConfigMgr usage.

    There are no certificate(s) that meet the criteria.

    Failed to retrieve client certificate. Error -2147467259

    Call to HttpSendRequestSync failed for port 443 with -2147467259 error code.

    My ConfigMgr Web Server Certificate is in place on the MP and it has the FQDN specified in the Subject Alternative name property - so I am not sure why it is not picking this certificate up as being valid.

    Incidentally the machine name is different from the FQDN because the machine name has a sub-domain included in the full name - would this cause a problem?

    Friday, December 21, 2012 4:09 PM
  • Can anyone offer any assistance on why my MP is not picking up my web server certificate?

    Here is the mpcontrol.log:

    Client authentication is also enabled.

    CRL Checking is also enabled.

    Machine name is 'xxxx.xxxxx.xxxxx.xxx'.

    There are no certificate(s) that meet the criteria.

    Performing machine FQDN to SAN2 search.

    Certificate doesn't have SAN2 extension.

    Using custom selection criteria based on the machine NetBIOS name.

    Machine name is 'xxxxxxxxxx'.

    Skipping this certificate which is not valid for ConfigMgr usage.

    There are no certificate(s) that meet the criteria.

    Failed to retrieve client certificate. Error -2147467259

    Call to HttpSendRequestSync failed for port 443 with -2147467259 error code.

    Monday, January 7, 2013 9:52 AM
  • OK - so I've just tried re-issuing the web server certificate onto my management point. This time I have included both the intranet FQDN and the internet FQDN in the DNS alternative name section. E.g. mp.sub-domain.domain.com and mp.domain.com. This has changed the output in the mpcontrol log slightly but it is still failing:

    SSL is enabled.

    Client authentication is also enabled.

    CRL Checking is also enabled.

    Machine name is 'mp.sub-domain.domain.com'.

    There are no certificate(s) that meet the criteria.

    Performing machine FQDN to SAN2 search.

    Begin validation of Certificate [Thumbprint ee22bb822d3ac3d3fe9cc4be5643063cfb66cf35] issued to mp.sub-domain.domain.com

    Certificate doesn't have "SSL Client Authentication" capabilities.

    Completed validation of Certificate [Thumbprint ee22bb822d3ac3d3fe9cc4be5643063cfb66cf35] issued to mp.sub-domain.domain.com

    Certificate doesn't have SAN2 extension.

    Using custom selection criteria based on the machine NetBIOS name.

    There are no certificate(s) that meet the criteria.

    Any ideas?

    Monday, January 7, 2013 10:42 AM
  • What certificates do you actually have installed in the Personal Computer store in the Certificates MMC on your MP?  Your MP will need both the Web Server Certificate AND the same certificate for client authentication purposes that your clients use.

    My Personal Blog: http://madluka.wordpress.com

    • Proposed as answer by Apajove John Monday, January 7, 2013 2:55 PM
    • Marked as answer by Jaysoul Thursday, March 28, 2013 12:22 PM
    Monday, January 7, 2013 12:13 PM
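Added example (editor's note; not from MadLuka's reply): a PowerShell audit of the management point's LocalMachine\My store that reproduces the two selections mpcontrol.log makes, the SAN search for a server authentication certificate matching the FQDN clients use and the search for a client authentication certificate with a private key. It also builds each certificate's chain with online CRL checking, since an unreachable CRL is the other common reason an IBCM certificate gets rejected. mp.domain.com is a placeholder for the internet-facing FQDN, and the SAN parsing relies on the English "DNS Name=" rendering of the extension text on Windows.

```powershell
# Added example (editor's note): audit LocalMachine\My on a ConfigMgr HTTPS management point
# the way mpcontrol.log selects certificates. An IBCM MP needs, in that store:
#   1. a Server Authentication certificate (EKU 1.3.6.1.5.5.7.3.1) whose SAN lists the
#      FQDN clients use (the "machine FQDN to SAN2 search" in mpcontrol.log), and
#   2. a Client Authentication certificate (EKU 1.3.6.1.5.5.7.3.2) with a private key,
#      which the MP presents when it tests its own HTTPS endpoint.
# mp.domain.com is a placeholder for the internet-facing FQDN.

param(
    [string]$InternetFqdn = 'mp.domain.com',
    [switch]$SkipCrlCheck
)

$OidServerAuth = '1.3.6.1.5.5.7.3.1'
$OidClientAuth = '1.3.6.1.5.5.7.3.2'

function Get-CertEku([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-CertSanDnsName([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # 2.5.29.17 = Subject Alternative Name. Format() renders it on English Windows as
    # "DNS Name=a.example.com, DNS Name=b.example.com".
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    return @([regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
}

function Test-CertChain([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [bool]$CheckRevocation) {
    # Online revocation checking exercises the CRL distribution points; an unreachable CRL
    # shows up as RevocationStatusUnknown / OfflineRevocation in ChainStatus.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $mode  = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $chain.ChainPolicy.RevocationMode = $mode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok     = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    return [pscustomobject]@{ Valid = $ok; Status = $status }
}

$report = foreach ($c in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $eku   = Get-CertEku $c
    $sans  = Get-CertSanDnsName $c
    $chain = Test-CertChain $c (-not $SkipCrlCheck)
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Subject       = $c.Subject
        NotAfter      = $c.NotAfter
        HasPrivateKey = $c.HasPrivateKey
        ServerAuth    = ($eku -contains $OidServerAuth)
        ClientAuth    = ($eku -contains $OidClientAuth)
        SanHasFqdn    = ($sans -contains $InternetFqdn)
        ChainValid    = $chain.Valid
        ChainStatus   = $chain.Status
    }
}
$report | Format-Table Thumbprint, Subject, HasPrivateKey, ServerAuth, ClientAuth, SanHasFqdn, ChainValid, ChainStatus -AutoSize

$web    = $report | Where-Object { $_.ServerAuth -and $_.SanHasFqdn -and $_.HasPrivateKey -and $_.ChainValid }
$client = $report | Where-Object { $_.ClientAuth -and $_.HasPrivateKey -and $_.ChainValid }

if (-not $web) {
    Write-Warning "No valid web server certificate with '$InternetFqdn' in its SAN: expect 'There are no certificate(s) that meet the criteria' after the SAN2 search in mpcontrol.log."
}
if (-not $client) {
    Write-Warning "No valid client authentication certificate: expect 'Failed to retrieve client certificate' in mpcontrol.log."
}
if ($web -and $client) { 'MP certificate prerequisites satisfied.' }
```

Run it with -SkipCrlCheck once to separate a certificate-content problem from a CRL-reachability problem: if the store only passes with the switch, the MP cannot reach the CRL distribution point named in its certificates, which is the condition the thread's /NoCRLCheck discussion is about.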
  • BINGO! I only had the 'Web server certificate for site systems that run IIS' on my MP. Adding the client authentication certificate has overcome this problem in the log file.

    Now to retest deploying a package to an internet client!

    I did get this warning (not sure if it is cause for concern):

    I did get this warning (not sure if it is cause for concern)

    I must say I don't know if it is just me and maybe I just don't know enough about certificates but the step by step deployment documentation doesn't make it clear that the client authentication cert needs to be on the MP:

    Client certificate for Windows computers

    This certificate is used to authenticate Configuration Manager client computers to site systems that are configured to use HTTPS. It can also be used for management points and state migration points to monitor their operational status when they are configured to use HTTPS. It must be installed externally from Configuration Manager on computers.

    For the steps to configure and install this certificate, see Deploying the Client Certificate for Windows Computers in this topic.

    Monday, January 7, 2013 2:07 PM
  • Glad I could help.  If your issue has been answered please feel free to mark it as answered so that the thread status is updated. :-)

    My Personal Blog: http://madluka.wordpress.com

    Monday, January 7, 2013 3:10 PM
  • Thanks MadLuka.

    I will just wait until I have tested a deployment to an internet client to make sure there are no further issues. Then I will give credit where it's due!

    Jay

    Monday, January 7, 2013 3:25 PM
  • OK so unfortunately despite apparently sorting out the certificates on my MP and ironing out the issues highlighted in the mpcontrol.log my internet client is still failing to install a deployed package.

    On the CCM Agent:

    The Connection Type is correctly displaying: currently internet

    The internet based management point (FQDN) is correctly configured in the network settings

    From a command prompt I can successfully complete an nslookup against the MP's machine name which reveals its IP.

    This is what the locationservices.log is reporting:

    <![LOG[Failed to retrieve DNS service record using _mssms_mp_su2._tcp.sub-domain.domain.com lookup. DNS returned error 10060]LOG]!><time="20:54:55.863+00" date="01-08-2013" component="LocationServices" context="" type="2" thread="4468" file="lsad.cpp:2845">

    <![LOG[No lookup MP(s) from DNS]LOG]!><time="20:54:55.863+00" date="01-08-2013" component="LocationServices" context="" type="1" thread="4468" file="lsad.cpp:1995">

    <![LOG[Attempting to retrieve default management points from lookup MP(s) via HTTPS]LOG]!><time="20:54:55.879+00" date="01-08-2013" component="LocationServices" context="" type="1" thread="4468" file="lsad.cpp:2181">

    <![LOG[LSGetManagementPointsForSiteFromManagementPoint: Client is on Internet, skipping Intranet MP list request.]LOG]!><time="20:54:55.879+00" date="01-08-2013" component="LocationServices" context="" type="1" thread="4468" file="lssecurity.cpp:5513">

    <![LOG[Unable to retrieve compatible MP(s) from AD]LOG]!><time="20:54:55.879+00" date="01-08-2013" component="LocationServices" context="" type="1" thread="4468" file="lsad.cpp:2229">

    <![LOG[LSGetManagementPointsForSite: Domain Joined Client is Internet Enabled]LOG]!><time="20:54:55.879+00" date="01-08-2013" component="LocationServices" context="" type="1" thread="4468" file="lsad.cpp:2235">

    <![LOG[LSUpdateInternetManagementPoints]LOG]!><time="20:54:55.879+00" date="01-08-2013" component="LocationServices" context="" type="1" thread="4468" file="lsad.cpp:2385">

    <![LOG[Current AD site of machine is Xxxxxxxx]LOG]!><time="20:54:55.894+00" date="01-08-2013" component="LocationServices" context="" type="1" thread="4468" file="lsad.cpp:601">

    <![LOG[Unable to retrieve AD forest + domain membership]LOG]!><time="20:54:55.894+00" date="01-08-2013" component="LocationServices" context="" type="1" thread="4468" file="lsad.cpp:664">

    <![LOG[Begin checking Alternate Network Configuration]LOG]!><time="20:54:55.894+00" date="01-08-2013" component="LocationServices" context="" type="1" thread="4468" file="ccmiputil.cpp:1069">

    <![LOG[Finished checking Alternate Network Configuration]LOG]!><time="20:54:55.910+00" date="01-08-2013" component="LocationServices" context="" type="1" thread="4468" file="ccmiputil.cpp:1146">

    <![LOG[Failed to retrieve DNS service record using _mssms_mp_XXX._tcp.sub-domain.domain.com lookup. DNS returned error 10060]LOG]!><time="20:54:56.097+00" date="01-08-2013" component="LocationServices" context="" type="2" thread="3388"

    <![LOG[No reply received]LOG]!><time="20:54:56.206+00" date="01-08-2013" component="LocationServices" context="" type="3" thread="912" file="lsutils.cpp:808">

    <![LOG[Failed to create Location Request Message body]LOG]!><time="20:54:56.206+00" date="01-08-2013" component="LocationServices" context="" type="3" thread="912" file="ccmpkglocation.cpp:144">

    <![LOG[No Location Reply received from internet_MP_FQDN]LOG]!><time="20:54:56.347+00" date="01-08-2013"

    <![LOG[LSUpdateInternetManagementPoints: No internet MPs were retrieved from internet MP, retaining previous list.]LOG]!><time="20:54:56.362+00" date="01-08-2013" component="LocationServices" context="" type="2" thread="4468" file="lsad.cpp:2405">

    <![LOG[There is no AMP for site code 'XXX'. Nulling existing entry in WMI]LOG]!><time="20:54:56.362+00" date="01-08-2013" component="LocationServices" context="" type="1" thread="4468" file="lsad.cpp:3536">

    <![LOG[No Location Reply received from internet_MP_FQDN]LOG]!><time="20:54:56.596+00" date="01-08-2013" component="LocationServices" context="" type="2" thread="3388" file="lssecurity.cpp:5262">

    Where am I going wrong!?

    Tuesday, January 8, 2013 9:13 PM
  • OK - so it looks like I have no service record on the external DNS for this: _mssms_mp_su2._tcp

    Has anyone got a link to where this is documented because I must have missed it. The only thing I remember reading in the documentation was making sure that the MP FQDN was on the external DNS.

    Jay

    Wednesday, January 9, 2013 4:30 PM
    I don't recall having to do anything with that name/record.  The last implementation I did (excluding the work getting TMG certificates forwarding etc.) simply required the customer to register a unique name with their provider which resolved to one of their existing static IPs coming into their business.

    Can you get to the https IIS default website (if enabled/allowed) of your MP from a system on an external internet link?


    My Personal Blog: http://madluka.wordpress.com

    Wednesday, January 9, 2013 5:46 PM
  • Hey MadLuka,

    To answer your question I can get to the default IIS website of my MP using HTTPS no problem.

    In regards to the _mssms_mp_XXX._tcp service record it is mentioned on these two links albeit for SCCM 2007:

    http://social.technet.microsoft.com/Forums/en-US/configmgrsetup/thread/dc24a481-fdfb-4e44-8c4c-a80b920da913

    http://technet.microsoft.com/en-us/library/bb632936.aspx

    Jay

    Wednesday, January 9, 2013 8:50 PM
  • The publishing of the DNS record by the MP must have just worked in the background for me, as it was something I didn't have to do.  Do you have those SRV records for your MP?

    My Personal Blog: http://madluka.wordpress.com

    Thursday, January 10, 2013 4:34 PM
  • Believe this is for publishing to the internal DNS, and is configurable as a site option (publish to DNS) and is probably why MadLuka didn't have to configure this. I think it is on by default no?

    I was thinking a few weeks back whether you needed to do this on the public DNS, clutching at straws there really as I've not had to do that myself, or heard of others having to complete that step.

    I know the MP+WS certificate issue has been sorted, but I'd start from the top and work my way back down the list of things needed to be performed, checking my certs, my infra, accessibility, registrations, and then pour deep into those logs.

    It is so difficult to fix this kind of thing blind, all we can ask is for you to walk the list of steps again. I'm sure if MadLuka or myself was there we'd see the issue and move you on :-( I worked for CSS and had a Native Mode case come in, we spent a long time working the case, and along every step of the way there was an assumption by the client (sometimes due to misreads of the docs or because of missing info) who configured things either partially, incorrectly or correctly, we worked our way through the list of steps and untied everything and it worked. I remember his shout of "YESSSSSS!" over the phone when the test-client worked :-) Hope you get to shout that soon buddy.

    What you are implementing there is something very technical in nature and complex in implementation :-( Keep posting what you find, we continue to help!


    Rob Marshall | UK | My Blog | WMUG | File CM12 Feedback | CM12 Docs | CM12 Release Notes

    Friday, January 25, 2013 12:44 PM
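Added example (editor's note; not from any reply in the thread): the client-side checks Rob lists, as a PowerShell script to run from an internet client, in the order LocationServices attempts them: name resolution and TCP 443 (which is all that telnet proves), the optional _mssms_mp_<sitecode>._tcp SRV lookup, and finally an HTTPS request to the MP's own test URLs (/sms_mp/.sms_aut?mplist and ?mpcert) presenting the client authentication certificate. mp.domain.com, SU2 and domain.com are placeholders, and Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later.

```powershell
# Added example (editor's note): what an internet client can check against an IBCM
# management point, in the order LocationServices tries them. Placeholders: mp.domain.com,
# SU2, domain.com. Requires Windows 8 / Server 2012+ for Resolve-DnsName / Test-NetConnection.

param(
    [string]$Mp       = 'mp.domain.com',
    [string]$SiteCode = 'SU2',
    [string]$Domain   = 'domain.com'
)

# 1. Name resolution and TCP reachability: this is all that "telnet mp 443" proves.
$aRecords = Resolve-DnsName -Name $Mp -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress }
if (-not $aRecords) { Write-Warning "$Mp does not resolve from this network"; return }
"$Mp -> $($aRecords.IPAddress -join ', ')"
"TCP 443 reachable: $(Test-NetConnection -ComputerName $Mp -Port 443 -InformationLevel Quiet)"

# 2. Optional SRV lookup (_mssms_mp_<site>._tcp.<domain>). On the internet a miss here
#    (error 10060 timeout, 9852 no DNS servers) is expected when the client was given the
#    MP FQDN with CCMHOSTNAME; it falls back to that name.
$srv = Resolve-DnsName -Name "_mssms_mp_$SiteCode._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.NameTarget }
if ($srv) { 'SRV: ' + (($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ') }
else      { "No _mssms_mp_$SiteCode._tcp SRV record on this DNS (fine with CCMHOSTNAME set)" }

# 3. The MP's test URLs. Over HTTPS with client authentication the request has to present
#    the client's Client Authentication certificate (EKU 1.3.6.1.5.5.7.3.2), so pick the
#    newest one with a private key from the machine store, as the agent would.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) { Write-Warning 'No client authentication certificate with a private key in LocalMachine\My'; return }
"Using client certificate $($clientCert.Thumbprint) ($($clientCert.Subject))"

foreach ($query in 'mplist', 'mpcert') {
    $uri = "https://$Mp/sms_mp/.sms_aut?$query"
    try {
        $r = Invoke-WebRequest -Uri $uri -Certificate $clientCert -UseBasicParsing
        '{0}: HTTP {1}, {2} bytes' -f $query, $r.StatusCode, $r.RawContentLength
    } catch {
        # 403 with a certificate presented: the MP rejected it (chain, CRL, EKU, or the MP
        # has no client-auth certificate of its own). 500: the MP itself is unhealthy, read
        # mpcontrol.log. A TLS error before any HTTP status: the MP's server certificate
        # failed validation on this client (trust chain or CRL reachability).
        Write-Warning ('{0}: {1}' -f $uri, $_.Exception.Message)
    }
}
```

A clean HTTP 200 from mplist with the client certificate is the test that actually corresponds to what the agent does; reaching the IIS default page or telnetting to 443 only exercises the server certificate half of the mutual TLS handshake.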
  • YES YES YES YES YES YES.... YES!

    Very pleased to say that this is now working and last night I successfully downloaded and ran a small deployed package at home! :)

    Many thanks to all who assisted me in getting this sorted. I'm not sure what the problem was TBH. I ended up ripping out my internet based MP and DP from SCCM and then adding them back in, I double checked all my certs and did an independent test to make sure I could download a package over HTTPS from my internet DP internally and then I ripped out the SCCM agent from my test laptop and reinstalled it and then hey presto it was working.

    I still get this message in my locationservices log: 'Failed to retrieve DNS service record using _mssms_mp_XXX._tcp.sub-domain.domain.com lookup. DNS returned error 10060' so that was obviously a red herring and wasn't required.

    A couple of quick questions which should allow me to now get this finished off:

    1) Can I add the following as MSI installation properties into the Setup Windows and ConfigMgr step of my OSD Task Sequence in order for laptops to be ready to be used internally and externally as soon as they are built:

    CCMHOSTNAME="xxxxxx.xxx.xxx"

    FSP="xxxxxx.xxx.xxx"

    /NoCRLCheck

    /UsePKICert

    My plan was for laptops to use my central site server and DPs over HTTP when onsite and then only use the internet based MP and DP over HTTPS when they roam offsite.

    2) Is it possible for me to update existing laptops in our estate which already have the SCCM agent on them with these new settings enabling them to receive updates offsite - possibly by importing some registry keys?

    Thanks,

    Jay

    • Marked as answer by Jaysoul Thursday, March 28, 2013 12:23 PM
    Wednesday, January 30, 2013 8:54 AM
  • 1. You can only add MSI properties such as the CCMHOSTNAME (but not SMSSITECODE) to the Setup Windows and ConfigMgr step, but never the ccmsetup.exe properties like /NoCRLCheck.  From experience, I have only ever needed to specify CCMHOSTNAME=internetmp.mydomain.com

    2. I believe it is an uninstall and reinstall of the client to specify that the client can be internet based.


    My Personal Blog: http://madluka.wordpress.com


    • Edited by MadLuka Wednesday, January 30, 2013 12:30 PM
    Wednesday, January 30, 2013 12:29 PM
  • As an aside, SP1 allows more CCMSETUP properties to be used in Client Installation settings, I am not sure if this functionality is present in the TS step. Not sure if the doc's been updated to reflect that yet: http://technet.microsoft.com/en-us/library/gg699356.aspx

    Rob Marshall | UK | My Blog | WMUG | File CM12 Feedback | CM12 Docs | CM12 Release Notes

    Thursday, February 14, 2013 6:59 PM
  • Epic thread Jaysoul, did you get any traction, fix this?

    Rob Marshall | UK | My Blog | WMUG | File CM12 Feedback | CM12 Docs | CM12 Release Notes

    Friday, February 22, 2013 9:35 PM
  • Haha. Thanks Rob!

    Yes all sorted and working now. New machines which are imaged with OSD are internet ready. The only thing I still have to test which I haven't got round to yet is whether I can update agents on the machines which were imaged without the internet based MP details simply by adding in the relevant registry keys or whether as someone suggested earlier it would need to be a reinstall of the agent.

    Jay

    Friday, March 1, 2013 2:30 PM
  • Great, when you're ready, mark a few of the posts here that helped as Answers; it helps anyone else coming here with the same issue :-)

    Rob Marshall | UK | My Blog | WMUG | File CM12 Feedback | CM12 Docs | CM12 Release Notes

    Thursday, March 7, 2013 7:00 PM
  • So I've just got round to testing changing a SCCM client deployed pre-IBCM changes and can confirm that there is no need to uninstall and reinstall the client. All I had to do was import these registry keys:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Internet Facing]
    "Internet MP Hostname"="xxxxxxxxxxxxxxxxx"
    "Internet MP Index"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCMSetup]
    "LastSuccessfulInstallParams"="\"/runservice\" \"/mp:xxxxxxxxxxxxxx\" \"SMSSITECODE=XXX\" \"CCMHOSTNAME=xxxxxxxxxxxxxxxxxx\" \"FSP=xxxxxxxxxxxxxxxx\" \"/NoCRLCheck\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM\FSP]
    "HostName"="xxxxxxxxxxxxxxxxxxxxx"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM]
    "PKICertReady"=dword:00000001

    After adding these keys and provided the client has the correct certs I was able to download packages off-site successfully.

    I'll now be deploying these settings to all my laptops that were imaged before implementing IBCM.

    Thanks all.

    Jay

    Thursday, March 28, 2013 12:27 PM
  • You might want to test if those manually added registry keys stick around if you perform a repair?  Or if the CCMEVAL process initiates a repair?

    My Personal Blog: http://madluka.wordpress.com

    Friday, March 29, 2013 12:16 PM
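An added verification script for the two points above: it reads back the registry values Jay imported and reports whether the client looks internet-ready, so it can be re-run after a ccmsetup repair or a CCMEval cycle to see whether the manually added keys survive, as MadLuka suggests testing. This is example code written for this thread, not a script from the thread, from ConfigMgr, or from Microsoft. The registry paths and value names are exactly the ones in Jay's .reg fragments; the internet MP FQDN is a placeholder, and the client-authentication certificate check (Client Authentication EKU 1.3.6.1.5.5.7.3.2 with a private key in the computer's Personal store) and the TCP 443 probe are assumptions about what an HTTPS-only internet client needs, added here rather than taken from the posts.

```powershell
# Added example (not from the thread, ConfigMgr or Microsoft): report whether a
# ConfigMgr 2012 client carries the IBCM settings that were imported via registry.
# Registry paths/values are those quoted in the thread; the certificate and port
# checks are additional assumptions. Run elevated on the client being checked.

$expectedMp = 'internetmp.example.com'   # assumed placeholder: your internet MP FQDN

$checks = @()

function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $script:checks += New-Object PSObject -Property @{
        Check = $Name; Passed = $Passed; Detail = $Detail
    }
}

# Returns a registry value, or $null when the key or value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Internet MP hostname and index (HKLM\SOFTWARE\Microsoft\SMS\Client\Internet Facing)
$ifPath = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Internet Facing'
$mp  = Get-RegValue $ifPath 'Internet MP Hostname'
$idx = Get-RegValue $ifPath 'Internet MP Index'
Add-Check 'Internet MP Hostname matches expected' ($mp -eq $expectedMp) "value: $mp"
Add-Check 'Internet MP Index = 1' ($idx -eq 1) "value: $idx"

# 2. Fallback status point hostname (HKLM\SOFTWARE\Microsoft\CCM\FSP)
$fsp = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\CCM\FSP' 'HostName'
Add-Check 'FSP HostName set' (-not [string]::IsNullOrEmpty($fsp)) "value: $fsp"

# 3. PKICertReady flag (HKLM\SOFTWARE\Microsoft\CCM)
$pki = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\CCM' 'PKICertReady'
Add-Check 'PKICertReady = 1' ($pki -eq 1) "value: $pki"

# 4. LastSuccessfulInstallParams carries CCMHOSTNAME, so a later ccmsetup repair
#    re-applies the internet MP instead of silently dropping it
$params = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\CCMSetup' 'LastSuccessfulInstallParams'
Add-Check 'CCMHOSTNAME in LastSuccessfulInstallParams' ($params -match 'CCMHOSTNAME=') "value: $params"

# 5. Assumed check: an unexpired certificate with the Client Authentication EKU and a
#    private key in the computer's Personal store, which the client needs for HTTPS
$clientCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
})
Add-Check 'Client authentication certificate present' ($clientCerts.Count -gt 0) "count: $($clientCerts.Count)"

# 6. Assumed check: TCP 443 reachable on the internet MP (what Jay tested with telnet).
#    Uses TcpClient rather than Test-NetConnection so it also works on older clients.
$reachable = $false
if (-not [string]::IsNullOrEmpty($mp)) {
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($mp, 443)
        $reachable = $tcp.Connected
        $tcp.Close()
    } catch { $reachable = $false }
}
Add-Check "TCP 443 reachable on $mp" $reachable ''

$checks | Select-Object Check, Passed, Detail | Format-Table -AutoSize

# Non-zero exit code when any check fails, so the script can feed a compliance baseline
if ($checks | Where-Object { -not $_.Passed }) { exit 1 } else { exit 0 }
```

Run it once right after importing the keys to get a baseline, then again after forcing a client repair and after the next scheduled CCMEval run; a check that flips from passed to failed between those runs tells you which of the imported values did not stick.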