SCCM Client not picking up right certificate during installation

  • Question

  • Hello There,

    I am installing the Configuration Manager client (ccmsetup.exe) manually on client computers. Some of the computers have multiple certificates in the machine's personal store, and the SCCM client is generating an SMS certificate in the SMS store.

    Now the problem is that on the machines having multiple certificates, the SCCM client is not able to choose the proper cert and thus it's failing.

    How can I force the client to choose SMS cert? I know I can use a property in Client configuration in SCCM console, but I am not using push method so this is not feasible for me.

    Here is the ClientIDManagerStartup log.


    MCTS|MCSE|MCSA:Messaging|CCNA

    Wednesday, July 20, 2016 3:35 AM

All replies

  • Have you tried using CCMSetup.exe with the client.msi parameter CCMCERTSEL ?

    https://technet.microsoft.com/en-au/library/gg699356.aspx


    Nick | https://brotechcm2012.wordpress.com/

    Wednesday, July 20, 2016 4:16 AM
  • Hi Nick,

    That parameter can only be used when deploying SCCM from the console (push installation). I am not using push installation due to some constraints. I want to deploy it manually on the client.

    Thanks


    MCTS|MCSE|MCSA:Messaging|CCNA

    Wednesday, July 20, 2016 5:18 AM
  • Have you tested that? You can use the client.msi setup properties with ccmsetup.exe:

    CCMSetup.exe [Ccmsetup properties] [client.msi setup properties]

    Nick | https://brotechcm2012.wordpress.com/

    Wednesday, July 20, 2016 5:36 AM
  • Nope, it's not working. I ran the command ccmsetup.exe CCMCERTSEL="Subject:SMS"

    but it made a partial install. And now only a service named ccmsetup is running, which I can't remove using ccmsetup.exe /uninstall


    https://www.udemy.com/mastering-dns-on-windows-server-2012-r2/?couponCode=code100 MCTS|MCSE|MCSA:Messaging|CCNA


    Wednesday, July 20, 2016 9:42 AM
  • Are you using HTTPS client communication?

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, July 20, 2016 1:37 PM
  • Hi Jason,

    I am not using HTTPS.


    https://www.udemy.com/mastering-dns-on-windows-server-2012-r2/?couponCode=code100 MCTS|MCSE|MCSA:Messaging|CCNA

    Thursday, July 21, 2016 3:37 AM
  • So no need for PKI certs at all then.

    What command line / push parameters were used?


    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, July 21, 2016 5:56 AM
  • Hi Torsten,

    Even if we are not using HTTPS communication, the SCCM client requires a self-signed certificate in order to register with the site server. So a self-signed cert is being generated, but on systems having multiple certificates, the client is not choosing the right certificate. (Please check the first post and logs.)

    I am not pushing the client; instead I am manually running ccmsetup.exe. I even tried push installation using the parameter CCMCERTSEL="Subject:SMS", but no luck.

    Is there any way I can force the client to pick the desired certificate while installing the client?

    Ideally, if MS has configured SCCM to generate a self-signed certificate named "SMS", then they should have configured the client to pick the SMS subject name certificate as the preferred cert.


    https://www.udemy.com/mastering-dns-on-windows-server-2012-r2/?couponCode=code100 MCTS|MCSE|MCSA:Messaging|CCNA


    Thursday, July 21, 2016 7:04 AM
  • Change your site settings on the Client Communication tab so that clients don't ever try to use PKI certs.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thursday, July 21, 2016 1:07 PM
  • Change your site settings on the Client Communication tab so that clients don't ever try to use PKI certs.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Yes! This was the fix for me. Thank you!
    Friday, November 16, 2018 1:10 AM