MP has rejected the request because Client certificate has expired

  • Question

  • Hi,

    I'm getting a lot of warnings logged for the 'SMS_MP_CONTROL_MANAGER' component (around 20 an hour). The message body is:
    "MP has rejected the request because Client(SMSID = GUID:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX) certificate has expired." Message ID:5446

    The site is in Native mode running SCCM SP2 (Version: 4.00.6487.2000) on Windows Server 2003 SP2. The affected site server is holding the following roles: Assets Intelligence Synchronization Point, Distribution Point, Management Point, Reporting Point, Software Update Point.

    I've run the following SQL query to determine which system is affected:
    select Name0 from v_r_system where SMS_Unique_Identifier0 = 'GUID:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX'
    And it's the Management Point itself. I've tried to determine which certificate is causing the problem but I can't find any errors. I've checked:
    - Machine certificate
    - Primary site server Document signing certificate
    - Management point & Software update point certificate
    - PXE boot point certificate

    All certificates are valid. I've also checked CertificateMaintenance.log on the site server and there are no errors.
    Can someone explain why these warnings appear and how to fix this issue? These errors started one week ago.


    I've already reviewed the following topics and no luck so far:
    http://social.technet.microsoft.com/Forums/en-US/configmgribcm/thread/d88ccd6b-a6a2-42f3-ad58-67806dae0f57
    http://social.technet.microsoft.com/Forums/en-US/configmgribcm/thread/5d5fa42a-0087-4bdf-8fe2-045618bfee43
    http://social.technet.microsoft.com/Forums/en-US/configmgradminconsole/thread/a30f6c24-022e-43a7-97c8-8d8f857bc0ed
    http://social.technet.microsoft.com/Forums/en/configmgrgeneral/thread/a990d76f-83a9-4d89-aeec-de466a757c4f

    Any help appreciated.

    Tuesday, April 27, 2010 10:58 AM

Answers

  • Did someone mess with the certificate or remove it and then put it back?  Or has the certificate expired at the CA but was never filtered down to the Server?  Do you have a Root Certificate that is on the machine? If the root cert for your AD expired you might check that one out.  I would run through your Certificate Store on the machine and look at all the certificates for your servers and roots to see if one of those is expired and therefore causing the problem. 

    MMC>Certificates and run through the personal store, trusted Root Certification authorities, Intermediate Certification authorities/Certificates

    You will start to see your clients picking this up too soon I am sure.

    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
    • Marked as answer by santospl Tuesday, May 4, 2010 10:13 AM
    Tuesday, April 27, 2010 1:08 PM
  • Couple of other things to try - this sounds to me like it's the client authentication certificate on the management point so using the Certificates MMC on the local computer, Computer store, Personal\Certificates, check the certificates with "Client Authentication" in the Intended Purposes column and the Expiration Date.  Have a look to see how many certificates there are in this store with this client authentication purpose listed, and if more than one, check which certificate selection criteria you're using in Configuration Manager.

    I know you said that all the certificates look valid, but try running Sccmnativemodereadiness.exe on this computer and check the results in the corresponding log file or report:  http://technet.microsoft.com/en-us/library/bb680986.aspx  This uses the same Configuration Manager logic for checking certificates and can be more reliable than using the Certificates MMC. 

    Because you're seeing this error in the SMS_MP_CONTROL_MANAGER component, it sounds like the check against the management point is failing - which in itself doesn't stop native mode communication from working. Check MPControl.log for errors (you will see the management point go through the list of available certificates and should finally see "Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK").  If the check fails because it can't find a good certificate, the status of the management point goes red in the console because Configuration Manager can't confirm whether it's functional/online.  Have you tried stopping and restarting the management point?

    Assuming there is a Configuration Manager client on this computer, is it receiving policy?  Try restarting the client on this computer and checking ClientIDManagerStartup.log.  It's possible that the behavior for selecting a certificate is different for a client than the management point check.  For example, if you have the certificate selection criteria of the longest validity period, I know that the client goes through this selection process with every packet that it sends, and so it can quickly select a new certificate - but I don't know how often the management point reselects a client certificate for the self-check. 

    • Marked as answer by santospl Tuesday, May 4, 2010 10:13 AM
    Tuesday, April 27, 2010 4:10 PM
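    The manual check the answer above describes (Certificates MMC, Computer store, Personal\Certificates, look for "Client Authentication" in Intended Purposes and compare expiration dates, then count candidates and think about the selection criterion) can be scripted. The script below is an added example written for this page; it is not from the thread, from Microsoft, or from the Sccmnativemodereadiness tool, and it does not reproduce Configuration Manager's own selection logic. It assumes it is run elevated on the management point, that the Client Authentication EKU OID is 1.3.6.1.5.5.7.3.2 (the standard id-kp-clientAuth value), and it uses 'mydomain.net' only as a placeholder for the site's "Subject contains string" criterion.

```powershell
# Added example (not from the thread or from Configuration Manager itself):
# list client-authentication certificates in the local computer's Personal
# store, flag expired ones and ones without a private key, and apply the two
# selection rules mentioned in the thread so the operator can see which
# certificate each rule would pick.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (RFC 5280), assumed standard value
$SubjectMatch  = 'mydomain.net'        # placeholder for the site's "Subject contains string" criterion
$Now           = Get-Date

# Returns $true when the certificate carries the Client Authentication EKU.
function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthOid) { return $true }
            }
        }
    }
    return $false
}

# Same store the MMC shows as "Personal" under the Computer account.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-ClientAuthEku $_ })

# One row per candidate: expiry, days left, and whether the private key is present
# (a certificate without its private key cannot be used for client authentication).
$report = $candidates | ForEach-Object {
    New-Object PSObject -Property @{
        Thumbprint    = $_.Thumbprint
        Subject       = $_.Subject
        NotBefore     = $_.NotBefore
        NotAfter      = $_.NotAfter
        DaysLeft      = [int]($_.NotAfter - $Now).TotalDays
        Expired       = ($_.NotAfter -lt $Now)
        HasPrivateKey = $_.HasPrivateKey
    }
}
$report | Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, NotAfter, DaysLeft, Expired, HasPrivateKey -AutoSize

"Client-authentication certificates found: $($candidates.Count)"
if ($candidates.Count -gt 1) {
    "More than one candidate: confirm which certificate selection criterion the site is configured with."
}

# Rule 1: "Subject contains string" - only still-valid certificates with a private key qualify.
$bySubject = @($candidates | Where-Object {
    $_.Subject -like "*$SubjectMatch*" -and $_.NotAfter -gt $Now -and $_.HasPrivateKey
})
"Valid certificates whose subject contains '$SubjectMatch': $($bySubject.Count)"
$bySubject | ForEach-Object { "  $($_.Thumbprint)  expires $($_.NotAfter)" }

# Rule 2: longest validity period among still-valid certificates with a private key.
$longest = $candidates | Where-Object { $_.NotAfter -gt $Now -and $_.HasPrivateKey } |
    Sort-Object { $_.NotAfter - $_.NotBefore } -Descending | Select-Object -First 1
if ($longest) {
    "Longest validity period: $($longest.Thumbprint) (valid $($longest.NotBefore) to $($longest.NotAfter))"
}
```

    Run it before and after an auto-enrollment renewal and compare the thumbprints: if the store now holds a new certificate but the management point keeps reporting the old SMSID's certificate as expired, the component is holding on to a certificate that is no longer the one either rule would choose, which is the situation the thread ends up describing.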
  • Hi Lads,

    Thank you for all answers and sorry for delay on this.

    To answer the first post. Yes, someone messed with the certificate and that was me. Computer certificates in our domain are auto-enrolled and due for renewal every 6 months. Since this cert also has 'Server Authentication' capabilities I'm using it for my Software Update Point as well. Therefore it also resides in the Trusted Root Certification Authorities store on every PC (deployed through GPO). So I have to renew it every 6 months and then deploy it again.
    The error described in the first post appeared in my SCCM infrastructure a few months ago but I didn't link it to the cert renewal. It cleared itself after a few days so I didn't pay much attention to it.
    I obviously checked all certs as stated in your post but all of them are valid.

    To answer the second post. There is only one cert with 'Client Authentication' capabilities in the Personal store. The selection criteria is 'Subject contains string: mydomain.net'. I've also run the Sccmnativemodereadiness.exe tool on the affected computer but the report was empty.
    The MPControl.log shows the following entries:
    "Certificate has "SSL Client Authentication" capability.   
    Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK
    Http test request succeeded.
    Successfully performed Management Point availability check against local computer.
    CryptVerifyCertificateSignatureEx returned error 0x80090006."

    Initially I thought that the last row was the answer but after reading this: http://blogs.technet.com/configmgrteam/archive/2009/01/20/cryptverifycertificatesignatureex-returned-error-0x80090006-what-does-this-mean.aspx it appears that it's a 'good error'.
    The client wasn't checking for policies correctly - the machine didn't pull the last set of updates. Also rebooting the SCCM client/management point server didn't resolve the issue.

    The issue was resolved by uninstalling the SCCM client on the site server and installing it again. I'm positive now that the renewed certificate was the issue here (even though the errors started coming in after 2 weeks). SCCM must have cached the old cert somehow and didn't use the renewed one. I think that reinstalling the SCCM client forced the server to use the proper cert.

    Thank you again for your help on this. You both pointed me in the right direction.
    • Marked as answer by santospl Tuesday, May 4, 2010 10:13 AM
    Tuesday, May 4, 2010 10:13 AM

All replies

  • Any update on this?
    Monday, May 3, 2010 3:13 PM