SCCM client fails to register correctly

  • Question

  • I'm new to ConfigMgr and am building an SCCM 2012 environment at the moment. We don't have an internal PKI so I've configured the environment to use HTTP rather than HTTPS. I've tried pushing a client to a PC in our environment and the client appears to install successfully. However, I see the following error on the server.

    MP has rejected registration request due to failure in client certificate (Subject Name: <COMPUTER NAME>) chain validation. If this is a valid client, Configuration Manager Administrator needs to place the Root Certification Authority and Intermediate Certificate Authorities in the MP's Certificate store or configure Trusted Root Certification Authorities in primary site settings. The operating system reported error 2148204810: A certificate chain could not be built to a trusted root authority.

    In the Assets and Compliance -> Devices view SCCM says the PC does not have a client installed and I am unsure as to how to proceed. Any suggestions as to how to get things working would be very much appreciated.

    Thanks.

    Monday, September 17, 2012 1:47 PM

All replies

  • Have you added any client push installation parameters?
    What does ClientIDManagerStartup.log (on the client) tell?

    Torsten Meringer | http://www.mssccmfaq.de

    Monday, September 17, 2012 1:52 PM
  • The only change to the default client push parameters I made was to specify the Client Push Installation Account.

    I've checked and the ClientIDManagerStartup.log doesn't appear to exist in the %WINDIR%\SysWOW64\CCM\Logs folder. In fact, the %WINDIR%\SysWOW64\CCM\Logs folder doesn't seem to exist, even though this is a 64-bit OS (Win 7 Pro x64) that I'm trying to install the client on.

    Monday, September 17, 2012 2:27 PM
  • %windir%\ccm\Logs

    Torsten Meringer | http://www.mssccmfaq.de

    Monday, September 17, 2012 2:32 PM
  • Looking in the right place makes things so much simpler. Thanks.

    <![LOG[GetSystemEnclosureChassisInfo: IsFixed=TRUE, IsLaptop=TRUE]LOG]!><time="15:31:18.401-60" date="09-17-2012" component="ClientIDManagerStartup" context="" type="1" thread="6752" file="ccmid.cpp:210">
    <![LOG[Computed HardwareID=2:39879E8C26912C2067F5572C95884A5B2ADD8B8E
     Win32_SystemEnclosure.SerialNumber=#######
     Win32_SystemEnclosure.SMBIOSAssetTag=<empty>
     Win32_BaseBoard.SerialNumber=/#######/##############/
     Win32_BIOS.SerialNumber=#######
     Win32_NetworkAdapterConfiguration.MACAddress=<Not used on laptop>]LOG]!><time="15:31:18.401-60" date="09-17-2012" component="ClientIDManagerStartup" context="" type="1" thread="6752" file="ccmid.cpp:449">
    <![LOG[[RegTask] - Client is not registered. Sending registration request for GUID:D331DE2C-79CE-4DFF-9EA7-D0A17894BEFB ...]LOG]!><time="15:31:18.411-60" date="09-17-2012" component="ClientIDManagerStartup" context="" type="1" thread="6752" file="regtask.cpp:1595">
    <![LOG[[RegTask] - Server rejected registration request: 3]LOG]!><time="15:31:18.481-60" date="09-17-2012" component="ClientIDManagerStartup" context="" type="3" thread="6752" file="regtask.cpp:1662">
    <![LOG[Sleeping for 223 seconds before refreshing location services.]LOG]!><time="15:32:34.504-60" date="09-17-2012" component="ClientIDManagerStartup" context="" type="1" thread="6752" file="regtask.cpp:192">

    Monday, September 17, 2012 2:39 PM
  • Are you using HTTPS for communication to the MP, or is HTTP chosen?
    Tuesday, September 18, 2012 11:10 AM
  • The MP is set to use the HTTP option, rather than the HTTPS option.
    Tuesday, September 18, 2012 11:13 AM
  • On the site properties, under the Client Computer Communication tab, the 'Use PKI client certificate (client authentication capability) when available' checkbox is selected. This sounds like it could be the cause of my problem, but like I say I am new to SCCM and am nervous of breaking the server. Should this be turned on in the scenario where I do not have a PKI and am not using HTTPS? My inclination is to turn this off and see if this fixes the issue, but I would like a little guidance on this before I go ahead and do it.

    Thanks.

    Tuesday, September 18, 2012 11:38 AM
  • Do you have an auto-enrolled certificate to domain clients?

    Think it's pretty safe to test disabling of the option. As you don't have an internal PKI infrastructure anyhow, site systems shouldn't currently be communicating over HTTPS.

    • Marked as answer by Andy_M Tuesday, September 18, 2012 2:07 PM
    Tuesday, September 18, 2012 11:58 AM
  • We don't intentionally do anything with certificates. However, on a hunch I checked the Local Computer certificate store and under Personal is a certificate with my computer name. This appears to have been issued by SC_Online_Issuing, which after a little online digging appears to be related to the Asset Inventory Service from MDOP. I'm wondering if this is what's causing the problem. I'm going to remove this certificate and the AIS client and see if it then allows my client to register correctly. If that doesn't work I'll then go down the route of clearing the checkbox on the site.
    Tuesday, September 18, 2012 1:50 PM
  • After I uninstalled the AIS client I rebooted my PC. I then went into the Local Computer certificate store to find that the certificate had been removed. I then checked the SCCM console and my computer had successfully registered itself with SCCM. Many thanks to Per and Torsten for their assistance with fixing this one.
    • Marked as answer by Andy_M Tuesday, September 18, 2012 2:07 PM
    Tuesday, September 18, 2012 2:07 PM
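
An added example, not part of the original thread: a read-only PowerShell check for the condition found above. It lists the certificates in the Local Computer Personal store that are usable for client authentication, with their issuer and whether Windows can build a chain to a trusted root. Skipping revocation checks is an assumption made here so that only chain building is tested.

```powershell
# Added example (not from the thread). Read-only inventory of
# Cert:\LocalMachine\My; run from an elevated prompt on the affected client.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # A certificate with no EKU extension is valid for all purposes,
    # so it is treated as client-authentication capable as well.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } |
                 ForEach-Object { $_.Value })
    $clientAuthCapable = (-not $ekuExt) -or ($ekuOids -contains $clientAuthOid)

    # Try to build a chain using this machine's trust stores.
    # Revocation is not checked (assumption, see lead-in).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainBuilds = $chain.Build($cert)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $chain.Reset()

    New-Object PSObject -Property @{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        Thumbprint        = $cert.Thumbprint
        NotAfter          = $cert.NotAfter
        ClientAuthCapable = $clientAuthCapable
        ChainBuilds       = $chainBuilds
        ChainStatus       = $chainStatus
    }
} |
    Where-Object { $_.ClientAuthCapable } |
    Select-Object Subject, Issuer, Thumbprint, NotAfter, ChainBuilds, ChainStatus |
    Format-List
```

The management point validates the chain against its own trust stores, so a chain that builds on the client can still be rejected there. In an environment with no internal PKI, the Issuer field is the one to read: any client-authentication certificate listed was put there by something else, as the SC_Online_Issuing certificate was in this thread.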