Particular MP not working with PKI RRS feed

  • Question

  • We have 2 management points, split by Boundary Groups: 1 for desktops, 1 for servers. SCCM is running 2012 R2 CU4. Clients use PKI for certificates to connect to our SCCM MP. This works OK for desktops: in the SCCM control panel, it shows “Client certificate: PKI”.

    However, servers (assigned to the other MP) get “Client Certificate: None”. Servers don’t get software. In the SCCM console, the SCCM client is “Installed”, but “Inactive”.

    For an inactive server, I traced the following logs:

    IIS:
    x.x.168.164 CCM_POST /ccm_system_windowsauth/request - 80 - x.x.68.21 ccmhttp 401 2 5 1509 0
    x.x.168.164 CCM_POST /ccm_system_windowsauth/request - 80 domain\servername$ x.x.68.21 ccmhttp 200 0 0 4042 31
    x.x.168.164 GET /SMS_MP/.sms_aut MPLIST 80 - x.x.68.21 SMS+CCM+5.0 200 0 0 942 0
    x.x.168.164 GET /SMS_MP/.sms_aut MPKEYINFORMATIONEX 80 - x.x.68.21 SMS+CCM+5.0 200 0 0 3806 15

    CertificateMaintenance.log
    Failed to verify signature of message received from MP using name 'servername.domain.LOCAL'

    ClientIDManagerStartup.log
    RegTask: Failed to send registration request message. Error: 0x87d00309

    RegTask: Failed to send registration request message. Error: 0x87d00309

    LocationServices.log:
    Failed to verify message. Sending MP [servername.domain.local] not in cached MPLIST.

    Failed to verify message. Sending MP [servername] not in cached MPLIST.

    ClientAuth.log:
    Error signing client message (0x80004005).

    CAS.log
    Software Distribution site settings (CCM_SoftwareDistributionClientConfig) policy does not yet exist on the client.
    If the client is not yet registered, this is expected behavior.

    When I create an extra boundary which redirects servers to the Desktop MP, they register correctly. I then remove the extra boundary, and the SCCM client continues to work. I get updates and software without issues, and the “Client Certificate” in the SCCM console is still “PKI”.

    Since everything works OK with the Desktop MP, the problem MUST be in our Server MP.
    I therefore reinstalled the Management Point role, but the issue still exists.

    Any help on how to further troubleshoot this? Should I delete certificates from the server? Are permissions in IIS not set correctly?
    Since the server also functions as Distribution Point, I prefer solving the issue rather than building a new server as MP.

    Thanks

    • Edited by .Christian Friday, August 3, 2018 1:15 PM
    Thursday, March 10, 2016 1:19 PM
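    The IIS entries in the question are the one place where both sides of the exchange are visible, so a small triage script helps confirm which layer actually failed before touching certificates or the MP role. The following is an added example, not code from the thread or from ConfigMgr: it parses the four IIS lines quoted above (embedded as a constructed sample, with the date/time columns already stripped as in the post), labels the 401 sub-status the way Jason does (401.2), records the request that authenticated as the machine account, and notes when the client registration endpoint was reached on a port other than 443, a check motivated by Jason's HTTPS question. The column order and the expectation of HTTPS on 443 are assumptions, not something the thread states.

```python
"""Triage the IIS W3C entries pasted in the question (added example, not from the thread)."""
from collections import Counter

# Assumed column order for the lines as pasted (date and time already removed).
FIELDS = [
    "s_ip", "cs_method", "cs_uri_stem", "cs_uri_query", "s_port",
    "cs_username", "c_ip", "cs_user_agent", "sc_status", "sc_substatus",
    "sc_win32_status", "sc_bytes", "time_taken",
]

# IIS HTTP 401 sub-status meanings; 401.2 is the one quoted in Jason's reply.
SUBSTATUS_401 = {
    1: "Logon failed",
    2: "Logon failed due to server configuration",
    3: "Unauthorized due to ACL on resource",
    4: "Authorization failed by filter",
    5: "Authorization failed by ISAPI/CGI application",
    7: "Access denied by URL authorization policy",
}

# Constructed sample: the four IIS entries quoted in the question, verbatim.
SAMPLE_LOG = [
    "x.x.168.164 CCM_POST /ccm_system_windowsauth/request - 80 - x.x.68.21 ccmhttp 401 2 5 1509 0",
    r"x.x.168.164 CCM_POST /ccm_system_windowsauth/request - 80 domain\servername$ x.x.68.21 ccmhttp 200 0 0 4042 31",
    "x.x.168.164 GET /SMS_MP/.sms_aut MPLIST 80 - x.x.68.21 SMS+CCM+5.0 200 0 0 942 0",
    "x.x.168.164 GET /SMS_MP/.sms_aut MPKEYINFORMATIONEX 80 - x.x.68.21 SMS+CCM+5.0 200 0 0 3806 15",
]

# Port the MP is expected on when clients use PKI over HTTPS (assumption for this example).
EXPECTED_HTTPS_PORT = 443


def parse_line(line):
    """Split one W3C line into a dict; return None if the column count does not match."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("s_port", "sc_status", "sc_substatus", "sc_win32_status", "sc_bytes", "time_taken"):
        rec[key] = int(rec[key])
    return rec


def triage(lines):
    """Return (line_no, finding, uri_stem) tuples describing what each IIS entry tells us."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings.append((n, "unparsed line", line))
            continue
        stem = rec["cs_uri_stem"].lower()
        if rec["sc_status"] == 401:
            text = SUBSTATUS_401.get(rec["sc_substatus"], "unknown sub-status")
            findings.append((n, "401.%d %s (win32 %d)" % (rec["sc_substatus"], text, rec["sc_win32_status"]), stem))
        elif rec["sc_status"] == 200 and rec["cs_username"] != "-":
            # IIS only fills cs-username after Windows auth succeeded on the request.
            findings.append((n, "authenticated as %s" % rec["cs_username"], stem))
        if stem.startswith("/ccm_system") and rec["s_port"] != EXPECTED_HTTPS_PORT:
            findings.append((n, "client endpoint served on port %d, not HTTPS %d" % (rec["s_port"], EXPECTED_HTTPS_PORT), stem))
        if rec["cs_uri_query"].upper() == "MPKEYINFORMATIONEX":
            # The client fetched the MP signing key here; signature failures come after this point.
            findings.append((n, "MP key information retrieved", stem))
    return findings


def summarize(findings):
    """Count findings by their leading keyword (401.x, authenticated, client, MP, unparsed)."""
    return Counter(f[1].split()[0] for f in findings)


if __name__ == "__main__":
    for n, what, where in triage(SAMPLE_LOG):
        print("line %d: %s  [%s]" % (n, what, where))
    print(dict(summarize(triage(SAMPLE_LOG))))
```

    Run against the sample, the script shows the 401.2 challenge immediately followed by a 200 in which IIS recorded domain\servername$, i.e. the HTTP layer did authenticate the computer account, and then the MPLIST and MPKEYINFORMATIONEX fetches that the client uses to verify MP signatures. That lines up with the client-side errors in CertificateMaintenance.log and LocationServices.log being about signature verification and the cached MP list, not about IIS refusing the request, which is a useful thing to establish before reinstalling roles. The port note is only meaningful if the MP is indeed expected in HTTPS mode, which is exactly what Jason asks.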

All replies

  • Are both MPs configured to use HTTPS?

    Do they each have their own unique server auth cert?

    Do all managed servers have their own unique client auth cert?

    HTTP 401.2 = "Unauthorized: Logon Failed Due to Server Configuration with No Authentication"

    Is there a specific reason you are trying to segregate the MPs?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thursday, March 10, 2016 2:10 PM
  • Hi Jason, thanks for your response. In the end, we've decided to create a Premier Support call.

    It looks like there's an issue with the fqdn and certificate, but we did not find the answer yet...

    • Edited by .Christian Friday, August 3, 2018 1:14 PM
    Tuesday, April 5, 2016 9:42 AM