A client is trying to re-register with an administrator revoked certificate

  • Question

  • Hi All,

    I have an Azure based server that will not register correctly in SCCM 2012. It is our IBCM server and has been working OK, but our 3rd party support team tried to uninstall the client on this server and 5 other DPs (I have fixed those and the clients have PKI certificates) but also uninstall the roles, which has been unsuccessful, and now the site server and component server roles are still installed.

    I am unable to install the SCCM client successfully and the certificate says “None” rather than PKI which all my other servers have installed, I have tried the suggestions from

    https://social.technet.microsoft.com/Forums/en-US/48d496ee-4869-4cef-8cd0-9dcab843e373/sccm-2012-r2-client-on-distribution-point-doesnt-complete-registration-solved?forum=configmanagerdeployment

    and also from

    https://social.technet.microsoft.com/Forums/systemcenter/en-US/08119f92-fba7-43b1-bdb1-1b4d72963ff7/sccm-clients-registration-rejected-by-management-point which involved

    • The following are the sequence,

    1) uninstall the client agent ccmsetup /uninstall
    2) remove the entries of CCMsetup and SMS from registry HKLM
    3) remove the Config mgr cert from computer personal store
    4) remove the smscfg.ini from windows folder
    5) restart the machine

    Installation process
    wait for the client pc to auto enroll config mgr client cert from CA
    reinstall the client

    The client registration successfully went through. I suspect it is because the client, no matter how many times you reinstall it, tries to use the old GUID to register with the MP without even knowing that the client has been marked as obsolete in the SCCM primary site server.

    If you restart the machine and perform the above steps it will flush the cache and try to register with an MP and get the new GUID from the MP, and then it successfully registers.

    So at the moment my IBCM server is not working and I cannot get the client installed

    MP_Registration.log is below, all other clients get installed OK.

    Processing Registration request from Client 'GUID:8EC3C75A-AA8D-4421-8725-446FF891EF02'            MP_RegistrationManager          11/13/2014 5:13:27 AM           10172 (0x27BC)

    Begin validation of Certificate [Thumbprint AF0D7B12263DC9EF764750519884992CAA53FBE0] issued to 'SMS'            MP_RegistrationManager          11/13/2014 5:13:27 AM           10172 (0x27BC)

    Completed validation of Certificate [Thumbprint AF0D7B12263DC9EF764750519884992CAA53FBE0] issued to 'SMS'            MP_RegistrationManager          11/13/2014 5:13:27 AM           10172 (0x27BC)

    A client is trying to re-register with an administrator revoked certificate: SMSID='GUID:8EC3C75A-AA8D-4421-8725-446FF891EF02'.           MP_RegistrationManager          11/13/2014 5:13:27 AM           10172 (0x27BC)

    Any ideas?? A support call is needed I think…


    many thanks


    • Edited by MisterD101 Thursday, November 13, 2014 10:51 AM
    Thursday, November 13, 2014 10:41 AM
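
Added example (not part of the thread, and not the poster's or Microsoft's code): a small Python triage script for MP_Registration.log lines in the viewer-rendered layout quoted in the question. It pairs each "administrator revoked certificate" rejection with the certificate thumbprint validated on the same thread, so the affected SMSID and thumbprint can be named exactly; the second client, its thread and the all-zero thumbprint in the sample are constructed.

```python
import re

# One viewer-rendered line: message, component, timestamp, thread id.
LINE = re.compile(
    r"^(?P<msg>.*?)\s{2,}(?P<component>\S+)\s{2,}"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s{2,}"
    r"(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)\s*$")
REQUEST = re.compile(r"Processing Registration request from Client '(GUID:[0-9A-Fa-f-]+)'")
THUMB = re.compile(r"validation of Certificate \[Thumbprint ([0-9A-Fa-f]{40})\]")
REVOKED = re.compile(
    r"re-register with an administrator revoked certificate: SMSID='(GUID:[0-9A-Fa-f-]+)'")

def find_revoked_rejections(text):
    """Pair each revoked-certificate rejection with the thumbprint validated on the same thread."""
    pending = {}  # thread id -> request currently being processed on that thread
    hits = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["component"] != "MP_RegistrationManager":
            continue
        msg, tid = m["msg"], m["tid"]
        if r := REQUEST.search(msg):
            pending[tid] = {"smsid": r[1], "thumbprint": None}
        elif (t := THUMB.search(msg)) and tid in pending:
            pending[tid]["thumbprint"] = t[1].upper()
        elif v := REVOKED.search(msg):
            req = pending.pop(tid, None)
            # Only trust the thumbprint if it belongs to the same request.
            thumb = req["thumbprint"] if req and req["smsid"] == v[1] else None
            hits.append({"smsid": v[1], "thumbprint": thumb,
                         "timestamp": m["ts"], "thread": int(tid)})
    return hits

def _row(msg, thread):
    # Same column layout as the lines quoted in the question.
    return f"{msg}            MP_RegistrationManager          11/13/2014 5:13:27 AM           {thread}"

REAL, OTHER = "10172 (0x27BC)", "9044 (0x2354)"  # OTHER thread and its client are constructed
SMSID = "GUID:8EC3C75A-AA8D-4421-8725-446FF891EF02"
CERT = "AF0D7B12263DC9EF764750519884992CAA53FBE0"
SAMPLE = "\n".join([
    _row(f"Processing Registration request from Client '{SMSID}'", REAL),
    _row("Processing Registration request from Client 'GUID:00000000-0000-0000-0000-000000000000'", OTHER),
    _row(f"Begin validation of Certificate [Thumbprint {CERT}] issued to 'SMS'", REAL),
    _row(f"Begin validation of Certificate [Thumbprint {'0' * 40}] issued to 'SMS'", OTHER),
    _row(f"Completed validation of Certificate [Thumbprint {CERT}] issued to 'SMS'", REAL),
    _row(f"Completed validation of Certificate [Thumbprint {'0' * 40}] issued to 'SMS'", OTHER),
    _row(f"A client is trying to re-register with an administrator revoked certificate: SMSID='{SMSID}'.", REAL),
])

if __name__ == "__main__":
    for hit in find_revoked_rejections(SAMPLE):
        print(hit)
```

Correlating by thread id matters because registration requests from different clients interleave in this log; taking the most recent thumbprint regardless of thread would attribute the wrong certificate to the rejected client.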

All replies

  • I have an Azure based server that will not register correctly in SCCM 2012, it is our IBCM server many thanks



    What does that mean exactly? What does the setup look like? Where are what roles located?

    Torsten Meringer | http://www.mssccmfaq.de

    Thursday, November 13, 2014 11:06 AM
  • Hi Torsten,

    The server is in Azure but is connected via VPN, so it is classed as being internet based but is within a boundary/boundary group, so is part of our network.

    It had previously been used as the Internet Based Client Management Server, distribution point, MP and FSP. We have a primary site server that uses PKI for client communication on HTTP/HTTPS using standard ports; it contains the following roles:

    SUP

    MP

    Asset Intelligence

    FSP

    DP

    Component Server

    Site System

    Site Server

    SMS Provider

    No matter what I try, the server will not be registered and I get this error:

    A client is trying to re-register with an administrator revoked certificate: SMSID='GUID:8EC3C75A-AA8D-4421-8725-446FF891EF02'.           MP_RegistrationManager          11/13/2014 5:13:27 AM           10172 (0x27BC)


    many thanks


    • Edited by MisterD101 Thursday, November 13, 2014 11:26 AM
    Thursday, November 13, 2014 11:26 AM
  • A couple of things here.

    First, what you're doing is technically unsupported. That's not the source of your issue, just pointing it out.

    Next, client GUIDs have nothing to do with the MP and are generated locally on the client based on a few pieces of information, including the client authentication cert. Does the system have a client auth cert in the personal store?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, November 14, 2014 1:51 AM
  • Hi Jason,

    thank you for the response, I called support and it turns out that SCCM was actively revoking certs, so when a new one was created it automatically revoked it for this server for some reason, all other clients on the network installed OK, it was particular to this server, so we had to delete from the DB all revoked certs even though in the SQL view there were no certificates or SMSGUIDS related to the server itself.

    So running

    select * from clientkeydata where isrevoked='1'

    Update clientkeydata set isrevoked=0 where isrevoked=1

    resolved the issue and the client installed correctly.

    Hope this helps anyone else who experiences this issue.


    many thanks


    • Edited by MisterD101 Friday, November 14, 2014 6:45 AM
    • Marked as answer by Joyce L Monday, November 17, 2014 9:21 AM
    Friday, November 14, 2014 6:43 AM
  • OK, glad that worked, but why not simply delete the client auth cert then and issue a new one?

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, November 14, 2014 8:34 PM