Certificate selection and site assignment across untrusted forests


  • I have a scenario where I will need to use an SCCM instance in one forest to manage clients in a second, untrusted forest, and I need clients in the second forest to use DPs in the first.  A Microsoft rep that I had spoken to indicated that this would require the DPs to use HTTPS. 

    For proof-of-concept, I've stood up test domains, SCCM 2012 running in one of them.  Currently, the only MP and DP are in the first forest.  Both forests have their own certificate authority.  Client certs have been issued following the guide here http://technet.microsoft.com/en-us/library/gg682023.  I've imported the root certs for both CAs into SCCM under Site Properties > Client Computer Communication, as well as the Trusted Root Certificate Authorities store of the site server.  Clients in the same forest as SCCM work fine.  I'm now trying to install the client manually on a computer in the second forest.  I'm running CCMSETUP.EXE /UsePKICert, with SMSSITECODE, SMSMP, and CCMCERTISSUERS defined.  The client installs, but fails to talk to the management point.

    I see the following in ClientIDManagerStartup.log

    Certificate Issuer 1 [CN=CA1; DC=DOMAIN1; DC=com]
    Certificate Issuer 2 [CN=CA2; DC=DOMAIN2; DC=com]
    Based on Certificate Issuer 'CA1' found Certificate [Thumbprint] issued to 'COMPUTER.DOMAIN2.com'
    Begin validation of Certificate [Thumbprint] issued to 'COMPUTER.DOMAIN2.com'
    Completed validation of Certificate [Thumbprint] issued to 'COMPUTER.DOMAIN2.com'
    Completed searching client certificates based on Certificate Issuers
    Begin to select client certificate
    Begin validation of Certificate [Thumbprint] issued to 'COMPUTER.DOMAIN2.com'
    Certificate [Thumbprint] issued to 'COMPUTER.DOMAIN2.com' doesn't have private key or caller doesn't have access to private key.
    Completed validation of Certificate [Thumbprint] issued to 'COMPUTER.DOMAIN2.com'
    Raising event:
    instance of CCM_ServiceHost_CertRetrieval_Status
    {
        DateTime = "20120523192930.660000+000";
        HRESULT = "0x87d00283";
        ProcessID = 4740;
        ThreadID = 4896;
    };
    Failed to submit event to the Status Agent. Attempting to create pending event.
    Raising pending event:
    instance of CCM_ServiceHost_CertRetrieval_Status
    {
        DateTime = "20120523192930.660000+000";
        HRESULT = "0x87d00283";
        ProcessID = 4740;
        ThreadID = 4896;
    };
    Unable to find PKI Certificate matching SCCM certificate selection criteria. 0x87d00283

    • Edited by JeremySD Thursday, May 24, 2012 3:02 PM
    • Changed type JeremySD Wednesday, May 29, 2013 3:43 PM
    Wednesday, May 23, 2012 8:43 PM

All replies

  • Found an issue with the template that was used to issue the certificate.  Corrected this, issued a new cert, client selects it correctly.  But there still seems to be an issue talking to the MP.  Site assignment is failing, and it doesn't look like the client is actually using the cert that it selected.  Configuration Manager Properties > General > Client Certificate = None.

    LocationServices.log

    Assigning to site 'LAB'
    LSIsSiteCompatible : Verifying Site Compatibility for <LAB>
    Retrieved lookup MP [MP.SCCMLAB.COM] from Registry
    Attempting to retrieve lookup MP(s) from AD
    No lookup MP(s) from AD    LocationServices
    Attempting to retrieve lookup MP(s) from DNS
    Attempting to retrieve default management points from DNS
    Found DNS record of mp.sccmlab.com port 443
    Lookup Management Points from DNS:
    Name: 'mp.sccmlab.com' HTTPS: 'Y' ForestTrust: 'N'
    Retrieved lookup MP(s) from DNS    LocationServices
    LSGetSiteVersionFromAD : Failed to retrieve version for the site 'LAB' (0x80004005)
    Retrieved lookup MP [MP.SCCMLAB.COM] from Registry
    Attempting to retrieve lookup MP(s) from AD
    No lookup MP(s) from AD
    Attempting to retrieve lookup MP(s) from DNS
    Attempting to retrieve default management points from DNS
    Found DNS record of mp.sccmlab.com port 443
    Lookup Management Points from DNS:
    Name: 'mp.sccmlab.com' HTTPS: 'Y' ForestTrust: 'N'
    Retrieved lookup MP(s) from DNS
    Failed to send site information Location Request Message to MP.SCCMLAB.COM
    LSIsSiteCompatible : Failed to get Site Version from all directories
    Won't send a client assignment fallback status point message because the last assignment error matches this one.

    CcmMessaging.log

    [CCMHTTP] ERROR: URL=http://MP.SCCMLAB.COM/ccm_system/request, Port=80, Options=480, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
    Raising event:
    instance of CCM_CcmHttp_Status
    {
        DateTime = "20120524150618.264000+000";
        HostName = "MP.SCCMLAB.COM";
        HRESULT = "0x87d0027e";
        ProcessID = 3984;
        StatusCode = 403;
        ThreadID = 3208;
    };
    Successfully sent security settings refresh message.
    Successfully sent location services HTTP failure message.
    Post to http://MP.SCCMLAB.COM/ccm_system/request failed with 0x87d00231.

    • Edited by JeremySD Thursday, May 24, 2012 3:25 PM
    Thursday, May 24, 2012 3:02 PM
  • It looks like it's trying to communicate over port 80, which is in line with your hypothesis that the client is not able to select a certificate. I'd check ccmexec.log or ccmmessaging.log (I'm not sure which of those logs has this information in ConfigMgr 2012) to see if you can find any information on how the client is searching for a certificate and if there's any clues as to why it can't select one. You may need to enable verbose logging to get this information.
    Thursday, May 24, 2012 4:21 PM
  • Reinstalled the agent with CCMLOGLEVEL=0.

    CertificateMaintenance.log

    Using the certificate [Thumbprint] issued to 'computer.domain2.com'.


    clientidmanagerstartup.log

    >>> Client selected the PKI Certificate [Thumbprint] issued to 'computer.domain2.com'
    Raising event:

    instance of CCM_ServiceHost_CertRetrieval_Status
    {
        DateTime = "20120524171640.720000+000";
        HRESULT = "0x00000000";
        ProcessID = 2384;
        ThreadID = 3040;
    };
        ClientIDManagerStartup    5/24/2012 1:16:40 PM    3040 (0x0BE0)
    Failed to submit event to the Status Agent. Attempting to create pending event.

    and then

    Using the certificate [Thumbprint] issued to 'computer.domain2.com'.
    RegTask: Failed to refresh site code. Error: 0x8000ffff

    CCMMessaging.log and LocationServices.log look the same. Ccmexec.log offers no clues. I'm not sure what CCMMessaging.log is supposed to be; I don't see it on the list over here http://technet.microsoft.com/en-us/library/hh427342.aspx, but it sure seems like the client is at least trying to use the cert. It just doesn't seem to be actually making any HTTPS connection attempts.

    Edit: looking in that log on one of the working clients on domain1, the connections do say HTTPS.

    Edit Edit: looked at the IIS logs on the site server, seems like every hit from this computer has been port 80.


    • Edited by JeremySD Thursday, May 24, 2012 6:26 PM
    Thursday, May 24, 2012 5:32 PM
  • Other factors forced us to establish trusts between our production forests.  However, even after creating a two-way trust between my two test forests, this issue remained.  To better reflect the new plan for our production environment, I rebuilt both test forests, two-way selective authentication forest trust, SCCM2012 in forest 1, HTTPS only, site information being published to both ADs, and a CA in 1 enabled for cross-forest certificate enrollment.  Clients in forest2 are now hitting the MP on HTTPS, and things are looking happy.

    Still don't know why it didn't work before. What's interesting is that in LocationServices.log, I still see the following when the client attempts to locate its MP:

         Name: 'LAB1-SCCM.SCCMLAB1.local' HTTPS: 'Y' ForestTrust: 'N'

    Does this indicate that the client doesn't recognize the trust?

    • Edited by JeremySD Friday, June 1, 2012 4:55 PM
    Friday, June 1, 2012 4:52 PM
  • I know this is an old topic, but I struggled with this for months before I figured it out.

    I was getting this same error:

    Certificate [Thumbprint] issued to 'COMPUTER.DOMAIN2.com' doesn't have private key or caller doesn't have access to private key.

    This ended up being an issue with the key storage provider I chose for building the certificate request.  It MUST be the legacy key, not the CNG key SP.  SCCM cannot (or doesn't try to) read the storage location for CNG keys, it only accesses the legacy key storage location.  

    Thursday, December 8, 2016 2:04 PM
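Pulling the thread together: the PowerShell below is an added example, not code posted by anyone in this thread and not part of ConfigMgr. It reproduces the checks the ClientIDManagerStartup.log excerpts in the first post show the client making (issuer listed in CCMCERTISSUERS, Client Authentication EKU, usable private key), and adds the check the last reply identifies as the root cause: which key storage provider holds the private key, since a CNG KSP key is rejected and a legacy CryptoAPI CSP key is required. It also emits a certreq INF pinned to the legacy CSP and, with a usable certificate, tests an HTTPS request to the MP's MPLIST health URL so the port-80/403 symptom from the second post can be ruled in or out. The issuer DNs, the template name and the function names are constructed for this example; `mp.sccmlab.com` is the MP name from the logs above. It assumes Windows PowerShell 5.1, `certutil.exe`, and a ConfigMgr management point that answers `/sms_mp/.sms_aut?MPLIST`.

```powershell
# Added example for this thread, not the original poster's code and not part of ConfigMgr.
# Issuer DNs and the template name below are constructed placeholders.
$CcmCertIssuers = @('CN=CA1; DC=DOMAIN1; DC=com', 'CN=CA2; DC=DOMAIN2; DC=com')  # written as CCMCERTISSUERS lists them
$ClientAuthEku  = '1.3.6.1.5.5.7.3.2'

# CCMCERTISSUERS separates RDNs with ';' while .NET's X509Certificate2.Issuer uses ', ';
# compare both in one canonical form.
function ConvertTo-CanonicalDn {
    param([Parameter(Mandatory)][string]$Dn)
    (($Dn -split '\s*[;,]\s*') | ForEach-Object { $_.Trim() }) -join ','
}

# certutil prints "Provider = <name>" for the key bound to a certificate. The 2012 client only
# reads keys held by a legacy CryptoAPI CSP, so any CNG key storage provider here is the
# "doesn't have private key or caller doesn't have access" failure from the thread.
function Get-KeyProviderInfo {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $text = (& certutil.exe -store My $Thumbprint 2>&1) | Out-String
    $provider = if ($text -match 'Provider\s*=\s*([^\r\n]+)') { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{
        Provider = $provider
        IsCng    = [bool]($provider -and $provider -match 'Key Storage Provider|Platform Crypto Provider')
    }
}

# Walk LocalMachine\My the way ClientIDManagerStartup.log does and record why each
# certificate would be skipped. Usable is true only when every check passes.
function Test-CcmClientCertificate {
    param([string[]]$Issuers = $CcmCertIssuers)
    $wanted = $Issuers | ForEach-Object { ConvertTo-CanonicalDn $_ }
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $reasons = New-Object System.Collections.Generic.List[string]
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
        $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku })
        if (-not $hasClientAuth) { $reasons.Add('no Client Authentication EKU') }
        if ($wanted -notcontains (ConvertTo-CanonicalDn $cert.Issuer)) { $reasons.Add('issuer not in CCMCERTISSUERS') }
        if ((Get-Date) -gt $cert.NotAfter) { $reasons.Add('expired') }
        if (-not $cert.HasPrivateKey) { $reasons.Add('no private key') }
        $key = Get-KeyProviderInfo -Thumbprint $cert.Thumbprint
        if ($key.IsCng) { $reasons.Add("key held by CNG KSP '$($key.Provider)'; client needs a legacy CSP") }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Provider   = $key.Provider
            Usable     = ($reasons.Count -eq 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# certreq INF that keeps the key in the legacy CSP. ProviderName, ProviderType and KeySpec are
# the lines that matter; "Microsoft Software Key Storage Provider" here would create the CNG
# key the last reply warns about. The template name is a placeholder.
function New-CcmClientRequestInf {
    param([Parameter(Mandatory)][string]$Fqdn,
          [string]$Template = 'ConfigMgrClientCertificate')
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
RequestType = PKCS10
KeyUsage = 0xA0
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = $Template
"@
}

# MPLIST is the management point's standard health URL. A 200 over HTTPS with the selected
# certificate shows TLS client authentication to the MP works, which the logs above never attempted.
function Test-MpHttps {
    param([Parameter(Mandatory)][string]$Mp,
          [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    try {
        $r = Invoke-WebRequest -Uri "https://$Mp/sms_mp/.sms_aut?MPLIST" -Certificate $Certificate -UseBasicParsing
        return $r.StatusCode
    } catch {
        return $_.Exception.Message
    }
}

# Usage (run elevated so certutil can read the machine key metadata):
$report = Test-CcmClientCertificate
$report | Format-Table Subject, Provider, Usable, Reasons -AutoSize
$good = $report | Where-Object Usable | Select-Object -First 1
if ($good) { Test-MpHttps -Mp 'mp.sccmlab.com' -Certificate (Get-Item "Cert:\LocalMachine\My\$($good.Thumbprint)") }
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
New-CcmClientRequestInf -Fqdn $fqdn | Set-Content .\ccmclient.inf -Encoding ASCII
# then: certreq -new .\ccmclient.inf .\ccmclient.req ; submit the .req to the CA ; certreq -accept <issued>.cer
```

The report's Reasons column maps directly onto the log lines in the thread: a certificate the client logs as "doesn't have private key or caller doesn't have access to private key" shows up here with a Key Storage Provider name, while a certificate that passes every check but still produces port-80 traffic points at site assignment or MP configuration rather than certificate selection, which is what Test-MpHttps is there to separate.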