SCCM and ECC Certificates (not supported)

  • General discussion

  • Hi There,

    I recently configured a new installation of an SCCM server (latest) and ran into a weird problem during client deployment. The client push installation was successful, it installed the client, but the client cannot register itself back with the SCCM server.

    In the logs (ClientIDManagerStartup.log) I found the following error message:

    RegTask: Failed to create registration request body. Error: 0x80090027

    What was suspicious is that in the Configuration Manager client, on the General tab, the "Client Certificate" showed: None

    It was strange because in the log I saw that it found a client certificate on the machine, and was able to validate it successfully.

    The certificate had the "Client authentication" purpose, but it was an ECC 384 bit certificate.

    It was suspicious.

    I issued a new certificate for the client, a good old RSA 2048-bit cert.

    Placed it in a different store to be sure it would be used, and configured the SCCM server to look for client certificates in that store.

    Re-initiated the client setup process and voila... it worked!!

    In the latest available MS article I found only two restrictions for the client certificate:

    - Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).

    - Maximum supported key length is 2,048 bits.

    https://docs.microsoft.com/en-us/sccm/core/plan-design/network/pki-certificate-requirements

    Although it is not explicitly stated that ECC certificates are not supported, it seems to me that this is the case.

    Monday, April 29, 2019 4:05 PM

All replies

  • Which version exactly of ConfigMgr are you running?

    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, April 30, 2019 2:19 AM
  • Version 1902
    Tuesday, April 30, 2019 6:27 AM
  • Read about CNG Certificates, I think it's related to the usage of ECC Certificates:

    https://docs.microsoft.com/en-us/sccm/core/plan-design/network/cng-certificates-overview

    • Edited by Michael-CM Tuesday, April 30, 2019 7:33 AM
    Tuesday, April 30, 2019 7:33 AM
  • Yes, that was where I was going as well, but CNG certs are [almost] fully supported in 1902 and do work fine for the client agent.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, April 30, 2019 2:05 PM
  • What version is the client itself running?

    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, April 30, 2019 2:06 PM
  • The client is Windows Server 2016 version 1607
    Thursday, May 2, 2019 8:05 AM
  • Sorry, what version is the ConfigMgr client agent on the managed system where you are testing and seeing this issue?

    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, May 2, 2019 2:54 PM
  • Hi,

    Client version is: 5.00.8790.1007

    Friday, May 3, 2019 9:11 AM
  • Meanwhile we found another interesting issue in connection with it.

    In the SCCM console, under Administration -> Site Configuration -> Sites -> Properties -> Client Computer Communication -> Client Computer Settings, under Use PKI... if I click Modify I see Client Certificate Selection Settings.

    Here we now use the default setting which is: If multiple certificates match criteria:

    Select the certificate with the longest validity period.

    Our clients have multiple certificates which match the criteria. Because of this we rolled out one certificate with the longest validity of all matching certificates.

    Unfortunately we find that the agent selects from the matching certificates randomly and not based on the setting above.

    Has anyone experienced this?

    Friday, May 3, 2019 9:20 AM
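A quick way to see what the client agent has to choose from on a machine, as an added diagnostic that is not part of this thread or of ConfigMgr itself: it lists the certificates in a store that meet the selection criteria (private key present, Client Authentication EKU 1.3.6.1.5.5.7.3.2), shows whether each key is RSA or ECC and its size, flags any outside the two documented limits quoted in the first post, and sorts by expiry so the row the "longest validity period" rule should pick comes first. The store path is an assumed parameter; the original poster moved the RSA certificate to a custom store, so pass that path if your site is configured to search one.

```powershell
# Added diagnostic (not from the thread or ConfigMgr): enumerate candidate client
# authentication certificates the way the agent's selection criteria would see them.
param(
    # Assumed parameter: store the site is configured to search for client certificates.
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, as quoted from the docs above
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$report = Get-ChildItem -Path $StorePath |
    Where-Object { $_.HasPrivateKey } |
    Where-Object {
        # Keep only certificates whose EKU extension lists Client Authentication
        $eku = $_.Extensions | Where-Object { $_ -is $ekuType }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    } |
    ForEach-Object {
        # Use the extension methods instead of PublicKey.Key, which throws for ECC keys on .NET Framework
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
        if ($rsa) {
            $alg = 'RSA'; $bits = $rsa.KeySize
        } else {
            $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($_)
            if ($ecdsa) { $alg = 'ECC'; $bits = $ecdsa.KeySize }
            else        { $alg = $_.PublicKey.Oid.FriendlyName; $bits = $null }
        }
        [PSCustomObject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            Algorithm  = $alg
            KeyBits    = $bits
            NotAfter   = $_.NotAfter
            # True only for RSA keys of at most 2048 bits, the combination that worked in this thread
            WithinDocs = ($alg -eq 'RSA' -and $bits -le 2048)
        }
    } |
    Sort-Object NotAfter -Descending   # first row is what "longest validity period" should select

$report | Format-Table -AutoSize

if (@($report).Count -gt 1) {
    Write-Warning "More than one certificate matches the selection criteria; consider leaving a single matching certificate, as in the workaround described in this thread."
}
```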
  • You've most likely chosen some other unsupported option for the certificates then, like the hashing algorithm. Not everything possible is always documented, so lack of documentation, while annoying, isn't necessarily definitive. If you are bound and determined to use these certs, then you should open a support case with Microsoft to narrow down exactly what is not supported. Keep in mind that this is often the case -- running into something that doesn't exactly work right -- when you go down a path that few (or none even) have gone down before.

    Jason | https://home.configmgrftw.com | @jasonsandys


    Friday, May 3, 2019 6:24 PM
  • Sounds like a possible bug that perhaps should be another support case.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Friday, May 3, 2019 6:25 PM
  • Thanks for the suggestions.

    We worked around the issues by changing the client certificates so that only one matches the criteria, and changed that one to an RSA cert.

    This way clients install correctly.

    Unfortunately we have no time for an MS case right now.

    Thanks.

    Monday, May 6, 2019 8:55 AM