Client installs fail for push or manual

Question
This one has got me stumped, hopefully someone can give me some ideas of what to look at.
Got two servers I'm trying to install the 2012 R2 client onto; we'll call them DP01 and DP02. This is part of the process to install the DP role onto these servers. Doing a push or manual install fails with the below log entries:
<![LOG[Checking the URL 'HTTPS://SCCM00.Skynet.com:443/CCM_Client/ccmsetup.cab']LOG]!><time="01:13:50.400-120" date="04-20-2014" component="ccmsetup" context="" type="1" thread="2068" file="ccmsetup.cpp:10157">
<![LOG[PROPFIND 'HTTPS://SCCM00.Skynet.com:443/CCM_Client']LOG]!><time="01:13:50.400-120" date="04-20-2014" component="ccmsetup" context="" type="1" thread="2068" file="httphelper.cpp:807">
<![LOG[[CCMSETUP] AsyncCallback(): -----------------------------------------------------------------]LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" context="" type="3" thread="2068" file="httphelper.cpp:698">
<![LOG[[CCMSETUP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" context="" type="3" thread="2068" file="httphelper.cpp:699">
<![LOG[[CCMSETUP] : dwStatusInformationLength is 4
]LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" context="" type="3" thread="2068" file="httphelper.cpp:700">
<![LOG[[CCMSETUP] : *lpvStatusInformation is 0x1
]LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" context="" type="3" thread="2068" file="httphelper.cpp:701">
<![LOG[[CCMSETUP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set
]LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" context="" type="3" thread="2068" file="httphelper.cpp:705">
<![LOG[[CCMSETUP] AsyncCallback(): -----------------------------------------------------------------]LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" context="" type="3" thread="2068" file="httphelper.cpp:731">
<![LOG[Failed to send HTTPS request. (Error at WinHttpSendRequest: 12175)]LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" context="" type="2" thread="2068" file="httphelper.cpp:1214">
<![LOG[WinHttpRequestReponse failed with a non-recoverable failure, 12175]LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" context="" type="3" thread="2068" file="httphelper.cpp:1266">
<![LOG[Failed to check url HTTPS://SCCM00.Skynet.com:443/CCM_Client/ccmsetup.cab 2014" component="ccmsetup" context="" type="3" thread="2068" file="httphelper.cpp:1597">
<![LOG[Accessing the URL 'HTTPS://SCCM00.Skynet.com:443/CCM_Client/ccmsetup.cab' failed with 80072F8F]LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" context="" type="2" thread="2068" file="ccmsetup.cpp:10195">
<![LOG[Checking the URL 'HTTPS://SCCM02.web.Skynet.com:443/CCM_Client/ccmsetup.cab']LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" context="" type="1" thread="2068" file="ccmsetup.cpp:10157">
<![LOG[PROPFIND 'HTTPS://SCCM02.web.Skynet.com:443/CCM_Client']LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" context="" type="1" thread="2068" file="httphelper.cpp:807">
<![LOG[Failed to correctly receive a WEBDAV HTTPS request.. (StatusCode at WinHttpQueryHeaders: 403)]LOG]!><time="01:14:11.430-120" date="04-20-2014" component="ccmsetup" context="" type="3" thread="2068" file="httphelper.cpp:1370">
<![LOG[Failed to check url HTTPS://SCCM02.web.Skynet.com:443/CCM_Client/ccmsetup.cab 2014" component="ccmsetup" context="" type="3" thread="2068" file="httphelper.cpp:1597">
<![LOG[Accessing the URL 'HTTPS://SCCM02.web.Skynet.com:443/CCM_Client/ccmsetup.cab' failed with 80004005]LOG]!><time="01:14:11.430-120" date="04-20-2014" component="ccmsetup" context="" type="2" thread="2068" file="ccmsetup.cpp:10195">
<![LOG[Next retry in 10 minute(s)...]LOG]!><time="01:14:11.430-120" date="04-20-2014" component="ccmsetup" context="" type="0" thread="2068" file="ccmsetup.cpp:8835">
Now, firewalls on both DP01 and DP02 servers are disabled, as are the domain firewalls on both SCCM00 and SCCM02 servers.
I CAN open IE and go to HTTPS://SCCM02.web.Skynet.com:443/CCM_Client and download the files, this works on both DP01 and DP02. So the server does have access, I can also use SMB to browse to the SCCM installation path on the SCCM server from both DP01/02.
Certs on both SCCM servers and DP01/02 servers are valid and not expired.
Boundary groups are set up for the servers.
Other servers and Windows OS boxes have had no issues with client installs or DP role installs, it's just these two.
I've restarted both DP and SCCM servers and still get the same error.
Pinging SCCM servers from DP servers has the correct IPs and times less than 120ms.
I know the HTTPS 403 error is Access is Denied, but I can browse to the site with no problems...
Saturday, April 19, 2014 11:48 PM
Answers
certificate chaining issue...
http://msdn.microsoft.com/en-us/library/windows/desktop/aa383770(v=vs.85).aspx
Danovich suggests to check your FQDN vs DN: http://blog.danovich.com.au/2010/07/09/sccm-clients-not-installing-in-native-mode/
more here (although CM07 is discussed):
http://social.technet.microsoft.com/Forums/systemcenter/en-US/931e839f-a85a-41dd-a175-5546d1316463/client-push-problem-with-ca-cert?forum=configmgrsetup
Don
Marked as answer by Chris Thelen Sunday, April 20, 2014 1:49 AM
Sunday, April 20, 2014 12:33 AM
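The WinHTTP callback page linked in the answer defines the status flags that ccmsetup.log prints next to `WINHTTP_CALLBACK_STATUS_SECURE_FAILURE`. As an added example (not part of the original thread), this Python code parses entries in the log format shown in the question and decodes, per probed URL, the certificate flags, HTTP status and Win32 error; the function names and the abridged sample are this example's own.

```python
import re

# One CMTrace-format entry; the tempered dot stops a truncated entry from swallowing the next one.
ENTRY = re.compile(r'<!\[LOG\[(?P<msg>(?:(?!<!\[LOG\[).)*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
# WINHTTP_CALLBACK_STATUS_FLAG_* bits (winhttp.h) reported with SECURE_FAILURE
FLAGS = {0x1: "CERT_REV_FAILED", 0x2: "INVALID_CERT", 0x4: "CERT_REVOKED",
         0x8: "INVALID_CA", 0x10: "CERT_CN_INVALID", 0x20: "CERT_DATE_INVALID",
         0x40: "CERT_WRONG_USAGE", 0x80000000: "SECURITY_CHANNEL_ERROR"}
ERROR_WINHTTP_SECURE_FAILURE = 12175  # 0x2F8F, logged as HRESULT 80072F8F

def parse_entries(text):
    """Yield (message, attributes) for every complete log entry."""
    for m in ENTRY.finditer(text):
        yield m.group("msg").strip(), dict(re.findall(r'(\w+)="([^"]*)"', m.group("attrs")))

def summarize(text):
    """Group the failure details ccmsetup logs for each URL it probes."""
    results, cur = [], None
    for msg, _attrs in parse_entries(text):
        if m := re.search(r"Checking the URL '([^']+)'", msg):
            cur = {"url": m.group(1), "cert_flags": [], "http_status": None, "win32": None}
            results.append(cur)
        elif cur is None:
            continue
        elif m := re.search(r"\*lpvStatusInformation is (0x[0-9a-fA-F]+)", msg):
            bits = int(m.group(1), 16)
            cur["cert_flags"] = [name for bit, name in FLAGS.items() if bits & bit]
        elif m := re.search(r"StatusCode at WinHttpQueryHeaders: (\d+)", msg):
            cur["http_status"] = int(m.group(1))
        elif m := re.search(r"failed with ([0-9A-Fa-f]{8})$", msg):
            hr = int(m.group(1), 16)
            # FACILITY_WIN32 HRESULTs (0x8007xxxx) carry the Win32 error in the low word
            cur["win32"] = hr & 0xFFFF if hr >> 16 == 0x8007 else None
    return results

# Abridged from the ccmsetup.log in the question (attributes shortened), truncated entry included.
SAMPLE = """<![LOG[Checking the URL 'HTTPS://SCCM00.Skynet.com:443/CCM_Client/ccmsetup.cab']LOG]!><time="01:13:50.400-120" date="04-20-2014" component="ccmsetup" type="1">
<![LOG[[CCMSETUP] : *lpvStatusInformation is 0x1
]LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" type="3">
<![LOG[Failed to check url HTTPS://SCCM00.Skynet.com:443/CCM_Client/ccmsetup.cab 2014" component="ccmsetup" type="3">
<![LOG[Accessing the URL 'HTTPS://SCCM00.Skynet.com:443/CCM_Client/ccmsetup.cab' failed with 80072F8F]LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" type="2">
<![LOG[Checking the URL 'HTTPS://SCCM02.web.Skynet.com:443/CCM_Client/ccmsetup.cab']LOG]!><time="01:14:10.432-120" date="04-20-2014" component="ccmsetup" type="1">
<![LOG[Failed to correctly receive a WEBDAV HTTPS request.. (StatusCode at WinHttpQueryHeaders: 403)]LOG]!><time="01:14:11.430-120" date="04-20-2014" component="ccmsetup" type="3">
<![LOG[Accessing the URL 'HTTPS://SCCM02.web.Skynet.com:443/CCM_Client/ccmsetup.cab' failed with 80004005]LOG]!><time="01:14:11.430-120" date="04-20-2014" component="ccmsetup" type="2">"""

if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["url"], "TLS failure" if r["win32"] == ERROR_WINHTTP_SECURE_FAILURE else "", r)
```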
All replies
Thanks for the reply Don,
It was a cert issue on the site server. It was using a cert with the Subject name = FQDN of the site server, and Subject Alternative = the principal name - FQDN.
I changed the cert for the IIS 443 binding to our MP/DP cert which leaves the Subject blank and Subject Alternative = DNS - FQDN of the server and then both DP01 and DP02 client installs kicked off with no errors.
I'll have to check everything else later on to make sure that change didn't break something else...
Sunday, April 20, 2014 1:45 AM