New standalone test SCCM 2012 site: 2 of 4 clients not working.

  • Question

  • I've installed a test site on a single server and deployed the client to four test clients on various subnets.

    What I've verified is that all clients can resolve the site server by NetBIOS name and FQDN. The site server can resolve all clients by NetBIOS name and FQDN. 2 of the 4 clients show up under Assets and Compliance/Devices with:

    Client Yes

    Site Code TST

    Client Activity Active

    The other 2 clients show no site code, no activity, and Client = No

    To check communication I opened the Configuration Manager on one of the bad clients and with Wireshark running I clicked on Find Site. This failed twice, showing no traffic bound for the server in Wireshark. But the third time I clicked it, it connected to the server successfully and popped a message that the Configuration Manager has successfully found a site to manage this client. Wireshark showed a bunch of traffic. Then I switched to the Actions tab and ran a Machine Policy Retrieval and Eval Cycle. Eventually traffic showed up in Wireshark, which I assume was related to this action.

    The problem is that the Configuration Manager on the Site server still shows no client, no site code, and no activity for this client. How can I figure out what is going wrong here? I've waited for hours, checking the server periodically and there is no change in status. I don't understand how it is that the client would communicate with the server successfully and yet show no status for the client on the server.

    Wednesday, October 29, 2014 11:03 PM

Answers

  • The guide didn't really help, but I discovered that there is no fallback for HTTPS/HTTP. If your client has an untrusted certificate, SCCM will try to use it and will fail without falling back to HTTP. The solution is to disable PKI on the SCCM server, or delete the certificate(s) on the client.

    In my case, two of the four clients were built in another domain and got certificates through group policy, then they were moved into a test domain for SCCM testing. The test domain has no PKI, but I had the option for using PKI when available turned on. I assumed it would fall back on a failure of PKI, but this is not the case.



    • Marked as answer by bmcmcm Monday, November 3, 2014 4:07 PM
    • Edited by bmcmcm Tuesday, November 4, 2014 8:32 PM
    Monday, November 3, 2014 4:07 PM
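
A read-only check for the condition described in the answer above, as an added example that is not part of the original thread: it lists the certificates in a client's computer Personal store that carry the Client Authentication EKU, with their issuer and how the chain builds locally. The function name `Get-ClientAuthCertReport` is hypothetical, and trust is evaluated from the client's side only, so the issuer still has to be compared against the CAs the site trusts.

```powershell
# Added example (not from the thread). Read-only; run in an elevated
# PowerShell session on the client being investigated.
function Get-ClientAuthCertReport {
    param(
        # Computer Personal store, where machine certificates are kept.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect EKU OIDs from the certificate's EKU extension, if present.
        # Certificates without an EKU extension are not listed by this check.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        if ($ekuOids -notcontains $clientAuthOid) { continue }

        # Build the chain as this client sees it. Revocation checking is
        # skipped so the result reflects trust and validity dates only.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $builds = $chain.Build($cert)

        # Last element is the root when the chain is complete, otherwise
        # the highest certificate the client could find.
        $top = $null
        if ($chain.ChainElements.Count -gt 0) {
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }

        [pscustomobject]@{
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            ChainBuildsHere  = $builds
            TopOfChain       = $top
            ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
}

Get-ClientAuthCertReport | Format-List
```

A certificate can show `ChainBuildsHere = True` on the client and still be rejected by the site, which is the case discussed in this thread when a machine is moved in from another domain.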

All replies

  • You should follow this guide for troubleshooting: https://support.microsoft.com/kb/925282?wa=wsignin1.0

    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Joyce L Monday, November 3, 2014 8:44 AM
    • Unproposed as answer by bmcmcm Monday, November 3, 2014 4:08 PM
    Thursday, October 30, 2014 12:56 AM
  • First, certificates have nothing to do with domains.

    But yes, if your site does not trust the cert issued to the client, you will have issues. That's how PKI works.

    As for fallback, not totally sure on that but it depends upon the site configuration and installation mode. Without more info about your site, I couldn't say for sure.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, November 4, 2014 7:12 PM
  • I think the key here is that the mere existence of a certificate on an SCCM client will cause SCCM to use it, regardless of whether the certificate is trusted or not. On the Site Properties under Client Computer Communication, if you have checked the checkbox "Use PKI client certificate (client authentication capability) when available", there is no fallback to HTTP from a PKI failure here even though the radio button is set to HTTPS or HTTP.

    Tuesday, November 4, 2014 8:46 PM
  • Kind of yes, kind of no.

    The client obviously trusts the cert but it has no way of knowing if the MP trusts the cert which would result in the client's cert being rejected by the MP without knowing why the MP didn't like the cert.

    Also, do you have an HTTP MP for the client to even fall back to?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, November 4, 2014 9:15 PM