SCCM 2007 Management Point in Native Mode Installation

    Diskusi Umum

  • I have looked through a few forums about the Management point and trouble shooting in native mode in internet explorer trying to access https://<ServerName>/sms_mp/.sms_aut?mplist https://<ServerName>/sms_mp/.sms_aut?mpclient. I am geting access is denied. There was a post that pointed in adding the computer certificate into internet explorer to allow the "authentication" to happen.

    I am following the guide

    I cannot seem to export the computer template private key I believe I know the template it is using, but the name of the template doesn't match the name of the Certificate Template on the Computer Client side to the one on the Certificate Authority side (I believe I found the one is being used for Auto enrolment), we are using Auto enrolment group policy in the default domain.  Is there a way to have it that the auto enrolment feature  to populate the Personal Computer Certificate under Internet explorer, also how are you guys issuing the personal computer certificate to internet explorer to allow access to the above sms_mp sites.

    I believe this is where my problems are, I can "install the agent fine" but looking into the logs shows that it fails at http access, and the sccm never sees the client to be installed either. I have done the SetSpn -L <Service account> and it does show the SPN is set up on the listed servers. I have also the SQL server has all the right permissions for the MP service account to access it


    Thanks for your feedback I will give you any more additional information if needed


    Brian Dillehay

    Server Administrator


    27 April 2011 21:04

Semua Balasan

  • Hello - Have you seen the comments from Carol in the below thread? Did that help?

    Anoop C Nair - This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    28 April 2011 0:57
  • Partially yes, I dont have a means to testing out if the computer certificate and placing it in the web browser, that particular certificate is non exportable I can only export the certificate not the Private Keys. I was wondering if there is a way around this, some how creating a GPO for internet explorer that could populate the personal certificate in Internet Explorer just like an autoenrollment feature. My fears is that if we allow the keys to be exportable it is a security issue, and trying to keep track of revocation lists wouldn't be plausible.
    28 April 2011 15:09