I have looked through a few forums about the management point and troubleshooting in native mode. In Internet Explorer, when trying to access
https://<ServerName>/sms_mp/.sms_aut?mpclient, I am getting "access is denied".
There was a post that pointed to adding the computer certificate into Internet Explorer to allow the "authentication" to happen.
I am following the guide http://technet.microsoft.com/en-us/library/bb932118.aspx#BKMK_certerror
I cannot seem to export the computer template private key. I believe I know the template it is using, but the name of the certificate template on the computer client side doesn't match the one on the Certificate Authority side (I believe I found the one that is being used for auto-enrolment); we are using the auto-enrolment Group Policy in the default domain. Is there a way to have the auto-enrolment feature populate the personal computer certificate under Internet Explorer? Also, how are you guys issuing the personal computer certificate to Internet Explorer to allow access to the above sms_mp sites?
I believe this is where my problems are. I can "install the agent fine", but looking into the logs shows that it fails at HTTP access, and SCCM never sees the client as installed either. I have done SetSpn -L <Service account> and it does show the SPN is set up on the listed servers. Also, the SQL server has all the right permissions for the MP service account to access it.
Thanks for your feedback. I will give you any additional information if needed.
Anoop C Nair - This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Partially yes. I don't have a means of testing the computer certificate by placing it in the web browser; that particular certificate is non-exportable, so I can only export the certificate, not the private keys. I was wondering if there is a way around this, somehow creating a GPO for Internet Explorer that could populate the personal certificate in Internet Explorer just like an auto-enrollment feature. My fear is that if we allow the keys to be exportable it is a security issue, and trying to keep track of revocation lists wouldn't be plausible.
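
An added example, not part of any post in this thread: one way to test the management point URL with the computer certificate where it already sits in the local machine store, so the private key stays non-exportable. It assumes an elevated PowerShell session on the client; `$MpUrl` and the helper `Test-ClientAuthCert` are names made up for this sketch, and `<ServerName>` is the placeholder from the question.

```powershell
param(
    # Placeholder host name from the question: substitute the management point's FQDN.
    [string]$MpUrl = 'https://<ServerName>/sms_mp/.sms_aut?mpclient'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication enhanced key usage

# Hypothetical helper: is this certificate usable for TLS client authentication?
function Test-ClientAuthCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    if (-not $Cert.HasPrivateKey) { return $false }
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { return $false }
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # A certificate without an EKU extension is not restricted to specific purposes.
    if (-not $eku) { return $true }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}

# The computer certificate issued by auto-enrolment lives in LocalMachine\My.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-ClientAuthCert $_ }
if (-not $candidates) {
    Write-Warning 'No valid client-authentication certificate with a private key in LocalMachine\My.'
    return
}

foreach ($cert in $candidates) {
    try {
        # The certificate is presented from the store; nothing is exported.
        $resp = Invoke-WebRequest -Uri $MpUrl -Certificate $cert -UseBasicParsing
        $result = [int]$resp.StatusCode
    } catch {
        # Record the HTTP status if a response came back, otherwise the error text.
        $r = $_.Exception.Response
        $result = if ($r) { [int]$r.StatusCode } else { $_.Exception.Message }
    }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Result     = $result
    }
}
```

The output lists each candidate certificate with the HTTP status or error it produced, which separates "no usable certificate on this machine" from "the server rejected the certificate that was presented".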