State Migration Point Issue-Unable to get a value in SignedSerializedSMPKey

  • Question

  • Hi Folks

    I'm using SCCM 2007 R2 with USMT 4.0. My site is a primary site running in mixed mode, which in turn reports to the central site. An SMP is already installed at the central site. I'm trying to use an SMP at my site for OS migration. The SMP role installed successfully without any issue, and no errors are reported in the smpmgr.log, smpMSI.log, SMSSMPSetup.log and smsisapi.log files. However, when the TS is executed on the system to be migrated, it fails at the "Request State Store" step.

    When I checked smsts.log, I found the errors below:

    SMP request to "Lab-SCCM-Server.com" failed with error: E_SMPERROR_ENCRYPTKEY_EMPTY (103) OSDSMPClient 7/25/2012 7:44:13 PM 3396 (0x0D44)
    ClientKeyRequestToSMP failed (0x80004005). OSDSMPClient 7/25/2012 7:44:13 PM 3396 (0x0D44)
    ClientRequestToSMP::DoRequest failed. error = (0x80004005). OSDSMPClient 7/25/2012 7:44:13 PM 3396 (0x0D44)
    Request to SMP 'Lab-SCCM-Server.com' failed with error (Code 0x80004005). Trying next SMP. OSDSMPClient 7/25/2012 7:44:13 PM 3396 (0x0D44)

    I checked the registry at path HKLM\Software\Microsoft\SMS\SMP\Statestore and found that there is no value under "SignedSerializedSMPKey". I have done the following to resolve this issue:

    • Deleted the SMP certificate from the certificate store using the MMC console.
    • Uninstalled the SMP role, rebooted the server and reinstalled the SMP role.
    • Manually exchanged the keys from the central to the primary site by running preinst.exe with the /PARENTKEYS switch and copied the key into the hman.box folder at the primary site.

    I've read somewhere that detaching the primary site from the central site and then reattaching it can resolve this issue, but I'm not sure how to do that or what the precautions and consequences of this activity are.

    Kindly let me know what is to be done to resolve this issue. Any help in this regard will be highly appreciated.


    Cheers Navdeep Sidhu

    Thursday, July 26, 2012 10:42 AM

Answers

  • Hi All

    Finally we got the solution to this problem by involving MS. It was a replication issue between the primary and central sites. The site control file of the primary site was not being replicated to the central site because the SMS Replication Manager transaction ID of the primary site (available at the registry path HKLM\Software\Microsoft\SMS\Components\SMS_Replication_Manager) was lower than the value published in the .trs file at the central site (at path inboxes\replmgr.box\history), and that's why the transaction was denied. For troubleshooting, we enabled debug logging at the primary site by changing the registry values below, which should be changed back to their original values after the exercise:

    HKLM\Software\Microsoft\CCM\Logging\@GLOBAL\LogLevel as a Reg_Dword with a value of 0x0

    HKLM\Software\Microsoft\CCM\Logging\DebugLogging\Enabled as a Reg_Sz with a value of True

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Tracing\Enabled as a Reg_Dword with a value of 0x1

    After changing these registry values, we analyzed the hman and replmgr logs and found the exact issue.

    To resolve it, we stopped the SMS_Executive and SMS_Site_component_Manager services at the primary site, increased the transaction ID at the primary site so that it is higher than the value in the .trs file at the central site, and then started the services.

    Now we have a valid key in the SignedSerializedSMPKey registry value and SMP migration is working like a charm!

    Thanks Jason for your support.


    Cheers | Navdeep Sidhu

    • Marked as answer by NavdeepSidhu Thursday, November 29, 2012 11:38 AM
    Wednesday, August 29, 2012 5:33 AM
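
The registry check and the debug-logging change described in the answer above, as an added PowerShell example that is not part of the original thread: it reports whether SignedSerializedSMPKey is empty, and it saves the three logging values before setting them so they can be put back afterwards. The script parameters, the backup file path and the assumption that each existing value has the registry type the post names are assumptions of this example; run it from an elevated prompt.

```powershell
# Added example, not from the thread. Registry paths and value names are the ones quoted
# in the post; the backup path and "original type = type in the post" are assumptions.
param(
    [ValidateSet('Check', 'Enable', 'Restore')][string]$Action = 'Check',
    [string]$BackupFile = "$env:TEMP\smp-debug-logging-backup.xml"
)
# Debug-logging values from the answer, with the data the post sets for each.
$debugValues = @(
    @{ Path = 'HKLM:\Software\Microsoft\CCM\Logging\@GLOBAL';      Name = 'LogLevel'; Type = 'DWord';  Value = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\CCM\Logging\DebugLogging'; Name = 'Enabled';  Type = 'String'; Value = 'True' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\SMS\Tracing';              Name = 'Enabled';  Type = 'DWord';  Value = 1 }
)

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

switch ($Action) {
    'Check' {
        $key = Get-RegValue 'HKLM:\Software\Microsoft\SMS\SMP\Statestore' 'SignedSerializedSMPKey'
        if ([string]::IsNullOrEmpty([string]$key)) {
            Write-Warning 'SignedSerializedSMPKey is empty (the state the thread saw with error 103).'
        } else { Write-Output 'SignedSerializedSMPKey is populated.' }
    }
    'Enable' {
        # Refuse to overwrite an earlier backup, which would lose the true originals.
        if (Test-Path $BackupFile) { throw "Backup $BackupFile exists; run -Action Restore first." }
        $debugValues | ForEach-Object {
            New-Object PSObject -Property @{ Path = $_.Path; Name = $_.Name; Type = $_.Type
                                             Original = (Get-RegValue $_.Path $_.Name) }
        } | Export-Clixml -Path $BackupFile
        foreach ($v in $debugValues) {
            if (-not (Test-Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
            New-ItemProperty -Path $v.Path -Name $v.Name -PropertyType $v.Type -Value $v.Value -Force | Out-Null
        }
    }
    'Restore' {
        foreach ($b in (Import-Clixml -Path $BackupFile)) {
            if ($null -eq $b.Original) {   # value did not exist before: remove it again
                Remove-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue
            } else {
                New-ItemProperty -Path $b.Path -Name $b.Name -PropertyType $b.Type -Value $b.Original -Force | Out-Null
            }
        }
        Remove-Item $BackupFile
    }
}
```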

All replies

  • Have you looked at http://technet.microsoft.com/en-us/library/bb632759.aspx yet? And http://support.microsoft.com/kb/977203


    Step by Step ConfigMgr 2007 Guides | Step by Step ConfigMgr 2012 Guides | I'm on Twitter > ncbrady

    Thursday, July 26, 2012 11:32 AM
  • Hi Niall

    Thanks for your reply. I forgot to mention this under the "things done" section in my post. We had already deployed the KB977203 patch on the site server and ran CCMCertFix.exe on the site server, which showed the output below:

    Processing certificate "SMS SMP Encryption Certificate"...Processing certificate "SMS Encryption Certificate "...Processing certificate "SMS Signing Certificate"...
    Summary: 1 out of 3 certificates fixed.

    We have also removed the trusted root key from the client and reinstalled the client, explicitly specifying SMSPublicRootKey.

    Apart from this, the AD schema is already extended for Configuration Manager 2007 and it is published in Active Directory Domain Services.

    There is still no value under the registry key "SignedSerializedSMPKey" on the server hosting the SMP role.

    Any other suggestions to resolve this issue?


    Cheers Navdeep Sidhu

    Thursday, July 26, 2012 1:00 PM
  • Note that 977203 is *not* a server side hotfix as the problem is a client issue. To get the actual client hotfix, you must first install the 977203 MSI on the site server though. This will extract the two client fixes depending upon whether the client has been installed or not.

    Similarly, CCMCertFix is not meant for the site server. It is to be run on previously installed clients to fix their "malformed" certificates which is the root of the problem.

    To prevent clients from creating "malformed" certs, you must install them with the 977203 MSP and PATCH public property.

    Both of the above are described in detail in the KB.


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Thursday, July 26, 2012 1:17 PM
  • Hi Jason

    Thanks for your reply. I got your point. I ran CCMCertFix.exe on the client as well and got the output below:

    Processing certificate "SMS Signing Certificate"...Processing certificate "SMS Encryption Certificate"...
    Summary: 0 out of 2 certificates fixed.

    As per the details in the KB, the KB977203 patch must be deployed on clients to prevent them from creating malformed certificates; however, if the client is already installed, you need to run CCMCertFix to fix the certificate issue, which I ran and got the output above.

    I ran the TS again but got the errors below in smsts.log:

    SMP request to "Lab-SCCM-Server.com" failed with error: E_SMPERROR_ENCRYPTKEY_EMPTY (103) OSDSMPClient 7/25/2012 7:44:13 PM 3396 (0x0D44)
    ClientKeyRequestToSMP failed (0x80004005). OSDSMPClient 7/25/2012 7:44:13 PM 3396 (0x0D44)
    ClientRequestToSMP::DoRequest failed. error = (0x80004005). OSDSMPClient 7/25/2012 7:44:13 PM 3396 (0x0D44)
    Request to SMP 'Lab-SCCM-Server.com' failed with error (Code 0x80004005). Trying next SMP. OSDSMPClient 7/25/2012 7:44:13 PM 3396 (0x0D44)

    Failed to find an SMP that can serve request after trying 4 attempts. OSDSMPClient 7/27/2012 11:18:25 AM 6068 (0x17B4)
    ExecuteCaptureRequestSMP failed (0x80004005). OSDSMPClient 7/27/2012 11:18:25 AM 6068 (0x17B4)
    ExecuteCaptureRequest failed (0x80004005). OSDSMPClient 7/27/2012 11:18:25 AM 6068 (0x17B4)
    OSDSMPClient finished: 0x00004005 OSDSMPClient 7/27/2012 11:18:25 AM 6068 (0x17B4)
    Process completed with exit code 16389 TSManager 7/27/2012 11:18:25 AM 772 (0x0304)
    !--------------------------------------------------------------------------------------------! TSManager 7/27/2012 11:18:25 AM 772 (0x0304)
    Failed to run the action: Request User State Storage.
    Unknown error (Error: 00004005; Source: Unknown) TSManager 7/27/2012 11:18:25 AM 772 (0x0304)

    Another question popping into my mind: the "SignedSerializedSMPKey" registry key at the site server still does not have any value. Is this creating an issue?

    Kindly suggest a further course of action and help us fix this never-ending issue.


    Cheers Navdeep Sidhu

    Friday, July 27, 2012 6:45 AM
  • In addition to my latest post, I'm not getting the error below in the Ccmexec.log file, as mentioned in KB article http://support.microsoft.com/kb/977203 under the SYMPTOMS section:


    Failed to import the client certificate store (0x80092024) OSDSMPClient

    Any suggestions, guys?


    Cheers Navdeep Sidhu

    Friday, July 27, 2012 6:50 AM
  • You must run ccmcertfix with elevated permissions because the certificates it fixes are not writeable by normal users.

    Based on the output above, it saw the certificates, but could not update them because you do not have permissions to do so with the account you are using. This could be because you simply are not using an account with enough permissions or because of UAC.


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Friday, July 27, 2012 2:41 PM
  • Hi Jason

    I did run CCMCertFix with an administrator account only; however, I'll check the UAC setting on the client and will let you know.

    I really appreciate your support and am seeking your help to resolve this issue.


    Cheers Navdeep Sidhu

    Saturday, July 28, 2012 10:56 AM
  • Hi Jason

    I've checked the UAC setting on the client and it was set to "never notify". I'm trying this on another fresh client to isolate the issue. Any other suggestions, please?


    Cheers Navdeep Sidhu

    Monday, July 30, 2012 5:47 AM
  • Did you simply try running it from an elevated command-prompt?

    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Monday, July 30, 2012 1:08 PM
  • Hi Jason

    Since I had already deployed KB977203 on the site server, I simply took another client for testing. I installed the client and then ran CCMCertFix.exe on it. The client showed the output below:

    Processing certificate "SMS Signing Certificate"...Processing certificate "SMS Encryption Certificate"...
    Summary: 1 out of 2 certificates fixed.

    However, when I ran the TS on the new client, it showed the same error again in smsts.log, as posted in my earlier posts.

    Then I read your post. I copied the hotfix from my site server at the path below and manually installed it on the client:

    <ConfigMgr_2007_Install_Directory>\Client\i386\hotfix\KB977203

    Now please suggest whether, after installing this hotfix on the client, I need to reinstall the client, simply run CCMCertFix.exe on the client, or run the TS on the client.

    Thanks in advance


    Cheers Navdeep Sidhu

    Monday, July 30, 2012 1:45 PM
  • Hi Jason

    Can you help explain the process of detaching the primary site from the central site and then re-attaching it to the central site?

    I think this should resolve this problem.

    What precautions need to be taken while doing this?


    Cheers Navdeep Sidhu

    Tuesday, July 31, 2012 7:12 AM
  • Why do you think that?

    If this is truly the certificate issue, then it is a client side issue and has *nothing* to do with your site servers.


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Tuesday, July 31, 2012 2:54 PM
  • OK, if it's a client-side certificate issue, then what other things do I need to do to resolve this long-pending issue?

    As mentioned in my previous post, I installed KB977203 on the client but am still facing the same issue.

    Kindly suggest.


    Cheers Navdeep Sidhu

    Wednesday, August 1, 2012 4:39 AM
  • As mentioned, installing 977203 on the client does not fix the issue, it only prevents it if the client hasn't created its certificates yet.

    Let's take a step back and re-examine the symptoms reported though.

    Are your sites in native mode?


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Wednesday, August 1, 2012 2:30 PM
  • Hi Jason

    Thanks for showing interest in assisting me. The sites are running in mixed mode and SCCM 2007 R2 is installed along with USMT 4.0.

    I would really appreciate your support. Let me know if I need to post any logs for more information.


    Cheers Navdeep Sidhu

    Thursday, August 2, 2012 6:22 AM
  • Hi Guys

    Does anybody have any suggestions to resolve this issue?


    Cheers | Navdeep Sidhu

    Wednesday, August 8, 2012 7:55 AM
  • It's probably time to call CSS as this does not seem to be a common issue and may be part of something in your environment, a configuration issue, or even a bug.

    Jason | http://blog.configmgrftw.com

    Thursday, August 9, 2012 11:33 PM