HTTP failing when enabling "Use PKI client certificate" on site with HTTPS or HTTP communication

  • Question

  • We're in the testing phase for transitioning to HTTPS on our site. Currently our whole site is configured for HTTP, but we configured one server as an MP and DP using HTTPS for both internet and intranet traffic (currently we are only working on intranet traffic).

    When we enable the option "Use PKI client certificate when available", it appears that all of the workstations in our environment lose the ability to communicate with any MPs. This is what the CcmMessaging logs look like for clients that DO NOT have a Client Authentication certificate:

    Failed in WinHttpReceiveResponse API, ErrorCode = 0x2efe	CcmMessaging	4/7/2020 12:33:29 PM	38784 (0x9780)
    [CCMHTTP] ERROR: URL=http://Server.FQDN/ccm_system/request, Port=80, Options=448, Code=12030, Text=ERROR_WINHTTP_CONNECTION_ERROR	CcmMessaging	4/7/2020 12:33:29 PM	38784 (0x9780)
    [CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText=CcmMessaging	4/7/2020 12:33:29 PM	38784 (0x9780)
    Raising event:instance of CCM_CcmHttp_Status{	ClientID = "GUID:BAFA0878-08D9-4738-A768-CEF471C96BBE";	DateTime = "20200407163329.708000+000";	HostName = "Server.FQDN";	HRESULT = "0x80072efe";	ProcessID = 12276;	StatusCode = 0;	ThreadID = 38784;};	CcmMessaging	4/7/2020 12:33:29 PM	38784 (0x9780)
    Successfully queued event on HTTP/HTTPS failure for server 'Server.FQDN'.	CcmMessaging	4/7/2020 12:33:29 PM	38784 (0x9780)
    Post to http://Server.FQDN/ccm_system/request failed with 0x87d00231.	CcmMessaging	4/7/2020 12:33:29 PM	38784 (0x9780)

    I have two test workstations configured with Client Authentication certificates. When I restart the ccmexec service, I can see that the SCCM client selects the correct PKI certificate (chained to our Root CA), but the clients fail to register:

    RegTask: Failed to send registration request message. Error: 0x87d00231
    RegTask: Failed to send registration request. Error: 0x87d00231

    If we disable the "Use PKI client certificate when available" all clients are able to communicate, but it appears our test workstations default to using a self-signed certificate.

    Some additional information:

    • I've verified that MPControl.log shows all MPs are in a good state. We have 2 HTTP MPs (plus the 3rd one we are trying to configure for HTTPS).
    • Our PKI is in good working order. We are a large organization and we issue certificates for all our servers, we've just never had a reason for issuing workstation certificates up to this point. For the sake of testing, we are not doing CRL checks in SCCM yet.
    • I've bound certificates for https on all our MPs; the certs we issue to all servers are all for both Client and Server Authentication

    It's my understanding that when we enable the option to use PKI certificates, our HTTP management points should still allow traffic because most devices don't have a certificate, and those that do will just ignore it. I've also had someone tell me that the HTTPS MP will be "preferred" by clients with certs but I'm not seeing that as the case either.

    (I know the errors we are seeing are "Transient network errors" but the fact that communication works with the PKI option disabled tells me that this is certificate/authentication related and not a network issue.)

    I think I've read just about every technet article, blog, technet post, and reddit comment related to SCCM PKI/HTTPS and I haven't had any luck figuring this out. Any insight would be appreciated.

    Tuesday, April 7, 2020 7:12 PM

All replies

  • Before enabling clients to use a PKI cert, you need to have HTTPS client-facing site roles functionality as clients will then only choose their PKI cert for communication and thus fail.

    I've bound certificates for https on all our MPs

    Binding certificates is not enough to make a site system HTTPS, it must also be enabled as such in ConfigMgr so that the clients know to use HTTPS when communicating.

    the certs we issue to all servers are all for both Client and Server Authentication

    Assuming you mean you are issuing a single cert with both server and client auth uses enabled, then this is generally considered a terrible practice. Don't do this. Use separate client and server auth certs.

    I've also had someone tell me that the HTTPS MP will be "preferred" by clients with certs but I'm not seeing that as the case either.

    This is correct but based on what you've said above, your MPs aren't actually configured for HTTPS (yet).

    What I think is going on here is that the clients are trying to use the client auth cert but because the MP is not fully configured for this, it's failing. You need to disable the use of the cert until you have at least one accessible MP fully configured for HTTPS.

    What's the goal of enabling HTTPS at this point?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, April 7, 2020 8:27 PM
  • Hi, 

    The flexible configuration options in Configuration Manager let you gradually transition clients and the site to use PKI certificates to help secure client endpoints. PKI certificates provide better security and enable you to manage internet clients.
    Because of the number of configuration options and choices in Configuration Manager, there's no single way to transition a site so that all clients use HTTPS connections. However, you can follow these steps as guidance:
    https://docs.microsoft.com/en-us/configmgr/core/plan-design/security/plan-for-security#BKMK_PlanningForPKITransition


    Please don't forget to configure the Client connections option in the management point properties for HTTPS.


    Best regards,
    Larry

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 8, 2020 8:44 AM
  • Currently our goal is to get our two test clients with certs successfully talking to our one HTTPS MP.

    This is what we've configured for our test HTTPS case:

    -Under the Management Point properties of our HTTPS MP, we've selected HTTPS for client communication
    -Under the Distribution Point properties of that same server, we've selected HTTPS for client communication.
    -On the HTTPS MP we've bound a certificate to IIS
    -Under the Site Properties, we chose HTTP or HTTPS client communication
    -Under the Site Properties, we've selected "Use PKI certificates for client authentication".
    -For our two test Client Workstations, we've manually enrolled in Client Auth certs

    I'm not sure what else you mean by HTTPS "must also be enabled as such in ConfigMgr", are there some other steps there that we're missing?

    In the ClientIDManagerStartup.log on the clients, I can see that it finds and selects the correct client cert. However, they do not seem to be preferring the HTTPS MP. They also fail to register with our existing HTTP MPs.

    What we discovered last night, is when the clients do try to use the HTTPS MP, in the CertificateMaintenance.log file we're seeing:

    Looking for cert with SHA1 hash A56E1BD9CD6B631C68CFFC38B3E15CA0EF15395B in cert store My.	CertificateMaintenance	4/7/2020 9:21:17 PM	2056 (0x0808)
    CSP associated with PKI Server Certificate on MP does not support SHA256 signing. MP will use SHA1 signing	CertificateMaintenance	4/7/2020 9:21:17 PM	2056 (0x0808)
    CSP associated with MP Certificate does not support SHA256 signing. Using SHA1 signing	CertificateMaintenance	4/7/2020 9:21:17 PM	2056 (0x0808)

    And then in the DmpDeviceCertAuthModule.log we're seeing

    No client certificate was negotiated. Async: 0	DeviceCertAuthModule	4/8/2020 8:58:03 AM	12104 (0x2F48)
    Failing HTTP request with status code 403.7 with HR 0x0 and reason "Client certificate required"	DeviceCertAuthModule	4/8/2020 8:58:03 AM	12104 (0x2F48)
    

    Based on those recent log files, we're working with our PKI team to revisit the certificate settings.

    • Edited by DZab Wednesday, April 8, 2020 1:32 PM
    Wednesday, April 8, 2020 1:29 PM
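    To make the CcmMessaging and DmpDeviceCertAuthModule excerpts quoted in the question and in the reply above easier to triage, here is an added example (not part of this thread or of ConfigMgr itself) that parses the tab-separated client log format shown, pulls out the error codes, and maps the ones this thread mentions to their meaning. The sample input is four lines copied from the excerpts above; the code-to-meaning table only contains what the log text and posters state.

```python
import re
from typing import Optional

# Field layout of the ConfigMgr client log lines quoted in this thread:
# <message>\t<component>\t<M/D/YYYY h:mm:ss AM|PM>\t<thread> (0xhex)
LINE_RE = re.compile(r"^(?P<msg>.*)\t(?P<component>[^\t]+)\t(?P<stamp>\S+ \S+ [AP]M)"
                     r"\t(?P<thread>\d+) \(0x[0-9A-Fa-f]+\)\s*$")
HEX_RE = re.compile(r"0x[0-9A-Fa-f]{4,8}")                     # HRESULTs / raw Win32 codes
WINHTTP_RE = re.compile(r"Code=(\d+), Text=([A-Z_]+)")          # [CCMHTTP] ERROR lines
HTTP_STATUS_RE = re.compile(r"status code (\d{3}(?:\.\d+)?)")  # IIS sub-status

# Meanings taken from the log text and posts in this thread (0x2efe == 12030).
KNOWN = {
    "0x2efe": "ERROR_WINHTTP_CONNECTION_ERROR (raw WinHTTP 12030)",
    "0x80072efe": "ERROR_WINHTTP_CONNECTION_ERROR as HRESULT",
    "winhttp:12030": "ERROR_WINHTTP_CONNECTION_ERROR",
    "0x87d00231": "client post/registration failed (poster calls it 'transient network error')",
    "403.7": "IIS rejected request: client certificate required",
}

def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields and pull out every error code; None if not a log line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    msg = m.group("msg")
    codes = [c.lower() for c in HEX_RE.findall(msg)]
    codes += [f"winhttp:{n}" for n, _ in WINHTTP_RE.findall(msg)]
    codes += HTTP_STATUS_RE.findall(msg)
    return {"component": m.group("component"), "stamp": m.group("stamp"),
            "thread": int(m.group("thread")), "message": msg, "codes": codes}

def triage(lines) -> dict:
    """Count parsed entries per component and map each code seen to its known meaning."""
    entries = [e for e in map(parse_line, lines) if e]
    by_component, findings = {}, {}
    for e in entries:
        by_component[e["component"]] = by_component.get(e["component"], 0) + 1
        for c in e["codes"]:
            findings[c] = KNOWN.get(c, "unrecognised code")
    return {"entries": len(entries), "by_component": by_component, "findings": findings}

# Sample input: four lines copied from the excerpts in this thread, tab-separated as in the original.
SAMPLE = [
    "Failed in WinHttpReceiveResponse API, ErrorCode = 0x2efe\tCcmMessaging\t4/7/2020 12:33:29 PM\t38784 (0x9780)",
    "[CCMHTTP] ERROR: URL=http://Server.FQDN/ccm_system/request, Port=80, Options=448, Code=12030, "
    "Text=ERROR_WINHTTP_CONNECTION_ERROR\tCcmMessaging\t4/7/2020 12:33:29 PM\t38784 (0x9780)",
    "Post to http://Server.FQDN/ccm_system/request failed with 0x87d00231.\tCcmMessaging\t4/7/2020 12:33:29 PM\t38784 (0x9780)",
    'Failing HTTP request with status code 403.7 with HR 0x0 and reason "Client certificate required"'
    "\tDeviceCertAuthModule\t4/8/2020 8:58:03 AM\t12104 (0x2F48)",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

    A 403.7 from DeviceCertAuthModule alongside 0x87d00231 on the client side points at the TLS client-certificate negotiation rather than the network, which matches the poster's reading of the logs.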
  • Hi, 

    The mpcontrol.log records the status of your Management Point, and you can use it to verify that the Management Point is up and running and whether it can communicate normally in HTTPS mode and whether it has successfully performed the management point availability checks.
    For more details, see:
    How can I configure System Center Configuration Manager in HTTPS mode

    Best regards,
    Larry

    Thursday, April 9, 2020 9:08 AM
  • Thanks for the response Larry but we've read all of the Microsoft documentation and everything is configured according to that.

    We opened a support case with Microsoft yesterday, they confirmed that everything is set up correctly. We're working with them on reviewing everything, if we figured out what the issue is I'll update this post with the answer.

    Thursday, April 9, 2020 12:54 PM
  • Hi, 

    It looks like you have configured your server to require a client authentication certificate, but you have not installed a valid client certificate, or you may also need to check whether there is a problem with the network connection between the client and the server.
    Thank you very much for your feedback. If there is any other assistance we can provide, please feel free to let us know, we will do our best to help you.

    Have a nice day!


    Best regards,
    Larry

    Friday, April 10, 2020 2:28 AM
  • After finally getting to Microsoft Tier 3 support on this issue, it was determined that our problem was the fact that we had hundreds of "SMS Issuing" certificates listed in our site.

    Apparently, when enabling "Use PKI Certificates" SCCM will only check up to 24 issuing certs before it times out. If you have more than this then you will get the error we received.

    We had to run a SQL command to delete the hundreds of extra ones we had and we are now finally working.

    • Marked as answer by DZab Tuesday, August 11, 2020 4:00 PM
    Tuesday, August 11, 2020 4:00 PM
  • Is there a reason or working theory on how you had hundreds of these? Each site should only have one but it does get renewed every year.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Tuesday, August 11, 2020 4:24 PM
  • The technician I was working with thought that the certificates were created because we have our site configured to automatically approve all computers. He said that this setting could generate these certificates if a new client tried to authenticate with a certificate that was chained to a root/intermediate cert that SCCM didn't know about. SCCM would supposedly import these certs as "SMS Issuing" certs.

    There are a couple problems with this theory:

    1. All of the extraneous certs were created in a two day window last November. 
    2. We only had about 50 clients in the site when they were created.

    We were also in the final stages of getting this new SCCM site configured at that time. So it's hard to determine what specific changes were made because it was still non-prod.

    I'll follow up if I'm able to determine a more concrete cause.

    Tuesday, August 11, 2020 6:02 PM