Standalone WORKGROUP Clients can't locate MP and don't register in the SCCM Site

  • Question

  • We have installed an SCCM client on a standalone (WORKGROUP) Windows Server 2012 R2 machine, but it's not showing up in the console. After some initial troubleshooting we found that the client is unable to locate its MP and that the MP's IIS is returning HTTP Status Code 401.2.5.

    The client is able to retrieve the list of MPs from http://mp.mydomain.com/sms_mp/.sms_aut?mplist and its corresponding certificate from http://mp.mydomain.com/sms_mp/.sms_aut?mpcert.

    We are already managing clients that are in untrusted domains and these don't have this issue. I'm totally clueless about what the issue might be. Could it be the standalone machine's configuration?

    As a workaround we have temporarily set the Web Site under which the MP is running to allow anonymous access, but this is not a solution for us.

    Below are extracts from the log files:

    Client
    
    LocationServices.log
    
    <![LOG[Raising event:
    
    instance of CCM_CcmHttp_Status
    {
    	DateTime = "20170112101857.872000+000";
    	HostName = "Mp.mydomain.com";
    	HRESULT = "0x87d0027e";
    	ProcessID = 3500;
    	StatusCode = 401;
    	ThreadID = 3772;
    };
    ]LOG]!><time="11:18:57.872-60" date="01-12-2017" component="LocationServices" context="" type="1" thread="3772" file="event.cpp:715">
    <![LOG[Failed to submit event to the Status Agent. Attempting to create pending event.]LOG]!><time="11:18:57.887-60" date="01-12-2017" component="LocationServices" context="" type="2" thread="3772" file="event.cpp:737">
    <![LOG[Raising pending event:
    
    instance of CCM_CcmHttp_Status
    {
    	DateTime = "20170112101857.872000+000";
    	HostName = "Mp.mydomain.com";
    	HRESULT = "0x87d0027e";
    	ProcessID = 3500;
    	StatusCode = 401;
    	ThreadID = 3772;
    };
    ]LOG]!><time="11:18:57.887-60" date="01-12-2017" component="LocationServices" context="" type="1" thread="3772" file="event.cpp:770">
    <![LOG[Failed to send location services HTTP failure message.]LOG]!><time="11:18:57.887-60" date="01-12-2017" component="LocationServices" context="" type="2" thread="3772" file="ccmhttperror.cpp:394">
    <![LOG[Error sending HEAD request. HTTP code 401, status 'Unauthorized']LOG]!><time="11:18:57.887-60" date="01-12-2017" component="LocationServices" context="" type="3" thread="3772" file="util.cpp:2690">
    <![LOG[Workgroup client is in Unknown location]LOG]!><time="11:18:57.887-60" date="01-12-2017" component="LocationServices" context="" type="1" thread="3772" file="lsad.cpp:1122">
    <![LOG[[CCMHTTP] ERROR: URL=http://Mp.mydomain.com, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!><time="11:18:57.918-60" date="01-12-2017" component="LocationServices" context="" type="1" thread="3772" file="ccmhttperror.cpp:297">
    
    
    
    ClientLocation.log
    
    <![LOG[[CCMHTTP] ERROR: URL=http://Mp.mydomain.com, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE]LOG]!><time="11:23:59.232-60" date="01-12-2017" component="ClientLocation" context="" type="1" thread="5996" file="ccmhttperror.cpp:297">
    <![LOG[Raising event:
    
    instance of CCM_CcmHttp_Status
    {
    	DateTime = "20170112102359.247000+000";
    	HostName = "Mp.mydomain.com";
    	HRESULT = "0x87d0027e";
    	ProcessID = 4780;
    	StatusCode = 401;
    	ThreadID = 5996;
    };
    ]LOG]!><time="11:23:59.247-60" date="01-12-2017" component="ClientLocation" context="" type="1" thread="5996" file="event.cpp:715">
    <![LOG[Failed to submit event to the Status Agent. Attempting to create pending event.]LOG]!><time="11:23:59.247-60" date="01-12-2017" component="ClientLocation" context="" type="2" thread="5996" file="event.cpp:737">
    <![LOG[Raising pending event:
    
    instance of CCM_CcmHttp_Status
    {
    	DateTime = "20170112102359.247000+000";
    	HostName = "Mp.mydomain.com";
    	HRESULT = "0x87d0027e";
    	ProcessID = 4780;
    	StatusCode = 401;
    	ThreadID = 5996;
    };
    ]LOG]!><time="11:23:59.247-60" date="01-12-2017" component="ClientLocation" context="" type="1" thread="5996" file="event.cpp:770">
    <![LOG[Failed to CoCreate CcmMessaging]LOG]!><time="11:23:59.247-60" date="01-12-2017" component="ClientLocation" context="" type="3" thread="5996" file="ccmhttperror.cpp:344">
    <![LOG[Error sending HEAD request. HTTP code 401, status 'Unauthorized']LOG]!><time="11:23:59.247-60" date="01-12-2017" component="ClientLocation" context="" type="3" thread="5996" file="util.cpp:2690">
    <![LOG[Workgroup client is in Unknown location]LOG]!><time="11:23:59.247-60" date="01-12-2017" component="ClientLocation" context="" type="1" thread="5996" file="lsad.cpp:1122">
    
    
    
    CertificateMaintenance.log
    
    <![LOG[MP mp.mydomain.com does not allow client connections matching the client connection type]LOG]!><time="23:27:46.225-60" date="01-11-2017" component="CertificateMaintenance" context="" type="3" thread="3652" file="hookimpl.cpp:202">
    
    
    
    ClientIDManagerStartup.log
    
    <![LOG[[RegTask] - Executing registration task synchronously.]LOG]!><time="11:25:27.029-60" date="01-12-2017" component="ClientIDManagerStartup" context="" type="1" thread="2736" file="regtask.cpp:891">
    <![LOG[Read SMBIOS (encoded): 56004D0077006100720065002D00340032002000320033002000380036002000340039002000340030002000370062002000330064002000640031002D0036003700200039003900200062006300200065006200200065003400200033006200200034003600200033003800]LOG]!><time="11:25:27.044-60" date="01-12-2017" component="ClientIDManagerStartup" context="" type="1" thread="2736" file="smbiosident.cpp:118">
    <![LOG[Evaluated SMBIOS (encoded): 56004D0077006100720065002D00340032002000320033002000380036002000340039002000340030002000370062002000330064002000640031002D0036003700200039003900200062006300200065006200200065003400200033006200200034003600200033003800]LOG]!><time="11:25:27.044-60" date="01-12-2017" component="ClientIDManagerStartup" context="" type="1" thread="2736" file="smbiosident.cpp:184">
    <![LOG[No SMBIOS Changed]LOG]!><time="11:25:27.044-60" date="01-12-2017" component="ClientIDManagerStartup" context="" type="1" thread="2736" file="smbiosident.cpp:65">
    <![LOG[SMBIOS unchanged]LOG]!><time="11:25:27.044-60" date="01-12-2017" component="ClientIDManagerStartup" context="" type="1" thread="2736" file="ccmid.cpp:671">
    <![LOG[SID unchanged]LOG]!><time="11:25:27.044-60" date="01-12-2017" component="ClientIDManagerStartup" context="" type="1" thread="2736" file="ccmid.cpp:688">
    <![LOG[HWID unchanged]LOG]!><time="11:25:29.107-60" date="01-12-2017" component="ClientIDManagerStartup" context="" type="1" thread="2736" file="ccmid.cpp:705">
    <![LOG[RegTask: Failed to refresh site code. Error: 0x8000ffff]LOG]!><time="11:25:30.919-60" date="01-12-2017" component="ClientIDManagerStartup" context="" type="2" thread="2736" file="regtask.cpp:218">
    <![LOG[Sleeping for 297 seconds before refreshing location services.]LOG]!><time="11:25:32.919-60" date="01-12-2017" component="ClientIDManagerStartup" context="" type="1" thread="2736" file="regtask.cpp:196">
    
    
    
    
    Management Point
    
    IIS
    
    2017-01-12 10:39:45 x.x.x.x HEAD / - 80 - x.x.x.x SMS+CCM+5.0 - 401 2 5 216 0
    2017-01-12 10:39:45 x.x.x.x HEAD / - 80 - x.x.x.x SMS+CCM+5.0 - 401 2 5 216 15
    2017-01-12 10:39:45 x.x.x.x HEAD / - 80 - x.x.x.x SMS+CCM+5.0 - 401 2 5 216 15
    2017-01-12 10:39:45 x.x.x.x HEAD / - 80 - x.x.x.x SMS+CCM+5.0 - 401 2 5 216 15
    

    • Edited by ke_pie Thursday, January 12, 2017 11:16 AM Added log extracts
    Thursday, January 12, 2017 11:10 AM

All replies

  • Based on the messages above, I suspect the issue is related to the client being identified in an Unknown location. Not positive though.

    Is mp.mydomain.com configured for Intranet, Internet, or Intranet and Internet connection?

    Have you validated that your Network Access Account is set up correctly?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thursday, January 12, 2017 4:09 PM
    Moderator
  • If I check the Configuration Manager applet from the Control Panel I see that its connection type is "Currently Internet". This should normally become "Always Intranet" after registration and manual approval I think.

    I have also verified that there is a correct boundary specified, and there is an IP Address Range Boundary that covers the client machine.

    The NAA is set up correctly and it works for the other machines that are part of an untrusted domain. Does the NAA get published before the client is registered and approved in the Site?

    This issue is really boggling my mind... :p

    Thursday, January 12, 2017 4:29 PM
  • What about the MP's configuration I asked about above?

    Boundaries and boundary groups have nothing to do with client location in respect to a client being classified as Intranet or Internet.

    Has the resource already been approved in the console?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thursday, January 12, 2017 5:05 PM
    Moderator
  • I'm sorry, I have misread your reply. The MP is configured for Intranet only.


    The problem is that the resource doesn't appear in the console. I think something is going wrong during the assignment to the first MP and the registration to the site afterwards.

    We installed the client using the following command line:

    ccmsetup.exe /Source:<path> SMSSITECODE=S01 SMSMP=mp.mydomain.com 
    • Edited by ke_pie Thursday, January 12, 2017 8:34 PM
    Thursday, January 12, 2017 8:32 PM
  • Hi,

    The error 0x87d0027e means bad HTTP status code.

    You used HTTP, so please check that port 80 is not blocked and whether there is a DNS issue, like DNS resolution.

    You could try using the following command to install the client.

          CCMSETUP.exe /source:   SMSMP=<.com>   DNSSUFFIX=<.com>
    For details, you could have a look at this article: https://technet.microsoft.com/en-us/library/gg682055.aspx 

        And this article about MP assignment with DNS : https://technet.microsoft.com/en-us/library/gg712701.aspx#BKMK_Plan_Service_Location

    Best Regards,

    Ray

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 16, 2017 8:02 AM
  • Hi,

    Thanks for your reply :)

    I have verified the network connectivity over port TCP 80, and it is not being blocked. I'm also able to resolve the Management Point from DNS.

    Is DNS Publishing really required? Isn't the SLP sufficient?

    We currently don't use DNS Publishing. We have machines in untrusted domains (without AD Publishing) as well and these have no issues detecting their Management Point.
    • Edited by ke_pie Monday, January 16, 2017 2:05 PM Added information
    Monday, January 16, 2017 10:15 AM
  • The problem shown in the above logs isn't really about service location, it's about the client trying to query the MP. Without seeing more of the log, it's unclear what stage it is at and so it's unclear what it's querying the MP for, but it looks like it's trying to get the mplist. This communication with the MP is failing, so any discussion of whether to use an SLP or DNS publishing is moot at this point. The MP is simply not replying with the requested info.

    Also, there is no SLP anymore as a discrete role, and no, DNS publishing is not required either, but neither is the source of the issue in the logs above.

    I could potentially see this as a DNS issue though, in that maybe the client, being in a workgroup, is resolving the name given in the logs to another IP address, or maybe there is some network filtering getting in the way.

    Is this workgroup client on the internal network and not separated by anything; i.e., is it sitting right next to other managed systems?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, January 16, 2017 4:13 PM
    Moderator
  • The workgroup client is separated from the Management Point through several firewalls and it's configured with a dual NIC configuration. One for business traffic and the other for management traffic. The SCCM traffic is going through the Management NIC.

    Static persistent routes have been added towards the Management Point and it is pingable from the workgroup client and the workgroup client is able to connect on port TCP 80 to the Management Point.

    I will ask someone from the network team to assist me on this.

    Do you have any hunch as to what might be causing issues on network level?

    Tuesday, January 17, 2017 2:30 PM
  • Is the traffic being proxied or filtered in any way?

    From the logs above, the MP simply does not like the connection.

    Can you move the client onto the same network as the MP or other working clients for testing?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, January 17, 2017 9:28 PM
    Moderator
  • Hello again! The last weeks have been really hectic here and I wasn't able to work on this matter.

    I now have some more time and I have checked with a network engineer whether there was proxying and/or filtering in the way and we found nothing. The traffic is passing through firewalls and is allowed.

    I am now busy requesting a network trace capture and will analyze it once I get it. I will update this thread once I've done it.

    Thanks already for all your help, I really appreciate it!

    Tuesday, February 7, 2017 2:25 PM
  • I've received the results of the network trace and analyzed them but I couldn't find anything wrong there.

    I did find an article written by someone who was also facing this issue, https://thedesktopteam.com/raphael/sccm-2012-web-redirect-is-evil/.

    Granted, his issue is a bit different, but he encountered the same symptoms and he found out something interesting: "Speaking with MS, i asked why this request to the root / as this request doesn’t seem to be necessary and only cause extra network traffic (small, but extra…). From the reply I’ve got, this behaviour was implemented on SP1 or R2 for specific workgroup scenarios to detect if the client is internet or intranet."

    So apparently it's an extra check specifically for WORKGROUP machines to detect whether it's Intranet based or Internet based. Since our IIS MP is configured with only Windows Authentication at its root, it returns HTTP Status Code 401.2.15 and the Client probably thinks it's Internet based. Because of this, you see the errors in the CertificateMaintenance.log: "MP mp.mydomain.com does not allow client connections matching the client connection type".

    This could also explain that when we temporarily allow Anonymous Authentication on the IIS MP root, it has no issues whatsoever...

    Is there perhaps a method to disable this check or to trick the client that it is in fact Intranet based?

    Thursday, February 9, 2017 2:59 PM
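
An added example, not part of the original thread: one way to confirm from the logs that the requests being rejected are the client's HEAD / probe of the site root, before deciding whether to change authentication there. The IIS column names are an assumption (the thread does not show the #Fields header), and both samples are constructed in the shape of the extracts quoted above.

```python
import re
from collections import Counter

# Column order inferred from the IIS extract in the thread; the names are an
# assumption, since the thread does not show the log's #Fields header.
FIELDS = ("date time s_ip method uri_stem uri_query s_port username c_ip "
          "user_agent referer status substatus win32_status").split()

# Constructed sample lines (addresses are made up), same shape as the extract.
SAMPLE_IIS = """\
2017-01-12 10:39:45 10.0.0.10 HEAD / - 80 - 10.0.9.20 SMS+CCM+5.0 - 401 2 5 216 0
2017-01-12 10:39:45 10.0.0.10 HEAD / - 80 - 10.0.9.20 SMS+CCM+5.0 - 401 2 5 216 15
2017-01-12 10:39:46 10.0.0.10 GET /sms_mp/.sms_aut mplist 80 - 10.0.9.20 SMS+CCM+5.0 - 200 0 0 512 15
2017-01-12 10:40:02 10.0.0.10 HEAD / - 80 - 10.0.7.31 SMS+CCM+5.0 - 200 0 0 216 0
"""

# Constructed client log in the CMTrace layout quoted in the thread.
SAMPLE_CLIENT = (
    '<![LOG[Error sending HEAD request. HTTP code 401, status \'Unauthorized\']LOG]!>'
    '<time="11:18:57.887-60" date="01-12-2017" component="LocationServices" '
    'context="" type="3" thread="3772" file="util.cpp:2690">\n'
    '<![LOG[Workgroup client is in Unknown location]LOG]!>'
    '<time="11:18:57.887-60" date="01-12-2017" component="LocationServices" '
    'context="" type="1" thread="3772" file="lsad.cpp:1122">\n'
)

CMTRACE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="[^"]*" date="[^"]*" '
                     r'component="(?P<component>[^"]*)" context="[^"]*" type="(?P<type>\d)"',
                     re.S)

def parse_iis(text):
    """Split W3C log lines into dicts, skipping '#' directive lines."""
    rows = (l.split() for l in text.splitlines() if l and not l.startswith("#"))
    return [dict(zip(FIELDS, r)) for r in rows if len(r) >= len(FIELDS)]

def rejected_root_probes(rows):
    """Count, per client IP, the CCM HEAD / probes answered with 401.2."""
    return Counter(r["c_ip"] for r in rows
                   if r["method"] == "HEAD" and r["uri_stem"] == "/"
                   and r["user_agent"].startswith("SMS+CCM")
                   and (r["status"], r["substatus"]) == ("401", "2"))

def client_errors(text):
    """Return (component, message) for CMTrace entries of type 3 (error)."""
    return [(m["component"], m["msg"]) for m in CMTRACE.finditer(text)
            if m["type"] == "3"]
```

A client IP that shows up in rejected_root_probes while its own log reports the HEAD 401 error matches the pattern described in this thread; requests to /sms_mp/ from the same client that succeed indicate that only the root probe is being refused.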
  • Hello

    Check this

    Https://technet.microsoft.com/en-us/library/bb680962.aspx

    And be sure that



    YOU LOG IN WITH A LOCAL ADMIN ACCOUNT WHEN YOU INSTALL THE CLIENT on the server

    FIREWALL IS CONFIGURED TO COMMUNICATE WITH SCCM CONSOLE (manually configure, check file and printing sharing and WMI)

    YOU CHECK NETWORK CONNECTIVITY: you need to be sure that from client to server ping x.x.x.x (server) responds and from server to client ping x.x.x.x (client) responds

    And for me this works very well, just change the appropriate values

    CCMSetup.exe  SMSSITECODE=ABC      DNSSUFFIX=constoso.com

    regards

    Saturday, February 11, 2017 1:22 AM
  • Local admin is irrelevant.

    Communication with the console is also irrelevant.

    Pinging in either or both directions is not required at all.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Saturday, February 11, 2017 9:43 PM
    Moderator
  • Hi!

    I tried to install the SCCM client in a WORKGROUP.

    I got this error:

    MP XXX does not allow client connections matching the client connection type CertificateMaintenance 23.08.2019 16:34:21 2876 (0x0B3C)
    RegTask: Failed to refresh site code. Error: 0x8000ffff ClientIDManagerStartup 23.08.2019 16:34:21 2876 (0x0B3C)

    Failed to send site information Location Request Message to FQDN_MP LocationServices 23.08.2019 16:34:21 2876 (0x0B3C)
    LSIsSiteCompatible : Failed to get Site Version from all directories LocationServices 23.08.2019 16:34:21 2876 (0x0B3C)

    After reading this post, I understand:

    SCCM config management point. Allow INTERNET.

    After this I had a good day.

    I used:

    https://itpro.outsidesys.com/2017/12/20/sccm-certificates-for-windows-workgroup-clients/

    Install cmd line:

    CCMSetup.exe /UsePKICert /NoCRLCheck /Retry:1 /MP:https://FQDN_SCCM_ADDRESS CCMCERTSEL="SubjectStr:CETTIFICATE_CN" CCMFIRSTCERT=1 CCMALWAYSINF=1 SMSSITECODE=XXX CCMHOSTNAME=FQDN_SCCM_ADDRESS  SMSMP=FQDN_SCCM_ADDRESS 

    Friday, August 23, 2019 1:52 PM