Configuration Manager Properties under Client Certificate says self-signed when PKI is present in certificate store

  • Question

  • Hi All,

    I am trying to figure out this issue with setting up IBCM in a forest (forest 2) that the SCCM site server (forest 1) is not in. Both forests have their own Root CAs. I have gotten IBCM working in forest 1 (where the SCCM primary site resides) and clients installed and working on the intranet side in forest 2. In forest 2, I have set up the client authentication certificate and distributed it through an autoenrollment GPO, along with setting up another GPO to put the Root Cert (public key) from forest 1 into the trusted root stores of the machines that we want to be internet-based clients. Also, the Root Cert (public key) from forest 2 is put into the internet-only role servers (MP, DP, and SUP) in forest 1.

    The machine autoenrolls the cert and it is now present in the Certificates personal store (local computer account). I then install the client with the following command line:

    ccmsetup.exe /usePKICert /NOCRLCheck /mp:<IntranetFQDNofMP> SMSSITECODE=<3DigitSiteCode> CCMHOSTNAME=<InternetFQDNofMP>

    The client installs just fine, but in the Configuration Manager properties under the General tab the Client certificate says self-signed and connection type says currently intranet. I know it is supposed to say PKI under client certificate, but it says self-signed. The client works when on the domain and talks to the intranet-only role server, but not the internet-only role server when off the domain and on the internet (both intranet and internet role servers are present in forest 1; no role servers are set up in forest 2). Through research I have found that "If a valid certificate cannot be found, the client falls back to using an HTTP connection and a self-signed certificate.", but I used the same method as I did in the other forest and there the cert was found to be valid because it said PKI under client certificate. I began to scour the logs and found in the ClientLocation.log that it continues to search for the intranet-only MP even when just on the internet; this makes sense based on the statement I quoted earlier. The only other place that I found something in the logs was in the ClientIDManagerStartup.log.

    Client is set to use HTTPS when available. The current state is 480. ClientIDManagerStartup 1/23/2013 10:45:59 AM 5828 (0x16C4)
    Begin searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 10:45:59 AM 5828 (0x16C4)
    Certificate Issuer 1 [CN=CAserver; DC=forest1; DC=com] ClientIDManagerStartup 1/23/2013 10:45:59 AM 5828 (0x16C4)
    Finding certificate by issuer chain returned error 80092004 ClientIDManagerStartup 1/23/2013 10:45:59 AM 5828 (0x16C4)
    Completed searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 10:45:59 AM 5828 (0x16C4)
    Unable to find any Certificate based on Certificate Issuers ClientIDManagerStartup 1/23/2013 10:45:59 AM 5828 (0x16C4)
    Raising event:

    instance of CCM_ServiceHost_CertRetrieval_Status
    {
    ClientID = "GUID:742FA911-F321-44C0-A452-7FFCD7498C46";
    DateTime = "20130123184559.949000+000";
    HRESULT = "0x87d00215";
    ProcessID = 5812;
    ThreadID = 5828;
    };
    ClientIDManagerStartup 1/23/2013 10:45:59 AM 5828 (0x16C4)
    Failed to submit event to the Status Agent. Attempting to create pending event. ClientIDManagerStartup 1/23/2013 10:45:59 AM 5828 (0x16C4)
    Raising pending event:

    instance of CCM_ServiceHost_CertRetrieval_Status
    {
    ClientID = "GUID:742FA911-F321-44C0-A452-7FFCD7498C46";
    DateTime = "20130123184559.949000+000";
    HRESULT = "0x87d00215";
    ProcessID = 5812;
    ThreadID = 5828;
    };
    ClientIDManagerStartup 1/23/2013 10:45:59 AM 5828 (0x16C4)
    PKI Client Certificate matching SCCM certificate selection criteria is not available. ClientIDManagerStartup 1/23/2013 10:45:59 AM 5828 (0x16C4)
    Initializing registration renewal for potential PKI issued certificate changes. ClientIDManagerStartup 1/23/2013 10:46:02 AM 5892 (0x1704)
    Succesfully intialized registration renewal. ClientIDManagerStartup 1/23/2013 10:46:02 AM 5892 (0x1704)

    I saw that the certificate issuer was referencing the CA server of forest 1. I tried to fix this by editing the registry entry under HKLM\Software\Microsoft\CCM\Security\CCMCERTISSUERS to have the CA info from forest 2. It would fix it for the moment and then revert to the forest 1 CA info and remove the entry I had made in the registry. I also tried adding this property on to the end of the install command:

    ccmsetup.exe /usePKICert /NOCRLCheck /mp:<IntranetFQDNofMP> SMSSITECODE=<3DigitSiteCode> CCMHOSTNAME=<InternetFQDNofMP> CCMSERTISSUERS="CN=CAserver; DC=forest2; DC=com"

    It would still just revert to the forest 1 info.

    Begin searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Certificate Issuer 1 [CN=CAserver; DC=forest2; DC=com] ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Based on Certificate Issuer 'CAserver' found Certificate [Thumbprint 5B6****8BDA] issued to 'Forest2Worstation' ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Begin validation of Certificate [Thumbprint 5B6****8BDA] issued to 'Forest2Worstation' ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Completed validation of Certificate [Thumbprint 5B6****8BDA] issued to 'Forest2Worstation' ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Completed searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Begin to select client certificate ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Begin validation of Certificate [Thumbprint 5B6****8BDA] issued to 'Forest2Worstation' ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Completed validation of Certificate [Thumbprint 5B6****8BDA] issued to 'Forest2Worstation' ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    >>> Client selected the PKI Certificate [Thumbprint 5B6****8BDA] issued to 'Forest2Worstation' ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Raising event:

    instance of CCM_ServiceHost_CertRetrieval_Status
    {
    ClientID = "GUID:742FA911-F321-44C0-A452-7FFCD7498C46";
    DateTime = "20130123214549.063000+000";
    HRESULT = "0x00000000";
    ProcessID = 5668;
    ThreadID = 5544;
    };
    ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Failed to submit event to the Status Agent. Attempting to create pending event. ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Raising pending event:

    instance of CCM_ServiceHost_CertRetrieval_Status
    {
    ClientID = "GUID:742FA911-F321-44C0-A452-7FFCD7498C46";
    DateTime = "20130123214549.063000+000";
    HRESULT = "0x00000000";
    ProcessID = 5668;
    ThreadID = 5544;
    };
    ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Client PKI cert is available. ClientIDManagerStartup 1/23/2013 1:45:49 PM 5544 (0x15A8)
    Initializing registration renewal for potential PKI issued certificate changes. ClientIDManagerStartup 1/23/2013 1:46:20 PM 2908 (0x0B5C)
    Succesfully intialized registration renewal. ClientIDManagerStartup 1/23/2013 1:46:20 PM 2908 (0x0B5C)
    [RegTask] - Executing registration task synchronously. ClientIDManagerStartup 1/23/2013 1:46:20 PM 2908 (0x0B5C)
    Read SMBIOS (encoded): 4200320053004D0051004D003100 ClientIDManagerStartup 1/23/2013 1:46:20 PM 2908 (0x0B5C)
    Evaluated SMBIOS (encoded): 4200320053004D0051004D003100 ClientIDManagerStartup 1/23/2013 1:46:21 PM 2908 (0x0B5C)
    No SMBIOS Changed ClientIDManagerStartup 1/23/2013 1:46:21 PM 2908 (0x0B5C)
    SMBIOS unchanged ClientIDManagerStartup 1/23/2013 1:46:21 PM 2908 (0x0B5C)
    SID unchanged ClientIDManagerStartup 1/23/2013 1:46:21 PM 2908 (0x0B5C)
    HWID unchanged ClientIDManagerStartup 1/23/2013 1:46:22 PM 2908 (0x0B5C)
    RenewalTask: Executing renewal task. ClientIDManagerStartup 1/23/2013 1:46:24 PM 728 (0x02D8)
    Begin searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 1:46:24 PM 728 (0x02D8)
    Certificate Issuer 1 [CN=CAserver; DC=forest1; DC=com] ClientIDManagerStartup 1/23/2013 1:46:24 PM 728 (0x02D8)
    Finding certificate by issuer chain returned error 80092004 ClientIDManagerStartup 1/23/2013 1:46:24 PM 728 (0x02D8)
    Completed searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 1:46:24 PM 728 (0x02D8)
    Unable to find any Certificate based on Certificate Issuers ClientIDManagerStartup 1/23/2013 1:46:24 PM 728 (0x02D8)
    Raising event:

    instance of CCM_ServiceHost_CertRetrieval_Status
    {
    ClientID = "GUID:742FA911-F321-44C0-A452-7FFCD7498C46";
    DateTime = "20130123214624.663000+000";
    HRESULT = "0x87d00215";
    ProcessID = 5668;
    ThreadID = 728;
    };
    ClientIDManagerStartup 1/23/2013 1:46:24 PM 728 (0x02D8)
    PKI Client Certificate matching SCCM certificate selection criteria is not available. ClientIDManagerStartup 1/23/2013 1:46:24 PM 728 (0x02D8)
    RenewalTask: Certificate has changed, initiating a renewal. ClientIDManagerStartup 1/23/2013 1:46:24 PM 728 (0x02D8)
    Aborting any pending registration. ClientIDManagerStartup 1/23/2013 1:46:24 PM 728 (0x02D8)
    Re-registration/renewal initiated. Restarting the service. ClientIDManagerStartup 1/23/2013 1:46:24 PM 728 (0x02D8)

    These are the results after editing the CCMCERTISSUERS.

    I have come to the conclusion that it has to do with what is being published to AD, but I am not sure what to do about it. Can anyone give me any ideas as to how to look into this further, or does anyone have a solution?

    Wednesday, January 23, 2013 9:52 PM

Answers

  • The issue seems to be resolved, but it was a multi-step process to get the PKI working cross-forest.

    1. I did not realize the root certificates from the CAs in the other forest had to be put into the Configuration Manager site server's properties, under the Client Computer Communication tab's Trusted Root Certification Authorities (first time doing multi-forest and IBCM). Hope that all made sense. Thanks Alex; though this post (http://austrianalex.com/2012/10/system-center-configuration-manager-sccm-2012-client-pki-and-subordinate-ca-woes/) did not resolve my issue, it still helped pop an idea into my head as to why it would replace my manual entry of Cert Issuers, which I was thinking was because something was being published to AD. I was right, but I did not know where to go to fix it.

    2. The root certificates from the CAs in the other forest also had to be put into the Trusted Root Certification Authorities Store of the intranet server it initially talks to so that the chain of trust could be established initially and properly.

    3. The last part came because my client was having issues with their PKI environment. This was found out through the LocationServices.log. Once CRL checking was disabled it started working completely. I know this is not as secure, but they are ok with it.

    Hope this helps someone out there!

    Monday, January 28, 2013 8:50 PM
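An added diagnostic for the issuer-matching step that the ClientIDManagerStartup.log excerpts above show failing with 80092004 (CRYPT_E_NOT_FOUND). It is not from the thread or from Microsoft; it assumes the CCMCERTISSUERS registry value is a "|"-separated list of issuer distinguished names (the ccmsetup property syntax) and is run elevated on the client.

```powershell
# Added example (not from the original thread): read-only check of the ConfigMgr
# client's certificate selection. It reads the issuer list under
# HKLM\Software\Microsoft\CCM\Security\CCMCERTISSUERS, then tests each Client
# Authentication certificate in the Local Computer personal store for (a) a chain
# that builds to a trusted root and (b) a chain subject matching a configured
# issuer. Assumption: the value holds issuer DNs separated by "|".
$regPath = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
$raw = (Get-ItemProperty -Path $regPath -Name CCMCERTISSUERS -ErrorAction SilentlyContinue).CCMCERTISSUERS
if (-not $raw) { Write-Warning 'CCMCERTISSUERS is not set on this client.'; return }

# Normalise a distinguished name so "CN=x; DC=y" and "CN=x, DC=y" compare equal.
function Normalize-DN([string]$dn) {
    (($dn -split '[;,]') | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join ','
}
$issuers = @($raw -split '\|' | ForEach-Object { Normalize-DN $_ })
Write-Host 'Configured certificate issuers:'
$issuers | ForEach-Object { Write-Host "  $_" }

# Candidates: private key present and Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
})
if ($candidates.Count -eq 0) { Write-Warning 'No Client Authentication cert with a private key in LocalMachine\My.'; return }

foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Trust check only here; CRL reachability is a separate failure mode (see LocationServices.log).
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    $chainSubjects = @($chain.ChainElements | ForEach-Object { Normalize-DN $_.Certificate.Subject })
    $matched = @($chainSubjects | Where-Object { $issuers -contains $_ })
    $rootSubject = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject } else { '(none)' }
    Write-Host "`nCertificate $($cert.Thumbprint) issued to '$($cert.Subject)'"
    Write-Host "  Chain builds to trusted root : $built  (top of chain: $rootSubject)"
    if (-not $built) { Write-Host "  Chain status                 : $($chain.ChainStatus.Status -join ', ')" }
    Write-Host "  Issuer in CCMCERTISSUERS     : $($matched.Count -gt 0)"
    if ($matched.Count -eq 0) {
        # This is the situation behind 'Finding certificate by issuer chain returned error 80092004':
        # the cert is present, but no subject in its chain matches the configured issuer list.
        Write-Host '  -> selection criteria not met; the client will fall back to a self-signed certificate.'
    }
}
```

Because CCMCERTISSUERS is repopulated from the site (the behaviour described in the question), a mismatch reported here is fixed at the site server's Trusted Root Certification Authorities list, not in the client registry.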

All replies

  • Are there any MVPs or seasoned vets out there that can help with this?
    Thursday, January 24, 2013 7:09 PM