green_bread


  1. A little update of where I am, right now: I have set the MP/DP back to HTTP or HTTPS communication, which reinstalls the MP/DP. I am able to access http://smsservername/sms_mp/.sms_aut?mplist and http://smsservername/sms_mp/.sms_aut?mpcert, as well as the HTTPS flavors, fine. The client installs fine. The MP is set to use a "self signed" certificate; however, I am still seeing "none" on the General tab of the Config Manager client. I have downloaded the Client Actions Tool, and under the "Client Agent Actions" section there's a utility to "Delete certificates (re-register client)", with which I can watch the certificates delete/reappear in MMC.exe under Certificates->SMS->Certificates. Is there a way to specify the cert being used by SCCM? I'm also seeing "RegTask: Failed to send registration request message. Error: 0x8000000a" under ClientIDManagerStartup.log. Been searching on that error but not finding much helpful info.
  2. Just tried with the exported cert from IIS on the DP and I'm getting the same errors.
  3. Which, we do. I cannot remember why, exactly, I was told that I had to set it up that way (it came from our Security group), but I cannot go back to HTTP client communications as that option is now grayed out. I just exported the cert we are using in IIS and configured the DP to use that one. I'll report back here after testing. Thank you both for your replies, so far! It's much appreciated!
  4. Thanks for the reply! When I look at that setting on my server (Administration->Site Configuration->Servers and Site System Roles... select Primary site, then go to Properties for Distribution point), the DP is actually set to use a self-signed certificate and it doesn't expire until 4/9/2112. I have not changed this setting from when I first set up SCCM. The certificate that expired was the one for the IIS server on the MP... if you go to Server Manager->Roles->Web Server->IIS Manager, then click on your IIS server and go to "Server Certificates" in the IIS section, I had to create a new certificate there. This is the one that is bound to port 443 (we use HTTPS only for client communication) on my "Default Website". I believe this was called the "Web Server Certificate", IIRC. How do you have it set up in your environment? Do you use the same cert for the web server that you use for client communications?
  5. Hello everyone! I have been working on a problem for a few days and I've run out of things that I can think of to try.

     First, a little background: The issue I am currently experiencing is that I can get the SCCM client to install on workstations; however, I cannot get them to pull their policies. This also means they are not installing SCEP, which is what we use for antivirus. This issue started occurring because we weren't paying attention to our certs and had some expire. At first, I couldn't even get the SCCM client to install on workstations. After creating a new cert in IIS for the SCCM server, I've been able to get the client to install, but they will not pull policies.

     The environment is simple... a Standalone Primary that also acts as the MP, SUP, and DP with the site DB located on a different MSSQL server.

     Here are the things that I've noticed/been looking into:

     Locationservices.log: Attempting to retrieve site information from lookup MP(s) via HTTPS CCMVerifyMsgSignature failed. Failed to verify received message 0x80090006 CCMVerify failed with 0x80090006 Failed to verify message. Could not retrieve certificate from MPCERT. MPCERT requests are throttled for 00:04:59 Failed to verify message. Sending MP [SERVER] not in cached MPLIST. MPLIST requests are throttled for 00:59:59 Failed to send site information Location Request Message to [SERVER]

     CertificateMaintenance.log keeps repeating: Failed to verify signature of message received from MP using name '[SERVER.FQDN]'

     Also, I've noticed that when I look at the "General" tab of the Configuration Manager utility in Control Panel, new clients show "none" for Client certificate, where clients that were installed before these issues began show "PKI". To me, it seems like I am either missing a cert, somewhere, or the cert that the client uses to talk to the MP for policy assignment is missing.... of course, I could be WAAAY off. I am happy to provide any other info or log information, as needed.

     Thank you all for any help you can offer!