Jeff K, posted January 7, 2015

Hi, I am trying to set up an Internet MP just for users that never see an office. I have followed this post to set it up but am running into issues that I can't figure out. I am hoping that someone can assist me in getting this fixed.

http://www.systemcenterdudes.com/internet-based-client-management/

I went and did all the client certs before installing. Made sure IIS had the cert installed before SCCM was installed. Made sure site and site systems were set for internet and intranet access. Imported DP cert in the DP section. Installed SCCM and got no errors.

Here is from the mpcontrol.log:

Machine name is 'NWICCM01.nwtraders.msft'.  1/7/2015 2:12:49 PM
Begin validation of Certificate [Thumbprint 98542e7bd2343725dda3f14a69cb373274df9a63] issued to 'NWICCM01.nwtraders.msft'  1/7/2015 2:12:49 PM
Completed validation of Certificate [Thumbprint 98542e7bd2343725dda3f14a69cb373274df9a63] issued to 'NWICCM01.nwtraders.msft'  1/7/2015 2:12:49 PM
Skipping this certificate which is not valid for ConfigMgr usage.  1/7/2015 2:12:49 PM
There are no certificate(s) that meet the criteria.  1/7/2015 2:12:49 PM
Performing machine FQDN to SAN2 search.  1/7/2015 2:12:49 PM
Begin validation of Certificate [Thumbprint 98542e7bd2343725dda3f14a69cb373274df9a63] issued to 'NWICCM01.nwtraders.msft'  1/7/2015 2:12:49 PM
Completed validation of Certificate [Thumbprint 98542e7bd2343725dda3f14a69cb373274df9a63] issued to 'NWICCM01.nwtraders.msft'  1/7/2015 2:12:49 PM
Using custom selection criteria based on the machine NetBIOS name.  1/7/2015 2:12:49 PM
Machine name is 'NWICCM01'.  1/7/2015 2:12:49 PM
Begin validation of Certificate [Thumbprint 98542e7bd2343725dda3f14a69cb373274df9a63] issued to 'NWICCM01.nwtraders.msft'  1/7/2015 2:12:49 PM
Completed validation of Certificate [Thumbprint 98542e7bd2343725dda3f14a69cb373274df9a63] issued to 'NWICCM01.nwtraders.msft'  1/7/2015 2:12:49 PM
Skipping this certificate which is not valid for ConfigMgr usage.  1/7/2015 2:12:49 PM
Begin validation of Certificate [Thumbprint 341f426c7a86ea084ff324ede6450fa173498f4c] issued to 'sccmlab.domain.com'  1/7/2015 2:12:49 PM
Certificate doesn't have "SSL Client Authentication" capabilities.  1/7/2015 2:12:49 PM
Completed validation of Certificate [Thumbprint 341f426c7a86ea084ff324ede6450fa173498f4c] issued to 'sccmlab.domain.com'  1/7/2015 2:12:49 PM
Skipping this certificate which is not valid for ConfigMgr usage.  1/7/2015 2:12:49 PM
There are no certificate(s) that meet the criteria.  1/7/2015 2:12:49 PM
Failed to retrieve client certificate. Error -2147467259  1/7/2015 2:12:49 PM
Call to HttpSendRequestSync failed for port 443 with -2147467259 error code.  1/7/2015 2:12:49 PM
Sent summary record of SMS Management Point on ["Display=\\NWICCM01.NWTRADERS.MSFT\"]MSWNET:["SMS_SITE=IMP"]\\NWICCM01.NWTRADERS.MSFT\ to \\NWICCM01.nwtraders.msft\SMS_IMP\inboxes\sitestat.box\haj0o219.SUM, Availability 1, 52425724 KB total disk space , 42883468 KB free disk space, installation state 0.  1/7/2015 2:12:49 PM
Http test request failed, error code is -2147467259.  1/7/2015 2:12:49 PM
Successfully performed Management Point availability check against local computer.  1/7/2015 2:12:49 PM

I can telnet to the open 443 over the web and no issues there, along with port 80. In the line that says

Begin validation of Certificate [Thumbprint 341f426c7a86ea084ff324ede6450fa173498f4c] issued to 'sccmlab.domain.com'

I have followed that document and am sure it does have SSL capabilities. Am I missing a step in IIS????

Peter van der Woude, posted January 7, 2015

It's trying to do a healthcheck and it can't find a client certificate to use. Make sure you've got a certificate available with client authentication capabilities.

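[Added example, not part of the original thread and not code from any poster.] One way to see which certificates in the management point's computer store carry the Client Authentication purpose that the mpcontrol.log check is looking for. The function name Get-CertEkuReport is hypothetical, and the script assumes that "SSL Client Authentication capabilities" in the log refers to the Enhanced Key Usage extension.

```powershell
# Added example (not from the thread). Run in PowerShell on the management
# point server; it only reads the local computer's Personal certificate store.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Hypothetical helper name; returns one report row per certificate.
function Get-CertEkuReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Pull the Enhanced Key Usage extension, if the certificate has one.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        } | Select-Object -First 1

        $oids = @()
        if ($ekuExt) {
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            ClientAuth    = $oids -contains $clientAuthOid
            ServerAuth    = $oids -contains $serverAuthOid
            HasEkuExt     = [bool]$ekuExt
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        }
    }
}

# A row with ClientAuth = False matches the condition the log describes as
# lacking "SSL Client Authentication" capabilities (assumption: EKU-based check).
Get-CertEkuReport | Format-Table -AutoSize
```

Compare the Thumbprint column with the thumbprints in mpcontrol.log to see which certificate each "Skipping this certificate" line refers to.
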
Jeff K, posted January 7, 2015

OK, can you explain how to get that??? I followed that guide.... Did I miss something???

Peter van der Woude, posted January 7, 2015

It looks like you didn't deploy the client certificate on your management point server.

Jeff K, posted January 7, 2015

Sorry, I don't follow??? Where does that go???? Can I get some steps on 2012 Windows.

Peter van der Woude, posted January 8, 2015

It's also part of the guide you're following, it's located under the header "CLIENT CERTIFICATE".

Jeff K, posted January 13, 2015

Well, the MP finally settled down and was successful. But now the client I am trying from doesn't want to install. The first line is the install with switches from a batch file.

cmd /c c:\windows\ccmsetup\ccmsetup.exe /mp:SCCMLAB.domain.com /usePKICert /NoCRLCheck FSP=SCCMLAB.domain.com CCMALWAYSINF=1 CCMHOSTNAME=sccmlab.domain.com SMSSITECODE=IMP RESETKEYINFORMATION=TRUE CCMLOGMAXHISTORY=0 CCMLOGMAXSIZE=300000 CMALLOWSILENTREBOOT=0

Unable to retrieve AD forest + domain membership
Domain joined client is in Internet
DHCP entry points already initialized.
Begin checking Alternate Network Configuration
Finished checking Alternate Network Configuration
Adapter {3E0F2CE1-C40D-467A-AAC3-1F7DE3F71DF8} is DHCP enabled. Checking quarantine status.
Adapter {6571246B-7970-4A9A-AD2E-06EC53BA77BF} is DHCP enabled. Checking quarantine status.
Adapter {86B668FD-7A29-4002-A477-5C25995E6D8C} is DHCP enabled. Checking quarantine status.
Adapter {C4D7AB6F-B931-4B14-9F3D-5E86EB4FA106} is DHCP enabled. Checking quarantine status.
Sending message body '<ContentLocationRequest SchemaVersion="1.00"> <AssignedSite SiteCode="IMP"/> <ClientPackage/> <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseInternetDP="1"> <ADSite Name="Default-First-Site-Name"/> <Forest Name=""/> <Domain Name=""/> <IPAddresses><IPAddress SubnetAddress="192.168.0.0" Address="192.168.0.2"/><IPAddress SubnetAddress="2001:0000:9D38:90D7" Address="2001:0000:9D38:90D7:10D5:273C:3F57:FFFD"/> </IPAddresses> </ClientLocationInfo></ContentLocationRequest>'
Sending message header '<Msg SchemaVersion="1.1"><ID>{FB003907-9553-4236-9076-B0B740BB90BF}</ID><SourceHost>L00729</SourceHost><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:L00729:LS_ReplyLocations</ReplyTo><Priority>3</Priority><Timeout>600</Timeout><ReqVersion>5931</ReqVersion><TargetHost>SCCMLAB.domain.com</TargetHost><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><Protocol>http</Protocol><SentTime>2015-01-13T20:56:01Z</SentTime><Body Type="ByteRange" Offset="0" Length="1276"/><Hooks><Hook3 Name="zlib-compress"/></Hooks><Payload Type="inline"/></Msg>'
CCM_POST 'HTTP://SCCMLAB.domain.com/ccm_system/request'
Failed to receive ccm message response. Status code = 403
GetDPLocations failed with error 0x80004005
Failed to get DP locations as the expected version from MP 'SCCMLAB.domain.com'. Error 0x80004005
Failed to find DP locations from MP 'SCCMLAB.domain.com' with error 0x80004005, status code 403. Check next MP.
Only one MP SCCMLAB.domain.com is specified. Use it.
Have already tried all MPs. Couldn't find DP locations.
GET 'HTTP://SCCMLAB.domain.com/CCM_Client/ccmsetup.cab'
Failed to successfully complete WinHttp request. (StatusCode at WinHttpQueryHeaders: 403)
DownloadFileByWinHTTP failed with error 0x80004005
Sending Fallback Status Point message to 'SCCMLAB.domain.com', STATEID='308'.
Failed to get client version for sending messages to FSP. Error 0x8004100e
Params to send FSP message '5.0.7958.1000 Deployment Error 0x80004005. Url HTTP://SCCMLAB.domain.com/CCM_Client/ccmsetup.cab'
Request failed: 404 Not Found
'Configuration Manager Client Retry Task' is scheduled to run at 01/13/2015 08:56:04 PM (local) 01/14/2015 01:56:04 AM (UTC) time with arguments ' "/mp:SCCMLAB.domain.com" "/usePKICert" "/NoCRLCheck" "FSP=SCCMLAB.domain.com" "CCMALWAYSINF=1" "CCMHOSTNAME=sccmlab.domain.com" "SMSSITECODE=IMP" "RESETKEYINFORMATION=TRUE" "CCMLOGMAXHISTORY=0" "CCMLOGMAXSIZE=300000" "CMALLOWSILENTREBOOT=0" /RetryWinTask:1'.
CcmSetup failed with error code 0x80004005

Peter van der Woude, posted January 14, 2015

Can the client resolve the Internet FQDN of the MP on the Internet?

Jeff K, posted January 14, 2015

I can resolve the name, and can telnet to port 443 without issues. When I go to the MP website I get access denied. Not sure if it's some permissions that require setting???

Peter van der Woude, posted January 14, 2015

I would look at the certificates. Check the IIS log files for more detailed information.

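[Added example, not part of the original thread and not code from any poster.] The IIS log records a sub-status next to each 403, and several sub-status values identify a TLS or client-certificate cause, which is the extra detail the last reply points to. The function name Get-Iis403Detail is hypothetical and the sample log lines are constructed for illustration, not taken from the poster's server.

```powershell
# Added example (not from the thread). IIS sub-status codes that point at TLS
# or client-certificate problems behind an HTTP 403.
$subStatusMeaning = @{
    4  = 'SSL required (request arrived over plain HTTP)'
    7  = 'Client certificate required (none presented)'
    13 = 'Client certificate revoked'
    16 = 'Client certificate untrusted or invalid'
    17 = 'Client certificate expired or not yet valid'
}

# Hypothetical helper name; returns one row per 403 found in W3C log lines.
function Get-Iis403Detail {
    param([string[]]$Lines)

    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The #Fields directive names the columns of the rows that follow.
            $fields = @(($line -replace '^#Fields:\s*', '').Trim() -split '\s+')
            continue
        }
        if ($line -like '#*' -or -not $line.Trim() -or $fields.Count -eq 0) { continue }

        $cols = $line.Trim() -split ' '
        $row = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) {
            $row[$fields[$i]] = $cols[$i]
        }
        if ($row['sc-status'] -ne '403') { continue }

        $sub = [int]$row['sc-substatus']
        $meaning = 'Other 403 (not a certificate sub-status in this table)'
        if ($subStatusMeaning.ContainsKey($sub)) { $meaning = $subStatusMeaning[$sub] }
        [pscustomobject]@{
            Time = "$($row['date']) $($row['time'])"; Port = $row['s-port']
            Uri  = $row['cs-uri-stem']; Status = "403.$sub"; Meaning = $meaning
        }
    }
}

# Constructed sample log lines in W3C format, for illustration only.
$sample = @(
    '#Fields: date time cs-method cs-uri-stem s-port c-ip sc-status sc-substatus',
    '2015-01-13 20:56:01 CCM_POST /ccm_system/request 80 203.0.113.10 403 4',
    '2015-01-13 20:56:02 GET /CCM_Client/ccmsetup.cab 443 203.0.113.10 403 7',
    '2015-01-13 20:56:03 GET /CCM_Client/ccmsetup.cab 443 203.0.113.10 403 16',
    '2015-01-13 20:56:04 GET /CCM_Client/ccmsetup.cab 443 203.0.113.10 200 0'
)
Get-Iis403Detail -Lines $sample | Format-Table -AutoSize
```

For a real server, pass the output of Get-Content on the management point site's IIS log file as -Lines; the sc-substatus field must be enabled in the site's W3C logging fields for the Status column to be meaningful.
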