

anyweb

Deploy an OS over CMG using bootable media


I'm getting the same error as HeroicBandit in SMSTS.log with the generated boot media.

There's no PKI, and the site is using the Configmgr cert for HTTP site systems. The only certificate issued by the internal CA is the one with the subject name of our CMG, which is present on the CMG. Clients are authenticating with token fine, so I know the CMG is working for existing clients.

Is this a limitation because there's no PKI on the site system itself and so has no path to authenticate via the internal CA when using boot media?


I haven't tested it in non-PKI environments, and a quick look at the documentation only states this: "For version 2010 early update ring, if you use a PKI-based certificate for the boot media, configure it for SHA256 with the Microsoft Enhanced RSA and AES provider. For later releases, including globally available version 2010, this certificate configuration is recommended but not required. The certificate can be a v3 (CNG) certificate."

In other words, it doesn't call out non-PKI environments or token-based auth in this scenario. I'll ping the product group and ask if it's actually supported.


cheers

niall


So I got this back from the very knowledgeable Jason in the PG: "The problem here appears to be that the cert on the CMG is issued by an internal CA and thus not trusted by the WinPE environment. Using a cert from a public PKI is the only way I know of to get past this (or using a pre-start script to add the issuing PKI as trusted before the TS engine launches)."
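The pre-start route Jason describes, as an added example that is not from this thread or from Microsoft: a boot-media prestart script that puts the internal root and issuing CA into WinPE's machine trust stores before the task sequence engine starts. It assumes the two .cer files sit next to the script in the prestart command folder (file names are placeholders) and that the boot image has the WinPE PowerShell optional components.

```powershell
# Added example (not from this thread): prestart script that trusts an internal CA chain in WinPE
# so the TLS certificate the CMG presents chains to a trusted root when the TS engine connects.
# Assumptions: .cer files are next to this script (placeholder names below); WinPE has PowerShell.
$ErrorActionPreference = 'Stop'
$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$logFile   = 'X:\Windows\Temp\PrestartCertImport.log'   # X: is the WinPE RAM disk

# Root (self-signed) goes to Root; the issuing/intermediate CA goes to CA.
$chain = @(
    @{ File = Join-Path $scriptDir 'InternalRootCA.cer';    Store = 'Root' }  # placeholder name
    @{ File = Join-Path $scriptDir 'InternalIssuingCA.cer'; Store = 'CA' }    # placeholder name
)

function Write-Log([string]$Text) {
    "$(Get-Date -Format s) $Text" | Out-File -Append -FilePath $logFile
}

function Import-TrustedCert {
    param([string]$Path, [string]$StoreName)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Log "Missing certificate file: $Path"; return $false }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    # Guard against putting an intermediate in Root (or a root in CA): a root is self-issued.
    $selfIssued = ($cert.Subject -eq $cert.Issuer)
    if (($StoreName -eq 'Root') -ne $selfIssued) {
        Write-Log "Skipping $Path, subject/issuer does not fit the $StoreName store"; return $false
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        # Idempotent: only add if this thumbprint is not already present.
        if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -eq 0) {
            $store.Add($cert)
        }
    } finally { $store.Close() }
    Write-Log "Trusted '$($cert.Subject)' [$($cert.Thumbprint)] in LocalMachine\$StoreName"
    return $true
}

$allOk = $true
foreach ($entry in $chain) {
    $allOk = (Import-TrustedCert -Path $entry.File -StoreName $entry.Store) -and $allOk
}
Write-Log "CA import finished, success=$allOk"
if (-not $allOk) { exit 1 }   # non-zero exit makes the failure visible in smsts.log
```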



Cheers to you both - that's pretty much what it looks like to me. The cert on the CMG is the server auth cert (so server auth between the ConfigMgr server and the CMG works, as does token-based auth via the CMG to the MP) but of course there's no client auth in there. In theory replacing the internal CA cert with a public CA cert (and of course ensuring the DNS CNAME is set as well so the CNAME references the CMG instance) would mean WinPE uses its approved CA list to connect to the cert on the CMG.

It'd definitely be worth testing further from the MS product team to see if that's a viable solution for those using token-based auth, or if there's a way that the bulk registration token could be injected into the client in the boot media (so it has a valid token in the media itself) which could alleviate.


23 hours ago, anyweb said:

also, have you seen this post from Eswar, he's not using PKI either but it's working for him

http://eskonr.com/2021/01/certificate-error-while-deploying-an-os-over-cmg-using-bootable-media/

Cheers for that. I looked at that, which was along the same lines I was already on, but realised a couple of things, as below:

  • As the PFX cert on the CMG has a path to an intermediate and root CA, I specified both .cer files in the site properties
  • The CMG config (in the Admin page of the Configmgr console) showed a new version, increased by 1, so I then synced the config
  • I then created the boot media, using a self-signed cert. It also added the intermediate and root CA certs into the boot image
  • I booted, and the SMSTS.log showed it could auth to the CMG (because the certs were both there and the full path to the cert on the CMG was able to auth)
  • I could see the task sequences.

Specifying the root CA alone did not work in the site properties; I had to do the root and intermediate, then update the CMG config and boot media.


I am getting an error stating "This task sequence cannot be run because the program files for NLD00005 cannot be located on a distribution point. For more information, contact your system administrator or helpdesk operator."

I have checked the files on the CMG and it all looks fine. I also redistributed to it without issues. I am kind of lost now.


SSL, using authenticator in request.    TSMBootstrap    5/28/2021 1:05:29 PM    1480 (0x05C8)
In SSL, but with no client cert.    TSMBootstrap    5/28/2021 1:05:29 PM    1480 (0x05C8)
Request was successful.    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
::DecompressBuffer(65536)    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
Decompression (zlib) succeeded: original size 283, uncompressed size 694.    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
Location Reply:
<![CDATA[<ContentLocationReply SchemaVersion="1.00" BGRVersion="1"><BoundaryGroups BoundaryGroupListRetrieveTime="2021-05-28T11:05:30.120" IsOnVPN="0"><DOINCServers/></BoundaryGroups><ContentInfo/><Sites><Site><MPSite SiteCode="NLD" MasterSiteCode="NLD" SiteLocality="FALLBACK"/><LocationRecords/></Site></Sites><RelatedContentIDs/></ContentLocationReply>]]>    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
Processing 0 locations.    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
No static content server.    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
(LocationsList.size() + slistHttpPaths.size() + slistSMBPaths.size()) > 0, HRESULT=80040102 (..\resolvesource.cpp,2665)    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
FALSE, HRESULT=80040102 (..\tspolicy.cpp,2441)    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
Content location request for NLD00005:13 failed. (Code 0x80040102)    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
hr, HRESULT=80040102 (..\tspolicy.cpp,3346)    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
Failed to resolve PackageID=NLD00005    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
(*iTSReference)->Resolve( pTSPolicyManager, dwResolveFlags ), HRESULT=80040102 (..\tspolicy.cpp,4421)    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
m_pSelectedTaskSequence->Resolve( m_pPolicyManager, TS::Policy::TaskSequence::ResolvePolicy | TS::Policy::TaskSequence::ResolveSource, fpCallbackProc, pv, hCancelEvent), HRESULT=80040102 (tsmediawizardcontrol.cpp,1642)    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
Failed to resolve selected task sequence dependencies. Code(0x80040102)    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
hrReturn, HRESULT=80040102 (tsmediaresolveprogresspage.cpp,445)    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
ThreadToResolveAndExecuteTaskSequence failed. Code(0x80040102)    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
ThreadToResolveAndExecuteTaskSequence returned code 0x80040102    TSMBootstrap    5/28/2021 1:05:30 PM    1188 (0x04A4)
Setting wizard error: This task sequence cannot be run because the program files for NLD00005 cannot be located on a distribution point. For more information, contact your system administrator or helpdesk operator.    TSMBootstrap    5/28/2021 1:05:30 PM    1188 (0x04A4)
ResolveProgressPage::OnWizardNext()    TSMBootstrap    5/28/2021 1:05:30 PM    1188 (0x04A4)
Activating Finish Page.    TSMBootstrap    5/28/2021 1:05:30 PM    1188 (0x04A4)
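A triage helper for the smsts.log excerpt above, added here as an example (not from this thread): it parses CMTrace-style lines, pulls the ContentLocationReply XML out of the CDATA block, counts the location records the MP returned and pairs that with the failing package ID and HRESULT. The sample lines are constructed from the excerpt; the function and its output fields are this example's own.

```powershell
# Added example (not from this thread): read a ContentLocationReply from smsts.log and report
# why the media could not resolve the package. Sample lines constructed from the excerpt above.
$sample = @'
Location Reply:
<![CDATA[<ContentLocationReply SchemaVersion="1.00" BGRVersion="1"><BoundaryGroups BoundaryGroupListRetrieveTime="2021-05-28T11:05:30.120" IsOnVPN="0"><DOINCServers/></BoundaryGroups><ContentInfo/><Sites><Site><MPSite SiteCode="NLD" MasterSiteCode="NLD" SiteLocality="FALLBACK"/><LocationRecords/></Site></Sites><RelatedContentIDs/></ContentLocationReply>]]>    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
Processing 0 locations.    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
Content location request for NLD00005:13 failed. (Code 0x80040102)    TSMBootstrap    5/28/2021 1:05:30 PM    1480 (0x05C8)
'@

function Get-ContentLocationDiagnosis {
    param([string[]]$Lines)
    $r = [ordered]@{ PackageId = $null; Version = $null; HResult = $null
                     LocationCount = $null; SiteLocality = $null; Verdict = $null }
    foreach ($line in $Lines) {
        # Drop the trailing CMTrace columns (component, timestamp, thread id).
        $msg = $line -replace '\s{2,}TSMBootstrap\s{2,}.*$', ''
        if ($msg -match '^<!\[CDATA\[(?<xml><ContentLocationReply.*</ContentLocationReply>)\]\]>$') {
            $xml = [xml]$Matches.xml
            # SelectNodes gives a true 0 for an empty <LocationRecords/> element.
            $r.LocationCount = $xml.SelectNodes('/ContentLocationReply/Sites/Site/LocationRecords/LocationRecord').Count
            $r.SiteLocality  = $xml.SelectSingleNode('/ContentLocationReply/Sites/Site/MPSite').GetAttribute('SiteLocality')
        }
        elseif ($msg -match 'Content location request for (?<pkg>[A-Z0-9]{8}):(?<ver>\d+) failed\. \(Code (?<hr>0x[0-9A-Fa-f]{8})\)') {
            $r.PackageId = $Matches.pkg; $r.Version = [int]$Matches.ver; $r.HResult = $Matches.hr
        }
    }
    if ($r.LocationCount -eq 0 -and $r.HResult) {
        # The MP answered, so this is not the certificate/trust failure discussed earlier in the thread:
        # it simply reported no DP or CMG holding this package version for the client's boundary group.
        $r.Verdict = "MP returned 0 content locations for $($r.PackageId) v$($r.Version) ($($r.HResult)); " +
                     "check the package's distribution status on the CMG/DP and the boundary group " +
                     "relationship for locality '$($r.SiteLocality)'."
    } else {
        $r.Verdict = 'No zero-location content failure found in the supplied lines.'
    }
    [pscustomobject]$r
}

Get-ContentLocationDiagnosis -Lines ($sample -split "`r?`n")
```

Run it against a full smsts.log with `Get-Content X:\Windows\Temp\SMSTSLog\smsts.log` in place of the sample to check the same package/version pair the media is asking for.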

