Clients not getting self singed certs

[TeachMeSCCM]

Hello

 

New to posting on this forum. I'll try my best

My Mp is setup to http

When i changed it back I did reboot it.

I can d

I was having issue with machines losing there certs. Long story short my cert in my MMC store in the SMS folder was expired; I have taken over this 1/2 ass setup and I'm trying my best.

I was told that SCCM would automatically update the cert. This is not happening. I have found if I delete the old cert it created a new one. But now I'm still getting these errors

I have ensured my boundaries are good but I'm unable to get clients to get certificates I am going by IP addresses not subnet. This is happening for new and old clients. 

 

http://mysccm/sms_mp/.sms_aut?mplist goes to the XML file on both of my servers

 

http://mysccm/sms_mp/.sms_aut?mpcert works on both of my servers goes the the MPcertificate path with the long text

 

 

 

 

I do have it setup a bit strange I'm doing the point the SMS and use PKI if it's there. I have tired it every other way and none of the ways work for me.

 

 

I have tired it like every single way and this way I can get a cert and it register but it never registers the client so I get the SCCM to install

Client Cert shows None and my Software store doesn't work won't update ect.

 

Let me know if you need more logs or info. This has been such a paint to figure out.

 

[TeachMeSCCM]

So If I change it to just  HTTPS or HTTP check and take off the PKI and CRL uncheck both 

I also unchecked the Use configuration Manger-Gen cert

I get this error 

 

This is why I had to setup to look for the SMS cert and it looked like it at least got a cert in the past but same issue with the machine never registering 

[anyweb]

it's a bit unclear from your post but what is your actual goal here, are you trying to enable ConfigMgr in HTTPS mode (PKI) or are you trying to use e-http (enhanced http), or do you simply have client issues with invalid sms certs ?

 

[TeachMeSCCM]

I am trying to use E http and the clients are not getting there certs. I use to get certs and after it expired I deleted the old one; as the system never auto updated it. I am still having this issue with many clients with all of the same error as above

 

SCCM installs but never gets a client cert.

 

I'm stuck with the Key 'ConfigMgrMigrationKey' not found, 0x80090016.    ClientIDManagerStartup  with no luck fixing it. See above errors

[anyweb]

try setting it like this

[TeachMeSCCM]

I'm using the CCMclean and doing a fresh install with both the default ie site code

And the other with command line ccmsetup.exe /mp=Mine.mine.mine SMSSITECODE=mine

Here is what my logs say I am having this issue site wide. Old machines not getting updated certs and fresh installs/test vms all getting the same errors 

Both of my site servers show they have no client installed as well

Almost all my machines are like this

Not getting a Client certificate; I see them in SCCM some say Client installed this is not Ture; when i check the pc's I see this

 

CCMexec

 

Site Services are all green; please let me know if you need more info or logs I'm trying to figure this out. I really appreciate your help 

Edited September 17, 2021 by TeachMeSCCM
More info

[TeachMeSCCM]

I have my CMG setup correctly test to ensure

 

I have the correct information in the client for the CMG so that is working but this ongoing cert issue.

Edited September 17, 2021 by TeachMeSCCM

[anyweb]

let's just focus on one problem at a time, your e-http setup, did you configure it like i said ? and are your roles all configured in http only or ?

[TeachMeSCCM]

I did; my roles are setup to HTTP Only I have it setup the same as you have listed above.

 

On both

Distribution setup the same way

Edited September 17, 2021 by TeachMeSCCM

[SCCMentor]

What cert is bound to IIS?