matt_nz Posted August 18, 2012

Hi there!

Over the last few weeks I've been playing around with SCCM 2012 to get the hang of it and for the most part, with the help of many of the guides I've found on here I've got it humming along quite nicely.

Now I'm starting to play with some of the individual parts of SCCM and I've run into a problem getting PXE booting to work and I believe it has something to do with Certs. I'm running in HTTPS with PKIs but I think I'm missing something when it comes to PXE as I'm getting the following messages spammed in my SMSPXE.log file whenever a machine tries to PXE boot:

PXE::CBootImageManager::FindMatchingArchitectureBootImage SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
Set enterpirse certificate in transport SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
Set media certificate in transport SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
Set authenticator in transport SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
In SSL, but with no client cert SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
Set authenticator in transport SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
In SSL, but with no client cert SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
Client boot action reply: <ClientIDReply><Identification Unknown="0" ItemKey="16777220" ServerName="" ServerRemoteName=""><Machine><ClientID/><NetbiosName/></Machine></Identification><PXEBootAction LastPXEAdvertisementID="" LastPXEAdvertisementTime="" OfferID="" OfferIDTime="" PkgID="" PackageVersion="" PackagePath="" BootImageID="" Mandatory=""/></ClientIDReply> SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
Client Identity: cf9295de-a9b7-44dc-b29a-0500ab51db6b SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
Set enterpirse certificate in transport SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
Set media certificate in transport SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
Set authenticator in transport SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
In SSL, but with no client cert SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
Set authenticator in transport SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)
In SSL, but with no client cert SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC)

I've followed the Step-By-Step guide found here, http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_webserver2008_cm2012 under "Deploying the Client Certificate for Distribution Points" and I've imported the PFX certificate into the settings of "Distribution Point" from a location that everyone has read access to.

matt_nz Posted August 19, 2012

Alright, well, it seems I was just rushing things a bit. I left it overnight, came back in the morning and things were semi-working!

Before I went to bed, PXE booting wasn't really doing anything on the client, just that DHCP line with the spinning cursor. When I tried again in the morning it was now contacting the WDS server but halting before continuing on. Looking in the logs I now had this:

WARNING: _SMSTSCertStoreName Not Set. This might cause client failures in native mode. SMSPXE 19/08/2012 12:46:10 p.m. 1740 (0x06CC)
WARNING: _SMSTSCertSelection Not Set. This might cause client failures in native mode. SMSPXE 19/08/2012 12:46:10 p.m. 1740 (0x06CC)

Which indicated it was still a certificate error.

In the SCCM console, I went to Administration, Security and then Certificates. In there I had a bunch of blocked certificates and the issued to fields were showing as GUIDs rather than actual FQDNs.

To resolve the problem, I opened the properties of each Certificate, noticed that they were showing as not installed so installed them manually to the Local Computer's (the Primary server) trusted store. Once that was done, I unblocked each certificate and then attempted PXE again - and now it's working perfectly!

So the moral of the story I've learned is, if something appears to not be working with SCCM, give it a few hours and see if it clears itself up...
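
Added example, not part of the original posts and not code from SCCM: a small Python triage script that splits log text pasted in the layout shown above (message, component, date, time, thread) back into entries and counts the certificate-related messages quoted in the thread. The function names and labels are made up for illustration, and the sample is assembled from entries quoted in the posts.

```python
import re
from datetime import datetime

# End of each pasted entry: component, dd/mm/yyyy, 12-hour time, thread id.
ENTRY_TAIL = re.compile(
    r"\s+(?P<component>[A-Za-z_]+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<ampm>[ap])\.m\.\s+"
    r"(?P<tid>\d+)\s+\(0x[0-9A-Fa-f]+\)\s*")

# Certificate-related messages quoted in the thread -> short label (labels are illustrative).
CERT_SIGNATURES = {
    "In SSL, but with no client cert": "no-client-cert",
    "_SMSTSCertStoreName Not Set": "cert-store-unset",
    "_SMSTSCertSelection Not Set": "cert-selection-unset",
}

# Constructed sample: entries quoted in the posts, run together as on the page.
SAMPLE = (
    "Set enterpirse certificate in transport SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC) "
    "In SSL, but with no client cert SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC) "
    "In SSL, but with no client cert SMSPXE 19/08/2012 2:53:41 a.m. 5596 (0x15DC) "
    "WARNING: _SMSTSCertStoreName Not Set. This might cause client failures in native mode. SMSPXE 19/08/2012 12:46:10 p.m. 1740 (0x06CC) "
    "WARNING: _SMSTSCertSelection Not Set. This might cause client failures in native mode. SMSPXE 19/08/2012 12:46:10 p.m. 1740 (0x06CC)"
)

def parse_entries(text):
    """Split run-together log text into dicts of time, thread and message."""
    entries, pos = [], 0
    for m in ENTRY_TAIL.finditer(text):
        message, pos = text[pos:m.start()].strip(), m.end()
        day, month, year = map(int, m["date"].split("/"))
        hour, minute, second = map(int, m["time"].split(":"))
        hour = hour % 12 + (12 if m["ampm"] == "p" else 0)  # 12 a.m. -> 0, 12 p.m. -> 12
        entries.append({"time": datetime(year, month, day, hour, minute, second),
                        "thread": int(m["tid"]), "message": message})
    return entries

def summarize_cert_issues(entries):
    """Count each certificate signature and record when and on which thread it appeared."""
    summary = {}
    for e in entries:
        for needle, label in CERT_SIGNATURES.items():
            if needle in e["message"]:
                s = summary.setdefault(label, {"count": 0, "first": e["time"],
                                               "last": e["time"], "threads": set()})
                s["count"] += 1
                s["first"], s["last"] = min(s["first"], e["time"]), max(s["last"], e["time"])
                s["threads"].add(e["thread"])
    return summary
```

Calling `summarize_cert_issues(parse_entries(SAMPLE))` shows when each certificate message first and last appeared, which makes it easy to see whether the messages stop after a certificate change.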

Kingen Posted August 19, 2012

I don't set up sites with encryption; it adds extra complexity to it (I might consider it if I would have to set up an SCCM site in a DMZ and expose it for internet users). Also, the data traffic going back and forth from the client to the site server does not contain sensitive user information (?)

"So the moral of the story I've learned is, if something appears to not be working with SCCM, give it a few hours and see if it clears itself up..."

True that

matt_nz Posted August 23, 2012

> I don't set up sites with encryption; it adds extra complexity to it (I might consider it if I would have to set up an SCCM site in a DMZ and expose it for internet users). Also, the data traffic going back and forth from the client to the site server does not contain sensitive user information (?)
>
> "So the moral of the story I've learned is, if something appears to not be working with SCCM, give it a few hours and see if it clears itself up..."
>
> True that

When it comes to using it in production I don't think we'll be able to avoid SSL as we'll be wanting to use SCCM to provision Intel AMT machines as well.