The client certificate is not provided; The certificate thumbprint in the web.config did not match any cert in the SMS cert store.
Asked by
RaymondA
Hi all, this problem has really been a big pain in the #¤%#” for me, and ANY help, advice, tips, will be much appreciated. I have been struggling with this issue for a week now.
Setup:
Configuration Manager servers:
SCCM00 – File server, WSUS
SCCM01 – Administration facing and fallback.
SCCM02 – Client facing. (PXE, DP, etc.)
SCDB – DB & Reporting.
Version: 5.00.7804.1000, Build: 7804
Communication is HTTPS only, but there is no requirement for signing, SHA-256 or Encryption. Default cert location, select any certificate when multiple certificates and client should check the CRL. Trusted Root Certificate Authorities is set. The SSL certificates are exportable (have tried the “Microsoft SCCM recipe certificates”, same errors).
When reinstalling, I have tried various methods. However, I will only describe one:
In other words: Ready for install.
Installation:
Installing Application Catalog web service point and Application Catalog website point using https (443), and setting Allow Intranet connections.
SMSPortalWebSetup.log and SMSAwebsvcSetup.log return success, with the exception of a line “<07/18/13 19:13:26> CWmi::Initialize(): CoCreateInstance(WbemLocator) failed. - 0x800401f0”, early in the process. It seems like an error the setup handles.
--
Pretty soon two certificates arise in the cert store (SMS\certificates), “SMS Encryption Certificate” and “SMS Signing Certificate”. (The Site System Identification Certificate was already there). None of these is trusted (This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store).
The logs “ServicePortalWebSite.log” and “ServicePortalWebService.log” both contain the following error (ERROR A):
[1, PID:4656][07/18/2013 19:13:53] :The client certificate is not provided; this could cause errors when the web site attempts to communicate with the web service. The certificate thumbprint in the web.config did not match any cert in the SMS cert store.
Question 1: Is this correct?
The thumbprint referenced in web.config in both applications is the same:
<add key="CertThumbprint" value="bd 36 3c 93 a2 e3 d4 66 ca 65 7f 12 7d 1e c0 48 1b 3f e0 03"/>
Here is something strange. Ref the log errors (ERROR A), this thumbprint does not exist on any certificate in the SMS cert store, but in the Web Hosting certificate store (also in “Trusted people” store).
Question 2: WHY??? It searches (according to the log) the SMS\certificates, and later I will show you that the system KNOWS it is in the Web Hosting store.
When testing the URL, locally on the server,
The website loads without SSL warnings, and the Silverlight applications run.
And an error (ERROR B):
Loading Software Center returned error code 0x80041001 (-2147217407)
Cannot connect to the application server
The Website cannot communicate with the server. This might be a temporary problem. Try again later to see if the problem has been corrected. If this problem continues, contact your help desk.
Comment:
Believe me, after endless debugging, I really hate that error message.
The ServicePortalWebSite.log gives me a clue:
[28, PID:4656][07/18/2013 19:47:39] :DefaultApplicationOfferService - opening channel via client proxy
[24, PID:4656][07/18/2013 19:47:39] :FindCertificate - Found certs via FindByThumbprint, count = 0
[24, PID:4656][07/18/2013 19:47:39] :FindCertificate - No matching certs found
[28, PID:4656][07/18/2013 19:47:39] :The client certificate is not provided; this could cause errors when the web site attempts to communicate with the web service. The certificate thumbprint in the web.config did not match any cert in the SMS cert store.
[24, PID:4656][07/18/2013 19:47:39] :DefaultApplicationOfferService - opening channel via client proxy
[24, PID:4656][07/18/2013 19:47:39] :The client certificate is not provided; this could cause errors when the web site attempts to communicate with the web service. The certificate thumbprint in the web.config did not match any cert in the SMS cert store.
No certificates found.
OK, where does this nonsense come from? The awebsctl.log gives a clue:
Starting certificate maintenance... SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:22 4668 (0x123C)
Successfully granted permission to certificate SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:22 4668 (0x123C)
Successfully completed certificate maintenance SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:22 4668 (0x123C)
SSL is enabled. SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:22 4668 (0x123C)
CRL Checking is also enabled. SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:22 4668 (0x123C)
Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:31 4668 (0x123C)
AWEBSVCs http check returned hr=0, bFailed=0 SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:31 4668 (0x123C)
AWEBSVC's previous status was 4 (0 = Online, 1 = Failed, 4 = Undefined) SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:31 4668 (0x123C)
STATMSG: ID=8102 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AWEBSVC_CONTROL_MANAGER" SYS=SCCM02.AD.UIT.NO SITE=U03 PID=1884 TID=4668 GMTDATE=tor jul 18 17:13:31.091 2013 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:31 4668 (0x123C)
AWEBSVC's status has changed from failed or unknown to online. SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:31 4668 (0x123C)
Completed the AWEBSVC availability check against local computer. SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:31 4668 (0x123C)
Waiting for changes for 60 minutes SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:31 4668 (0x123C)
AWEBSVC registry key change notification triggered. SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
Updating config (registry and web.config) SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
Updating M:\SMS_CCM\CMApplicationCatalogSvc\Web.config SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
CAWebSvcControlManager::UpdateConfig: Updated database connection SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
CAWebSvcControlManager::UpdateConfig: Updated CertThumbprint to bd 36 3c 93 a2 e3 d4 66 ca 65 7f 12 7d 1e c0 48 1b 3f e0 03 SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
CAWebSvcControlManager::UpdateConfig: Updated AllowSelfSignedCerts to false SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
CAWebSvcControlManager::UpdateConfig: Updated EnforceEnhancedHash to false SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
CAWebSvcControlManager::UpdateConfig: Updated FQDN to SCCM02.AD.UIT.NO SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
CAWebSvcControlManager::UpdateConfig: Updated security mode to TransportWithMessageCredential SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
CAWebSvcControlManager::UpdateConfig: Updated revocation mode to Online SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
Searching for child nodes... add[@prefix=HTTPS://SCCM02.AD.UIT.NO:443] SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
CAWebSvcControlManager::UpdateConfig:Binding already in web.config SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
CAWebSvcControlManager::UpdateConfig: Updated web service address for IApplicationOfferService endpoint SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
CAWebSvcControlManager::UpdateConfig: Updated web service address for IDeviceManagementService endpoint SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:08 4668 (0x123C)
Waiting for changes for 60 minutes SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:14:09 4668 (0x123C)
Notice the update of config (registry and web.config) and the following update of CertThumbprint.
These three lines give an error (I repeat the log now):
(ERROR C) AWEBSVCs http check returned hr=0, bFailed=0 SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:31 4668 (0x123C)
(ERROR D) AWEBSVC's previous status was 4 (0 = Online, 1 = Failed, 4 = Undefined) SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:31 4668 (0x123C)
..
(ERROR E) AWEBSVC's status has changed from failed or unknown to online. SMS_AWEBSVC_CONTROL_MANAGER 18.07.2013 19:13:31 4668 (0x123C)
According to CertificateMaintance.log, this seems to be “all in order”. It looks up the “BD363C93A2E<clip>” in cert store Hosting. (OK, not the SMS\certificate!)
I ask again, why use this thumbprint? He KNOWS it is the SSL cert!
The referred registry settings are:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\AWEBSVC
SignedSigningCertificate = “”
SigningCertificate = “308203C73082036DA0030201020213440000004D2<clip>”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\PORTALWEB
EncodedCertificate=”3082049930820381A0030201020213330000009D1E8<clip>”
EncodedXapCertificate=”308203C73082036DA0030201020213440000004D<clip>”
Debugging test: Change SSL certificate?
Requesting a new SSL certificate from CA, this time exportable (has not been, so far)
Awaiting certificate maintenance… (every hour)
The test CertificateMaintance.log gives the answer: No problem!
The only “remark” is a line “CSP associated with MP Certificate does not support SHA256 signing. Using SHA1 signing”
Web.Config in both places is updated with the new SSL certificate thumbprint.
<add key="CertThumbprint" value="72 49 19 9f c4 1f 75 1e 1c 5e 0f 62 61 5b bf 32 33 50 3e 52"/>
Registry settings in both places are also updated.
The “only” difference is the SignedSigningCertificate is now set.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\AWEBSVC
SignedSigningCertificate = “has value”
Some other “test-points”:
Awebsctl.log Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK
The client certificate is not provided; this could cause errors when the web site <clip>
Gives:
This is a Windows© Communication Foundation service.
Metadata publishing for this service is currently disabled.
OK, really got no clue! I am familiar with WCF, however I do not get how to correct this error.
So, I try to install a brand new server (SCCM03), meet all prerequisites, and install the two roles.
And amazingly: The error remains!
In short: Please, any ideas, directions, help, will be very appreciated!
Regards Raymond
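The lookup behind ERROR A and Question 2, as an added example that is not part of the original post: it reads CertThumbprint from web.config, strips the spaces, and reports which LocalMachine certificate stores hold a matching certificate. The web.config path is the one in the quoted awebsctl.log line; treating Cert:\LocalMachine\SMS as the store the log message refers to is an assumption.

```powershell
# Added example (not from the post): find where the web.config thumbprint lives.
param(
    # Path as it appears in the awebsctl.log line quoted above; adjust per server.
    [string]$WebConfig = 'M:\SMS_CCM\CMApplicationCatalogSvc\Web.config',
    # Assumption: the "SMS cert store" in the log message is LocalMachine\SMS.
    [string]$ExpectedStore = 'SMS'
)

function ConvertTo-NormalizedThumbprint {
    param([string]$Value)
    # web.config holds "bd 36 3c ..."; the certificate provider exposes "BD363C...".
    # Drop every non-hex character (spaces, invisible marks picked up when
    # copying from the certificate dialog) and upper-case the rest.
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

[xml]$cfg = Get-Content -LiteralPath $WebConfig -Raw
$node = $cfg.SelectSingleNode("//add[@key='CertThumbprint']")
if (-not $node) { throw "No CertThumbprint key in $WebConfig" }

$want = ConvertTo-NormalizedThumbprint $node.GetAttribute('value')
if ($want.Length -ne 40) { throw "CertThumbprint is not a 20-byte SHA-1 value: $want" }

# Walk every LocalMachine store; the recursion also returns the store
# containers themselves, so keep only certificate objects.
$hits = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.Thumbprint -eq $want
    } |
    Select-Object @{ n = 'Store'; e = { ($_.PSParentPath -split '\\')[-1] } },
                  Subject, NotAfter, HasPrivateKey

if (-not $hits) {
    "Thumbprint $want was not found in any LocalMachine store."
} else {
    $hits | Format-Table -AutoSize
    if (@($hits.Store) -notcontains $ExpectedStore) {
        "Thumbprint $want is not in LocalMachine\$ExpectedStore, the store named in the log message."
    }
}
```

Run it from an elevated prompt on the server that hosts the Application Catalog roles; it only reads the configuration file and the certificate stores.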