b2hunter Posted September 12, 2013

Dear colleagues!

I'm new to SCCM, hope you can help a real noob with the problem I've faced a few days ago.

It had been all working fine for several weeks, but suddenly clients just stopped functioning. Here are the facts:

- Only two client actions are now available: request machine policy and user policy;
- Nothing is reporting, software is not deploying;
- It happens with every machine in this setup;
- Tried re-adding MP role to the site system - no luck;
- Tried reinstalling agents on several machines - goes fine, but issue is still the same;
- No PKI, no signing needed in the site options;
- MP set to HTTP client connection;
- Every component status is green;
- Automatic site assignment works fine;
- The clients are actually receiving policies but can't verify them for some reason.

This is what I've found in the PolicyAgent log file on the clients:

------------------------------------------------------------
instance of CCM_PolicyAgent_AssignmentsReceived
{
AuthorityName = "SMS:PRT";
ClientID = "GUID:A5D20107-C467-4CB2-BF51-EBF881DCE47D";
DateTime = "20130912062446.372000+000";
ProcessID = 3668;
ReplyType = "Full";
ResourceName = "VEEAM";
ResourceType = "Machine";
ThreadID = 1868;
};
<![LOG[signature verification failed for PolicyAssignmentID {c2154b10-0f87-4d2a-bea4-43c4180c2955}.]LOG]!><time="10:24:46.372-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {e9d24650-2f13-483d-b719-b482ed3ea573}.]LOG]!><time="10:24:46.372-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {d977b89b-e6e9-416e-9b15-4bdbc0888515}.]LOG]!><time="10:24:46.372-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {772bf869-7423-4b9f-9a53-ed0287e4b8bc}.]LOG]!><time="10:24:46.372-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {74b84bd8-a806-4646-9d31-1f45fd2dfc3d}.]LOG]!><time="10:24:46.372-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {7e48c59b-971b-4997-8b81-1fe587f1c359}.]LOG]!><time="10:24:46.372-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {3d1a5b89-4389-459f-9761-272739465315}.]LOG]!><time="10:24:46.372-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {0c982724-30d1-4730-b8e8-362bf22cd421}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {a21b3473-d298-4771-baa1-d2e61e31e3d2}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {cf46b198-fafc-48f9-aa77-20cc495829a6}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {b74d9424-ff61-41ec-98f4-29f02fb43da2}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {cdda5d42-b54e-4da9-bf1b-350c7c384a78}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {395d969d-2d3d-4887-8d51-c9b797edc950}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {88077637-5c9c-45c2-8e87-f49cba64d964}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {0929afac-7e7e-4b32-8cae-a734c776d65d}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {32df284d-6e83-4d85-a8e4-d74bf516c84a}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {5c5f13ab-40cd-42bc-b7e6-cb9e965444ca}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {45db7fab-b68e-4de8-8aed-ae037de8f7ca}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {e80adc00-59dc-4d10-9a8a-8c75cace1165}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {0af8938d-1e24-4303-b4d0-6c48fb2acbae}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {94b7a88c-b526-454e-9a8e-bf2f07b9cb68}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[Raising event:
instance of CCM_PolicyAgent_PolicyAuthorizationFailure
{
ClientID = "GUID:A5D20107-C467-4CB2-BF51-EBF881DCE47D";
DateTime = "20130912062446.403000+000";
PolicyNamespace = "\\\\VEEAM\\ROOT\\ccm\\policy\\machine\\requestedconfig";
PolicySource = "SMS:PRT";
ProcessID = 3668;
ThreadID = 1868;
};
]LOG]!><time="10:24:46.403-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="1" thread="1868" file="event.cpp:706">
------------------------------------------------------------

Please feel free to share any thoughts on this as I came to a standstill (which is expected as I'm a total noob to the system).

Many thanks in advance!

Alex
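
An excerpt like the one in the post above can be summarised rather than read entry by entry. The following PowerShell is an added example, not part of the original post and not SCCM's own code; the helper name Get-PolicySignatureFailure and the sample lines (placeholder GUIDs, site code XXX) are assumptions.

```powershell
# Constructed sample in the log line format quoted in the post; the GUIDs
# and the site code XXX are placeholders, not values from the thread.
$sample = @'
<![LOG[signature verification failed for PolicyAssignmentID {00000000-0000-0000-0000-000000000001}.]LOG]!><time="10:24:46.372-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[signature verification failed for PolicyAssignmentID {00000000-0000-0000-0000-000000000002}.]LOG]!><time="10:24:46.388-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="3" thread="1868" file="replyassignmentsendpoint.cpp:446">
<![LOG[Raising event:
instance of CCM_PolicyAgent_PolicyAuthorizationFailure
{
    PolicySource = "SMS:XXX";
};
]LOG]!><time="10:24:46.403-240" date="09-12-2013" component="PolicyAgent_ReplyAssignments" context="" type="1" thread="1868" file="event.cpp:706">
'@

# Hypothetical helper (not an SCCM cmdlet): summarises policy signature failures.
function Get-PolicySignatureFailure {
    param([Parameter(Mandatory = $true)][string]$LogText)

    # One log entry: message, then time and date attributes. (?s) lets the
    # message span several lines, as the "Raising event" entries do.
    $entry  = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'
    $failed = 'signature verification failed for PolicyAssignmentID (?<id>\{[0-9a-f-]{36}\})'

    $ids     = New-Object 'System.Collections.Generic.List[string]'
    $stamps  = New-Object 'System.Collections.Generic.List[string]'
    $sources = New-Object 'System.Collections.Generic.List[string]'
    foreach ($m in [regex]::Matches($LogText, $entry)) {
        $msg = $m.Groups['msg'].Value
        if ($msg -match $failed) {
            $ids.Add($Matches['id'])
            $stamps.Add(('{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value))
        }
        elseif ($msg -match 'CCM_PolicyAgent_PolicyAuthorizationFailure') {
            # Record which policy source (site) the client refused to trust.
            if ($msg -match 'PolicySource = "(?<src>[^"]+)"') { $sources.Add($Matches['src']) }
        }
    }
    [pscustomobject]@{
        FailedSignatures    = $ids.Count
        DistinctAssignments = @($ids | Sort-Object -Unique).Count
        FirstFailure        = if ($stamps.Count) { $stamps[0] } else { $null }
        LastFailure         = if ($stamps.Count) { $stamps[$stamps.Count - 1] } else { $null }
        AuthorizationFailed = @($sources | Sort-Object -Unique)
    }
}

Get-PolicySignatureFailure -LogText $sample
```

On a client, pass the text of PolicyAgent.log (read with `Get-Content -Raw`) instead of `$sample`.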

b2hunter Posted September 12, 2013

I've also tried the below - no luck:

1) client push reinstall with RESETKEYINFORMATION=TRUE
2) links to get MP certificate info and MP list work fine:
http://servername/SMS_MP/.SMS_AUT?MPCERT
http://servername/SMS_MP/.SMS_AUT?MPLIST

b2hunter Posted September 12, 2013

What I've also realized is that when you don't use a CA, SCCM generates self-signed certificates and the client push installation method provides the client computer with them. I've found 4 certificates in the site system computer account SMS certificate store. Two of them ("SMS signing certificate" and "SMS Encryption Certificate") are usually exported to a client machine, am I right?

I've tried exporting them and replacing the existing certificates on a client machine with them - still no luck, same error messages in the log file.

I'll keep you posted if I find anything more. In the meanwhile I still hope for a piece of advice or comments.

jorlando Posted September 12, 2013

Look at the LocationServices.log and ClientLocation.log. Any errors?

Also put this in a URL:

Replace MP with the name of your management point.

b2hunter Posted September 13, 2013

> Look at the LocationServices.log and ClientLocation.log any errors? Also put this in a URL: Replace MP with the name of your management point.

Hello,

I would like to thank you for the input!

It actually locates the MP well, no errors in the log. As far as I understand, the client cannot receive any policies when it's not locating the MP, and from the PolicyAgent.log we see such an event:

instance of CCM_PolicyAgent_AssignmentsReceived

Then it fails to verify the policies, but fails all the time:

Signature verification failed for PolicyAssignmentID

And after that it logs a policy authorization failure:

instance of CCM_PolicyAgent_PolicyAuthorizationFailure

So, when the client receives the policy it should verify it to make sure it has been sent from a correct server. I don't use a CA, so the primary server issues 4 self-signed certificates which I can find in the SMS certificate store. I can also find two of them in the client SMS certificate store ("SMS signing certificate" and "SMS Encryption Certificate").

In order to try and solve it I've tried:

a) reinstall client with RESETKEYINFORMATION=TRUE
b) removed the certificates from the client server and replaced them with the exported certificates from the site system

None of this helped, unfortunately. So this is where I came to a standstill.

1) There may be another reason for the verification check to fail. Does anyone know that?
2) The issue is still with the certificates. What can I do to make sure certs are 100% fine?

b2hunter Posted September 13, 2013

SOLVED!!!

That was a certificate issue indeed, so here's what I did in order to solve that.

Please note: my setup is SCCM 2012 SP1 with no PKI. However, if you do have PKI and are running into the same issue, note that SCCM uses a self-signed certificate for the policy signature!

1) Removed all certificates from the primary server. For those who are new to certificates, this can be done if you run mmc and add the "Certificates" snap-in into it. You need to select computer account; the certificates will be in the "SMS" folder.
2) Removed and added back MP. This may not be needed, but the overall task sequence worked well for me. However, it didn't help when I did it previously without removing keys.
3) Restarted the primary site server.

There is no need to reinstall clients after that - ours picked up their policies successfully after that!

Not sure of the main cause of the issue by the way, I'm convinced there were no changes to SCCM infrastructure. The system sometimes seems really unpredictable to me, however the logs always help!

jonathan173 Posted March 12, 2014

Just wanted to comment on this post after reading it and having the same symptoms with a totally different resolution.

Running SCCM 2012 R2, I discovered that from the initial install of SCCM 2012 there was an MP object for my primary site server residing in the System Management container at the FOREST level as well as the child domain. Once removed, there were no longer two separate versions of my management point in Active Directory, and policy assignments resumed without further action.

Hopefully no one else has the same issue, but if you do, give this a try.