green_bread (posted January 3, 2014)

Hello everyone! I have been working on a problem for a few days and I've run out of things that I can think of to try.

First, a little background: The issue I am currently experiencing is that I can get the SCCM client to install on workstations; however, I cannot get them to pull their policies. This also means they are not installing SCEP, which is what we use for antivirus. This issue started occurring because we weren't paying attention to our certs and had some expire. At first, I couldn't even get the SCCM client to install on workstations. After creating a new cert in IIS for the SCCM server, I've been able to get the client to install, but they will not pull policies.

The environment is simple... a standalone Primary that also acts as the MP, SUP, and DP, with the site DB located on a different MSSQL server.

Here are the things that I've noticed/been looking into:

LocationServices.log:
    Attempting to retrieve site information from lookup MP(s) via HTTPS
    CCMVerifyMsgSignature failed. Failed to verify received message 0x80090006
    CCMVerify failed with 0x80090006
    Failed to verify message. Could not retrieve certificate from MPCERT. MPCERT requests are throttled for 00:04:59
    Failed to verify message. Sending MP [SERVER] not in cached MPLIST. MPLIST requests are throttled for 00:59:59
    Failed to send site information Location Request Message to [SERVER]

CertificateMaintenance.log keeps repeating:
    Failed to verify signature of message received from MP using name '[SERVER.FQDN]'

Also, I've noticed that when I look at the "General" tab of the Configuration Manager utility in Control Panel, new clients show "none" for Client certificate, where clients that were installed before these issues began show "PKI".

To me, it seems like I am either missing a cert somewhere, or the cert that the client uses to talk to the MP for policy assignment is missing.... of course, I could be WAAAY off.

I am happy to provide any other info or log information, as needed. Thank you all for any help you can offer!
Rocket Man (posted January 4, 2014)

Never had to deal with certs as I only use HTTP self-signed..... but you say that you re-created a new cert; do you specify this cert change on the DP also, like you would with an expired self-signed cert? Maybe you have already done this..
green_bread (posted January 6, 2014)

> Never had to deal with certs as I only use HTTP self-signed..... but you say that you re-created a new cert; do you specify this cert change on the DP also, like you would with an expired self-signed cert? Maybe you have already done this..

[attachment: DPcert.PNG]

Thanks for the reply! When I look at that setting on my server (Administration -> Site Configuration -> Servers and Site System Roles... select Primary site, then go to Properties for Distribution point), the DP is actually set to use a self-signed certificate and it doesn't expire until 4/9/2112. I have not changed this setting from when I first set up SCCM.

The certificate that expired was the one for the IIS server on the MP... if you go to Server Manager -> Roles -> Web Server -> IIS Manager, then click on your IIS server and go to "Server Certificates" in the IIS section, I had to create a new certificate there. This is the one that is bound to port 443 (we use HTTPS only for client communication) on my "Default Website". I believe this was called the "Web Server Certificate", IIRC.

How do you have it set up in your environment? Do you use the same cert for the web server that you use for client communications?
Peter van der Woude (posted January 6, 2014)

The certificates in IIS are only needed when you have clients connecting via HTTPS.
Rocket Man (posted January 6, 2014)

As mentioned before, I do not use PKI certs as I only use HTTP/self-signed, so I'm unsure of the ins and outs of a PKI environment. But having a guess at it: if clients have a PKI cert installed, would it not make sense that the DP has also got the cert in order for client communication to be fully HTTPS? (Just a guess though.) Maybe some members that have experience with an HTTPS environment can contribute to this, as I am not sure.

> How do you have it set up in your environment?

Just HTTP client communication. If a DP self-signed cert expires (normally 1 year after site setup if the DP is installed during the setup, as you do not get a choice of expiration date, unless you create the DP afterwards) then just re-create a new self-signed cert in the DP properties as seen above.

EDIT: Just seen Peter has posted to this....
green_bread (posted January 6, 2014)

> The certificates in IIS are only needed when you have clients connecting via HTTPS.

Which we do. I cannot remember exactly why I was told that I had to set it up that way (it came from our Security group), but I cannot go back to HTTP client communications as that option is now grayed out.

I just exported the cert we are using in IIS and configured the DP to use that one. I'll report back here after testing.

Thank you both for your replies so far! It's much appreciated!
green_bread (posted January 6, 2014)

> I just exported the cert we are using in IIS and configured the DP to use that one. I'll report back here after testing.

Just tried with the exported cert from IIS on the DP and I'm getting the same errors.
Peter van der Woude (posted January 7, 2014)

Every HTTPS-enabled Site System needs its own certificate configured in IIS.
green_bread (posted January 21, 2014)

A little update on where I am right now:

- I have set the MP/DP back to "HTTP or HTTPS" communication, which reinstalls the MP/DP.
- I am able to access http://smsservername/sms_mp/.sms_aut?mplist and http://smsservername/sms_mp/.sms_aut?mpcert, as well as the HTTPS flavors, fine.
- Client installs fine.
- MP is set to use a "self signed" certificate; however, I am still seeing "none" on the General tab of the Config Manager client.
- I have downloaded the Client Actions Tool, and under the "Client Agent Actions" section there's a utility to "Delete certificates (re-register client)", with which I can watch the certificates delete/reappear in MMC.exe under Certificates -> SMS -> Certificates.

Is there a way to specify the cert being used by SCCM?

I'm also seeing "RegTask: Failed to send registration request message. Error: 0x8000000a" under ClientIDManagerStartup.log. Been searching on that error but not finding much helpful info.
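A client-side check for the symptoms discussed in this thread, added here as an example and not code from any poster: it lists the Client Authentication certificates the client could select (an empty list matches the "Client certificate: none" symptom), the self-signed certificates in the SMS store, probes the mplist/mpcert endpoints named above over both schemes, and pulls the most recent signature and registration failures from the three client logs quoted in the thread. The MP name parameter and the default client log path C:\Windows\CCM\Logs are assumptions.

```powershell
# Added example, not from the thread: client-side checks for the symptoms above.
# Assumptions: elevated PowerShell on a Configuration Manager client, $Mp is the
# MP's FQDN, client logs under C:\Windows\CCM\Logs (default client log directory).
param(
    [Parameter(Mandatory)][string]$Mp,
    [string]$LogDir = "$env:windir\CCM\Logs"
)
$now = Get-Date

# 1. PKI client certificates the client could select: Client Authentication EKU
#    (1.3.6.1.5.5.7.3.2) in LocalMachine\My. None valid => "Client certificate: none".
Write-Host "== Client Authentication certificates in LocalMachine\My =="
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    ForEach-Object {
        $state = if ($_.NotAfter -lt $now) { 'EXPIRED' } else { 'valid' }
        '{0,-7} {1}  expires {2:yyyy-MM-dd}  {3}' -f $state, $_.Thumbprint, $_.NotAfter, $_.Subject
    }

# 2. Self-signed signing certificates in the SMS store (what MMC shows under
#    Certificates -> SMS -> Certificates; re-registering the client recreates them).
Write-Host "== Certificates in LocalMachine\SMS =="
Get-ChildItem Cert:\LocalMachine\SMS | ForEach-Object {
    '{0}  expires {1:yyyy-MM-dd}  {2}' -f $_.Thumbprint, $_.NotAfter, $_.Subject
}

# 3. The MP lookup endpoints named in the thread, over HTTP and HTTPS. A TLS trust
#    or name-mismatch error here points at the MP's IIS binding certificate.
foreach ($scheme in 'http', 'https') {
    foreach ($query in 'mplist', 'mpcert') {
        $url = "${scheme}://$Mp/sms_mp/.sms_aut?$query"
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            Write-Host ('OK   {0} ({1} bytes)' -f $url, $resp.RawContentLength)
        } catch {
            Write-Host ('FAIL {0}: {1}' -f $url, $_.Exception.Message)
        }
    }
}

# 4. Most recent signature/registration failures in the client logs quoted above.
$patterns = 'CCMVerifyMsgSignature failed', 'Failed to verify signature', 'RegTask: Failed to send registration'
foreach ($name in 'LocationServices.log', 'CertificateMaintenance.log', 'ClientIDManagerStartup.log') {
    $path = Join-Path $LogDir $name
    if (-not (Test-Path $path)) { continue }
    Select-String -Path $path -Pattern $patterns -SimpleMatch |
        Select-Object -Last 3 |
        ForEach-Object { Write-Host ("{0}: {1}" -f $name, $_.Line) }
}
```

Run it as `.\Check-CMClientCerts.ps1 -Mp smsservername.fqdn`; a FAIL on the HTTPS endpoints that names the certificate chain or hostname, combined with an empty section 1, is the combination this thread describes.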