Hey guys, I'm trying to configure SCCM 2012 R2 with the Certificate Registration Point. The server running the SCCM site server role is also running the Certificate Authority role in the domain. I'm using a separate server for the NDES role. I'm using the following links as installation guide:
On the second link, somewhere halfway through the page, the actual installation of the CPR is done. After the installation is complete, the article recommends to check a couple of logs to see if the CPR is working successfully.
From the article:
CRPMSI.log: This log must read “Installation success or error status: 0”
The CRPMSI.log on my system:
MSI (s) (6C:6C) [13:36:40:937]: Windows Installer installed the product. Product Name: Certificate Registration Point. Product Version: 5.00.7958.1000. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.
Looks OK... next, the crpsetup.log: This log must read “CRP.msi exited with return code: 0”
The crpsetup.log on my system:
<07/11/14 13:36:40> CRP.msi exited with return code: 0
Okay, so far, so good... next, the crpctrl.log. The installation guide tells me the CRP state should be 0, which means it's online. However, this is what happens in the log on my system. I have placed a couple of comments in between the log entries.
Checking CRP service availability state Machine name is 'SCCM.domain.local'. Begin validation of Certificate [Thumbprint 678cd...] issued to 'SCCM.domain.local' Completed validation of Certificate [Thumbprint 678cd...] issued to 'SCCM.domain.local' Skipping this certificate which is not valid for ConfigMgr usage.
[OK cool, I have no idea why the CRP wants to use this cert. The thumbprint leads me to the ConfigMgr SQL Server Identification Certificate - no idea why it pops up in here]
Begin validation of Certificate [Thumbprint 4d9842...] issued to 'SCCM.domain.local' Certificate has "SSL Client Authentication" capability. Completed validation of Certificate [Thumbprint 4d9842...] issued to 'SCCM.domain.local' >>> Selected Certificate [Thumbprint 4d9842...] issued to 'SCCM.domain.local' for HTTPS Client Authentication
[This is the certificate I have configured to use, thank you ConfigMgr for selecting this cert...]
CRP's previous status was 1 (0 = Online, 1 = Failed, 4 = Undefined) Health check request failed, status code is 403, 'Forbidden'. STATMSG: ID=10202 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_CERTIFICATE_REGISTRATION_POINT" SYS=SCCM.domain.local SITE=123 PID=2276 TID=10924 GMTDATE=Fri Jul 11 14:23:39.037 2014 ISTR0="403" ISTR1="Forbidden" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 Completed the CRP availability check against local computer. Starting CRP certificate maintenance... Successfully granted permission to certificate CRP website is using PKI issued certificate Finished certificate maintenance... Waiting for changes for 600 seconds
I have tried a couple of different settings, renewed the of certificates, rebooted the server running the NDES role, but it won't change status to anything else. It says forbidden - error 403, which sound to me like an IIS related setting, but the eventlog just tells me to check the crpctrl.log... Google is also letting me down on this error. Has anyone ever configured NDES and knows that's going wrong? I've spend all day trying to configure this but the Network Device Enrollment Service starts to look like a Near Death Experience Service to me... thanks!