spgsitsupport

Established Members
  • Posts: 198
  • Days Won: 2

Everything posted by spgsitsupport

  1. OK, so I decided to re-check all my steps.
     http://blogs.technet.com/b/smartinez/archive/2012/10/19/sys-ctr-2012-configmgr-mobile-device-installation.aspx
     and specifically: https://technet.microsoft.com/en-us/library/gg699362.aspx

     "Site systems that run Internet Information Services (IIS) and that are configured for HTTPS client connections: Server authentication Web Server Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1) AND This certificate must reside in the Personal store in the Computer certificate store."

     That was my "error". I moved the certificate to the Web Hosting store, which obviously caused the issue on this one role. Once moved back to the Personal store, all is good. Works now & can enroll my Mac clients.

     Seb
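     An added PowerShell check (not from the thread) for the two requirements the post quotes: the certificate bound to the IIS HTTPS site must sit in LocalMachine\My (Personal), not Web Hosting, and must carry the Server Authentication EKU. It assumes the WebAdministration module is available and that the site name is 'Default Web Site'.

```powershell
# Added example, not from the original post: audit the IIS HTTPS binding certificate
# against the ConfigMgr requirements (Personal store + Server Authentication EKU).
Import-Module WebAdministration

$siteName      = 'Default Web Site'     # assumption: site hosting the ConfigMgr roles
$serverAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU from the post

$bindings = Get-WebBinding -Name $siteName -Protocol https
if (-not $bindings) { Write-Warning "No HTTPS binding found on '$siteName'"; return }

foreach ($b in $bindings) {
    $thumb = $b.certificateHash
    $store = $b.certificateStoreName
    Write-Host "Binding $($b.bindingInformation): cert $thumb in store '$store'"

    # ConfigMgr roles expect the certificate in the Personal (My) store, not WebHosting
    if ($store -ne 'My') {
        Write-Warning "  Certificate is in '$store'; it must reside in LocalMachine\My (Personal)."
    }

    $cert = Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { Write-Warning "  Thumbprint $thumb not found in LocalMachine\$store"; continue }

    # EnhancedKeyUsageList is populated by the Cert: provider for each certificate
    $hasServerAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }
    if ($hasServerAuth) { Write-Host "  EKU contains Server Authentication: OK" }
    else { Write-Warning "  EKU lacks Server Authentication ($serverAuthOid)" }

    # A server certificate without its private key cannot complete a TLS handshake
    if (-not $cert.HasPrivateKey) { Write-Warning "  No private key associated with this certificate" }
    Write-Host "  Subject: $($cert.Subject)  Expires: $($cert.NotAfter)"
}
```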
  2. How about starting with a fully updated install.wim? You could use Simplix for it.
  3. SQL run as domain user. These are a few helpful sites to achieve this:
     https://msdn.microsoft.com/en-us/library/ms143504.aspx
     https://technet.microsoft.com/en-us/library/Bb735885.aspx?f=255&MSPPError=-2147217396
     http://www.zerohoursleep.com/2010/11/a-fatal-error-occurred-when-attempting-to-access-the-ssl-server-credential-private-key/
     http://www.sqlservercentral.com/Forums/Topic1251605-1550-1.aspx
     https://social.msdn.microsoft.com/Forums/sqlserver/en-US/ee918522-2190-4d5e-9e25-a8ae34ced025/sql-agent-wont-start-under-domain-account-which-is-not-in-local-administrators-group-sql-server?forum=sqlsecurity

     Once you have filesystem/PKI/registry/database permissions & SPNs set up correctly, it will work again.

     Seb
  4. The PKI bit only seems to mean that a PKI certificate was used to register with the SCCM site server. So the normal machine certificate exists, and the 2 SMS certificates are there as well.
  5. Did run it, it added a few bits, rebooted the server & I am back at the very same point:

     On 24/08/2015 18:03:33, component SMS_ENROLL_SERVER on computer sccmserver.local reported: Enrollment Point Control Manager detected that the Enrollment Point is not responding to HTTP/HTTPS requests. The http status code and text is 500, Internal Server Error.
     Possible cause: Internet Information Services (IIS) isn't configured to listen on the ports over which Enroll Service is configured to communicate.
     Solution: Verify that the designated Web Site is configured to use the same ports which ENROLLSRV is configured to use.
     Possible cause: The designated Web Site is disabled in IIS.
     Solution: Verify that the designated Web Site is enabled, and functioning properly.
     For more information, refer to Microsoft Knowledge Base.
  6. Resolved it by running the SQL used by SCCM as a domain user & assigning the SPNs MSSQLSvc/sqlserver:1433 & MSSQLSvc/sqlserver_FQDN:1433 to this user.
     https://technet.microsoft.com/en-us/library/Bb735885.aspx?f=255&MSPPError=-2147217396
     https://msdn.microsoft.com/en-us/library/ms143504.aspx
  7. I have SQL specified as FQDN in the SCCM 2012 R2 config. Of course such an account does NOT exist in AD (as it is only the short name). So I get lots of errors in the event log:

     A Kerberos error message was received:
     on logon session
     Client Time:
     Server Time: 14:35:53.0000 8/24/2015 Z
     Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
     Extended Error: 0xc0000035 KLIN(0)
     Client Realm:
     Client Name:
     Server Realm: DOMAIN.LOCAL
     Server Name: MSSQLSvc/sccmserver.local:1433
     Target Name: MSSQLSvc/sccmserver.local:1433@DOMAIN.LOCAL
     Error Text:
     File: 9
     Line: 12c5
     Error Data is in record data.

     setspn -L SQLServerAccountName returns correct info (SPNs do exist & they are correct for this SQL account). Is that expected? Can it be fixed?

     Seb
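     An added PowerShell check, not from the thread, for the SPN state that posts 6 and 7 describe: it confirms that the SQL Server service account holds both the short-name and the FQDN MSSQLSvc SPNs on port 1433 (the FQDN one is what the KDC_ERR_S_PRINCIPAL_UNKNOWN event above is missing) and looks for duplicate registrations. The account name and host names are placeholder assumptions.

```powershell
# Added example, not from the original post: verify the MSSQLSvc SPNs needed for
# Kerberos authentication from the ConfigMgr server to SQL, using setspn.exe.
$sqlServiceAccount = 'svc_sql'          # assumption: sAMAccountName of the SQL service account
$sqlHost           = 'sccmserver'       # assumption: short host name of the SQL server
$sqlFqdn           = 'sccmserver.local' # assumption: FQDN of the SQL server
$port              = 1433

# Both forms are needed: clients connecting by short name use the first,
# ConfigMgr configured with the FQDN (as in the post) requests the second
$required = @("MSSQLSvc/${sqlHost}:$port", "MSSQLSvc/${sqlFqdn}:$port")

# setspn -L lists the SPNs registered on the account
$registered = (setspn -L $sqlServiceAccount) | ForEach-Object { $_.Trim() } |
              Where-Object { $_ -like 'MSSQLSvc/*' }

foreach ($spn in $required) {
    if ($registered -contains $spn) {
        Write-Host "OK       $spn is registered on $sqlServiceAccount"
    } else {
        Write-Warning "MISSING  $spn on $sqlServiceAccount (register with: setspn -S $spn $sqlServiceAccount)"
    }
    # setspn -Q shows which object currently holds the SPN; a different owner means a
    # duplicate registration, which also breaks Kerberos for the SQL service
    $owner = setspn -Q $spn | Where-Object { $_ -match '^CN=' }
    if ($owner) { Write-Host "         currently held by: $owner" }
}

# setspn -X reports duplicate SPNs across the forest
Write-Host "`nDuplicate SPN scan:"
setspn -X
```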
  8. Moved to a PKI HTTPS based setup (from plain http). I can see that a newly installed client shows:
     Client certificate: PKI

     but the actual certificates in SMS are still showing as issued by SMS (i.e. via certutil -viewstore SMS):
     SMS Encryption certificate 1.3.6.1.4.1.311.101.2
     SMS Signing certificate 1.3.6.1.4.1.311.101

     So what is the actual "Client certificate: PKI"? Where is the info taken from that it is now PKI?

     I get the same result (change from self-signed to PKI if I re-register the client) using SCCM Client Action Tool from http://sccmcat.codeplex.com/ as per http://www.scconfigmgr.com/2012/11/12/force-a-client-re-registration-in-configmgr-2012/

     Seb
  9. I have retested my sysprepped image.
     Removed smscfg.ini & certificates.
     Removed the Computer object (from my previous try) from SCCM.
     Re-created the pre-staged computer object with MAC & GUID (from the PXE boot screen 421...).
     Machine boots to the desired PXE boot image.
     Machine gets re-registered with SCCM with a different GUID to the prestaged object (exactly the same as per the first post 9DA...).
     Name & MAC address of the "new" registered machine are identical to the prestaged computer object (only the GUID is different).

     It makes no sense to me...
  10. I would recommend looking at the Toolkit from Engl.co.uk. Does an amazingly easy job (with tiny modifications to the process you can get exactly what you want).

      Seb
  11. Site System role is configured for the very FQDN already, but I am to change it to the "external" address, i.e. sccm.domain.com.

      "...In your internal DNS zone, configure the following..."
      Is that as a CNAME? sccm.domain.com --> sccmserver.local

      Done above, issued a webserver certificate which has BOTH DNS names in SAN:
      sccm.domain.com
      sccmserver.local

      Can access the webserver via https:// using both names (of course the certificate shows OK) but still get the error:

      On 23/08/2015 19:25:05, component SMS_ENROLL_SERVER on computer sccmserver.local reported: Enrollment Point Control Manager detected that the Enrollment Point is not responding to HTTP/HTTPS requests. The http status code and text is 500, Internal Server Error.

      If I try to login to https://sccm.domain.com/EnrolmentService I get:

      Server Error in '/EnrollmentService' Application.
      Access is denied.
      Description: An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources.
      Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access to 'C:\Program Files\SMS_CCM\EnrollmentPoint'.

      which means that obviously it is listening on this address!

      I can also access: https://sccm.domain.com/EnrollmentServer/enroll.htm

      Enterprise Enrollment
      To enroll your phone and connect to your company network, select from the following list of supported devices:
      Windows Mobile 6.1, 6.5
      Nokia Symbian Belle

      In the error log I also have an error from System.ServiceModel 4.0.0.0 (attached): WebHost failed to process a request.
      WebHost failed to process a request.txt
  12. Well, I did follow this (as it seems to be the most current by version):
      https://technet.microsoft.com/en-us/library/Gg699362.aspx
      "... the Subject Name OR Subject Alternative Name must contain the Internet fully qualified domain name (FQDN)...."

      So I have NO SAN, but the subject name contains the FQDN (of the SCCM server on the local network, I do NOT have it on the internet).

      Seb
  13. I am trying not to use Unknown Computers for PXE boot, but create the computer account in SCCM (MAC & BIOS GUID, correct collection), so it boots with the image that is assigned to this collection. Works fine. But once the SCCM client gets installed on the machine & it registers itself with SCCM, a completely different object gets created with EXACTLY the same name, but a different GUID.
  14. Need to enroll Mac (Mavericks) clients on SCCM 2012 R2 SP1. Configured the whole environment as per:
      http://www.jamesbannanit.com/2012/10/enrol-mac-os-x-clients-in-configuration-manager-2012-sp1/
      and/or
      http://blogs.technet.com/b/systemcenterpfe/archive/2014/10/04/step-by-step-guide-to-setting-up-system-center-2012-r2-configuration-manager-to-support-management-and-installation-of-the-configmgr-client-on-mac-osx-computers.aspx

      Reinstalled the Enrollment Roles, still only getting:

      Component SMS_ENROLL_SERVER on computer sccmserver.local reported: Enrollment Point Control Manager detected that the Enrollment Point is not responding to HTTP/HTTPS requests. The http status code and text is 500, Internal Server Error.
      Possible cause: Internet Information Services (IIS) isn't configured to listen on the ports over which Enroll Service is configured to communicate.
      Solution: Verify that the designated Web Site is configured to use the same ports which ENROLLSRV is configured to use.
      Possible cause: The designated Web Site is disabled in IIS.
      Solution: Verify that the designated Web Site is enabled, and functioning properly.
      For more information, refer to Microsoft Knowledge Base. (does NOT specify which one!?)

      Which obviously results on the client with:

      System Center Configuration Manager Client for Mac OS X
      Version: 5.00.7958.1102
      Copyright 2013 Microsoft Corporation
      Contacting Server: https://sccmserver.local/EnrollmentServer/DeviceEnrollmentWebService.svc
      Using username: **********
      SSL Connection failed. HTTP Response code is 500 and reason is Internal Server Error
      Unknown Error from server
      ------------------------------------------------

      I can access https://sccmserver.local/EnrollmentServer/DeviceEnrollmentWebService.svc just fine and get:
      This is a Windows© Communication Foundation service.
      Metadata publishing for this service is currently disabled.

      Anybody has any ideas?

      Seb
  15. Thanks, I like being different (but your comment is completely OFF TOPIC really). Not using DP (for some big installs like Autocad 20xx or Sibelius or some educational subject specific software that DOES ONLY RUN from UNC without ANY install) does not make me less productive (just the opposite in fact!)

      I will give you a simple example: gigs & gigs of iso files on a network share that have content that can/should/must change every so often. They do get mounted from the network share & run on a client from a VirtualClone Drive "DVD". So an Application without DP that is available to end users (and can be refreshed by F5 to get the new updated version) is just one of them.

      Another one you might not have encountered is the network install of OCR Finereader. It licences itself to the HD SN of the server on which it is installed. Then the client install must be done from that location, as it is the only way it works (if you copy the content first elsewhere & then install, the version is not licenced).

      One has to recognize that there is never ONE & ONLY way when computers are concerned.

      Seb
  16. And you detect the older version by what? C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe does not present a version number (as e.g. FlashUtil64_18_0_0_232_Plugin.exe does).

      Seb
  17. Just wondering which way admins update clients' Flash versions? Via SCUP? Thanks

      Seb
  18. Thanks, will test it all again then. At least it is good to know that Applications can ALSO work without content in a DP & only UNC. Really appreciate your time answering my questions.

      Seb
  19. Good that everybody is entitled to their own opinions. Believe me, in a flat ten gig backbone network, I see no benefit to DP (and its own internal doings). I need to run applications from UNC (they either are already installed there to be executed OR the source is stored there for install, like an admin install of Office etc). DP is another unnecessary step to keep updated & backed up. I am sure there are places where DP might be useful, mine is not one currently. Of course I could use it, but do not need it, and using it for the sake of using it makes it pointless.

      As to the error: The software change returned error code 0x80070005(-2147024891). That is definitely not an access error (as the rights/permissions are correct). Why would there be a timeout?

      Seb

      PS To me it seems that SCCM is designed with a missing option: access the network as user X (predefined like NAA) and run locally as a dynamic administrator (and not system).
  20. Of course I have share (and NTFS permissions) set up correctly for COMPUTER accounts (client ones). Still an Application assigned to a collection (users or computers) does not work (it always errors out). Why "...like shooting yourself in the foot..."? In my environment, with NO WAN etc, I see DP as totally pointless.

      Seb
  21. http://mickitblog.blogspot.co.uk/2013/04/sccm-deploying-from-network-share.html

      The above states that one could do it with an Application. Yet I never managed to make it behave this way. (I could only do that with Packages, but the way they advertise on the client machine is not intuitive, F5 does nothing.)

      I have tried Microsoft forums, but (sadly) they are full of people that behave... well... the Microsoft way... "It is the designed way, nothing can be done about it...."

      Yet, I do NOT want to use DP for Application installs, as I already have the source maintained by myself on a separate server network share (so no need to duplicate content in DP).

      So the question is: is it possible to create an Application with no content, that does run something executable (.cmd, .exe etc) directly from UNC WITHOUT first being copied to DP?

      Thanks
      Seb