Showing results for tags 'SSL'.

Found 6 results

  1. Team, In a recent Security Audit at my workplace, it was found that SSLv3 was enabled on IBCM server. We need to disable SSLv3, TLSv1 & enable TLSv1.2. Has anybody done this? Kindly share your Observations. Also, Any Support article, guide will be of great help. I have done the changes as per reading on Internet under... HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols Now, my Internet Based clients are not communicating to IBCM server at all. No Policy since the changes made. Kindly suggest.
  2. Good afternoon, Is there a built-in Alert or Report (or one that can be made simply enough) to send an email (or notify in the console) that the Distribution Point certificate is expiring within 30 days? Is this possible? Thanks! Jesse
  3. Hi, Yesterday I tried to make our site server and distribution points SSL. There are a ton of guides on the internet for how to do this. I think I ended up using this one: https://sccmguy.com/2013/11/26/pki-certificates-for-configuration-manager-2012-r2-part-1-of-4-web-server-certificate/. However, when we were done, client communication stopped. Some of the relevant logs: From CcmMessaging Successfully queued event on HTTP/HTTPS failure for server 'XXX'. Post to https://XXX/ccm_system_windowsauth/request failed with 0x87d00231. From CcmNotificationAgent Error: Server certificate retrieved in TLS is not an exact match of the current MP encryption certificate. Error: 0x80090322 authenticating server credentials! Failed to signin bgb client with error = 80090322. Fallback to HTTP connection. [CCMHTTP] ERROR: URL=http://1982-X-MP-1-P01.xactware.com/bgb/handler.ashx?RequestType=LogIn, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE (EDIT: MANAGEMENT POINT IS ACCEPTING HTTPS ONLY SO I EXPECTED THIS ONE) From Mpcontrol Selected certificate [thumbprint] issued to 'XXX' for HTTPS client authentication Call to HttpSendRequestSync failed for port 443 with status code 403; text: Forbidden To me this looks like a certificate issue. However, no matter what I've tried (added a common name in addition to the DNS name in the certificate, deleted and enrolled again for client and server side certificates, reinstalling the management point, 5 hours of other things I don't remember) I can't get rid of this error. Aside from binding the SSL cert to the default website in IIS, is there anything else that needs to be done in IIS? Am I missing something else? Appreciate any pointers, Scott
  4. So I find today that in trying to test a new TS that when booting PXE, I get an error screen from WDS that just only displays the error code 0xc000000f. Digging around, I've found some that say it's a WDS problem and another that says it's an SSL issue because the MP is SSL but the DP is not. One article states that if the MP is SSL, the DP also has to be using the PKI Cert as well instead of the self-signed. Another article mentions no problems with the DP being non-SSL. This is what I'm seeing in SMSPXE.log PXE::MP_GetList failed; 0x80070490 SMSPXE 5/16/2017 2:50:13 PM 5520 (0x1590) PXE::MP_LookupDevice failed; 0x80070490 SMSPXE 5/16/2017 2:50:13 PM 5520 (0x1590) PXE::MP_GetList failed; 0x80070490 SMSPXE 5/16/2017 2:50:13 PM 5520 (0x1590) PXE::MP_ReportStatus failed; 0x80070490 SMSPXE 5/16/2017 2:50:13 PM 5520 (0x1590) PXE Provider failed to process message. Element not found. (Error: 80070490; Source: Windows) SMSPXE 5/16/2017 2:50:13 PM 5520 (0x1590) Just looking for some insight on where to go with this.
  5. Running into an issue that I cannot wrap my head around. We recently switched from HTTPS to HTTP and now clients will not talk to remote MPs or DPs on Secondary Sites. Talking back to MP on Stand Alone Primary works fine. I have revoked certs from CA and removed certs from servers but all of my Secondary sites are having issues with MPs and DPs (no PXE Boot Filename Received). Also removed Secondary Site, WDS, WSUS, all prereqs and reinstalled. Tried PXE booting to WDS + MDT 2013 and that works, but once SCCM PXE boot is turned on, I get the error. Boot images are distributed to DPs and Task Sequences have correct boot image assigned. Has anyone run into this type of problem before? Everything looks fine in the mpsetup.log and mpcontrol.log files. MPControl.log STATMSG: ID=5460 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_MP_CONTROL_MANAGER" SYS=KEL-APPS.******.****** SITE=KEL PID=2840 TID=5188 GMTDATE=Mon Mar 13 16:23:37.001 2017 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 Successfully performed Management Point availability check against local computer. Applied D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GR;;;LS)(A;CIOI;GR;;;S-1-5-17) to folder C:\Program Files\Microsoft Configuration Manager\Client SSL is not enabled. Call to HttpSendRequestSync succeeded for port 80 with status code 200, text: OK Sent summary record of SMS Management Point on ["Display=\\KEL-APPS.******.******\"]MSWNET:["SMS_SITE=KEL"]\\KEL-APPS.******.******\ to \\KEL-APPS.******.******\SMS_KEL\inboxes\sitestat.box\7d1dtt14.SUM, Availability 0, 733641724 KB total disk space , 681200880 KB free disk space, installation state 0. Http test request succeeded.
STATMSG: ID=5460 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_MP_CONTROL_MANAGER" SYS=KEL-APPS.******.****** SITE=KEL PID=2840 TID=5188 GMTDATE=Mon Mar 13 16:28:37.013 2017 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 Successfully performed Management Point availability check against local computer. SMS_MP_CONTROL_MANAGER 3/13/2017 12:28:37 PM 5188 (0x1444)
  6. We have a small number of servers in our DMZ; all are in their own workgroups so no knowledge of each other. They are also not all internet connected so patches must be pushed from internal to DMZ. I noticed this post https://nikifoster.wordpress.com/2011/01/31/installing-configmgr-clients-on-servers-in-a-dmz/ which states as long as I have firewall rules in place I can manually install the clients and have them talk directly back to my site server internally, no certificates required. I was also looking at https://social.technet.microsoft.com/Forums/en-US/f8b1b51e-515e-41f6-bb1e-cdeeabb11f6f/configmgr-2012-design-for-dmz?forum=configmanagergeneral and their option 3 is to build a DP/MP/SUP box still internal and have that configured with SSL to then talk to the DMZ boxes. If I were to build this design and enable SSL, what effect will this have on my currently working internal environment? Will every machine now have to use the new certificates to talk to SCCM? Or will it only be for boxes talking to the new Distribution Point which I can hopefully administer with boundary points?