Search the Community

Hi, Yesterday I tried to make our site server and distribution points SSL. There are a ton of guides on the internet for how to do this. I think i ended up using this one: https://sccmguy.com/2013/11/26/pki-certificates-for-configuration-manager-2012-r2-part-1-of-4-web-server-certificate/. However, when we were done, client communication stopped. Some of the relevant logs: From CcmMessaging Successfully queued event on HTTP/HTTPS failure for server 'XXX'. Post to https://XXX/ccm_system_windowsauth/request failed with 0x87d00231. From CcmNotificationAgent Error: Server certificate retrieved in TLS is not an exact match of the current MP encryption certificate. Error: 0x80090322 authenticating server credentials! Failed to signin bgb client with error = 80090322. Fallback to HTTP connection. [CCMHTTP] ERROR: URL=http://1982-X-MP-1-P01.xactware.com/bgb/handler.ashx?RequestType=LogIn, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE (EDIT: MANAGEMENT POINT IS ACCEPTING HTTPS ONLY SO I EXPECTED THIS ONE) From Mpcontrol Selected certificate [thumbprint] issued to 'XXX' for HTTPS client authentication Call to HttpSendRequestSync failed for port 443 with status code 403; text: Forbidden To me this looks like a certificate issue. However, no matter what I've tried (added a common name in addition to the DNS name in the certificate, deleted and enrolled again for client and server side certificates, reinstalling the management point, 5 hours of other things I don't remember) I can't rid of this error. Aside from binding the SSL cert to the default website in IIS, is there anything else that needs to be done in IIS? Am I missing something else? Appreciate any pointers, Scott

So I find today that in trying to test a new TS that when booting PXE, I get an error screen from WDS that just only displays the error code 0xc000000f. Digging around, I've found some that say it's a WDS problem and another that says it's an SSL issue because the MP is SSL but the DP is not. One article states that if the MP is SSL, the DP also has to be using the PKI Cert as well instead of the self-signed. Another article mentions no problems with the DP being non-SSL. This is what I'm seeing in SMSPXE.log PXE::MP_GetList failed; 0x80070490 SMSPXE 5/16/2017 2:50:13 PM 5520 (0x1590) PXE::MP_LookupDevice failed; 0x80070490 SMSPXE 5/16/2017 2:50:13 PM 5520 (0x1590) PXE::MP_GetList failed; 0x80070490 SMSPXE 5/16/2017 2:50:13 PM 5520 (0x1590) PXE::MP_ReportStatus failed; 0x80070490 SMSPXE 5/16/2017 2:50:13 PM 5520 (0x1590) PXE Provider failed to process message. Element not found. (Error: 80070490; Source: Windows) SMSPXE 5/16/2017 2:50:13 PM 5520 (0x1590) Just looking for some insight on where to go with this.

Running into an issue that I cannot wrap my head around. We recently switched from HTTPS to HTTP and now clients will not talk to remote MPs or DPs on Secondary Sites. Talking back to MP on Stand Alone Primary works fine. I have revoked certs from CA and removed certs from servers but all of my Secondary sites are having issues with MPs and DPs (no PXE Boot Filename Received). Also removed Secondary Site, WDS, WSUS, all prereqs and reinstalled. Tried PXE booting to WDS + MDT 2013 and that works, but once SCCM PXE boot is turned on, I get the error. Boot images are distributed to DPs and Task Sequences have correct boot image assigned. Has anyone run into this type of problem before? Everything looks fine the mpsetup.log and mpcontrol.log files. MPControl.log STATMSG: ID=5460 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_MP_CONTROL_MANAGER" SYS=KEL-APPS.******.****** SITE=KEL PID=2840 TID=5188 GMTDATE=Mon Mar 13 16:23:37.001 2017 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 Successfully performed Management Point availability check against local computer. Applied D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GR;;;LS)(A;CIOI;GR;;;S-1-5-17) to folder C:\Program Files\Microsoft Configuration Manager\Client SSL is not enabled. Call to HttpSendRequestSync succeeded for port 80 with status code 200, text: OK Sent summary record of SMS Management Point on ["Display=\\KEL-APPS.******.******\"]MSWNET:["SMS_SITE=KEL"]\\KEL-APPS.******.******\ to \\KEL-APPS.******.******\SMS_KEL\inboxes\sitestat.box\7d1dtt14.SUM, Availability 0, 733641724 KB total disk space , 681200880 KB free disk space, installation state 0. Http test request succeeded. STATMSG: ID=5460 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_MP_CONTROL_MANAGER" SYS=KEL-APPS.******.****** SITE=KEL PID=2840 TID=5188 GMTDATE=Mon Mar 13 16:28:37.013 2017 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 Successfully performed Management Point availability check against local computer. SMS_MP_CONTROL_MANAGER 3/13/2017 12:28:37 PM 5188 (0x1444)

We have a small number of servers in our DMZ all are in their own workgroups so no knowledge of each other. They are also not all internet connected so patches must be pushed from internal to DMZ. I noticed this post https://nikifoster.wordpress.com/2011/01/31/installing-configmgr-clients-on-servers-in-a-dmz/ which states as long as I have firewall rules inplace I can manually install the clients and have them talk directly back to my site server internally no certificates required. I was also looking at https://social.technet.microsoft.com/Forums/en-US/f8b1b51e-515e-41f6-bb1e-cdeeabb11f6f/configmgr-2012-design-for-dmz?forum=configmanagergeneral and their option 3 is to build a DP/MP/SUP box still internal and have that configured with SSL to then talk to the DZ boxes. If I were to build this design and enable SSL what effect will this have on my currently working internal environment. will every machine now have to use the new certifcates to talk to SCCM? or will it only be for boxes talking to the new Distribution Point which I can hopefully administer with boundary points.