Internet Based Client Management Woes

I've got a strange issue with Internet Based Client Management where clients are not communicating when outside of the network.


Some interesting things I've found in client side logs:



1 internet MP errors in the last 10 minutes, threshold is 5.

In CCMMessaging.log, I'm seeing a few of these:

Post to https://----sccm-01.-------------.org/ccm_system/request failed with 0x87d00231.

Interesting Server Side Logs:



Error verifying message from client 'GUID:736B0572-FF7D-45BD-84D2-5E5C6C6F6EC8' (0x80090006).
Message from GUID:abb9de52-52f6-42fa-8901-9e65513e5faf client failed signature validation
Skipping raising MPEvent_ClientAuth_SignatureFailure event because 4 such events were already raised in the past 60 minutes
Could not verify message signature for client 'GUID:abb9de52-52f6-42fa-8901-9e65513e5faf'.


Raising pending event:
instance of CCM_LocationServices_LocationBaseChange
ClientID = "GUID:abb9de52-52f6-42fa-8901-9e65513e5faf";
DateTime = "20160610201145.755000+000";
NewLocation = "Internet";
OldLocation = "Intranet";
ProcessID = 3264;
ThreadID = 1464;

Unable to retrieve AD forest + domain membership. Error 0x8007054b



Some background on the environment:

  • Single server with all roles and SQL (~6,000 clients), 32 GB RAM, 24 cores. All clients are well connected - no slow links.
    • Upgraded existing server from SCCM 2012 R2 CU5 to SCCM 1511, then to 1602, then did a backup/restore onto new hardware to get the server from 2008 R2 to 2012 R2
  • Two domains, both have Discovery Methods set up in SCCM, and clients are working internally
  • Newly configured three-tier CA: Offline root Standalone CA, one subordinate issuing Enterprise CA
    • CRL and AIA are published over HTTP. Both CRL and AIA are internet accessible.
    • Group Policy for Trusted Root certificate, and client auto enrollment are both configured.
    • All clients in both domains have the Offline Root Cert in the Computer Accounts Trusted Root store.
    • All clients in both domains are being issued SCCM Client authentication Certs from the CA
    • SCCM Server's DP cert is installed.
  • SCCM DNS is published internally and externally with the same name. NATs and ACLs are working on the firewall, and the mplist test methods do return valid XML internally and externally


Where else should I look to troubleshoot / diagnose?


It almost seems like something with the CA / certs installed, but I *think* they're correct...


Has anyone else had similar issues with IBCM, and how did you fix it?


Any help / guidance would be appreciated!




0x87d00231 = Transient error

0x80090006 = Invalid Signature.


These would suggest that your clients don't have the right certificate in place or that your new CA is not fully trusted yet.


Since you say that the MPlist is working fine, this is not going to be a CM12 issue. I would focus on your CA and the certs on the client / CM12 itself. I would confirm that a client is working internally. Then walk it to the local coffee shop and confirm that IBCM still works correctly.
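
One way to carry out the certificate check suggested above, as an added example that is not part of the original reply: it lists the client authentication certificates in the computer store and builds each chain with online revocation checking, so an untrusted root or an unreachable CRL shows up in the status column. It assumes Windows PowerShell 3.0 or later, run elevated on the affected client, once inside the network and once from an outside connection.

```powershell
# Added example (not from the thread): validate the machine's client-auth
# certificates the way a verifier would: EKU, private key, chain, revocation.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid
}
if (-not $certs) {
    Write-Warning 'No certificate with the Client Authentication EKU in LocalMachine\My'
    return
}

foreach ($cert in $certs) {
    # $true = machine context, so the computer's trusted root store is used
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $policy = $chain.ChainPolicy
    # Force CRL retrieval over the network instead of trusting cached results
    $policy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $policy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $policy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

    $valid = $chain.Build($cert)
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ChainValid    = $valid
        ChainLength   = $chain.ChainElements.Count
        TopOfChain    = $top.Subject
        # Empty when valid; otherwise e.g. UntrustedRoot, PartialChain,
        # RevocationStatusUnknown, OfflineRevocation
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
    $chain.Reset()
}
```

A chain that is valid internally but reports `RevocationStatusUnknown` or `OfflineRevocation` from outside points at CRL reachability; `UntrustedRoot` or `PartialChain` points at the trust store or a missing intermediate.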
