Martinez

Computers do not switch to PKI based certs


Hello,

We have been on SCCM CB 1910 since the end of January [WS 2016], single primary site and 20+ DPs.

Last week we moved to PKI-based certificates; all required cert templates are in place, plus the GPO. Two new certs were also requested on every site system with the IIS role, the MP was reconfigured to HTTPS, IIS bindings were set on every site system plus additional IIS config on the SUP, and certs were imported to the DPs. On the primary site I haven't switched to HTTPS only yet, due to issues with PXE (resolved now). I have checked all the configuration as per the guides here on wn and the recordings of Justin from PatchMyPC on YouTube; all matches.

The problem we have is that out of 3600 computers, approx. 85% switched to PKI; the rest are on self-signed and, as one of the consequences, they do not install software updates.

I have tried deleting it and requesting new certs [Workstation Authentication], checking whether these systems have access to the CRL [they do], whether they can open the https://MP.FQDN site (they can), an IIS reset on the MP, and CCM agent reinstallation with the mp:https:// command, but nothing changes.

ClientIDManagerStartup:
[RegTask] - Client is not registered. Sending registration request for GUID:
RegTask: Failed to send registration request message. Error: 0x87d00231
RegTask: Failed to send registration request. Error: 0x87d00231
[RegTask] - Sleeping for 480 seconds ...

CCMMessaging.log
Successfully queued event on HTTP/HTTPS failure for server 'MP.FQDN'.
Post to https://MP.FQDN/ccm_system/request failed with 0x87d00231.
Failed to open to WMI namespace '\\.\root\ccm' (80041003)
Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f78
[CCMHTTP] ERROR: URL=https://MP.FQDN/ccm_system_windowsauth/request, Port=443, Options=480, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE
[CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText=
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:xxxxx";
DateTime = "20200602111635.355000+000";
HostName = "MP.FQDN";
HRESULT = "0x80072f78";
ProcessID = 4904;
StatusCode = 0;
ThreadID = 7160;
};
CcmMessaging 6/2/2020 4:16:35 AM 7160 (0x1BF8)

LocationServices.log
Failed to send management point list Location Request Message to MP.FQDN
4 assigned MP errors in the last 10 minutes, threshold is 5.
Current AD site of machine is AD-SITE LocationServices
Current AD site of machine is AD-SITE LocationServices
Assigned MP error threshold reached, moving to next MP.


CCMSetup.log
Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f78
[CCMHTTP] ERROR: URL=https://MP.FQDN/ccm_system/request, Port=443, Options=480, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE
[CCMHTTP] ERROR INFO: StatusCode=200 StatusText=
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:xxxxx";
DateTime = "20200602103445.016000+000";
HostName = "MP.FQDN";
HRESULT = "0x80072f78";
ProcessID = 2972;
StatusCode = 200;
ThreadID = 8076;
};

Failed to submit event to the Status Agent. Attempting to create pending event.
Raising pending event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:e2ea64fd-5790-4d63-99ba-24c870cf2387";
DateTime = "20200602103445.016000+000";
HostName = "MP.FQDN";
HRESULT = "0x80072f78";
ProcessID = 2972;
StatusCode = 200;
ThreadID = 8076;
};

Successfully submitted pending event to WMI.
Failed (0x80072f78) to send location request to 'MP.FQDN'. StatusCode 200, StatusText ''
Failed to send location message to 'https://MP.FQDN'. Status text ''
GetDPLocations failed with error 0x80072f78
Failed to get DP locations as the expected version from MP 'https://MP.FQDN'. Error 0x80072f78
Failed to find DP locations from MP 'https://MP.FQDN' with error 0x80072f78, status code 200. Check next MP.
Only one MP https://MP.FQDN is specified. Use it.
Have already tried all MPs. Couldn't find DP locations.


The computers on self-signed certs are Windows 10 (1809), WS2008R2, 2012 R2, 2016 and 2019, across different sites. At the same time, other computers with the same systems and locations are on PKI.

I am running out of ideas about what else I can try/configure to sort this out.

Any help is appreciated. Thank you.

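The checks the original post lists (client auth cert present, CRL reachable, HTTPS to the MP works) can be run from one script on an affected client. The following is an added example, not code from this thread or from ConfigMgr: it enumerates Client Authentication certificates in the machine store and builds their chains with revocation checking, performs a TLS handshake with the MP offering those certs, and reads the client's current site and MP from WMI (the same root\ccm namespace the logs above fail to open with 80041003). 'MP.FQDN' is a placeholder and Test-CMClientPki is a name chosen here; run it elevated, it changes nothing.

```powershell
<#
  Added example (not from this thread or from ConfigMgr): read-only PKI checks
  for a client that stays on the self-signed certificate. Run elevated.
  'MP.FQDN' is a placeholder for the HTTPS management point.
#>
function Test-CMClientPki {
    param(
        [string]$ManagementPoint = 'MP.FQDN',           # placeholder, replace with the real MP FQDN
        [string]$ClientAuthEku   = '1.3.6.1.5.5.7.3.2'  # Client Authentication EKU OID
    )

    # 1. Candidate certificates: the client needs a machine cert with the
    #    Client Authentication EKU, a private key and a valid, unrevoked chain.
    $candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku)
    })
    if ($candidates.Count -eq 0) {
        Write-Warning 'No valid Client Authentication certificate with a private key in LocalMachine\My'
    }
    foreach ($c in $candidates) {
        # Chain build with revocation checking, so an unreachable CRL shows up here.
        $chainOk = Test-Certificate -Cert $c -Policy BASE -EKU $ClientAuthEku -ErrorAction SilentlyContinue
        '[cert] {0}  expires {1:yyyy-MM-dd}  chain/CRL ok: {2}' -f $c.Thumbprint, $c.NotAfter, [bool]$chainOk
    }

    # 2. TLS handshake with the MP, offering the candidate certs as client certs.
    #    Server validation is done explicitly afterwards so the chain status is visible.
    $coll = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    foreach ($c in $candidates) { [void]$coll.Add($c) }
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($ManagementPoint, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ManagementPoint, $coll,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)

        $server = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $serverChainOk = $chain.Build($server)
        $status = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        $clientCertSent = ($null -ne $ssl.LocalCertificate)

        '[tls] {0}  server: {1}  server chain ok: {2} {3}  client cert sent: {4}' -f $ssl.SslProtocol,
            $server.Subject, $serverChainOk, $status, $clientCertSent
    } catch {
        Write-Warning "[tls] handshake with $ManagementPoint failed: $($_.Exception.Message)"
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }

    # 3. The client's own view: site code and current MP from root\ccm.
    #    An access-denied here matches the 80041003 seen in CCMMessaging.log.
    try {
        $auth = Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority -ErrorAction Stop
        '[ccm] site {0}  current MP: {1}' -f $auth.Name, $auth.CurrentManagementPoint
    } catch {
        Write-Warning "[ccm] cannot read root\ccm: $($_.Exception.Message)"
    }
}

Test-CMClientPki -ManagementPoint 'MP.FQDN'
```

If the cert line reports a failed chain, the client cannot present a usable certificate and stays self-signed regardless of the MP configuration; if the cert is fine but the TLS line shows no client cert sent, the MP's IIS binding or its trusted root list is the place to look. The chain build covers trust and revocation only, not the hostname, which the earlier browser test already confirmed.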

Have you tried reinstalling the ConfigMgr client agent on some of the problem devices? Have you also verified that the clients have received the certificate(s) from your group policy?


Yes, I have; the pasted error above is from the reinstallation attempt. On one I have uninstalled completely, and now it doesn't want to install at all. Yes, the clients receive the auto-enrollment cert via group policy. I also tried deleting it and refreshing policies; the cert appears, but the agent reinstallation attempt fails.


Hi Martinez,

If you are running a proxy server in your environment, run these commands on your Management Point in an admin cmd.

netsh winhttp set proxy proxy.fqdn:port "<local>;*.fqdn"

bitsadmin /util /setieproxy localsystem NO_PROXY

bitsadmin /util /setieproxy localsystem proxy.fqdn:port "<local>;*.fqdn"

iisreset


I was struggling with the same problem for a long time. The IIS server has some serious problems when the IE proxy for Local System is configured with AUTODETECT.

That can result in various errors in Config Manager.

The settings above also fixed my installation errors for MDOP BitLocker and the cache server for Delivery Optimization.


So long


Peter

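Before applying the proxy commands above, it helps to know what the site system currently has configured, because the condition Peter describes (the Local System IE proxy left on AUTODETECT) is easy to miss. The following is an added example, not from this thread: it reads the WinHTTP proxy and the Local System IE proxy with the read-only counterparts of the commands above (netsh winhttp show proxy and bitsadmin /util /getieproxy localsystem) and flags AUTODETECT. Get-SiteSystemProxyState is a name chosen here, not a ConfigMgr cmdlet; it changes nothing.

```powershell
<#
  Added example (not from this thread): report the WinHTTP and Local System
  IE proxy state on a site system before changing it. Read-only; run elevated.
#>
function Get-SiteSystemProxyState {
    # netsh winhttp show proxy prints either "Direct access (no proxy server)."
    # or the configured proxy server and bypass list.
    $winhttp = (netsh winhttp show proxy) -join "`n"
    $winhttpDirect = [bool]($winhttp -match 'Direct access')

    # bitsadmin /util /getieproxy localsystem prints the proxy usage mode for the
    # Local System account (NO_PROXY, AUTODETECT, AUTOSCRIPT or MANUAL_PROXY).
    $ie = (bitsadmin /util /getieproxy localsystem) -join "`n"
    $localSystemAutodetect = [bool]($ie -match 'AUTODETECT')

    $finding = if ($localSystemAutodetect) {
        'Local System IE proxy uses AUTODETECT; set it explicitly (NO_PROXY or a named proxy with a <local> bypass list), then iisreset.'
    } else {
        'Local System IE proxy is set explicitly; AUTODETECT not in use.'
    }

    [pscustomobject]@{
        WinHttpDirectAccess   = $winhttpDirect
        WinHttpRaw            = $winhttp.Trim()
        LocalSystemAutodetect = $localSystemAutodetect
        LocalSystemRaw        = $ie.Trim()
        Finding               = $finding
    }
}

Get-SiteSystemProxyState | Format-List
```

Run it on the MP (and on the SUP and DPs if they show the same symptoms) and keep the raw output; after applying the commands above, running it again confirms that both the WinHTTP setting and the Local System IE setting match, which is the state the fix relies on.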

Hello Peter,

No proxy involved, but thank you for suggesting this. 

There is one more thing, though, that I have spotted: there are old objects in AD System Management from previous SCCM infrastructures (2007 & 2012); the MP publishing records were never cleaned in the decommissioning process. I need to clean this up and try again. Also planning to install the HFRU for MECM 1910.


Alright, so I ended up creating a temporary secondary MP with HTTP traffic so that computers receive policies and switch to PKI. Seems to do the trick. I am still not sure why many computers could switch from self-signed to PKI and some did not [different OS versions and editions, different locations].
