TeachMeSCCM

Clients not getting self-signed certs


Hello

I'm new to posting on this forum. I'll try my best.

My MP is set up to HTTP.

When I changed it back I did reboot it.

I can d

I was having issues with machines losing their certs. Long story short, my cert in my MMC store in the SMS folder was expired; I have taken over this half-assed setup and I'm trying my best.

I was told that SCCM would automatically update the cert. This is not happening. I have found that if I delete the old cert it creates a new one. But now I'm still getting these errors.

I have ensured my boundaries are good, but I'm unable to get clients to get certificates. I am going by IP addresses, not subnet. This is happening for new and old clients.

http://mysccm/sms_mp/.sms_aut?mplist goes to the XML file on both of my servers.

http://mysccm/sms_mp/.sms_aut?mpcert works on both of my servers; it goes to the MP certificate path with the long text.


I do have it set up a bit strangely: I'm doing "point to the SMS cert and use PKI if it's there". I have tried it every other way and none of the ways work for me.


I have tried it every single way, and this way I can get a cert and it registers, but it never registers the client, so I get SCCM to install.

Client Cert shows None, and my software store doesn't work, won't update, etc.

 

Let me know if you need more logs or info. This has been such a pain to figure out.


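The two MP URLs quoted above are the right first check, but seeing "the long text" from .sms_aut?mpcert does not tell you whether the certificate it serves is still valid, which was the original problem here. The script below is an added example, not part of the thread and not Microsoft's tooling: it fetches both URLs, decodes the mpcert response as a base64 certificate and reports its validity window, and when run on the MP itself compares it with whatever is in the LocalMachine\SMS store. Assumptions: the MP answers on plain HTTP at the name used in the post ('mysccm', replace with your FQDN), mplist is XML with one element per MP, and mpcert is base64 DER.

```powershell
# Added example, not from the thread. Checks the two MP URLs quoted in the post
# and decodes the certificate that .sms_aut?mpcert returns.
# Assumption: the MP answers on plain HTTP at $ManagementPoint ('mysccm' in the post).
param([string]$ManagementPoint = 'mysccm')

$base = "http://$ManagementPoint/sms_mp/.sms_aut"

# 1. mplist: XML listing the management points handed out to clients.
try {
    $mplist = [xml](Invoke-WebRequest -Uri "${base}?mplist" -UseBasicParsing).Content
    # Assumption: entries are <MP> elements; print each whole so an unexpected
    # schema is still visible instead of silently producing nothing.
    $nodes = $mplist.SelectNodes('//MP')
    if ($nodes.Count -eq 0) { Write-Warning "mplist returned no <MP> elements:`n$($mplist.OuterXml)" }
    foreach ($mp in $nodes) { "MP entry: $($mp.OuterXml)" }
} catch { Write-Warning "mplist request failed: $($_.Exception.Message)" }

# 2. mpcert: the MP certificate as a base64 blob (assumption: base64 DER).
#    Decode it and check the validity window, since an expired cert is the
#    failure mode the thread started with.
$cert = $null
try {
    $resp = Invoke-WebRequest -Uri "${base}?mpcert" -UseBasicParsing
    $raw  = if ($resp.Content -is [byte[]]) { [Text.Encoding]::ASCII.GetString($resp.Content) } else { [string]$resp.Content }
    $b64  = $raw -replace '\s', ''
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Expired    = ($cert.NotAfter -lt (Get-Date))
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
    } | Format-List
} catch { Write-Warning "mpcert request or decode failed: $($_.Exception.Message)" }

# 3. When run on the MP itself, compare with the LocalMachine\SMS store,
#    which is where the post says the expired certificate lived.
if ($env:COMPUTERNAME -ieq ($ManagementPoint -split '\.')[0]) {
    Get-ChildItem Cert:\LocalMachine\SMS -ErrorAction SilentlyContinue |
        Select-Object Subject, NotAfter, Thumbprint,
            @{ n = 'Expired';        e = { $_.NotAfter -lt (Get-Date) } },
            @{ n = 'ServedByMpcert'; e = { $cert -and ($_.Thumbprint -eq $cert.Thumbprint) } }
}
```

If Expired comes back True for the served certificate, clients will keep failing no matter how the client settings are toggled; if the thumbprint served by mpcert does not match any certificate in the SMS store, the MP is handing out a certificate it no longer has the private key for, which is worth fixing before touching the eHTTP check box.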
So if I change it to just HTTPS or HTTP checked and take off the PKI and CRL (uncheck both),

and I also uncheck "Use Configuration Manager-generated certificate",

I get this error:

This is why I had to set it up to look for the SMS cert, and it looked like it at least got a cert in the past, but same issue with the machine never registering.


It's a bit unclear from your post, but what is your actual goal here? Are you trying to enable ConfigMgr in HTTPS mode (PKI), are you trying to use e-HTTP (enhanced HTTP), or do you simply have client issues with invalid SMS certs?


I am trying to use e-HTTP and the clients are not getting their certs. I used to get certs, and after it expired I deleted the old one, as the system never auto-updated it. I am still having this issue with many clients, all with the same error as above.

 

SCCM installs but never gets a client cert.

 

I'm stuck with "Key 'ConfigMgrMigrationKey' not found, 0x80090016.    ClientIDManagerStartup" with no luck fixing it. See above errors.


I'm using CCMClean and doing a fresh install, both with the default, i.e. site code,

and the other with the command line ccmsetup.exe /mp=Mine.mine.mine SMSSITECODE=mine

Here is what my logs say. I am having this issue site-wide: old machines not getting updated certs and fresh installs/test VMs all getting the same errors.

Both of my site servers show they have no client installed as well.

Almost all my machines are like this.

Not getting a client certificate; I see them in SCCM and some say client installed, but this is not true; when I check the PCs I see this:

[screenshots: client applet and CCMExec log]

Site services are all green; please let me know if you need more info or logs. I'm trying to figure this out. I really appreciate your help.


Let's just focus on one problem at a time: your e-HTTP setup. Did you configure it like I said? And are your roles all configured in HTTP only, or?


Do you have a cert called SMS Role SSL Certificate? This is generated when enabling eHTTP and is automatically bound to IIS. If you were running full PKI previously, it's possible that hasn't been set (I've seen this happen before, where the SMS Role SSL Cert doesn't get generated due to an old PKI cert).


Check for the cert in your certlm.msc console on the server running the MP.

Note also that the errors you have in the ClientIDManagerStartup and cert maintenance logs - I get these also in my eHTTP site.

I've noticed that the ConfigMgr applet doesn't have all the tabs and that the ClientIDManager log still reports registration pending. Does the client complete registration? Hard to know when we are working off screenshots.

Cheers


So I only have this on my 2nd host; my 1st main host does not have this.

[screenshot: this is my 02]

 

When I select it I get this message. I don't get any other messages with my other certs, and yes, I did try to get PKI to work but was not able to.

> Does the client complete registration? Hard to know when we are working off screenshots.

Yes, it shows up in my SCCM console but shows Client None.

[screenshot: this is my 01]

I had created these PKI and IIS ones in the past by importing them from the MMC; this is on me, I was trying to fix this on my own; I'm still trying to figure out how to get this right. Thanks so much for all the help so far. I really appreciate it.


OK, this will potentially be the problem then.

So remove eHTTP by unchecking the box.

Set the IIS SSL cert to 'Not selected'.

Keep an eye on the sitecomp and mpcontrol logs and ensure they complete removing eHTTP - just watch them until they stop churning over.

Re-enable the check box.

Watch the sitecomp log again; keep an eye out for 'Detected change in SSLState for client settings'.

Then check back in certlm.msc for the SMS Role SSL Certificate in the Personal store, and then see if it's bound to IIS.

At that point, restart the ccmexec service on the endpoint and see what the ClientIDManagerStartup log does. Does it get a 'Retrieved Certificate options successfully' entry and then check for the cert?

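The procedure above, and the earlier suggestion to look for the SMS Role SSL Certificate in certlm.msc, both come down to three things you can check from a console instead of by eye: is the certificate in the machine Personal store and unexpired, is its hash the one actually bound on port 443, and did sitecomp.log record the SSLState change. The script below is an added example for those checks; it is not the thread's content and not a ConfigMgr tool. Assumptions: it runs elevated on the MP, the site server logs are in the default install path under \Logs (change $LogDir otherwise), the MP site is 'Default Web Site', and the eHTTP certificate is identified by the friendly name 'SMS Role SSL Certificate'.

```powershell
# Added example, not from the thread and not ConfigMgr's own tooling.
# Verifies the eHTTP state on a management point after the re-tick procedure.
# Assumptions: run elevated on the MP; $LogDir is the site server log folder;
# the MP lives on $SiteName; the eHTTP cert has friendly name 'SMS Role SSL Certificate'.
param(
    [string]$LogDir   = 'C:\Program Files\Microsoft Configuration Manager\Logs',
    [string]$SiteName = 'Default Web Site'
)
Import-Module WebAdministration

# 1. Is the SMS Role SSL Certificate present in Cert:\LocalMachine\My, and is it valid?
$roleCerts = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'SMS Role SSL Certificate' -or $_.Subject -like '*SMS Role SSL Certificate*' })
if (-not $roleCerts) {
    Write-Warning 'No SMS Role SSL Certificate in LocalMachine\My: eHTTP has not generated it (or it was deleted and the box not re-ticked).'
}
foreach ($c in $roleCerts) {
    $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    '{0,-8} thumbprint {1} issuer "{2}" expires {3:u}' -f $state, $c.Thumbprint, $c.Issuer, $c.NotAfter
}

# 2. What is actually bound on 443? A stale hand-imported cert shows up here as a mismatch.
$https = @(Get-WebBinding -Name $SiteName -Protocol https)
if (-not $https) { Write-Warning "No https binding on '$SiteName'" }
foreach ($b in $https) {
    $hash  = "$($b.certificateHash)".ToUpperInvariant()
    $match = $roleCerts | Where-Object { $_.Thumbprint -eq $hash }
    $label = if ($match) { 'SMS Role SSL Certificate' } elseif ($hash) { 'SOME OTHER CERT' } else { 'NO CERT' }
    '{0} -> {1} ({2})' -f $b.bindingInformation, $hash, $label
}

# 3. Did site component manager notice the SSL state change, and what does mpcontrol say?
$sitecomp = Join-Path $LogDir 'sitecomp.log'
$mpctrl   = Join-Path $LogDir 'mpcontrol.log'
if (Test-Path $sitecomp) {
    Get-Content $sitecomp -Tail 2000 |
        Select-String -SimpleMatch 'Detected change in SSLState for client settings' |
        Select-Object -Last 3 | ForEach-Object { "sitecomp: $($_.Line)" }
} else { Write-Warning "$sitecomp not found; is this the site server?" }
if (Test-Path $mpctrl) {
    Get-Content $mpctrl -Tail 500 |
        Select-String -Pattern 'SSL|certificate|status code' |
        Select-Object -Last 5 | ForEach-Object { "mpcontrol: $($_.Line)" }
} else { Write-Warning "$mpctrl not found; is this the MP?" }
```

Run it once before unticking the box (expect a stale or missing certificate) and again after the re-tick, once sitecomp.log has logged the SSLState line. A browser certificate warning on https://<server>/ is still expected afterwards: the SMS Role SSL Certificate chains to the site's own issuing certificate, which the browser does not trust. The check that matters is that the hash on the 443 binding equals the thumbprint of the SMS Role SSL Certificate and that the certificate is not expired.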

@SCCMentor

Those screenshots are so helpful.

I went in and found that SMS cert I needed; I went and added it to IIS, and I have been manually adding them in. I can see this is not the way.

I thought as much, as there is no documentation on it.

How can I set the IIS SSL cert to 'Not selected'? Can I just delete it for now?


It won't let me click OK; it's grayed out.

[screenshot: my 02]

It makes me have to pick a cert; I was trying to import the cert but this wasn't working for me; makes sense, as SCCM is said to create an SMS Role SSL Certificate and that isn't happening.

I am doing what you said above. What I did was delete it for now. I'll re-add it once it's created, I guess.


So I have two servers.

One I think it was created on, and the other I copied it to; can I just delete them both and have them re-created?

So my 01 has this:

[screenshot: my 01]

If I set it to the check box I can go to browse 403 and it takes me to the IIS page, i.e. it works :)

My 02:

[screenshot: my 02]

Still gives me this, and when I go to browse the 403 web page to check the cert

This is my 02; this is my IIS page, so there is an issue. I still have this error. I only have 1 thing to select for the SMS Role SSL Certificate?

I'm going to try to reinstall some clients on my 01 and see if it takes.

Let me know. Thanks for the help so far. This is such a mess.


I tested this. I unchecked the box to remove eHTTP. I deleted the SMS Role SSL Certificate from the local machine store. I wasn't able to select Not Selected - greyed out like you said. I then re-enabled eHTTP; it recreated the SMS Role SSL Certificate, and I then set this in IIS.


When you say you deleted the SMS Role SSL Certificate from the local machine, this is from the server?

This would be the one in the SMS folder? Personal folder? Or Secure folder?

Can you show me in the MMC? I think I need to do this; also, when I go to the binding, do I need to have the server host name here, and have 'Require Server Name' checked?

I noticed when I did, I was able to browse to port 443 via IIS, but like I said, on my 02 I'm unable to.

My 01: issuer of the certificate could not be found, but works via IIS.

My 02: this certificate is OK, but runs into an error browsing via IIS.

I'm thinking the 02 still has my copy and I just need to delete it and redo it; I'm still getting the same errors installing on my 01. I might try a reboot after hours and report back.


So I went ahead and deleted the old certs and did what SCCMentor said: removed eHTTP with the site check box and ensured a new SMS Role cert is installed. What's strange is my 02 will recreate the SMS Role SSL Certificate and auto re-add it; on my 01 I have to manually import it, but it does re-add.

They both give me cert errors when going to 443 via IE; see screenshot above.

This is on my 02, a fresh install client after cleanup.

Both of the SMS Role SSL Certificates give me the same thing.

Is there any setting in IIS I am missing? Most are checked to ignore certificate.

I was not getting "Retrieved key 'ConfigMgrPrimaryKey' from provider Microsoft Software Key Storage Provider    ClientIDManagerStartup    9/19/2021 9:41:57 PM    6352 (0x18D0)".

This is good. I also see it gets an SMS cert, but it still never finishes the setup and still shows Certificate None.

I double-checked and this is good, as my

http://mysccm/sms_mp/.sms_aut?mplist goes to the XML file on both of my servers

http://mysccm/sms_mp/.sms_aut?mpcert works on both of my servers; it goes to the MP certificate path with the long text.

Just kind of stuck on what to try next.


Here is my CCMExec log from one of my failed cert clients:

Error registering hosted class '{53C46006-E1C5-4AD1-89B3-B8332D1B17EA}'. Code 0x80040111    CcmExec    9/20/2021 3:44:53 PM    15444 (0x3C54)

This "Error registering hosted class" Code 0x80040111

doesn't give me much to work with; I've been looking at all the articles on this error and it goes back to MP issues.

I will try another Management Point reinstall, as from my last set of logs the certs look like they are applying.

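The client-side evidence in this thread is all screenshots of ClientIDManagerStartup.log and CcmExec.log, plus the "Client certificate: None" line in the applet. The script below is an added example, not something posted in the thread and not a Microsoft tool, that does the same triage from a console: it optionally restarts CcmExec as suggested earlier, lists the client's self-signed certificate in the LocalMachine\SMS store with its expiry, and parses the CMTrace-format log entries for the messages quoted in the thread (ConfigMgrMigrationKey / ConfigMgrPrimaryKey, 'Retrieved Certificate options successfully', 'Error registering hosted class', 0x80040111, and registration lines). Assumptions: default client log path C:\Windows\CCM\Logs, run elevated. When the log files are not present it falls back to constructed sample entries modelled on the lines quoted in the thread, so the parser can be exercised offline.

```powershell
# Added example, not from the thread. Client-side triage for the symptoms discussed above.
# Assumptions: default client log folder; the client self-signed cert is in LocalMachine\SMS;
# run elevated. Sample log entries below are constructed for offline use.
param(
    [string]$LogDir = "$env:SystemRoot\CCM\Logs",
    [switch]$RestartAgent   # restart CcmExec first so ClientIDManagerStartup.log is fresh
)

# Parse CMTrace-format entries: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
function ConvertFrom-CmTraceLog {
    param([string]$Text)
    $rx = '<!\[LOG\[(?<msg>[\s\S]*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'
    foreach ($m in [regex]::Matches($Text, $rx)) {
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = ($m.Groups['time'].Value -split '\.')[0]
            Component = $m.Groups['comp'].Value
            Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$m.Groups['type'].Value]
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Constructed sample entries (not real logs) mirroring the messages quoted in the thread.
$sample = @'
<![LOG[Key 'ConfigMgrMigrationKey' not found, 0x80090016.]LOG]!><time="21:41:56.000+000" date="09-19-2021" component="ClientIDManagerStartup" context="" type="2" thread="6352" file="">
<![LOG[Retrieved key 'ConfigMgrPrimaryKey' from provider Microsoft Software Key Storage Provider]LOG]!><time="21:41:57.000+000" date="09-19-2021" component="ClientIDManagerStartup" context="" type="1" thread="6352" file="">
<![LOG[Error registering hosted class '{53C46006-E1C5-4AD1-89B3-B8332D1B17EA}'. Code 0x80040111]LOG]!><time="15:44:53.000+000" date="09-20-2021" component="CcmExec" context="" type="3" thread="15444" file="">
'@

if ($RestartAgent) {
    Restart-Service -Name CcmExec -Force
    Start-Sleep -Seconds 60   # give ClientIDManagerStartup time to run its certificate checks
}

# 1. Client self-signed certificate: present, and not expired?
$smsCerts = @(Get-ChildItem Cert:\LocalMachine\SMS -ErrorAction SilentlyContinue)
if (-not $smsCerts) { Write-Warning 'No certificate in Cert:\LocalMachine\SMS on this client' }
foreach ($c in $smsCerts) {
    $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    '{0,-8} {1} expires {2:u} subject "{3}"' -f $state, $c.Thumbprint, $c.NotAfter, $c.Subject
}

# 2. Pull the entries that matter from the two logs the thread discusses.
$text = foreach ($name in 'ClientIDManagerStartup.log', 'CcmExec.log') {
    $path = Join-Path $LogDir $name
    if (Test-Path $path) { Get-Content $path -Raw }
}
if (-not $text) {
    Write-Warning "No client logs under $LogDir; parsing the constructed sample entries instead"
    $text = $sample
}
$patterns = @(
    'Retrieved Certificate options successfully',
    'ConfigMgrPrimaryKey', 'ConfigMgrMigrationKey',
    'Error registering hosted class', '0x80040111', 'registration'
)
ConvertFrom-CmTraceLog -Text ($text -join "`n") |
    Where-Object { $msg = $_.Message; $patterns | Where-Object { $msg -like "*$_*" } } |
    Sort-Object Date, Time |
    Format-Table Date, Time, Severity, Component, Message -AutoSize -Wrap
```

Read the output in order: an expired certificate in the SMS store explains "Client certificate: None" by itself; ConfigMgrPrimaryKey retrieved but no 'Retrieved Certificate options successfully' entry means the client never got as far as asking the MP for its certificate options; and a 0x80040111 'Error registering hosted class' entry in CcmExec.log is, as the post says, a management-point-side problem rather than a client certificate one.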