TeachMeSCCM

Clients not getting self-signed certs


So I reinstalled both MPs. One I did the HTTPS to HTTP, and my main wouldn't take, so I completely deleted it via the SCCM console and re-added it.

Was getting the same errors, so I went back to tell it to look for the SMS string under the PKI and also without; both give me the same type of errors.

Here is the SMS

[screenshot]

Just sits and never registers the client. Client Certificate None

Here is the CcmExec on the SMS

[screenshot]

This is a "Failed to raise pending event as ClientID is not available". I have looked and not found many working links for this issue.

Same error type on my other machine

[screenshot]

Same Ccmexec.log error

[screenshot]

Two different machines


So I wasn't getting anywhere with the self-signed, so I changed over to HTTPS and did the full PatchMyPC PKI guide.

[screenshot]

Can you confirm it's getting the PKI cert correctly here? Also, it's still stuck on client registration. I'm going to do a reboot after hours to see if that will fix the issue.

I think the PKI is working from this log; I'm able to view the IIS from each site, it goes to the correct page, and boundaries are good. I hope I don't have a messed-up IIS setting or something.

I did change over the required SSL cert and set the correct certs to ignore.


Take a look at my two posts here; they cover everything you need to convert to HTTPS. They'll cover a bit more than Justin's excellent video, so do please verify you didn't miss anything.

Also, keep in mind that certs can expire, and when they do you'll have issues, like this:

https://www.niallbrady.com/2020/08/16/how-can-i-replace-an-expired-iis-certificate-in-a-pki-enabled-configmgr-environment/

If you want to really test PKI is working, then try PXE boot (operating system deployment); if it fails you'll see it failing quickly in the logs, and that'll be a clue that you've missed something.

Also, on PKI-managed clients, your ConfigMgr client agent should report that the client is PKI, like this...

[screenshot]


I was still getting the same: clients just never installing, just sitting on registration, even with PKI.

I even manually added the PKI from AD and the clients did the same thing as I posted above, so I went back to EHTTP and it's still doing the same thing.

I'm trying to get someone at Microsoft support to help me out; running out of ideas before I have to just scrap this and rebuild.


Question: I did the whole reinstall; this is non-PKI. I'm staying with EHTTP as I can't open my PKI stuff with our network team at this time. Why do I have a cert under the SMS? I had the system recreate it; still getting the same errors.

Small update: I have a pending ticket with MS support about this and noticed another person on Reddit with the same issue as me; I think it has to do with the certs expiring and not being created correctly. Still fishing for more, but I'll update this thread with a solution once I get it solved. I'm still open to ideas. MS support is a bit slow.

[screenshot]


Update: still waiting on MS. Did another reinstall, watched the logs, ensured all permissions are correct.

I have both of my sites set up this way

 

So question. 

Can I go to \Administration\Overview\Security\Certificates and just import this SMS into the Certificate folders? I know this should be done automatically.

I want to make sure the thumbprint matches my SMS in the SMS folder or the one in personal.

Can someone confirm with me if I can do this and the correct ones to match up?

I also made sure I didn't have anything being blocked in my \Administration\Overview\Security\Certificates; still getting the same errors from clients not registering.

My clients just do this

[screenshot]

They never register, just sleep and retry forever. Done clean install, deleted machine keys, etc.; different strings, restart SMS, etc.; same issue.

Edited by TeachMeSCCM


The best solution I can give someone with this error is to make sure your IIS is set up correctly.

I had noticed that for the SMS_MP directory browser, everything but Long Date should be checked; make sure it's applied.

Make sure you have the proper security options for the SMS_MP properties

IUSR

SYSTEM

LOCAL

Network

Your Site System

I then reinstalled the MP and let the certs recreate themselves.

I had to reboot my server see the certs to 443 like I did above

I'm getting self-signed certs now on most; a few machines are still giving me issues, but most are getting them.

Edited by TeachMeSCCM
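
A read-only way to compare the thumbprints in the SMS and Personal stores, spot expired certificates, and see which certificate IIS has on 443, as discussed in the posts above. This is an added example, not something posted by anyone in the thread. It assumes an elevated PowerShell session, that the ConfigMgr certificates are in the LocalMachine "SMS" store, and that the IIS WebAdministration module is installed on the management point; the function name Get-StoreCertSummary is hypothetical.

```powershell
# Added example, not from the thread. Read-only; run in an elevated session.
# Assumption: ConfigMgr keeps its certificates in the LocalMachine "SMS" store.

function Get-StoreCertSummary {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$StoreName)
    $path = "Cert:\LocalMachine\$StoreName"
    if (-not (Test-Path $path)) {
        Write-Warning "Certificate store '$StoreName' not found on this machine."
        return
    }
    $now = Get-Date
    Get-ChildItem -Path $path | ForEach-Object {
        [pscustomobject]@{
            Store         = $StoreName
            FriendlyName  = $_.FriendlyName
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            NotAfter      = $_.NotAfter
            Expired       = $_.NotAfter -lt $now
            SelfSigned    = $_.Subject -eq $_.Issuer
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

# 1. Inventory both stores side by side so thumbprints and expiry can be compared.
$certs = @(Get-StoreCertSummary -StoreName 'SMS') + @(Get-StoreCertSummary -StoreName 'My')
$certs | Sort-Object Store, NotAfter |
    Format-Table Store, FriendlyName, Thumbprint, NotAfter, Expired, SelfSigned -AutoSize

# 2. Flag expired certificates and ones without a private key for review.
$certs | Where-Object { $_.Expired -or -not $_.HasPrivateKey } |
    ForEach-Object { Write-Warning "$($_.Store): $($_.Thumbprint) expired=$($_.Expired) key=$($_.HasPrivateKey)" }

# 3. On the management point: which certificate is IIS presenting on 443?
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | ForEach-Object {
        $bound = $_.Thumbprint
        $match = $certs | Where-Object { $_.Thumbprint -eq $bound } | Select-Object -First 1
        if (-not $match)        { Write-Warning "443 is bound to $bound, which is in neither store." }
        elseif ($match.Expired) { Write-Warning "443 is bound to an expired certificate ($bound)." }
        else { "443 -> $bound ($($match.Store) store, valid until $($match.NotAfter))" }
    }
} else {
    Write-Warning 'WebAdministration module not present; skipping the IIS binding check.'
}
```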
