yukis1

Failed to get certificate. Error: 0x80004005


Hi guys,

I have been working on a new installation of SCCM 2012 in a DMZ environment which includes many servers that are not in the domain, are part of a different forest, etc.

Most of the installation is doing great except some of the servers have very strict security policies.

On those servers I have a problem when installing the client.

When I install the client I can see it finds the site code (manually registered ‘hosts’ and ‘lmhosts’ files), but once the client is installed I have the following errors:

1. When looking on the client in control panel I see it has no certificate and the connection type is unknown

2. CertificateMaintenance.log on the client throws several errors:

Failed to create certificate 80090020 CertificateMaintenance 30/05/2012 11:29:55 36952 (0x9058)

CCMDoCertificateMaintenance() failed (0x80090020). CertificateMaintenance 30/05/2012 11:29:55 36952 (0x9058)

Raising pending event:

instance of CCM_ServiceHost_CertificateOperationsFailure

{

DateTime = "20120530082955.356000+000";

HRESULT = "0x80090020";

ProcessID = 36532;

ThreadID = 36952;

};

CertificateMaintenance 30/05/2012 11:29:55 36952 (0x9058)

CCMDoCertificateMaintenance() raised CCM_ServiceHost_CertificateOperationsFailure status event. CertificateMaintenance 30/05/2012 11:29:55 36952 (0x9058)

3. ClientIDManagerStartup.log on the client also shows many errors:

[----- STARTUP -----] ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)

Machine: Server ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)

OS Version: 6.1 Service Pack 1 ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)

SCCM Client Version: 5.00.7711.0000 ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)

Client is set to use HTTPS when available. The current state is 224. ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)

'RDV' Identity store does not support backup. ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)

CCM Identity is in sync with Identity stores ClientIDManagerStartup 30/05/2012 12:51:05 3604 (0x0E14)

[RegTask] - Executing registration task synchronously. ClientIDManagerStartup 30/05/2012 12:51:09 2556 (0x09FC)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 30/05/2012 12:51:10 2556 (0x09FC)

Read SMBIOS (encoded): 56004D0077006100720065002D00340032002000320061002000390065002000610066002000660032002000620033002000610037002000630063002D0064003100200038006200200064003000200065003100200039003000200038003800200037006600200062003500 ClientIDManagerStartup 30/05/2012 12:51:10 2556 (0x09FC)

Evaluated SMBIOS (encoded): 56004D0077006100720065002D00340032002000320061002000390065002000610066002000660032002000620033002000610037002000630063002D0064003100200038006200200064003000200065003100200039003000200038003800200037006600200062003500 ClientIDManagerStartup 30/05/2012 12:51:10 2556 (0x09FC)

No SMBIOS Changed ClientIDManagerStartup 30/05/2012 12:51:10 2556 (0x09FC)

SMBIOS unchanged ClientIDManagerStartup 30/05/2012 12:51:10 2556 (0x09FC)

SID unchanged ClientIDManagerStartup 30/05/2012 12:51:10 2556 (0x09FC)

HWID unchanged ClientIDManagerStartup 30/05/2012 12:51:14 2556 (0x09FC)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 30/05/2012 12:51:16 2556 (0x09FC)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 30/05/2012 12:51:18 2556 (0x09FC)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 30/05/2012 12:51:22 2556 (0x09FC)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 30/05/2012 12:51:26 2556 (0x09FC)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 30/05/2012 12:51:32 2556 (0x09FC)


Problem solved!!!

The problem was that the 'CNG Key Isolation' Service was disabled.

Setting the service to Manual solved the issue.

I believe that the service is only used during the installation process - to create the Self-Signed certificate, and can be disabled after the installation.

I've now disabled it, and will continue monitoring the server and report back with results.


Which system did you have to enable the service for? Client or server? Mine is enabled on both and I am receiving this error from a new client I am trying to get into SCCM.


Follow up: I was able to get mine working. There were a few more things I tried to get it going.

Referencing this post I enabled the Protected Storage Service. That did not resolve the issue.

Moved on to find this post where I located the MachineKeys directory on Windows 7 (C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys) and removed the key that started with 19c5cf and the cert was able to be created. Repaired CCM on the client and it was reporting in no time. I believe it was an old cert on that machine from before I had SCCM configured correctly, thus it had to be cleared to function correctly.


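A read-only PowerShell check for the two causes reported in this thread (a disabled 'CNG Key Isolation' service and a stale key file in MachineKeys), added here as an example and not part of any original post. It assumes PowerShell 3.0 or later, an elevated prompt, and the client's default log folder C:\Windows\CCM\Logs; KeyIso is the service name of 'CNG Key Isolation'.

```powershell
# Added example: inspects only, changes nothing on the machine.
# Assumption: the client writes its logs to the default %windir%\CCM\Logs.
$logDir = Join-Path $env:windir 'CCM\Logs'
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

# 1. 'CNG Key Isolation' (KeyIso): when Disabled, the client cannot create
#    its self-signed certificate (first fix reported in the thread).
$svc = Get-CimInstance Win32_Service -Filter "Name='KeyIso'"
if (-not $svc) {
    Write-Warning 'KeyIso service not found.'
} elseif ($svc.StartMode -eq 'Disabled') {
    Write-Warning 'KeyIso is Disabled. Fix used in the thread: Set-Service KeyIso -StartupType Manual'
} else {
    "KeyIso: StartMode=$($svc.StartMode) State=$($svc.State)"
}

# 2. Count the failure messages quoted in the thread in each client log.
$patterns = @{
    'CertificateMaintenance.log' = 'Failed to create certificate'
    'ClientIDManagerStartup.log' = 'RegTask: Failed to get certificate'
}
foreach ($name in $patterns.Keys) {
    $path = Join-Path $logDir $name
    if (-not (Test-Path $path)) { "$name not found in $logDir"; continue }
    $hits = @(Select-String -Path $path -Pattern $patterns[$name] -SimpleMatch)
    '{0}: {1} matching line(s)' -f $name, $hits.Count
    if ($hits.Count -gt 0) { '  last: ' + $hits[-1].Line.Trim() }
}

# 3. List machine key files oldest first, so a key that predates the client
#    installation (second fix in the thread) stands out. Nothing is deleted.
Get-ChildItem -Path $keyDir -File -Force -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime |
    Select-Object Name, LastWriteTime, Length,
        @{ n = 'Owner'; e = { (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner } } |
    Format-Table -AutoSize
```

Back up any MachineKeys file before removing it, since other software on the server may own keys in the same directory.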