
Having problems deploying PKI certificate to Computers not connected to Domain

PKI ccmsetup client deploy certificate

4 replies to this topic

#1 synwiz

Posted 15 June 2012 - 03:11 PM

I am having great problems trying to install the SCCM 2012 client onto a computer with a network connection to the internet, but NOT a member of a domain. I am using the PKI setup within SCCM 2012 and have created a Root CA and deployed certificates throughout the local AD and assigned them to Group Policies. The machines on the local AD network which receive the policies seem to have a great "handshake" and end up connecting to SCCM and appearing in the main console.

Laptops and computers that are roaming and not part of my local AD network are not having such a good time. I believe it is the certificate communication which is not working. I am exporting the certificate from the "Certificate Services" within the SCCM server, and then copying this file over to the clients using a USB key. I am then importing the certificate with private keys into their local certificate store, and all appears fine, until I run ccmsetup.exe.

Excerpt from the ccmsetup.log attached. I need your help.

<![LOG[Only one MP https://syna01vsscc001d.syn.local is specified. Use it.]LOG]!><time="15:46:04.339-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmsetup.cpp:8763">
<![LOG[Have already tried all MPs. Couldn't find DP locations.]LOG]!><time="15:46:04.339-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="ccmsetup.cpp:9647">
<![LOG[GET 'https://syna01vsscc001d.syn.local/CCM_Client/ccmsetup.cab']LOG]!><time="15:46:04.339-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="httphelper.cpp:802">
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmcert.cpp:3759">
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmcert.cpp:3918">
<![LOG[Begin to select client certificate]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmcert.cpp:3999">
<![LOG[The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4031">
<![LOG[3 certificate(s) found in the 'MY' certificate store.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4060">
<![LOG[The 'MY' of 'Local Computer' store has 3 certificate(s). Using custom selection criteria based on the machine name.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4099">
<![LOG[Machine name is 'SYN-L3-NMS-01'.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2174">
<![LOG[There are no certificate(s) that meet the criteria.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2003">
<![LOG[Performing search that includes SAN2 extensions...]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2210">
<![LOG[Certificate [Thumbprint 498357A12555F1D7EE8DFA009D39965880431790] doesn't have SAN2 extension.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:1563">
<![LOG[Certificate [Thumbprint 235A98C6BB65429BAF75F303B2CB66204AE20090] doesn't have SAN2 extension.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:1563">
<![LOG[Found a certificate with subject name as ‘SYNA01VSSCC001D.SYN.local’, but will continue to look for the certificate with subject name as ‘SYN-L3-NMS-01’.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:1540">
<![LOG[Using custom selection criteria based on the machine NetBIOS name.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4119">
<![LOG[Machine name is 'SYN-L3-NMS-01'.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2174">
<![LOG[There are no certificate(s) that meet the criteria.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2003">
<![LOG[GetSSLCertificateContext failed with error 0x87d00281]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="ccmsetup.cpp:5356">
<![LOG[GetHttpRequestObjects failed for verb: 'GET', url: 'https://syna01vsscc001d.syn.local/CCM_Client/ccmsetup.cab']LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="httphelper.cpp:942">
<![LOG[DownloadFileByWinHTTP failed with error 0x87d00281]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="httphelper.cpp:1076">
<![LOG[CcmSetup failed with error code 0x87d00281]LOG]!><time="15:46:04.341-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="3144" file="ccmsetup.cpp:9454">
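The log above shows the selection walk ccmsetup performs when no 'Certificate Selection Criteria' is set: it looks in the Local Computer 'MY' store for a certificate whose subject or SAN matches the machine name, and rejects the rest. The following script, an added example that is not code from the thread or from Microsoft, mirrors that walk so the reason each certificate is rejected can be seen before ccmsetup.exe is run on the workgroup client; it assumes an elevated PowerShell prompt on that client.

```powershell
# Added example (not from the thread or from Microsoft): checks each certificate in the
# Local Computer 'MY' store against the criteria ccmsetup.log reports above (subject or
# SAN equal to the machine name, usable private key, Client Authentication EKU) and
# prints why a certificate is not a candidate. Assumes an elevated PowerShell prompt.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$EkuOid        = '2.5.29.37'           # Enhanced Key Usage extension
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Get-ExpectedClientNames {
    # Host name (the name the log searches for) plus the FQDN, if the machine has one.
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $names = @($ip.HostName)
    if ($ip.DomainName) { $names += "$($ip.HostName).$($ip.DomainName)" }
    return $names
}

function Test-CcmClientCertificates {
    param([string[]]$ExpectedNames = (Get-ExpectedClientNames))
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Subject CN, e.g. 'CN=SYN-L3-NMS-01, OU=...' -> 'SYN-L3-NMS-01'
        $cn = [regex]::Match($cert.Subject, 'CN=([^,]+)').Groups[1].Value
        # DNS names from the SAN extension; Windows formats it as 'DNS Name=host, ...'
        $sanNames = @()
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        if ($san) {
            $sanNames = @($san.Format($false) -split ',\s*' |
                Where-Object { $_ -like 'DNS Name=*' } |
                ForEach-Object { $_ -replace '^DNS Name=', '' })
        }
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
        $ekuOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        $nameMatch = @(@($cn) + $sanNames | Where-Object { $ExpectedNames -contains $_ })
        $reasons = @()
        if (-not $cert.HasPrivateKey)             { $reasons += 'no private key' }
        if ($ekuOids -notcontains $ClientAuthOid) { $reasons += 'no Client Authentication EKU' }
        if ($nameMatch.Count -eq 0)               { $reasons += "name '$cn' is not this machine" }
        if ($cert.NotAfter -lt (Get-Date))        { $reasons += 'expired' }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            SubjectCN  = $cn
            SanNames   = ($sanNames -join ';')
            Candidate  = ($reasons.Count -eq 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

Test-CcmClientCertificates | Format-Table -AutoSize
```

A store that contains only the site server's certificate (subject SYNA01VSSCC001D.SYN.local, as in the log) shows no candidate, which is what the "There are no certificate(s) that meet the criteria" lines mean.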



#2 synwiz

Posted 18 June 2012 - 09:18 AM

OK, I got the client and the SCCM server to do an initial handshake and the SCCM client was installed. I simply did not create the appropriate certificate for a machine in a workgroup. The following links helped:
http://www.jamesbann...12-using-https/
http://www.petervand...in-native-mode/

Moved on a step. Although I got them talking as such, I am now challenged with getting the policies to sync etc., as the final communication is not happening...!!!

#3 synwiz

Posted 19 June 2012 - 04:06 PM

ClientIDManagerStartup.log
--------------------------------------
<![LOG[[RegTask] - Client is not registered. Sending registration request for GUID:1183E6EB-46BA-4C35-AF34-33375666C38F ...]LOG]!><time="17:03:27.099-60" date="06-19-2012" component="ClientIDManagerStartup" context="" type="1" thread="5612" file="regtask.cpp:1595">
<![LOG[RegTask: Failed to send registration request message. Error: 0x87d00231]LOG]!><time="17:03:27.163-60" date="06-19-2012" component="ClientIDManagerStartup" context="" type="3" thread="5612" file="regtask.cpp:1283">
<![LOG[RegTask: Failed to send registration request. Error: 0x87d00231]LOG]!><time="17:03:27.163-60" date="06-19-2012" component="ClientIDManagerStartup" context="" type="3" thread="5612" file="regtask.cpp:1469">

LocationServices.log
----------------------------
<![LOG[Failed to send management point list Location Request Message to XXXXXXXXXXXXXXX.Local]LOG]!><time="16:59:26.594-60" date="06-19-2012" component="LocationServices" context="" type="2" thread="5612" file="lssecurity.cpp:5258">
<![LOG[LSUpdateInternetManagementPoints: No internet MPs were retrieved from internet MP, retaining previous list.]LOG]!><time="16:59:26.594-60" date="06-19-2012" component="LocationServices" context="" type="2" thread="5612" file="lsad.cpp:2405">
<![LOG[There is no AMP for site code 'LO1'. Nulling existing entry in WMI]LOG]!><time="16:59:26.594-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="lsad.cpp:3536">
<![LOG[Persisted Default Management Point Locations locally]LOG]!><time="16:59:26.626-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="lsad.cpp:3630">
<![LOG[Unable to retrieve AD site membership]LOG]!><time="16:59:26.667-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="lsad.cpp:606">
<![LOG[Begin checking Alternate Network Configuration]LOG]!><time="16:59:26.668-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="ccmiputil.cpp:1069">
<![LOG[Finished checking Alternate Network Configuration]LOG]!><time="16:59:26.678-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="ccmiputil.cpp:1146">

ClientLocation.log
-------------------------
]LOG]!><time="16:56:56.004-60" date="06-19-2012" component="ClientLocation" context="" type="1" thread="6232" file="event.cpp:729">
<![LOG[Current Internet Management Point is XXXXXXXXXXXXXXX.SYN.Local with Version 0 and Capabilities: <Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /></Capabilities>]LOG]!><time="16:59:26.574-60"

#4 Ocelaris

Posted 17 August 2012 - 08:33 PM

Hmm... I may have it working... How would you test other than pushing a job?

Here's a great walkthrough of the certificates; now that I look at it, it seems to be for 2007, but I can't remember if I had another link...

http://technet.micro...y/cc872789.aspx

ClientLocation.log:
Current Internet Management Point is cmsec.EXTERNAL.com with Version 0 and Capabilities: <Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /></Capabilities>
Raising event (#1 of 1):

instance of CCM_CcmHttp_Status
{
ClientID = "GUID:84A86C42-ADA3-4C30-9670-87BDBC3B16D8";
DateTime = "20120817203014.250000+000";
HostName = "cmsec.EXTERNAL.com";
HRESULT = "0x00000000";
ProcessID = 2376;
StatusCode = 0;
ThreadID = 3792;
};

#5 Ocelaris

Posted 17 August 2012 - 08:48 PM

Well, the client is finding the site, but in ccmMessaging.log I am getting errors:

Post to https://cmsec.EXTERN..._system/request failed with 0x8000000a.