synwiz

Having problems deploying PKI certificate to Computers not connected to Domain




synwiz    0

I am having great problems trying to install the SCCM 2012 client onto a computer with a network connection to the internet, but NOT a member of a domain. I am using the PKI setup within SCCM 2012 and have created a RootCA, deployed certificates throughout the local AD and assigned them to Group Policies. The machines on the local AD network which receive the policies seem to have a great "handshake" and end up connecting to SCCM and appearing in the main console.

 

Laptops and computers that are roaming and not part of my local AD network are not having such a good time. I believe it is the certificate communication which is not working. I am exporting the certificate from "Certificate Services" on the SCCM server, and then copying this file over to the clients using a USB key. I am then importing the certificate with private keys into their local certificate store, and all appears fine until I run ccmsetup.exe.

 

Excerpt from the ccmsetup.log attached; I need your help.

 

<![LOG[Only one MP https://syna01vsscc001d.syn.local is specified. Use it.]LOG]!><time="15:46:04.339-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmsetup.cpp:8763">

<![LOG[Have already tried all MPs. Couldn't find DP locations.]LOG]!><time="15:46:04.339-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="ccmsetup.cpp:9647">

<![LOG[GET 'https://syna01vsscc001d.syn.local/CCM_Client/ccmsetup.cab']LOG]!><time="15:46:04.339-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="httphelper.cpp:802">

<![LOG[begin searching client certificates based on Certificate Issuers]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmcert.cpp:3759">

<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmcert.cpp:3918">

<![LOG[begin to select client certificate]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmcert.cpp:3999">

<![LOG[The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4031">

<![LOG[3 certificate(s) found in the 'MY' certificate store.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4060">

<![LOG[The 'MY' of 'Local Computer' store has 3 certificate(s). Using custom selection criteria based on the machine name.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4099">

<![LOG[Machine name is 'SYN-L3-NMS-01'.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2174">

<![LOG[There are no certificate(s) that meet the criteria.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2003">

<![LOG[Performing search that includes SAN2 extensions...]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2210">

<![LOG[Certificate [Thumbprint 498357A12555F1D7EE8DFA009D39965880431790] doesn't have SAN2 extension.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:1563">

<![LOG[Certificate [Thumbprint 235A98C6BB65429BAF75F303B2CB66204AE20090] doesn't have SAN2 extension.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:1563">

<![LOG[Found a certificate with subject name as ‘SYNA01VSSCC001D.SYN.local’, but will continue to look for the certificate with subject name as ‘SYN-L3-NMS-01’.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:1540">

<![LOG[using custom selection criteria based on the machine NetBIOS name.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4119">

<![LOG[Machine name is 'SYN-L3-NMS-01'.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2174">

<![LOG[There are no certificate(s) that meet the criteria.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2003">

<![LOG[GetSSLCertificateContext failed with error 0x87d00281]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="ccmsetup.cpp:5356">

<![LOG[GetHttpRequestObjects failed for verb: 'GET', url: 'https://syna01vsscc001d.syn.local/CCM_Client/ccmsetup.cab']LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="httphelper.cpp:942">

<![LOG[DownloadFileByWinHTTP failed with error 0x87d00281]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="httphelper.cpp:1076">

<![LOG[CcmSetup failed with error code 0x87d00281]LOG]!><time="15:46:04.341-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="3144" file="ccmsetup.cpp:9454">


synwiz    0

OK, I got the client and SCCM to do an initial handshake and the SCCM client was installed. I simply did not create the appropriate certificate for a machine in a workgroup. The following links helped:

http://www.jamesbannanit.com/2012/05/how-to-build-and-capture-in-configuration-manager-2012-using-https/

http://www.petervanderwoude.nl/post/how-to-install-a-configmgr-client-on-a-workgroup-computer-when-the-configmgr-site-is-in-native-mode/

 

Moved on a step. Although I got them talking as such, I am now challenged with getting the policies to sync etc., as the final communication is not happening...!!!

synwiz    0

ClientIDManagerStartup.log

--------------------------------------

<![LOG[[RegTask] - Client is not registered. Sending registration request for GUID:1183E6EB-46BA-4C35-AF34-33375666C38F ...]LOG]!><time="17:03:27.099-60" date="06-19-2012" component="ClientIDManagerStartup" context="" type="1" thread="5612" file="regtask.cpp:1595">

<![LOG[RegTask: Failed to send registration request message. Error: 0x87d00231]LOG]!><time="17:03:27.163-60" date="06-19-2012" component="ClientIDManagerStartup" context="" type="3" thread="5612" file="regtask.cpp:1283">

<![LOG[RegTask: Failed to send registration request. Error: 0x87d00231]LOG]!><time="17:03:27.163-60" date="06-19-2012" component="ClientIDManagerStartup" context="" type="3" thread="5612" file="regtask.cpp:1469">

 

LocationServices.log

----------------------------

<![LOG[Failed to send management point list Location Request Message to XXXXXXXXXXXXXXX.Local]LOG]!><time="16:59:26.594-60" date="06-19-2012" component="LocationServices" context="" type="2" thread="5612" file="lssecurity.cpp:5258">

<![LOG[LSUpdateInternetManagementPoints: No internet MPs were retrieved from internet MP, retaining previous list.]LOG]!><time="16:59:26.594-60" date="06-19-2012" component="LocationServices" context="" type="2" thread="5612" file="lsad.cpp:2405">

<![LOG[There is no AMP for site code 'LO1'. Nulling existing entry in WMI]LOG]!><time="16:59:26.594-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="lsad.cpp:3536">

<![LOG[Persisted Default Management Point Locations locally]LOG]!><time="16:59:26.626-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="lsad.cpp:3630">

<![LOG[unable to retrieve AD site membership]LOG]!><time="16:59:26.667-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="lsad.cpp:606">

<![LOG[begin checking Alternate Network Configuration]LOG]!><time="16:59:26.668-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="ccmiputil.cpp:1069">

<![LOG[Finished checking Alternate Network Configuration]LOG]!><time="16:59:26.678-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="ccmiputil.cpp:1146">

 

ClientLocation.log

-------------------------

]LOG]!><time="16:56:56.004-60" date="06-19-2012" component="ClientLocation" context="" type="1" thread="6232" file="event.cpp:729">

<![LOG[Current Internet Management Point is XXXXXXXXXXXXXXX.SYN.Local with Version 0 and Capabilities: <Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /></Capabilities>]LOG]!><time="16:59:26.574-60"

Ocelaris    3

hmm... I may have it working... How would you test other than pushing a job?

 

Here's a great walkthrough of the certificates; now that I look at it, it seems to be for 2007, but I can't remember if I had another link...

 

http://technet.micro...y/cc872789.aspx

 

ClientLocation.log:

Current Internet Management Point is cmsec.EXTERNAL.com with Version 0 and Capabilities: <Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /></Capabilities>

Raising event (#1 of 1):

instance of CCM_CcmHttp_Status
{
    ClientID = "GUID:84A86C42-ADA3-4C30-9670-87BDBC3B16D8";
    DateTime = "20120817203014.250000+000";
    HostName = "cmsec.EXTERNAL.com";
    HRESULT = "0x00000000";
    ProcessID = 2376;
    StatusCode = 0;
    ThreadID = 3792;
};

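On the question of how to test short of pushing a job: the client logs quoted throughout this thread (ccmsetup.log, ClientIDManagerStartup.log, LocationServices.log, ClientLocation.log) are all in the CMTrace line format, and the warning/error entries with their 0x87d00xxx codes mark where the client-to-MP conversation stopped. The helper below is an added example, not from any poster, that parses that format and returns those entries; it assumes PowerShell 3+ and the default log location under C:\Windows\CCM\Logs.

```powershell
# Added helper (not from the original thread): parse CMTrace-format log lines
# like the ones quoted above and return the warning/error entries (type 2/3)
# together with any HRESULT-style code mentioned in the message.
# Assumes PowerShell 3+; the sample paths are the default client log location.
function Get-CmTraceErrors {
    param(
        [Parameter(Mandatory)][string[]]$Path,   # one or more .log files
        [int]$MinType = 2                        # 2 = warning, 3 = error
    )
    # One entry per line:
    # <![LOG[message]LOG]!><time="hh:mm:ss.fff-60" date="MM-dd-yyyy" component="..." ... type="N" ...>
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)".*?type="(?<type>\d)"'
    foreach ($file in $Path) {
        foreach ($line in Get-Content -Path $file) {
            # Partial or garbled lines (such as a bare "]LOG]!>..." fragment) are skipped
            if (-not ($line -match $pattern)) { continue }
            $type = [int]$Matches['type']
            if ($type -lt $MinType) { continue }
            # Copy the captures before the next -match overwrites $Matches
            $msg  = $Matches['msg']; $time = $Matches['time']
            $date = $Matches['date']; $comp = $Matches['comp']
            $code = if ($msg -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { '' }
            [pscustomobject]@{
                File      = [System.IO.Path]::GetFileName($file)
                Date      = $date
                Time      = ($time -split '[+-]')[0]   # drop the UTC-offset suffix, e.g. "-60"
                Component = $comp
                Type      = $type
                Code      = $code
                Message   = $msg
            }
        }
    }
}

# Example: show only the error entries from the two logs quoted in this thread
Get-CmTraceErrors -Path 'C:\Windows\CCM\Logs\ClientIDManagerStartup.log',
                        'C:\Windows\CCM\Logs\LocationServices.log' -MinType 3 |
    Format-Table Date, Time, Component, Code, Message -AutoSize -Wrap
```

Run against the excerpts above it would surface the 0x87d00231 registration failures and the failed MP location request, i.e. the point at which the client stopped talking to the internet MP, without waiting for a deployment to be evaluated.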
