synwiz

Having problems deploying PKI certificate to Computers not connected to Domain

Recommended Posts

I am having great problems trying to install the SCCM 2012 client onto a computer with a network connection to the internet, but NOT a member of a domain. I am using the PKI setup within SCCM 2012 and have created a Root CA and deployed certificates throughout the local AD and assigned them to Group Policies. The machines on the local AD network which receive the policies seem to have a great "handshake" and end up connecting to SCCM and appearing in the main console.

 

Laptops and computers that are roaming, and not part of my local AD network, are not having such a good time. I believe it is the certificate communication which is not working. I am exporting the certificate from the "Certificate Services" within the SCCM server, and then copying this file over to the clients using a USB key. I am then importing the certificate with private keys into their local certificate store, and all appears fine, until I run ccmsetup.exe.

 

Excerpt from the ccmsetup.log attached; I need your help.

 

<![LOG[Only one MP https://syna01vsscc001d.syn.local is specified. Use it.]LOG]!><time="15:46:04.339-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmsetup.cpp:8763">

<![LOG[Have already tried all MPs. Couldn't find DP locations.]LOG]!><time="15:46:04.339-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="ccmsetup.cpp:9647">

<![LOG[GET 'https://syna01vsscc001d.syn.local/CCM_Client/ccmsetup.cab']LOG]!><time="15:46:04.339-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="httphelper.cpp:802">

<![LOG[begin searching client certificates based on Certificate Issuers]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmcert.cpp:3759">

<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmcert.cpp:3918">

<![LOG[begin to select client certificate]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmcert.cpp:3999">

<![LOG[The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4031">

<![LOG[3 certificate(s) found in the 'MY' certificate store.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4060">

<![LOG[The 'MY' of 'Local Computer' store has 3 certificate(s). Using custom selection criteria based on the machine name.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4099">

<![LOG[Machine name is 'SYN-L3-NMS-01'.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2174">

<![LOG[There are no certificate(s) that meet the criteria.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2003">

<![LOG[Performing search that includes SAN2 extensions...]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2210">

<![LOG[Certificate [Thumbprint 498357A12555F1D7EE8DFA009D39965880431790] doesn't have SAN2 extension.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:1563">

<![LOG[Certificate [Thumbprint 235A98C6BB65429BAF75F303B2CB66204AE20090] doesn't have SAN2 extension.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:1563">

<![LOG[Found a certificate with subject name as ‘SYNA01VSSCC001D.SYN.local’, but will continue to look for the certificate with subject name as ‘SYN-L3-NMS-01’.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:1540">

<![LOG[using custom selection criteria based on the machine NetBIOS name.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4119">

<![LOG[Machine name is 'SYN-L3-NMS-01'.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2174">

<![LOG[There are no certificate(s) that meet the criteria.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2003">

<![LOG[GetSSLCertificateContext failed with error 0x87d00281]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="ccmsetup.cpp:5356">

<![LOG[GetHttpRequestObjects failed for verb: 'GET', url: 'https://syna01vsscc001d.syn.local/CCM_Client/ccmsetup.cab']LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="httphelper.cpp:942">

<![LOG[DownloadFileByWinHTTP failed with error 0x87d00281]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="httphelper.cpp:1076">

<![LOG[CcmSetup failed with error code 0x87d00281]LOG]!><time="15:46:04.341-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="3144" file="ccmsetup.cpp:9454">

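Reading a ccmsetup.log by eye is tedious. The PowerShell below is an added example (not posted by synwiz and not part of SCCM) that parses the CMTrace line format used by ccmsetup.log and the other client logs in this thread, and lists only the entries that matter: type 3 (error) lines and any line carrying a 0x-style error code. The sample lines are copied from the log above; the function name is my own, and the log path in the last comment is the default ccmsetup location on a 2012 client.

```powershell
# Added example: parse CMTrace-format log lines and surface the failures.
# Constructed sample, taken from the ccmsetup.log excerpt in the post above.
$sample = @'
<![LOG[Only one MP https://syna01vsscc001d.syn.local is specified. Use it.]LOG]!><time="15:46:04.339-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="7832" file="ccmsetup.cpp:8763">
<![LOG[The 'MY' of 'Local Computer' store has 3 certificate(s). Using custom selection criteria based on the machine name.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:4099">
<![LOG[There are no certificate(s) that meet the criteria.]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="0" thread="7832" file="ccmcert.cpp:2003">
<![LOG[GetSSLCertificateContext failed with error 0x87d00281]LOG]!><time="15:46:04.340-60" date="06-15-2012" component="ccmsetup" context="" type="3" thread="7832" file="ccmsetup.cpp:5356">
<![LOG[CcmSetup failed with error code 0x87d00281]LOG]!><time="15:46:04.341-60" date="06-15-2012" component="ccmsetup" context="" type="1" thread="3144" file="ccmsetup.cpp:9454">
'@

function ConvertFrom-CMTraceLine {
    # Hypothetical helper name. One CMTrace line looks like:
    # <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="N" file="src.cpp:line">
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $m = [regex]::Match($Line, '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)" thread="(?<thread>\d+)" file="(?<file>[^"]*)">')
        if (-not $m.Success) { return }   # truncated or non-log line (as at the top of ClientLocation.log above): skip it

        # type 1 = info, 2 = warning, 3 = error; type 0 lines are the detailed trace lines, treated as info here
        $severity = @{ '0' = 'Info'; '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$m.Groups['type'].Value]

        # Pull an HRESULT-style code (0x87d00281, 0x87d00231, ...) out of the message if there is one
        $code = [regex]::Match($m.Groups['msg'].Value, '0x[0-9A-Fa-f]{8}')
        $errorCode = if ($code.Success) { $code.Value } else { $null }

        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $severity
            Thread    = [int]$m.Groups['thread'].Value
            Source    = $m.Groups['file'].Value
            ErrorCode = $errorCode
            Message   = $m.Groups['msg'].Value
        }
    }
}

$entries = $sample -split "`r?`n" | ConvertFrom-CMTraceLine

# Failures only: explicit errors plus any info line that still carries an error code
$entries | Where-Object { $_.Severity -eq 'Error' -or $_.ErrorCode } |
    Format-Table Time, Severity, ErrorCode, Source, Message -AutoSize

# Against a real client, replace $sample with the log file:
# Get-Content "$env:windir\ccmsetup\Logs\ccmsetup.log" | ConvertFrom-CMTraceLine | Where-Object { $_.Severity -eq 'Error' }
```

Run on the excerpt above, the filter leaves the two 0x87d00281 lines, which is where to start reading: everything before them on thread 7832 is the certificate search that came up empty.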

OK, I got the client and SCCM to do an initial handshake and the SCCM client was installed. I simply did not create the appropriate certificate for a machine in a workgroup. The following links helped:

http://www.jamesbannanit.com/2012/05/how-to-build-and-capture-in-configuration-manager-2012-using-https/

http://www.petervanderwoude.nl/post/how-to-install-a-configmgr-client-on-a-workgroup-computer-when-the-configmgr-site-is-in-native-mode/

 

Moved on a step. Although I got them talking as such, I am now challenged with getting the policies to sync etc., as the final communication is not happening!

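The ccmsetup.log above shows what the installer actually checks: it enumerates the Local Computer "MY" store, looks for a certificate whose subject (then SAN, then NetBIOS name) equals the machine name, and fails with 0x87d00281 when none matches. In that log the store held three certificates, one of them carrying the site server's own name (SYNA01VSSCC001D.SYN.local), and none named SYN-L3-NMS-01. The script below is an added example, not from the thread or from Microsoft, that runs those checks on a workgroup machine before ccmsetup is attempted, plus the other conditions a PKI client certificate has to meet (private key present, Client Authentication EKU, chain to a trusted root, not expired). The function name, parameter names and the optional root thumbprint check are my own assumptions.

```powershell
# Added example: does Cert:\LocalMachine\My hold a certificate ccmsetup can use on this machine?
function Test-CcmClientCertificate {
    [CmdletBinding()]
    param(
        # Name ccmsetup searches for (subject CN, then SAN, then NetBIOS name, per the log above)
        [string]$ExpectedName = $env:COMPUTERNAME,
        # Optional (assumed parameter): thumbprint of the root CA you deployed; flags certs chained elsewhere
        [string]$ExpectedRootThumbprint
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $cn = $cert.GetNameInfo('SimpleName', $false)

        # Subject Alternative Name (2.5.29.17); Format($false) renders "DNS Name=host.example.local, DNS Name=host"
        $sanNames = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            $sanNames = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
        }
        $names = @($cn) + $sanNames
        $nameMatch = [bool]($names | Where-Object { $_ -ieq $ExpectedName -or $_ -ilike "$ExpectedName.*" })

        # Empty EKU means "any purpose"; otherwise Client Authentication must be listed
        $eku = @($cert.EnhancedKeyUsageList)
        $clientAuth = ($eku.Count -eq 0) -or ($eku.ObjectId -contains $clientAuthOid)

        # Build the chain the way the client will: a roaming laptop may not reach the CRL, so skip revocation here
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $rootThumb = if ($chain.ChainElements.Count -gt 0) {
            $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        } else { $null }
        $rootOk = (-not $ExpectedRootThumbprint) -or ($rootThumb -ieq $ExpectedRootThumbprint)

        $problems = @()
        if (-not $nameMatch)               { $problems += "name '$cn' is not '$ExpectedName' (a server or site-system cert imported by mistake?)" }
        if (-not $cert.HasPrivateKey)      { $problems += 'no private key' }
        if (-not $clientAuth)              { $problems += 'no Client Authentication EKU' }
        if (-not $chainOk)                 { $problems += 'chain does not build to a trusted root (is your Root CA in LocalMachine\Root?)' }
        if (-not $rootOk)                  { $problems += "chains to root $rootThumb, not the expected root" }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cn
            NotAfter   = $cert.NotAfter
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
}

Test-CcmClientCertificate | Format-Table -AutoSize
```

If nothing comes back as Usable, ccmsetup will fail exactly as in the log above. The usual fix on a workgroup machine is the one the links describe: request a certificate from a template that lets you supply the subject yourself, with CN set to the machine name, rather than exporting the server's certificate. If the store legitimately holds several usable certificates, the "Certificate Selection Criteria" the log reports as not specified corresponds to the CCMCERTSEL property on the ccmsetup command line (for example CCMCERTSEL:"Subject:SYN-L3-NMS-01"), which pins the choice instead of relying on the machine-name search.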

ClientIDManagerStartup.log

--------------------------------------

<![LOG[[RegTask] - Client is not registered. Sending registration request for GUID:1183E6EB-46BA-4C35-AF34-33375666C38F ...]LOG]!><time="17:03:27.099-60" date="06-19-2012" component="ClientIDManagerStartup" context="" type="1" thread="5612" file="regtask.cpp:1595">

<![LOG[RegTask: Failed to send registration request message. Error: 0x87d00231]LOG]!><time="17:03:27.163-60" date="06-19-2012" component="ClientIDManagerStartup" context="" type="3" thread="5612" file="regtask.cpp:1283">

<![LOG[RegTask: Failed to send registration request. Error: 0x87d00231]LOG]!><time="17:03:27.163-60" date="06-19-2012" component="ClientIDManagerStartup" context="" type="3" thread="5612" file="regtask.cpp:1469">

 

LocationServices.log

----------------------------

<![LOG[Failed to send management point list Location Request Message to XXXXXXXXXXXXXXX.Local]LOG]!><time="16:59:26.594-60" date="06-19-2012" component="LocationServices" context="" type="2" thread="5612" file="lssecurity.cpp:5258">

<![LOG[LSUpdateInternetManagementPoints: No internet MPs were retrieved from internet MP, retaining previous list.]LOG]!><time="16:59:26.594-60" date="06-19-2012" component="LocationServices" context="" type="2" thread="5612" file="lsad.cpp:2405">

<![LOG[There is no AMP for site code 'LO1'. Nulling existing entry in WMI]LOG]!><time="16:59:26.594-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="lsad.cpp:3536">

<![LOG[Persisted Default Management Point Locations locally]LOG]!><time="16:59:26.626-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="lsad.cpp:3630">

<![LOG[unable to retrieve AD site membership]LOG]!><time="16:59:26.667-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="lsad.cpp:606">

<![LOG[begin checking Alternate Network Configuration]LOG]!><time="16:59:26.668-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="ccmiputil.cpp:1069">

<![LOG[Finished checking Alternate Network Configuration]LOG]!><time="16:59:26.678-60" date="06-19-2012" component="LocationServices" context="" type="1" thread="5612" file="ccmiputil.cpp:1146">

 

ClientLocation.log

-------------------------

]LOG]!><time="16:56:56.004-60" date="06-19-2012" component="ClientLocation" context="" type="1" thread="6232" file="event.cpp:729">

<![LOG[Current Internet Management Point is XXXXXXXXXXXXXXX.SYN.Local with Version 0 and Capabilities: <Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /></Capabilities>]LOG]!><time="16:59:26.574-60"


Hmm... I may have it working... How would you test other than pushing a job?

 

Here's a great walkthrough of the certificates. Now that I look at it, it seems to be for 2007, but I can't remember if I had another link...

 

http://technet.micro...y/cc872789.aspx

 

ClientLocation.log:

Current Internet Management Point is cmsec.EXTERNAL.com with Version 0 and Capabilities: <Capabilities SchemaVersion ="1.0"><Property Name="SSL" Version="1" /></Capabilities>

 

 

 

Raising event (#1 of 1):

 

instance of CCM_CcmHttp_Status
{
ClientID = "GUID:84A86C42-ADA3-4C30-9670-87BDBC3B16D8";
DateTime = "20120817203014.250000+000";
HostName = "cmsec.EXTERNAL.com";
HRESULT = "0x00000000";
ProcessID = 2376;
StatusCode = 0;
ThreadID = 3792;
};

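A CCM_CcmHttp_Status event with HRESULT 0x00000000 against the internet MP, as in the post above, is the client reporting a successful HTTPS exchange. To test the same thing on demand rather than waiting for the client to raise the event, the following added example (my own code, not from the thread or the product) does what ccmsetup did in the first post: it picks the machine's client-authentication certificate from LocalMachine\My and makes HTTPS requests to the MP with it. The MP name is taken from the post above and is an assumption for your site; the function name and the two URL paths tried (the MP list endpoint and the client installer cab that ccmsetup itself downloads) are my choices.

```powershell
# Added example: talk to the internet-facing MP over HTTPS with this machine's client certificate.
function Test-CcmMpConnectivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ManagementPoint,      # FQDN on the MP's certificate
        [string]$ClientName = $env:COMPUTERNAME               # subject CN ccmsetup looks for
    )

    # Same selection ccmsetup performs: LocalMachine\My, private key, Client Authentication EKU, CN = machine name.
    # Short inline filter here; a fuller set of checks is in the earlier example in this thread.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        (@($_.EnhancedKeyUsageList).ObjectId -contains '1.3.6.1.5.5.7.3.2') -and
        ($_.GetNameInfo('SimpleName', $false) -ieq $ClientName)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No client-auth certificate with CN=$ClientName in Cert:\LocalMachine\My" }

    # Two requests the real client makes: the MP list, and the installer cab from the GET that failed in the first post.
    $requests = @(
        @{ Path = '/SMS_MP/.sms_aut?MPLIST';      Method = 'Get'  },
        @{ Path = '/CCM_Client/ccmsetup.cab';     Method = 'Head' }
    )
    foreach ($req in $requests) {
        $uri = "https://$ManagementPoint$($req.Path)"
        try {
            $r = Invoke-WebRequest -Uri $uri -Method $req.Method -Certificate $cert -UseBasicParsing -TimeoutSec 15
            [pscustomobject]@{ Uri = $uri; Status = [int]$r.StatusCode; Result = 'OK'; Thumbprint = $cert.Thumbprint }
        } catch {
            # Typical failures: a trust error means the MP's issuing root is not in this machine's Root store;
            # an HTTP 403 means IIS on the MP did not accept (or did not receive) the client certificate.
            [pscustomobject]@{ Uri = $uri; Status = $null; Result = $_.Exception.Message; Thumbprint = $cert.Thumbprint }
        }
    }
}

Test-CcmMpConnectivity -ManagementPoint 'cmsec.EXTERNAL.com' | Format-Table -AutoSize   # assumed MP name from the post above
```

Two OK rows with a 200 status mean the TLS handshake, the client certificate and the MP's web endpoints all work from where the laptop is; that is the same condition the HRESULT 0 event above records. If the client still does not register or pull policy after this passes, the problem is no longer the certificate exchange but what the client is told to use: the site code and internet MP assigned to it (SMSSITECODE and CCMHOSTNAME on the ccmsetup command line), which the LocationServices.log lines earlier in the thread report on.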
