Steve_BE

PXEboot 0xc000000f - PKI certificate issue (CRL)

Hello


Running SCCM2012 SP1 with an MP/DP in a datacenter and a DP in 3 local offices. All has been working fine since the beginning, mostly thanks to the guides here.
But since this Monday, when deploying new laptops, I get an error message when PXE booting:

 

Recovery
Your PC needs to be repaired
The Boot configuration Data for your PC is missing or contains errors
File:\boot\bcd
Error code: 0xc000000f

 

 

Checking the logs on the local DP where I reside, I see the following:

 

[TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
[TSMESSAGING] : dwStatusInformationLength is 4 SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
[TSMESSAGING] : *lpvStatusInformation is 0x1 SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
[TSMESSAGING] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
[TSMESSAGING] AsyncCallback(): ----------------------------------------------------------------- SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
sending with winhttp failed; 80072f8f SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
Failed to get information for MP: https://ASPSCCML01.company.com. 80072f8f. SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
PXE::MP_InitializeTransport failed; 0x80004005 SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
PXE::MP_ReportStatus failed; 0x80004005 SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
PXE Provider failed to process message. Unspecified error (Error: 80004005; Source: Windows) SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)
6C:3B:E5:F6:F8:AE, A482B6CF-43F9-11E2-830B-A064B90000ED: Not serviced. SMSPXE 4/25/2013 11:50:20 AM 3416 (0x0D58)

 

WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED points to the CRL validation, but it was not checked in the configuration.

So I checked it, saved, rebooted the server, unchecked it again, rebooted again … to no avail.

 

The next error I checked is:


Failed to get information for MP: https://ASPSCCML01.company.com. 80072f8f.

Error code 80072f8f would mean ERROR_INTERNET_SECURE_FAILURE ErrorClockWrong.
But all servers and clients show the correct time (all servers/clients (BIOS) configured with GMT+1).

 

Next I tried the following:

 


I then went back to the original error, WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED, and from http://msdn.microsoft.com/en-us/library/aa383917(VS.85).aspx it would mean:


Certification revocation checking has been enabled, but the revocation check failed to verify whether a certificate has been revoked. The server used to check for revocation might be unreachable

 

I thus checked the PKI implementation further, and in AD Sites and Services -> /Services/Public Key Services/CDP/ASP-SELLROOTCA/Company Internal ROOT CA -> Properties -> Object tab
I see that the last Modified date is Monday 22/04 (Created 24/9/2010, Modified 22/04/2013 - USNs current 12017227, Original 17735).

 

This coincides with the time OSD stopped working.
Here I am stuck on how to resolve this: either have SCCM not check the CRL (as I believe we configured it) or have CRL access available when PXE booting.

 

Any hint / suggestion is welcome

Steve
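
Added example (not part of the original post): a small Python decoder for the SMSPXE.log lines quoted above. It maps the `*lpvStatusInformation` bitmask to the WinHTTP secure-failure flag names from winhttp.h and splits the HRESULT into facility and code; the function names are illustrative, and the sample log is copied from the post with timestamps trimmed.

```python
import re

# Bit flags WinHTTP reports with WINHTTP_CALLBACK_STATUS_SECURE_FAILURE
# (winhttp.h; the WINHTTP_CALLBACK_STATUS_FLAG_ prefix is omitted here).
SECURE_FAILURE_FLAGS = {
    0x00000001: "CERT_REV_FAILED",
    0x00000002: "INVALID_CERT",
    0x00000004: "CERT_REVOKED",
    0x00000008: "INVALID_CA",
    0x00000010: "CERT_CN_INVALID",
    0x00000020: "CERT_DATE_INVALID",
    0x00000040: "CERT_WRONG_USAGE",
    0x80000000: "SECURITY_CHANNEL_ERROR",
}
ERROR_WINHTTP_SECURE_FAILURE = 12175  # 0x2F8F, low word of HRESULT 80072f8f

# Log text copied from the post above (timestamps and thread ids trimmed).
SAMPLE_LOG = """\
[TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
[TSMESSAGING] : dwStatusInformationLength is 4
[TSMESSAGING] : *lpvStatusInformation is 0x1
sending with winhttp failed; 80072f8f
Failed to get information for MP: https://ASPSCCML01.company.com. 80072f8f.
"""

def decode_flags(mask):
    """Return the names of every secure-failure flag set in mask."""
    return [name for bit, name in SECURE_FAILURE_FLAGS.items() if mask & bit]

def decode_hresult(text):
    """Split an 8-hex-digit HRESULT into (is_failure, facility, code)."""
    value = int(text, 16)
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def triage(log):
    """Collect decoded TLS failure flags and failing MP URLs from SMSPXE.log text."""
    flags, failures = [], []
    for line in log.splitlines():
        m = re.search(r"\*lpvStatusInformation is (0x[0-9a-fA-F]+)", line)
        if m:
            flags.extend(decode_flags(int(m.group(1), 16)))
        m = re.search(r"Failed to get information for MP: (\S+?)\. ([0-9a-fA-F]{8})\b", line)
        if m:
            _, facility, code = decode_hresult(m.group(2))
            # Facility 7 is FACILITY_WIN32; True means a WinHTTP TLS failure.
            secure = facility == 7 and code == ERROR_WINHTTP_SECURE_FAILURE
            failures.append((m.group(1), secure))
    return flags, failures

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

For the log in the post this reports only CERT_REV_FAILED, i.e. the revocation check could not be completed, which is a different bit from CERT_REVOKED.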
