Question
Friday, December 19, 2014 12:54 AM
Hi All,
I am in the process of deploying SCCM 2012 R2 in our environment in parallel with our existing SCCM 2007 R3 environment. So far everything is working well. I have hit, however, my first issue. This seems to be related to Client Authentication certificate validation. The problem occurs when booting from SCCM 2012 Task Sequence Bootable media and attempting to contact a local Management Point. I am using a USB Boot key at this point as I do not want to overlap with our existing PXE environment.
The SMSTS.LOG shows the error 0x80072f8f. Specifically the error that I need to get past is:
[TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
[TSMESSAGING] : dwStatusInformationLength is 4 TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
[TSMESSAGING] : *lpvStatusInformation is 0x10 TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
[TSMESSAGING] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
[TSMESSAGING] AsyncCallback(): TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
I have followed all of the recommended steps that I can think of so far. I have:
- Ensured that the Server Authentication and Client Authentication certificates on all Site Systems are correct (i.e. all certificates are based on Certificate Templates as per the TechNet documentation)
- Ensured the Root and Issuing CAs are registered within the SCCM 2012 Site
- The Distribution Point role and Bootable Media are using a dedicated Client Authentication certificate that has been imported via a .PFX
- Ensured this certificate is in a "Not blocked" state
- Ensured the Date and Time of each Site System and of WinPE during the boot process is in sync.
- Checked the MPControl.LOG on each of our 2 Management Points looking for errors. These logs are all clear.
- Checked the IIS Web Logs on the Management Points. These logs are also all clear.
The SMSTS.LOG is successfully importing the Root CA certificates ....
Root CA Public Certs=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
Importing certificates to root store TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
Added certificate to store or replaced matching certificate in store. TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
Added certificate to store or replaced matching certificate in store. TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
I have noticed that there are plenty of issues related to an invalid CA due to root CA import issues or CRL checking. We currently have CRL checking disabled and based on the "INVALID_CN" reference I don't believe CRL check is part of the equation.
With regards to the Common Name I can confirm the following:
- The "ConfigMgr Client Certificate" Template used to auto enroll all domain joined systems is based upon the "Workstation Authentication" template. The Subject Field is set, as by default, to "None". The SAN is set to DNS name.
- The "ConfigMgr OSD Certificate" Template used to create the client authentication certificate used on the DPs and Bootable Media is set to "Supplied at Request". I set a CN of "Configmgr OSD Certificate" for this certificate.
- I have tried using another client authentication certificate for the DPs and Bootable media that had no Subject Name defined.
Can anyone offer any suggestions as to where I might be going wrong?
Thanks,
Nathan Sutton
NSutton
All replies (16)
Sunday, December 21, 2014 2:12 AM ✅Answered | 1 vote
Nathan,
Are you using a CAS? If you are and you cut your media from there, try cutting it from the Primary. I have had issues with cutting media from the CAS when using certificates. I'm waiting for my second and third Primaries to be installed prior to putting in a case with Microsoft on the issue.
Are you using Dynamic Media, or Site-based media? The reason I ask is because of the next question.
I read that you have a CM2007 site and are standing up a CM2012 site. Do you have any of your Boundary Groups set for Site Assignment in CM2012? If you are using the Dynamic Media, but none of your CM2012 sites are set up for Site Assignment, I think that the error about "no valid MP locations are received" you are seeing could be explained. Try the Site-based media in this case until you set up some boundaries with site assignment.
Friday, December 19, 2014 2:39 AM
Hi All,
I did some more research on WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID and it relates to the CN defined on the Web Server certificate for the Site System. I checked the FQDN for the MP in the SMSTS.LOG and this matches exactly what is set on the certificate.
Interestingly though, I found a difference between the certificates used on our two MPs. One certificate had a SAN set and the other did not. After re-issuing a new certificate with the Subject set as the CN and NO SAN, the error I reported previously is now gone.
I have hit the next road block. Regardless of which Management Point I hit I am now getting the following error:
Invalid MP cert info; no signature TSMBootstrap 19/12/14 1:36:16 PM 1212 (0x04BC)
CCM::SMSMessaging::CLibSMSMPLocation::RequestMPLocation failed; 0x80004005 TSMBootstrap 19/12/14 1:36:16 PM 1212 (0x04BC)
MPLocation.RequestMPLocation (szTrustedRootKey, sIPSubnets.c_str(), sIPAddresses.c_str(), httpS, http), HRESULT=80004005 (e:\qfe\nts\sms\framework\osdmessaging\libsmsmessaging.cpp,9565) TSMBootstrap 19/12/14 1:36:16 PM 1212 (0x04BC)
CCM::SMSMessaging::GetMPLocations failed; 0x80004005 TSMBootstrap 19/12/14 1:36:16 PM 1212 (0x04BC)
Failed to query https://FQDN of MP for MP location TSMBootstrap 19/12/14 1:36:16 PM 1212 (0x04BC)
MpCnt > 0, HRESULT=80004005 (e:\qfe\nts\sms\client\tasksequence\tsmbootstrap\tsmbootstraputil.cpp,1931) TSMBootstrap 19/12/14 1:36:16 PM 1212 (0x04BC)
QueryMPLocator: no valid MP locations are received TSMBootstrap 19/12/14 1:36:16 PM 1212 (0x04BC)
Any suggestions?
NSutton
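The name-matching problem described in the post above can be checked from any domain workstation before cutting new media. The following PowerShell script is an added example, not code from the thread or from Configuration Manager: it pulls the certificate a Management Point presents on TCP 443 and tests whether the FQDN the boot media queries appears in it. The MP FQDN is an assumed placeholder taken from the sanitised log; replace it with the real one.

```powershell
# Added example (not from the thread): inspect the server certificate an MP presents
# and check the name WinHTTP would validate. WinHTTP reports CERT_CN_INVALID when the
# requested host name is not found; when a SAN extension is present, Schannel matches
# the SAN entries and ignores the Subject CN, which is why a cert with a SAN that lacks
# the FQDN fails even if its CN is correct.
# $MpFqdn is an assumed placeholder: use the FQDN from the smsts.log "Failed to query" line.
param(
    [string]$MpFqdn = "MP21.DOMAIN.DOMAIN.DOMAIN.DOMAIN",
    [int]$Port = 443
)

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: we want to inspect the certificate, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-CertificateHostNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders the SAN as "DNS Name=host1, DNS Name=host2, IP Address=1.2.3.4"
        return @($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    # No SAN extension: only the Subject CN is consulted for name matching
    return @($Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
}

$cert   = Get-ServerCertificate -HostName $MpFqdn -Port $Port
$names  = Get-CertificateHostNames -Cert $cert
$hasSan = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })

# Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present on the IIS/MP certificate
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

"Subject     : $($cert.Subject)"
"Issuer      : $($cert.Issuer)"
"Valid until : $($cert.NotAfter)"
"SAN         : $(if ($hasSan) { 'present (CN is ignored for matching)' } else { 'absent (CN is used for matching)' })"
"Names       : $($names -join ', ')"
"Server Auth : $hasServerAuth"

if ($names | Where-Object { $_ -ieq $MpFqdn }) {
    "OK: '$MpFqdn' matches a name in the certificate"
} else {
    "MISMATCH: '$MpFqdn' is not in the certificate; expect WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID"
}
```

Run it once per Management Point with the exact FQDN from the "Failed to query https://..." log line; a certificate that prints a SAN list without that FQDN is the case described in the post.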
Friday, December 19, 2014 2:45 AM
Which log is that from? smsts.log also?
When exactly during the TS does that happen? Before it even starts?
Can you please provide the snippet from before the error also for additional context?
Jason | http://blog.configmgrftw.com | @jasonsandys
Friday, December 19, 2014 6:57 AM
Hi Jason,
Thanks for your reply.
The snippets are both from the SMSTS.LOG. This happens before any task sequence executes. It is happening when the SCCM client within the WinPE image is attempting to locate a Management Point and then go on to query the list of available Task Sequences.
The environment is brand new so I only have one task sequence. The boot process just terminates after the MP cannot be contacted and the device reboots.
The SMSTS.LOG is only short as this happens so quickly. I will just quickly sanitise the log and I will post it in its entirety.
Thanks again.
NSutton
Friday, December 19, 2014 10:50 PM
Hi Jason,
Here is the log as requested. I will post it up in separate messages.
<![LOG[LOGGING: Finalize process ID set to 724]LOG]!><time="13:36:01.388+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="tslogging.cpp:1495">
<![LOG[==============================[ TSBootShell.exe ]==============================]LOG]!><time="13:36:01.388+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="bootshell.cpp:1055">
<![LOG[Succeeded loading resource DLL 'X:\sms\bin\i386\1033\TSRES.DLL']LOG]!><time="13:36:01.404+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="util.cpp:964">
<![LOG[Debug shell is enabled]LOG]!><time="13:36:01.404+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="bootshell.cpp:1066">
<![LOG[Waiting for PNP initialization...]LOG]!><time="13:36:01.419+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:60">
<![LOG[RAM Disk Boot Path: MULTI(0)DISK(0)RDISK(0)PARTITION(1)\SOURCES\BOOT.WIM]LOG]!><time="13:36:01.419+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="configpath.cpp:302">
<![LOG[WinPE boot path: D:\SOURCES\BOOT.WIM]LOG]!><time="13:36:01.435+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="configpath.cpp:327">
<![LOG[Booted from removable device]LOG]!><time="13:36:01.435+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="configpath.cpp:357">
<![LOG[Found config path D:\LOG]!><time="13:36:01.435+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:548">
<![LOG[Booting from removable media, not restoring bootloaders on hard drive]LOG]!><time="13:36:01.435+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:582">
<![LOG[D:\WinPE does not exist.]LOG]!><time="13:36:01.497+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:599">
<![LOG[D:\SmsTsWinPE\WinPE does not exist.]LOG]!><time="13:36:01.497+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:613">
<![LOG[Executing command line: wpeinit.exe -winpe]LOG]!><time="13:36:01.497+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:860">
<![LOG[Executing command line: X:\windows\system32\cmd.exe /k]LOG]!><time="13:36:02.935+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="bootshell.cpp:860">
<![LOG[The command completed successfully.]LOG]!><time="13:36:02.951+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="bootshell.cpp:942">
<![LOG[Successfully launched command shell.]LOG]!><time="13:36:02.951+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="bootshell.cpp:432">
<![LOG[The command completed successfully.]LOG]!><time="13:36:15.371+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:942">
<![LOG[Starting DNS client service.]LOG]!><time="13:36:15.371+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:666">
<![LOG[Executing command line: X:\sms\bin\i386\TsmBootstrap.exe /env:WinPE /configpath:D:\LOG]!><time="13:36:15.890+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:860">
<![LOG[The command completed successfully.]LOG]!><time="13:36:15.890+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:942">
<![LOG[==============================[ TSMBootStrap.exe ]==============================]LOG]!><time="13:36:16.062+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmbootstrap.cpp:1165">
<![LOG[Command line: X:\sms\bin\i386\TsmBootstrap.exe /env:WinPE /configpath:D:\LOG]!><time="13:36:16.062+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmbootstrap.cpp:1166">
<![LOG[Succeeded loading resource DLL 'X:\sms\bin\i386\1033\TSRES.DLL']LOG]!><time="13:36:16.078+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="util.cpp:964">
<![LOG[Succeeded loading resource DLL 'X:\sms\bin\i386\TSRESNLC.DLL']LOG]!><time="13:36:16.078+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="resourceutils.cpp:169">
<![LOG[Current OS version is 6.2.9200.0]LOG]!><time="13:36:16.078+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="util.cpp:3094">
<![LOG[Adding SMS bin folder "X:\sms\bin\i386" to the system environment PATH]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmbootstrap.cpp:963">
<![LOG[Failed to open PXE registry key. Not a PXE boot.]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmbootstrap.cpp:844">
<![LOG[Media Root = D:\LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmbootstrap.cpp:1000">
<![LOG[WinPE boot type: 'Ramdisk:SourceIdentified']LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmbootstrap.cpp:779">
<![LOG[Failed to find the source drive where WinPE was booted from]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="2" thread="1212" file="tsmbootstrap.cpp:1036">
<![LOG[Executing from Media in WinPE]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmbootstrap.cpp:1041">
<![LOG[Verifying Media Layout.]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:1623">
<![LOG[MediaType = BootMedia]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:2607">
<![LOG[PasswordRequired = false]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:2633">
<![LOG[Found network adapter "Realtek PCIe GBE Family Controller" with IP Address X.X161.12.]LOG]!><time="13:36:16.109+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmbootstraputil.cpp:517">
<![LOG[Running Wizard in Unattended mode]LOG]!><time="13:36:16.109+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:2803">
<![LOG[Loading Media Variables from "D:\sms\data\variables.dat"]LOG]!><time="13:36:16.109+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsremovablemedia.cpp:322">
<![LOG[no password for vars file]LOG]!><time="13:36:16.156+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmediawizardcontrol.cpp:247">
<![LOG[Entering TSMediaWizardControl::GetPolicy.]LOG]!><time="13:36:16.156+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmediawizardcontrol.cpp:527">
<![LOG[Creating key 'Software\Microsoft\SMS\47006C006F00620061006C005C007B00350031004100300031003600420036002D0046003000440045002D0034003700350032002D0042003900370043002D003500340045003600460033003800360041003900310032007D00']LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="environmentscope.cpp:263">
<![LOG[Environment scope successfully created: Global\51A016B6-F0DE-4752-B97C-54E6F386A912}]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="environmentscope.cpp:623">
<![LOG[Creating key 'Software\Microsoft\SMS\47006C006F00620061006C005C007B00420041003300410033003900300030002D0043004100360044002D0034006100630031002D0038004300320038002D003500300037003300410046004300320032004200300033007D00']LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="environmentscope.cpp:263">
<![LOG[Environment scope successfully created: Global\BA3A3900-CA6D-4ac1-8C28-5073AFC22B03}]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="environmentscope.cpp:623">
<![LOG[Setting LogMaxSize to 1000000]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:555">
<![LOG[Setting LogMaxHistory to 1]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:556">
<![LOG[Setting LogLevel to 0]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:557">
<![LOG[Setting LogEnabled to 1]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:558">
<![LOG[Setting LogDebug to 1]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:559">
<![LOG[UEFI: false]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:569">
<![LOG[Loading variables from the Task Sequencing Removable Media.]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:584">
<![LOG[Loading Media Variables from "D:\sms\data\variables.dat"]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsremovablemedia.cpp:322">
<![LOG[Succeeded loading resource DLL 'X:\sms\bin\i386\1033\TSRES.DLL']LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="util.cpp:964">
<![LOG[Setting SMSTSLocationMPs TS environment variable]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSMediaGuid TS environment variable]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSBootMediaPackageID TS environment variable]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSBootMediaSourceVersion TS environment variable]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSBrandingTitle TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSCertSelection TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSCertStoreName TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSDiskLabel1 TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSHTTPPort TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSHTTPSPort TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSIISSSLState TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSMediaCreatedOnCAS TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSMediaPFX TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSMediaSetID TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSMediaType TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSPublicRootKey TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSRootCACerts TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSSiteCode TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSSiteSigningCertificate TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSStandAloneMedia TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSSupportUnknownMachines TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSTimezone TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSUseFirstCert TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSx64UnknownMachineGUID TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
<![LOG[Setting _SMSTSx86UnknownMachineGUID TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
NSutton
Friday, December 19, 2014 10:51 PM
<![LOG[Root CA Public Certs=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:615">
<![LOG[Importing certificates to root store]LOG]!><time="13:36:16.203+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="utils.cpp:5349">
<![LOG[Added certificate to store or replaced matching certificate in store.]LOG]!><time="13:36:16.203+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="utils.cpp:5405">
<![LOG[Added certificate to store or replaced matching certificate in store.]LOG]!><time="13:36:16.203+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="utils.cpp:5405">
<![LOG[Support Unknown Machines: 1]LOG]!><time="13:36:16.203+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:632">
<![LOG[Custom hook from X:\TSConfig.INI is ]LOG]!><time="13:36:16.203+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:675">
<![LOG[No hook is found to be executed before downloading policy]LOG]!><time="13:36:16.203+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:699">
<![LOG[Authenticator from the environment is empty.]LOG]!><time="13:36:16.219+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:838">
<![LOG[Need to create Authenticator Info using PFX]LOG]!><time="13:36:16.219+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:850">
<![LOG[Initialized CStringStream object with string: FEC086CD-EC61-45BA-A01F-972EE8D1D890;2014-12-19T21:36:16Z.]LOG]!><time="13:36:16.266+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="stringstream.cpp:101">
<![LOG[Using user-defined MP locations: https://MP21.DOMAIN.DOMAIN.DOMAIN.DOMAIN]LOG]!><time="13:36:16.297+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:914">
<![LOG[Set authenticator in transport]LOG]!><time="13:36:16.297+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="libsmsmessaging.cpp:7734">
<![LOG[Set media certificates in transport]LOG]!><time="13:36:16.344+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="libsmsmessaging.cpp:9540">
<![LOG[IP: X.X.161.12 X.X.160.0]LOG]!><time="13:36:16.359+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="libsmsmessaging.cpp:9561">
<![LOG[CLibSMSMessageWinHttpTransport::Send: URL: MP21.DOMAIN.DOMAIN.DOMAIN.DOMAIN:443 GET /SMS_MP_AltAuth/.sms_aut?MPLOCATION&ir=X.X161.12&ip=X.X160.0]LOG]!><time="13:36:16.359+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="libsmsmessaging.cpp:8604">
<![LOG[In SSL, but with no client cert]LOG]!><time="13:36:16.359+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="libsmsmessaging.cpp:8738">
<![LOG[Request was successful.]LOG]!><time="13:36:16.715+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="libsmsmessaging.cpp:8939">
<![LOG[pwsSig != NULL, HRESULT=80004005 (e:\qfe\nts\sms\framework\osdmessaging\libsmsmessaging.cpp,5592)]LOG]!><time="13:36:16.715+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="libsmsmessaging.cpp:5592">
NSutton
Friday, December 19, 2014 10:52 PM
<![LOG[Invalid MP cert info; no signature]LOG]!><time="13:36:16.715+480" date="12-19-2014" component="TSMBootstrap" context="" type="3" thread="1212" file="libsmsmessaging.cpp:5592">
<![LOG[CCM::SMSMessaging::CLibSMSMPLocation::RequestMPLocation failed; 0x80004005]LOG]!><time="13:36:16.715+480" date="12-19-2014" component="TSMBootstrap" context="" type="3" thread="1212" file="libsmsmessaging.cpp:5688">
<![LOG[MPLocation.RequestMPLocation (szTrustedRootKey, sIPSubnets.c_str(), sIPAddresses.c_str(), httpS, http), HRESULT=80004005 (e:\qfe\nts\sms\framework\osdmessaging\libsmsmessaging.cpp,9565)]LOG]!><time="13:36:16.715+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="libsmsmessaging.cpp:9565">
<![LOG[CCM::SMSMessaging::GetMPLocations failed; 0x80004005]LOG]!><time="13:36:16.715+480" date="12-19-2014" component="TSMBootstrap" context="" type="3" thread="1212" file="libsmsmessaging.cpp:9569">
<![LOG[Failed to query https://MP21.DOMAIN.DOMAIN.DOMAIN.DOMAIN for MP location]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSMBootstrap" context="" type="3" thread="1212" file="tsmbootstraputil.cpp:1874">
<![LOG[MpCnt > 0, HRESULT=80004005 (e:\qfe\nts\sms\client\tasksequence\tsmbootstrap\tsmbootstraputil.cpp,1931)]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmbootstraputil.cpp:1931">
<![LOG[QueryMPLocator: no valid MP locations are received]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSMBootstrap" context="" type="3" thread="1212" file="tsmbootstraputil.cpp:1931">
<![LOG[TSMBootstrapUtil::QueryMPLocator ( true, sSMSTSLocationMPs.c_str(), sMediaPfx.c_str(), sMediaGuid.c_str(), sAuthenticator.c_str(), sEnterpriseCert.c_str(), sServerCerts.c_str(), nHttpPort, nHttpsPort, bUseCRL, httpS, http, accessibleMpCnt), HRESULT=80004005 (e:\qfe\nts\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,925)]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmediawizardcontrol.cpp:925">
<![LOG[Exiting TSMediaWizardControl::GetPolicy.]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmediawizardcontrol.cpp:1420">
<![LOG[GetPolicy(), HRESULT=80004005 (e:\qfe\nts\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,2449)]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmediawizardcontrol.cpp:2449">
<![LOG[Unattended(), HRESULT=80004005 (e:\qfe\nts\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,2804)]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmediawizardcontrol.cpp:2804">
<![LOG[oTSMediaWizardControl.Run( sMediaRoot, true, sTSLaunchMode ), HRESULT=80004005 (e:\qfe\nts\sms\client\tasksequence\tsmbootstrap\tsmbootstrap.cpp,1042)]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmbootstrap.cpp:1042">
<![LOG[Execute( eExecutionEnv, sConfigPath, sTSXMLFile, uBootCount, &uExitCode ), HRESULT=80004005 (e:\qfe\nts\sms\client\tasksequence\tsmbootstrap\tsmbootstrap.cpp,1226)]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmbootstrap.cpp:1226">
<![LOG[Exiting with return code 0x80004005]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmbootstrap.cpp:1238">
<![LOG[Execution complete.]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:693">
<![LOG[hMap != 0, HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\environmentscope.cpp,493)]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSBootShell" context="" type="0" thread="732" file="environmentscope.cpp:493">
<![LOG[m_pGlobalScope->open(), HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\environmentlib.cpp,335)]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSBootShell" context="" type="0" thread="732" file="environmentlib.cpp:335">
<![LOG[this->open(), HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\environmentlib.cpp,553)]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSBootShell" context="" type="0" thread="732" file="environmentlib.cpp:553">
<![LOG[::RegOpenKeyExW (HKEY_LOCAL_MACHINE, sKey.c_str(), 0, KEY_READ, &hSubKey), HRESULT=80070002 (e:\qfe\nts\sms\framework\tscore\utils.cpp,809)]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSBootShell" context="" type="0" thread="732" file="utils.cpp:809">
<![LOG[RegOpenKeyExW is unsuccessful for Software\Microsoft\SMS\Task Sequence]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSBootShell" context="" type="2" thread="732" file="utils.cpp:809">
<![LOG[GetTsRegValue() is unsuccessful. 0x80070002.]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSBootShell" context="" type="2" thread="732" file="utils.cpp:842">
<![LOG[End program: ]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:725">
<![LOG[Finalizing logging from process 724]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="tslogging.cpp:1741">
<![LOG[Finalizing logs to root of first available drive]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="tslogging.cpp:1583">
<![LOG[LOGGING: Setting log directory to "C:\SMSTSLog".]LOG]!><time="13:36:16.746+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="tslogging.cpp:1808">
NSutton
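An added example for triaging an SMSTS.LOG in the CMTrace format shown above; it is not code posted in this thread. It parses each `<![LOG[...]LOG]!>` line into its fields, lists the error entries (type 3), and decodes the `*lpvStatusInformation` value from the WinHTTP secure-failure callback into its flag names, which is how the 0x10 in the original log maps to CERT_CN_INVALID. The sample lines are constructed in the same format as the excerpt; the flag values are the ones defined in winhttp.h.

```powershell
# Added example (not from the thread): parse CMTrace-format SMSTS.LOG lines,
# list the error entries and decode WinHTTP secure-failure flags.

# Constructed sample lines in the same format as the SMSTS.LOG excerpt above.
$sampleLog = @'
<![LOG[[TSMESSAGING] : *lpvStatusInformation is 0x10]LOG]!><time="11:27:22.000+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1164" file="libsmsmessaging.cpp:100">
<![LOG[CCM::SMSMessaging::GetMPLocations failed; 0x80004005]LOG]!><time="13:36:16.715+480" date="12-19-2014" component="TSMBootstrap" context="" type="3" thread="1212" file="libsmsmessaging.cpp:9569">
<![LOG[Exiting with return code 0x80004005]LOG]!><time="13:36:16.730+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmbootstrap.cpp:1238">
'@

# WinHTTP secure-failure flags (values from winhttp.h). Hex strings are used
# because [uint32]'0x80000000' converts cleanly, whereas the bare literal is Int32.
$WinHttpSecureFlags = @(
    @{ Bit = [uint32]'0x00000001'; Name = 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED' },
    @{ Bit = [uint32]'0x00000002'; Name = 'WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT' },
    @{ Bit = [uint32]'0x00000004'; Name = 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED' },
    @{ Bit = [uint32]'0x00000008'; Name = 'WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA' },
    @{ Bit = [uint32]'0x00000010'; Name = 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID' },
    @{ Bit = [uint32]'0x00000020'; Name = 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID' },
    @{ Bit = [uint32]'0x80000000'; Name = 'WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR' }
)

function ConvertFrom-CMTraceLine {
    param([string]$Line)
    # The message sits between <![LOG[ and ]LOG]!>; the attributes follow in the <...> tail.
    if ($Line -match '^<!\[LOG\[(?<msg>.*)\]LOG\]!><(?<attrs>.*)>$') {
        $entry = [ordered]@{ Message = $Matches.msg }
        foreach ($m in [regex]::Matches($Matches.attrs, '(\w+)="([^"]*)"')) {
            $entry[$m.Groups[1].Value] = $m.Groups[2].Value
        }
        return [pscustomobject]$entry
    }
}

function Get-WinHttpSecureFailureFlags {
    param([uint32]$Value)
    foreach ($f in $WinHttpSecureFlags) {
        if (($Value -band $f.Bit) -ne 0) { $f.Name }
    }
}

$entries = $sampleLog -split "`r?`n" | Where-Object { $_ } | ForEach-Object { ConvertFrom-CMTraceLine $_ }

# CMTrace severity: 3 = error, 2 = warning, 1 = informational
# (the excerpt above also uses 0 on its HRESULT trace lines).
$entries | Where-Object { $_.type -eq '3' } | Select-Object date, time, component, Message

# Decode every secure-failure status value found in the log.
foreach ($e in $entries) {
    if ($e.Message -match '\*lpvStatusInformation is (0x[0-9a-fA-F]+)') {
        $names = Get-WinHttpSecureFailureFlags ([uint32]$Matches[1])
        "$($e.time) secure failure flags: " + ($names -join ', ')
    }
}
```

To use it on a real file, replace `$sampleLog` with `Get-Content -Raw C:\SMSTSLog\smsts.log`; the date/time attributes are kept as strings so the parser does not depend on the log's local offset.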
Saturday, December 20, 2014 1:12 AM
From that log file, it doesn't look like your boot image has a valid cert: "In SSL, but with no client cert"
Jason | http://blog.configmgrftw.com | @jasonsandys
Saturday, December 20, 2014 10:30 AM
Hi Jason,
I did see that; however, I think it is expected. If you notice the URL that is accessed just prior to that ...
MP21.DOMAIN.DOMAIN.DOMAIN.DOMAIN:443 GET /SMS_MP_AltAuth/.sms_aut?
When you look at the SSL requirements on this IIS Virtual Directory it is "Require SSL" Enabled, Client authentication (None or ignore). I believe the line you have picked up on reflects the fact the communication is encapsulated within SSL to the MP but that particular URL does not require Client Authentication.
Prior to posting the question I did check the SCCM 2012 PKI requirements again to make sure the Certificate Templates required were set up correctly, i.e. the Web Server certificate for each Site System, the Client Certificate for auto-enrolment and the Client Certificate for Distribution Points and Bootable Media.
I also look after the PKI environment. I am pretty sure the certs are OK. I can confirm that all the certificates are based upon a Windows Server 2003 CA (not 2008), i.e. are version 2 certificates and that all key lengths are 2048. The hash algorithm we are using is SHA256. According to the PKI requirements SHA-1 and SHA-2 algorithms are supported. SHA2 is made up of multiple options: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. I am assuming when Microsoft states SHA2 they are actually referring to all options? I believe the only Site System that needs SHA1 is the Out of Band Service Point which needs to communicate with AMT capable clients.
NSutton
Saturday, December 20, 2014 3:18 PM
Just having templates in place is not enough though. Does the boot media have an actual valid certificate? That's not something that happens automatically. By default, boot media gets created with a self-signed cert.
Also, can the target system here reach the CDP for the MP's cert?
Jason | http://blog.configmgrftw.com | @jasonsandys
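An added example that checks the two certificates Jason's questions are about; it is not code from this thread or from Configuration Manager. It inspects the client-authentication .PFX that gets imported into the DP role and the boot media (is it self-signed, does it carry the Client Authentication EKU, key size, signature algorithm), then pulls the web server certificate the MP presents on TCP 443, compares its CN/SAN names against the FQDN the boot media dials (a mismatch is what WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID reports), builds its chain, and tests whether each HTTP CRL distribution point in the certificate answers. `$PfxPath` is a placeholder; `$MpFqdn` is the name from the log above.

```powershell
# Added example (not from the thread): check the boot-media/DP client cert and
# the MP's web server cert from an admin workstation.
$PfxPath = 'C:\certs\ConfigMgrClient.pfx'     # placeholder path to your .PFX
$MpFqdn  = 'MP21.DOMAIN.DOMAIN.DOMAIN.DOMAIN'  # MP name from the SMSTS.LOG excerpt

function Test-ClientAuthPfx {
    param([string]$Path, [securestring]$Password)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        SelfSigned         = ($cert.Subject -eq $cert.Issuer)      # boot media default is self-signed
        HasPrivateKey      = $cert.HasPrivateKey
        ClientAuthEku      = ($ekus -contains '1.3.6.1.5.5.7.3.2')  # id-kp-clientAuth
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName  # e.g. sha256RSA
        KeySize            = $cert.PublicKey.Key.KeySize            # RSA keys
        NotAfter           = $cert.NotAfter
    }
}

function Get-RemoteServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server sends here; the checks below do the validation.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Test-CertificateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $names = @()
    $dns = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dns) { $names += $dns }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format() renders each SAN entry as "DNS Name=host" on Windows.
        $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    # Exact, case-insensitive match only; wildcard names are not evaluated here.
    [pscustomobject]@{ Names = ($names | Select-Object -Unique); MatchesHost = ($names -contains $HostName) }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [switch]$CheckRevocation)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $ok = $chain.Build($Cert)
    [pscustomobject]@{ Trusted = $ok; Status = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ') }
}

function Test-CrlDistributionPoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # cRLDistributionPoints
    if (-not $cdp) { return }
    foreach ($m in [regex]::Matches($cdp.Format($true), 'URL=(http[^\s]+)')) {
        $url = $m.Groups[1].Value
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            [pscustomobject]@{ Url = $url; Reachable = $true; Bytes = $r.RawContentLength }
        } catch {
            [pscustomobject]@{ Url = $url; Reachable = $false; Bytes = 0 }
        }
    }
}

Test-ClientAuthPfx -Path $PfxPath -Password (Read-Host -AsSecureString 'PFX password') | Format-List
$mpCert = Get-RemoteServerCertificate -HostName $MpFqdn
Test-CertificateName -Cert $mpCert -HostName $MpFqdn
Test-CertificateChain -Cert $mpCert -CheckRevocation
Test-CrlDistributionPoints -Cert $mpCert
```

Run the CDP test from a client network segment rather than from the site server, since the question is whether WinPE on that segment can fetch the CRL anonymously; an unreachable CDP shows up as `RevocationStatusUnknown` or `OfflineRevocation` in the chain status once CRL checking is enabled in the site.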
Sunday, December 21, 2014 2:13 AM
Hi Jason,
Yep, I understand about the templates. I am just saying that the certificates we have in use are based upon templates that I have double-checked for compatible settings, like key length, version, Subject and CRL paths both CDP/AIA and OCSP.
Our CDP location is accessible by all internal clients via anonymous authentication for obvious reasons, like allowing a WinPE image to access them.
I have not yet turned on CRL checking within the Site configuration. The SMSTS.LOG also does not seem to indicate a CRL check is happening.
The Distribution Points and the Bootable media are using the same certificate. This certificate is a client authentication certificate which was generated based upon the "Workstation Authentication" certificate template. The certificate template allowed the private key to be exported. The certificate was generated, exported as a .PFX and then imported into the DP role and Boot media. With the small assumption I made about the support for SHA-256 based certificates I am positive the certificate for the boot media and DPs is OK.
The issue seems to me, however, to be related to the validation of the Web Server certificate on the MP.
I may have to give MS a call. I was hoping this was a more common problem.
NSutton
Sunday, December 21, 2014 9:48 PM
Hi NStone,
Thanks for the reply. You actually nailed it.
I had not allocated a Boundary group to provide Site Assignment. As soon as I did the Task Sequence went through the process as expected. Thanks for all of your help.
Thanks Jason for your help as well. Very much appreciated.
Cheers,
Nathan Sutton
NSutton
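An added example for the fix Nathan describes; it is not code from this thread or from Configuration Manager. Given the IP address WinPE received, it finds the IP-range boundaries that contain it and reports, for each boundary group those boundaries belong to, whether the group is used for site assignment, which is what the task sequence needs before `QueryMPLocator` can return an MP. It assumes the ConfigurationManager module is loaded and the current location is the site drive; `$ClientIp` is a placeholder, and the property names used (`BoundaryType`, `Value`, `BoundaryID`, `DisplayName`, `DefaultSiteCode`) are those of the SMS_Boundary and SMS_BoundaryGroup objects the cmdlets return.

```powershell
# Added example (not from the thread): which boundary groups cover a client IP,
# and do any of them provide site assignment?
# Assumes: Import-Module ConfigurationManager has run and Set-Location <SiteCode>: was done.
$ClientIp = '10.1.2.30'   # placeholder: the address WinPE obtained from DHCP

function ConvertTo-UInt32Ip {
    # IPv4 dotted quad -> unsigned integer, so ranges can be compared numerically.
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)            # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInRangeBoundary {
    # IP address range boundaries store their Value as "start-end".
    param([string]$Ip, [string]$RangeValue)
    $start, $end = $RangeValue -split '-'
    $n = ConvertTo-UInt32Ip $Ip
    ((ConvertTo-UInt32Ip $start) -le $n) -and ($n -le (ConvertTo-UInt32Ip $end))
}

function Get-BoundaryGroupCoverage {
    param([string]$Ip)
    # BoundaryType 3 = IP address range. Types 0 (IP subnet), 1 (AD site) and
    # 2 (IPv6 prefix) need the client's mask or site name, so they are not evaluated here.
    $matching = @(Get-CMBoundary | Where-Object {
        $_.BoundaryType -eq 3 -and (Test-IpInRangeBoundary -Ip $Ip -RangeValue $_.Value)
    })
    if (-not $matching) {
        Write-Warning "No IP-range boundary contains $Ip"
        return
    }
    foreach ($g in Get-CMBoundaryGroup) {
        $members = @(Get-CMBoundary -BoundaryGroupName $g.Name)
        $hit = @($members | Where-Object { $matching.BoundaryID -contains $_.BoundaryID })
        if ($hit) {
            [pscustomobject]@{
                BoundaryGroup  = $g.Name
                Boundary       = ($hit.DisplayName -join ', ')
                # DefaultSiteCode is populated when "Use this boundary group for site assignment" is set.
                SiteAssignment = [bool]$g.DefaultSiteCode
                AssignedSite   = $g.DefaultSiteCode
            }
        }
    }
}

Get-BoundaryGroupCoverage -Ip $ClientIp | Format-Table -AutoSize
```

If the output lists groups but every row shows `SiteAssignment` as False, the client is inside a boundary but no group assigns it to a site, which is the state Nathan hit; if nothing is listed, the IP is outside every range boundary and the subnet or AD-site boundaries need checking by hand.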
Monday, December 22, 2014 3:01 AM
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
Monday, December 22, 2014 4:10 AM
Hi Don,
Yes it is. When I posted this question originally I received an Internal Server Error response. Assuming the posting failed I tried again and it was OK. Unfortunately I could not delete the duplicate.
Cheers,
Nathan
NSutton
Friday, July 8, 2016 4:44 AM
Hi Guys.
In my case, I had the exact same error message and it turned out that the BOUNDARY configuration was missing. So I just added the boundary and the customer was able to build their machines fine. Thought it was worth sharing and might come in handy if you overlooked your boundary configuration in SCCM.