Question
Thursday, January 3, 2019 8:56 AM
Hello,
I opened a case earlier but could not find any solution.
In my case, my OSD TS works fine when upgrading Windows 7 to Windows 10; however, on brand-new laptops and PCs it fails to register clients.
When I switch the management point from HTTPS to HTTP, the TS works fine, but when I choose HTTPS, the TS fails.
In my logs it says:
Instance of CCM_SuperPeerClientConfig doesn't exist in WMI
Failed to read 'SecurityToken' from registry
CheckLocations failed. Error = 0x87d00607
Signing Certificate is not available in the store
Client is not yet registered but no FSP is available. Will retry later.
Those are the log entries I found, but it is difficult to find the problem.
I really need help to fix the issue.
Regards
All replies (13)
Thursday, January 3, 2019 1:17 PM
First, on a semantic note, there is no such thing as ConfigMgr/SCCM 2016. The product is simply Configuration Manager (ConfigMgr or SCCM) and is often referred to as ConfigMgr Current Branch (CB).
> In my logs it says
Which logs? There are lots of logs, so you need to identify which one. Also, is that every line from the log? If not, it's not truly helpful.
However, given that HTTP works, that implies a certificate issue. Have you validated that a client auth certificate exists in the computer's store?
Jason | https://home.configmgrftw.com | @jasonsandys
Thursday, January 3, 2019 1:45 PM
Hello Jason,
Configuration Manager. It is correct.
I can send you all the logs. I guess yes, it is a certification issue.
How can I be sure of this?
> Have you validated that a client auth certificate exists in the computer's store?
Some logs (errors):
ClientIDManagerStartup
<![LOG[Failed to open to WMI namespace '\\.\root\ccmvdi' (8007045b)]LOG]!><time="10:42:22.697-60" date="12-27-2018" component="ClientIDManagerStartup" context="" type="3" thread="9024" file="WmiNamespace.cpp:305">
ClientAuth.log
<![LOG[Signing Certificate is not available in the store]LOG]!><time="14:22:01.698-60" date="12-21-2018" component="ClientAuth" context="" type="0" thread="2740" file="ccmgencert.cpp:1385">
<![LOG[Error signing client message (0x80004005).]LOG]!><time="14:22:01.698-60" date="12-21-2018" component="ClientAuth" context="" type="3" thread="2740" file="clientauthhook.cpp:419">
EndpointProtectionAgent.log
<![LOG[EP State and Error Code didn't get changed, skip resend state message.]LOG]!><time="10:44:49.701-60" date="12-27-2018" component="EndpointProtectionAgent" context="" type="1" thread="5200" file="epagentimpl.cpp:162">
<![LOG[Failed to get EP event code under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="10:44:49.701-60" date="12-27-2018" component="EndpointProtectionAgent" context="" type="2" thread="5200" file="epagentimpl.cpp:1425">
<![LOG[Failed to get EP event message under registry key SOFTWARE\Microsoft\CCM\EPAgent]LOG]!><time="10:44:49.701-60" date="12-27-2018" component="EndpointProtectionAgent" context="" type="2" thread="5200" file="epagentimpl.cpp:1430">
<![LOG[State 1, error code 0 and detail message are not changed, skip updating registry value]LOG]!><time="10:44:49.701-60" date="12-27-2018" component="EndpointProtectionAgent" context="" type="1" thread="5200" file="epagentimpl.cpp:215">
Thursday, January 3, 2019 1:55 PM
Dear Jason,
Yes, I can see the client cert in the computer store.
I guess only unknown clients can't register themselves with the HTTPS DP
Thursday, January 3, 2019 2:32 PM
As noted, just errors from a log file instead of the complete, relevant portion is more or less useless.
Jason | https://home.configmgrftw.com | @jasonsandys
Thursday, January 3, 2019 2:36 PM
> I guess only unknown clients can't register themselves with the HTTPS DP
DPs have nothing to do with registration and I don't think this is explicitly a registration issue anyway. What is leading you to make this statement?
The complete ClientIdManagerStartup.log should give an explicit reason why the certificate is not being chosen. If you would like to post this log, post it on a file sharing service and link to it here -- don't copy the log here directly please as I won't read it here.
Jason | https://home.configmgrftw.com | @jasonsandys
Thursday, January 3, 2019 2:47 PM
Ok Jason.
You are right. You can find the log file below.
Regards
Savas
Thursday, January 3, 2019 2:56 PM
From Log:
Got registration response from MP. Client approval status: 0
Have you been able to approve the client manually from the console?
Kannan.CS
Thursday, January 3, 2019 3:00 PM
Hello Kannan,
During the TS? I don't know how to approve it.
Is there any command line that I can add to the TS?
Regards
Savas
Thursday, January 3, 2019 3:07 PM
As suspected, the log tells you the issue:
Begin searching client certificates based on Certificate Issuers
Certificate Issuer 1 [CN=EUM-ROOT-CA]
Certificate Issuer 2 [CN=EUM-SUB-CA; DC=eum; DC=root; DC=eumetsat; DC=int]
Finding certificate by issuer chain returned error 80092004
Completed searching client certificates based on Certificate Issuers
Unable to find any Certificate based on Certificate Issuers
Jason | https://home.configmgrftw.com | @jasonsandys
Thursday, January 3, 2019 3:08 PM
You don't, this is a red herring.
Jason | https://home.configmgrftw.com | @jasonsandys
Thursday, January 3, 2019 3:12 PM
Alright Jason.
Thank you very much for your answer.
I still don't know how to fix it. Could you give me a little more information?
Best Regards
Thursday, January 3, 2019 3:19 PM
Your site is configured to use certificates issued from specific CAs (lines 1-3 above).
The client agent cannot find a certificate in the local store issued by one of the CAs (lines 4 and 6 above).
Thus, the client system, for whatever reason, does not have a valid certificate as you've configured the site. I can't tell you why it doesn't have this certificate or why you are requiring certificates from these CAs as those are specific to your configuration and environment.
Jason | https://home.configmgrftw.com | @jasonsandys
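Added example, not part of the original replies and not ConfigMgr's own selection code: a PowerShell audit of the computer's Personal store for the condition described above, reporting for each certificate whether it is within its validity period, has a private key, carries the Client Authentication EKU, and chains through one of the issuers named in the log (CN=EUM-ROOT-CA, CN=EUM-SUB-CA). Matching on the first RDN of each CA subject in the chain is an assumption that only approximates the client's issuer-chain search.

```powershell
# Issuer CNs taken from the log excerpt in this thread; the matching rule is an assumption.
$trustedIssuerCNs = @('CN=EUM-ROOT-CA', 'CN=EUM-SUB-CA')
$clientAuthOid    = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now              = Get-Date

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Build the chain without revocation checks so the audit also works
    # when the CRL distribution point is unreachable (e.g. during a task sequence).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainBuilt = $chain.Build($cert)

    # Subjects of every CA above the leaf (element 0 is the certificate itself).
    $caSubjects = @($chain.ChainElements | Select-Object -Skip 1 |
                    ForEach-Object { $_.Certificate.Subject })
    if ($caSubjects.Count -eq 0) { $caSubjects = @($cert.Issuer) }  # chain could not be extended

    # Compare only the first RDN (the CN) of each CA subject with the configured issuers.
    $issuerMatch = $false
    foreach ($subject in $caSubjects) {
        $firstRdn = ($subject -split ',')[0].Trim()
        if ($trustedIssuerCNs -contains $firstRdn) { $issuerMatch = $true }
    }

    # Look for the Client Authentication OID in the EKU extension, if one is present.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = [bool]($eku -and
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }))

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = $hasClientAuth
        ChainBuilt    = $chainBuilt
        IssuerMatch   = $issuerMatch
    }
}

$report | Format-List
$usable = @($report | Where-Object {
    $_.InValidity -and $_.HasPrivateKey -and $_.ClientAuthEku -and $_.IssuerMatch })
"Candidate certificates matching the configured issuers: $($usable.Count)"
```

A count of zero on an affected machine is consistent with the "Unable to find any Certificate based on Certificate Issuers" line in the log; the per-certificate columns show which property rules each certificate out.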
Friday, January 4, 2019 7:11 AM
Hi Sabasu1,
How do you configure the certificate used by the clients?
"Yes, I can see the client cert in the computer store."
Did SCCM need to be used to match the certificate?
When creating the certificate template, did you select/check Autoenroll?
Did you select "Use PKI client certificate (client authentication capability) when available" on the primary site?
For a detailed demonstration, we could refer to this great blog by Justin Chalfant and reconfirm that we have not missed anything.
Https://blogs.technet.microsoft.com/jchalfant/how-to-configure-microsoft-sccm-to-use-https-pki/
The Topics and Guide at the bottom of this page are also very helpful.
Best regards,
Yuxiang