Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Wednesday, April 15, 2015 1:26 PM
Strange issue after copying SCCM Server into a lab environment.
We have copied the VM from the production environment to a lab environment (Isolated) which includes a copy of the Active Directory Servers. Now we can't build off the SCCM Server in the Lab, production works fine.
When I boot off a USB Stick (Boot Media) I get the following entries in the SMSTS.LOG file
**********************************************************************************************
CryptVerifySignature failed, 80090006 TSMBootstrap 4/13/2015 2:01:42 PM 1404 (0x057C)
untrusted certificate: 308202EB308201D3A00302010202103B76C3B1FC59E9A5423AA1DF7A9B659E300D06092A864886F70D01010B0500302431143012060355040
<Eliminated a bunch of lines for ease of reading>
3130B49544F532D5343434D3032310C300A06035504031303534D533082720DD28FAD9B1281241F27BBF534C518DFE1E20274CB31C07C54051A5B7F2D6ACE33981102E95AC8BBCB7A48761CF9F2C50D72D9A TSMBootstrap 4/13/2015 2:01:42 PM 1404 (0x057C)
Failed to get information for MP: http://<Server>.<Domain> 80090006. TSMBootstrap 4/13/2015 2:01:42 PM 1404 (0x057C)
**********************************************************************************************
I went to http://<Server>.<Domain>/SMS_MP/.sms_aut?MPKEYINFORMATIONMEDIA and the untrusted certificate is the MPCERTIFICATE
I'm not running in HTTPS so these are self signed certs and I'm not exactly sure how to go about recreating / regenerating these.
Anyone have any ideas?
All replies (6)
Friday, April 17, 2015 8:08 PM âś…Answered | 2 votes
Turns out I was missing a few Registry Values that the MP was supposed to put in when it was installed. Everything installed correctly according to the logs, even Microsoft was stumped.
HKLM\SOFTWARE\Microsoft\SMS\Security\SignedSerilizedKey]
HKLM\SOFTWARE\Microsoft\SMS\Security\SignedSerilizedKeyEx]
I left it for a few days and the Registry Keys appeared.
I don't like things that fix themselves, especially when I don't know the root cause.
Chris
Thursday, April 16, 2015 8:43 AM
Hi,
I think you have run into a problem as described in this blog:
Certificate untrusted after changing IP-address of ConfigMgr server
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, November 11, 2015 2:19 PM
Hi Chirs,
But do you know which values should the key have? Considering that are other keys in the same folder with similar data. I have the same issue but I don't know which keys should be there.
I already install the certificates on the trust root authorities, but didn't help.
Thanks in advanced,
J.
Tuesday, April 3, 2018 1:56 PM
This worked for me too
Thursday, April 26, 2018 3:59 PM
I've had the same problem today 26-Apr-2018, after an SCCM upgrade to 1802 (full version 5.00.8634.1000). The install was successful no errors, but just after it came back the SMSPXE.log had lots of errors.
Found the values in the current DB using SQL:
select * from SC_SysResUse_Property where name ='SignedSerializedCertificate'
select * from SC_SysResUse_Property where name ='SignedSerializedCertificateEx'
And put the values into registry on the MP and DP rebooted both. This fixed the error "CryptVerifySignature failed, 80090006" in the E:\SMS_DP$\sms\logs\SMSPXE.log on the DP.
Tony
Tuesday, April 9, 2019 1:30 AM
Similar issue here when upgrading from 1710 to 1810.<o:p></o:p>
Upgrade was fine but had lots of errors in SMSPXE.log.
Registry keys for SignedSerilizedKey and SignedSerilizedKeyEx were empty.<o:p></o:p>
Left it a day, still no luck so upgraded to 1902. Still an issue straight after the 1902 upgrade but overnight it sorted itself out and the registry keys were filled in and OSD was working in the morning.
Running the following queries gives be 6 rows for each, I've checked on a few other environments and they only show one row.<o:p></o:p>
select * from SC_SysResUse_Property where name ='SignedSerializedCertificate'<o:p></o:p>
select * from SC_SysResUse_Property where name ='SignedSerializedCertificateEx'<o:p></o:p>