Question
Wednesday, July 13, 2016 10:17 PM
We have the error below in the SCCM logs.
Clients are not registering on the SCCM server due to a certificate issue - but WHAT certificate is the issue?
Clients cannot communicate with the SCCM server.
Begin validation of Certificate [Thumbprint 84BC67537946B6B56A071CEA499A200064F6A089] issued to 'servidor.dominio.com.br' MP_RegistrationManager 7/13/2016 1:17:28 PM 5236 (0x1474)
The certificate chain processed correctly but terminated in a root certificate not trusted per ConfigMgr CTL. MP_RegistrationManager 7/13/2016 1:17:28 PM 2896 (0x0B50)
Completed validation of Certificate [Thumbprint 25DEE4F349BCCCC5A19D543390880BAB1AFEEFC9] issued to 'xyz.dominio.com.br' MP_RegistrationManager 7/13/2016 1:17:28 PM 2896 (0x0B50)
MP Reg: Client in-band certificate is not valid due to failures in certificate chain validation, Raising status event. Failure HR = 0x800b0109, In-band Cert SubjectName = xyz.dominio.COM.BR MP_RegistrationManager 7/13/2016 1:17:28 PM 2896 (0x0B50)
The certificate chain processed correctly but terminated in a root certificate not trusted per ConfigMgr CTL. MP_RegistrationManager 7/13/2016 1:17:28 PM 5236 (0x1474)
Completed validation of Certificate [Thumbprint 84BC67537946B6B56A071CEA499A200064F6A089] issued to 'servidor.dominio.com.br' MP_RegistrationManager 7/13/2016 1:17:28 PM 5236 (0x1474)
MP Reg: Client in-band certificate is not valid due to failures in certificate chain validation, Raising status event. Failure HR = 0x800b0109, In-band Cert SubjectName = servidor.dominio.com.br MP_RegistrationManager 7/13/2016 1:17:28 PM 5236 (0x1474)
Raising event:
[SMS_CodePage(850), SMS_LocaleID(1046)]
instance of MpEvent_CertInvalidChain
{
ClientID = "GUID:738D16B7-C306-443A-B3E4-A9C4184A924F";
DateTime = "20160713161728.874000+000";
MachineName = "sccm.dominio.com.br";
ProcessID = 4636;
SiteCode = "site1";
SubjectName = "servidor.dominio.com.br";
ThreadID = 5236;
Win32ErrorCode = 2148204809;
};
MP_RegistrationManager 7/13/2016 1:17:28 PM 5236 (0x1474)
MP Reg: Registration request body is invalid. MP_RegistrationManager 7/13/2016 1:17:28 PM 5236 (0x1474)
Also another error message from ClientIDManagerStartup.log:
<![LOG[[RegTask] -
Client is not registered. Sending registration request for GUID:400B42E4-FFAA-4859-BCAE-B443ABD0A90D …
]LOG]!><time="16:29:08.626+180" date="07-12-2016" component="ClientIDManagerStartup" context="" type="1" thread="7188" file="regtask.cpp:1595">
<![LOG[[RegTask] -
Server rejected registration request: 3
]LOG]!><time="16:29:08.813+180" date="07-12-2016" component="ClientIDManagerStartup" context="" type="3" thread="7188" file="regtask.cpp:1662">
Thank you,
De Lucca
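A practitioner chasing this across many clients usually wants the ClientIDManagerStartup.log entries parsed rather than eyeballed. The following PowerShell is an added example, not code from the thread or from Microsoft; it parses the CMTrace line format shown above (`<![LOG[message]LOG]!><time=... date=... component=... type=... thread=...>`), handles messages that span several lines, and filters to type 3 (error) entries such as "Server rejected registration request". The sample lines are constructed to mirror the excerpt; the function name and the `$LogPath` variable are this example's own.

```powershell
# Added example (not from the original thread): parse CMTrace-format log lines and
# surface registration errors from ClientIDManagerStartup.log.

# Constructed sample mirroring the excerpt in the question (one entry spans two lines).
$sample = @'
<![LOG[[RegTask] -
Client is not registered. Sending registration request for GUID:400B42E4-FFAA-4859-BCAE-B443ABD0A90D ...
]LOG]!><time="16:29:08.626+180" date="07-12-2016" component="ClientIDManagerStartup" context="" type="1" thread="7188" file="regtask.cpp:1595">
<![LOG[[RegTask] - Server rejected registration request: 3]LOG]!><time="16:29:08.813+180" date="07-12-2016" component="ClientIDManagerStartup" context="" type="3" thread="7188" file="regtask.cpp:1662">
'@

function ConvertFrom-CMTraceLog {
    # Turns CMTrace-format lines into objects. Entries are closed by ']LOG]!>', so lines
    # are buffered until that tag is seen, which keeps multi-line messages intact.
    param([Parameter(Mandatory)][string[]]$Lines)

    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    $pattern  = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"[^>]*?thread="(?<thread>\d+)"'
    $buffer   = ''

    foreach ($line in $Lines) {
        $buffer += $line + "`n"
        if ($buffer -notmatch '\]LOG\]!>') { continue }   # entry not complete yet

        if ($buffer -match $pattern) {
            $sev = $severity[$Matches['type']]
            if (-not $sev) { $sev = 'Unknown' }
            [pscustomobject]@{
                Date      = $Matches['date']
                Time      = $Matches['time']
                Component = $Matches['comp']
                Severity  = $sev
                Thread    = $Matches['thread']
                Message   = ($Matches['msg'] -replace '\s+', ' ').Trim()
            }
        }
        $buffer = ''
    }
}

# Parse the constructed sample and show only error entries.
$entries = ConvertFrom-CMTraceLog -Lines ($sample -split "`r?`n")
$entries | Where-Object Severity -eq 'Error' |
    Format-Table Date, Time, Component, Thread, Message -AutoSize

# On a real client, point it at the live log instead (path is the default CCM log location):
# $LogPath = Join-Path $env:windir 'CCM\Logs\ClientIDManagerStartup.log'
# ConvertFrom-CMTraceLog -Lines (Get-Content $LogPath) | Where-Object Severity -eq 'Error'
```

Running the block against the sample prints the single "Server rejected registration request: 3" entry as an Error; the GUID line is Info (type 1) and is filtered out. The same filter over the live log, collected from several clients, tells you quickly whether the rejection is fleet-wide or limited to a subset, which is the first question the replies below ask.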
All replies (3)
Saturday, July 16, 2016 2:06 PM ✅Answered
Hello all
Thank you very much for the answers.
We could resolve this issue with Microsoft escalation support engineers.
After days of testing we found there were 4 outdated certificates in the server's Personal\Certificates store.
Although we had the valid certificates on that server, the outdated certificates were causing this communication problem.
So we deleted those outdated certs, and everything became normal again.
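The resolution above (stale certificates sitting in the MP's Personal store next to the valid ones) is something you can check for before opening a support case. The PowerShell below is an added example, not code from the thread or from Microsoft: it walks Cert:\LocalMachine\My, flags certificates that are past NotAfter, builds each certificate's chain with .NET's X509Chain and reports the chain status names (for example UntrustedRoot, NotTimeValid), and marks the two thumbprints quoted in the MP_RegistrationManager.log excerpt so they stand out. The thumbprints are the ones from the question; the function name is this example's own. For reference, the Win32ErrorCode 2148204809 in the raised event is decimal for 0x800B0109, the same CERT_E_UNTRUSTEDROOT value Nick decodes below.

```powershell
# Added example (not from the original thread): audit the Management Point's Personal
# store for expired certificates and for chains that do not end in a trusted root.
# It only reports; removing a certificate is left to the administrator.

# Thumbprints quoted in the question's MP_RegistrationManager.log excerpt.
$ReportedThumbprints = @(
    '84BC67537946B6B56A071CEA499A200064F6A089',
    '25DEE4F349BCCCC5A19D543390880BAB1AFEEFC9'
)

function Test-PersonalStoreCertificate {
    # Builds the chain for one certificate and returns a summary row.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped so an offline CRL does not mask the chain-of-trust problem
    # this thread is about; run a second pass with Online if you also want revocation.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $valid  = $chain.Build($Certificate)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','
    if (-not $status) { $status = 'NoError' }

    # Last element of the built chain is the root (or the highest issuer found).
    $root = ''
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    $chain.Reset()

    $expired  = $Certificate.NotAfter -lt (Get-Date)
    $reported = $ReportedThumbprints -contains $Certificate.Thumbprint

    [pscustomobject]@{
        Thumbprint  = $Certificate.Thumbprint
        Subject     = $Certificate.Subject
        NotAfter    = $Certificate.NotAfter
        Expired     = $expired
        ChainValid  = $valid
        ChainStatus = $status
        ChainRoot   = $root
        InMpLog     = $reported
    }
}

# Audit the whole Personal store on this machine (run on the MP).
$results = Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-PersonalStoreCertificate -Certificate $_ }

# Anything expired, anything whose chain fails, and anything named in the MP log.
$results |
    Where-Object { $_.Expired -or -not $_.ChainValid -or $_.InMpLog } |
    Sort-Object Expired, ChainValid |
    Format-Table Thumbprint, Subject, NotAfter, Expired, ChainValid, ChainStatus, InMpLog -AutoSize
```

Two things to keep in mind when reading the output. First, X509Chain validates against this machine's own trusted root store, whereas the "ConfigMgr CTL" in the log is the set of trusted root CA certificates configured in the site's properties; a chain that builds cleanly here can still be rejected by the MP if that site list is missing the root, which is the point Jason raises below. Second, a certificate that is expired shows up as NotTimeValid in ChainStatus, and in the original poster's case it was exactly those stale entries, alongside otherwise valid ones, that broke client registration, so a store with more than one certificate for the same subject is worth a close look.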
Wednesday, July 13, 2016 10:54 PM
0x800b0109 - A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Is there any more information in ClientIDManagerStartup.log about which certificate it is selecting?
Which roles are using HTTPS?
Have you deployed Client certificates from your CA? Have you configured autoenroll in GPO?
Is this issue for all clients or just some?
Which certificates are you using in your environment?
Are you using a Microsoft Enterprise CA?
Nick | https://brotechcm2012.wordpress.com/
Thursday, July 14, 2016 1:35 AM
Does your MP trust the root CA of the PKI that issued the client certs? Based on the above, it doesn't.
Jason | http://blog.configmgrftw.com | @jasonsandys