MikeGorski-5001 asked:

Unable to install SCCM agent over internet using CMG and bulk enrollment token

I have set up a CMG recently and I am having trouble trying to install the SCCM agent over the internet using token based authentication. The errors I am seeing seem to indicate a certificate trust issue but there should be no need for certs for this to work. My test PC is in a workgroup and has never touched the domain. I have tested the CMG with a domain joined PC and I verified it works (I can deploy applications and software updates.)

I am running SCCM 2010 and to test this, I am following this MS doc https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/deploy-clients-cmg-token. I ran the bulk enrollment utility to generate the token and here is my installation command line:

ccmsetup.exe /mp:https://myCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939 CCMHOSTNAME=myCMG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939 SMSSiteCode=GOR SMSMP=https://myMP.myDomain.com /regtoken:eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6InpkZnpZMVNGM.....

The installation fails with these errors in ccmsetup.log:

[CCMHTTP] AsyncCallback(): -------------------------  ccmsetup  3/2/2021 10:53:37 PM  10656 (0x29A0)
[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered  ccmsetup  3/2/2021 10:53:37 PM  10656 (0x29A0)
[CCMHTTP]                : dwStatusInformationLength is 4  ccmsetup  3/2/2021 10:53:37 PM  10656 (0x29A0)
[CCMHTTP]                : *lpvStatusInformation is 0x9  ccmsetup  3/2/2021 10:53:37 PM  10656 (0x29A0)
[CCMHTTP]            : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set  ccmsetup  3/2/2021 10:53:37 PM  10656 (0x29A0)
[CCMHTTP]            : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set  ccmsetup  3/2/2021 10:53:37 PM  10656 (0x29A0)
[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------  ccmsetup  3/2/2021 10:53:37 PM  10656 (0x29A0)
Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f  ccmsetup  3/2/2021 10:53:37 PM  10656 (0x29A0)
RetrieveTokenFromStsServerImpl failed with error 0x80072f8f  ccmsetup  3/2/2021 10:53:37 PM  10656 (0x29A0)
Failed to create SMS client object. Error 0x80040154  ccmsetup  3/2/2021 10:53:37 PM  10656 (0x29A0)
Failed to get CCM access token and client doesn't have PKI issued cert to use SSL. Error 0x80070002  ccmsetup  3/2/2021 10:53:37 PM  10656 (0x29A0)
CcmSetup failed with error code 0x87d00455

I imported the RootCA from my domain and tried to reinstall. It errored again with the same messages, except for "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set", which makes sense. However, the RootCA or any certs should not be needed if I am understanding how the bulk token is supposed to work. I added /nocrlcheck to the command line and this allowed the SCCM agent to complete. Unfortunately, after it finished installing, the agent is refusing to communicate with the CMG, as I get the same error messages in locationservices.log that I posted above.

I've read a lot of blogs and how-tos for this and I am doing exactly the same procedure. Does anyone have any thoughts about this? Thanks.
[attachment: ccmsetup-copy.log]

Jason-MSFT answered:

> but there should be no need for certs for this to work.

This is not correct. Clients must still trust the PKI that issued the certificate configured on the CMG. Given that you've tested it and it works with a domain-joined PC, I'm assuming that you are using a certificate issued from an internal CA on the CMG. If so, then this is an issue, as non-domain-joined clients won't automatically trust the cert on the CMG. This is all standard, by-design PKI behavior and not specific to CMG or ConfigMgr. This is why we recommend using a cert from a public CA for the CMG, as this kind of cert is trusted by Windows by default.

1 comment:

Now that you say it, it makes perfect sense. I've read on a ton of forums about the recommendation to use a public cert vs a PKI cert but couldn't find a reason why. I guess this explains it.

Thanks for your input.

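As an added diagnostic, not part of the thread and not Microsoft tooling, the PowerShell script below does on a workgroup client what Jason's answer says ccmsetup has to be able to do: fetch the certificate the CMG presents, build its chain against the local trust stores with online revocation checking (ccmsetup's behaviour unless /nocrlcheck is given), and report the X509 chain status. It also decodes the WinHTTP secure-failure bitmask that appears in the "*lpvStatusInformation is 0x..." log line (0x9 in the posted log is CERT_REV_FAILED 0x1 plus INVALID_CA 0x8, matching the two "is set" lines that follow it). The CMG host name defaults to the one in the posted command line and is an assumption; replace it with your own. The ccmsetup.log path is the default install-log location.

```powershell
<#
  Added diagnostic example (not from the thread, not Microsoft's tooling).
  Run in an elevated PowerShell session on the workgroup client BEFORE ccmsetup.
  Assumptions: $CmgHost is the name from the posted /mp parameter (replace it);
  ccmsetup.log is at its default location.
#>
param(
    [string]$CmgHost = 'myCMG.CLOUDAPP.NET',
    [int]$Port = 443,
    [string]$CcmSetupLog = "$env:windir\ccmsetup\Logs\ccmsetup.log"
)

# WinHTTP secure-failure bits (winhttp.h) as logged in "*lpvStatusInformation is 0x...".
# The Chain column is the X509ChainStatusFlags value that produces the same WinHTTP flag.
$WinHttpSecureFlags = @(
    @{ Bit = 1;          Name = 'CERT_REV_FAILED';        Chain = 'RevocationStatusUnknown / OfflineRevocation' }
    @{ Bit = 2;          Name = 'INVALID_CERT';           Chain = '(certificate itself unusable)' }
    @{ Bit = 4;          Name = 'CERT_REVOKED';           Chain = 'Revoked' }
    @{ Bit = 8;          Name = 'INVALID_CA';             Chain = 'UntrustedRoot / PartialChain' }
    @{ Bit = 16;         Name = 'CERT_CN_INVALID';        Chain = '(host name mismatch, not a chain status)' }
    @{ Bit = 32;         Name = 'CERT_DATE_INVALID';      Chain = 'NotTimeValid' }
    @{ Bit = 64;         Name = 'CERT_WRONG_USAGE';       Chain = 'NotValidForUsage' }
    @{ Bit = 2147483648; Name = 'SECURITY_CHANNEL_ERROR'; Chain = '(TLS handshake failure)' }
)

function ConvertFrom-WinHttpSecureFlags {
    # Decode one lpvStatusInformation value into the individual flags that are set.
    param([Parameter(Mandatory)][uint64]$Value)
    foreach ($f in $WinHttpSecureFlags) {
        if (($Value -band [uint64]$f.Bit) -ne 0) {
            [pscustomobject]@{
                Bit             = ('0x{0:X}' -f $f.Bit)
                Flag            = "WINHTTP_CALLBACK_STATUS_FLAG_$($f.Name)"
                X509ChainStatus = $f.Chain
            }
        }
    }
}

function Get-CcmSetupSecureFailures {
    # Pull every "*lpvStatusInformation is 0x.." value out of ccmsetup.log and decode it.
    param([string]$LogPath = $CcmSetupLog)
    Select-String -Path $LogPath -Pattern '\*lpvStatusInformation is 0x([0-9A-Fa-f]+)' |
        ForEach-Object { [Convert]::ToUInt64($_.Matches[0].Groups[1].Value, 16) } |
        Sort-Object -Unique |
        ForEach-Object { ConvertFrom-WinHttpSecureFlags -Value $_ }
}

function Test-CmgServerCertificate {
    # Fetch the CMG's TLS certificate and build its chain the way ccmsetup will:
    # against the machine's trust stores, with online revocation checking.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        # The validation callback returns $true only so the handshake completes and we
        # get the certificate back; trust is evaluated explicitly below. Diagnostic use only.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false,
            { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        $serverCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $trusted = $chain.Build($serverCert)

    [pscustomobject]@{
        Host         = $HostName
        Subject      = $serverCert.Subject
        Issuer       = $serverCert.Issuer
        NotAfter     = $serverCert.NotAfter
        ChainTrusted = $trusted
        # UntrustedRoot here is what ccmsetup logs as INVALID_CA; RevocationStatusUnknown or
        # OfflineRevocation is what it logs as CERT_REV_FAILED.
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        ChainPath    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    }
}

# Decode the value from the posted log, test the live CMG endpoint, then decode any
# failures already recorded by a previous ccmsetup run.
ConvertFrom-WinHttpSecureFlags -Value 0x9 | Format-Table -AutoSize
Test-CmgServerCertificate -HostName $CmgHost -Port $Port | Format-List
if (Test-Path $CcmSetupLog) { Get-CcmSetupSecureFailures | Format-Table -AutoSize }
```

Two things to read from the output. If ChainTrusted is false with UntrustedRoot in ChainStatus, the issuing PKI is not trusted on this machine, which is the INVALID_CA in the log; since ccmsetup runs as SYSTEM, a manually imported root must be in the LocalMachine Root store, not the CurrentUser one. If only RevocationStatusUnknown or OfflineRevocation remains, the chain is trusted but the CRL distribution point in the certificate cannot be reached from the internet, which is typical for an internal CA's CDP; that is the CERT_REV_FAILED that /nocrlcheck suppresses for ccmsetup but that the installed client will hit again unless revocation checking is turned off for the site or the CDP is published externally. A certificate from a public CA avoids both problems, which is the reason behind the recommendation in the answer above.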
FionaYan-MSFT answered:

@MikeGorski-5001

Thank you for posting in Microsoft Q&A forum.

As we mentioned above, there is no requirement to use certs during the installation. Could you let us know whether the option "Clients check the certificate revocation list (CRL) for site systems" (shown in the image below) is checked? If it is selected, please clear it and then try the /nocrlcheck command line to see if it works.
[attachment: 3-4.png]

Have a good day!



MikeGorski-5001 answered:

Hi @FionaYan-MSFT, thanks for replying. I disabled the CRL check, but my test machine still throws the WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA error and refuses to communicate with the CMG. Thinking maybe the client needed a policy update, I connected to the internal LAN and ran a machine policy refresh. After it completed I put it on the internet and it is still throwing the WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA error. After this failed, I completely uninstalled the client from my test machine, rebooted, and tried to reinstall. It fails to install if I do not include /nocrlcheck, and if I do include it, it will install like before and then fail to communicate with the CMG.
