1 Vote
Jonathan-8497 asked Jonathan-8497 answered

SCCM - Build and Capture - Application installation while on PKI for workgroup clients not working

Hello,

I'm trying to do a Build and Capture task sequence but the TS always fails at the Install Application step. This step works when the client joins the domain but not in a workgroup.

I already checked many forums but I'm not able to find a solution.

I found errors in the LocationService.log; it seems that the problem is because the clients don't have a certificate. I don't know how to import the certificate for workgroup clients in a Build and Capture TS, or whether that is what I need to do.

[CCMHTTP] ERROR: URL=https://FQDN_TO_SERVER/SMS_MP/.sms_aut?SITESIGNCERT, Port=0, Options=31, Code=0, Text=CCM_E_NO_CLIENT_PKI_CERT
[CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText=


I use the following parameters to install the SCCM client: SMSCACHESIZE=10240 SMSMP=FQDN /UsePKICert /NoCRLCheck CCMHTTPSSTATE=31 DNSSUFFIX=DOMAIN


Can you help me with this?

Do you need to see a specific log?

mem-cm-osd mem-cm-application

0 Votes
Jonathan-8497 answered

The value of the Enhanced Key Usage is: Client Authentication (1.3.6.1.5.5.7.3.2)

Do I need to compare this with something else?


I joined some logs, I hope that it can help.

88575-smsts.log
88576-clientlocation.log
88592-execmgr.log
88593-locationservices.log
88594-locationservices-20210415-140430.log

Thanks for your help.





0 Votes
Jason-MSFT answered

It's probably time to open a support case here as there's nothing obvious that jumps out at this point as a root cause.

I would definitely get rid of CCMHTTPSSTATE and DNSSUFFIX from the properties though, as CCMHTTPSSTATE, as noted, is unsupported for direct use and DNSSUFFIX is redundant if you are already specifying SMSMP.

Reviewing the IIS log on the MP for corresponding traffic may be helpful as well (you'll have to filter by the client's IP).


0 Votes
Jonathan-8497 answered Jonathan-8497 edited

Thanks @Jason-MSFT.

I removed CCMHTTPSSTATE and DNSSUFFIX and the result is the same.

Is it possible for you to take a look at the clientlocation.log file, please?

Here are the messages that I mentioned in my first post:

[CCMHTTP] ERROR: URL=http://FQDNTOSCCM/SMS_MP/.sms_aut?SITESIGNCERT, Port=80, Options=480, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden


I will check the IIS log, thanks for the advice.


0 Votes
Jonathan-8497 answered

Thanks for pointing me to the IIS log, it helped me.

By searching for the following message on the internet:

2021-04-19 06:23:05 IP_TO_SCCM GET /SMS_MP/.sms_aut SITESIGNCERT 80 - CLIENT_IP SMS+CCM+5.0 - 403 4 5 1394 43

I found that a user had added https:// to the SCCM client parameter /MP:. So I replaced SMSMP=FQDN_TO_SCCM with /MP:https://FQDN_TO_SCCM

I gave it a try and no longer get the above error. Perhaps you have an idea of why this resolved the error?


Solving this didn't solve my initial problem, unfortunately: Software Installation

It seems that the process hangs on this:

89033-socket.png


Do you know where I need to look?





socket.png (21.9 KiB)
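
The IIS log review suggested above, as an added example that is not part of any post in this thread: it filters W3C log lines by client IP for failed requests under /SMS_MP/ and labels the 403 sub-status codes that IIS uses for HTTPS and client-certificate checks. The function name `Get-MpRequestFailure`, the sample lines, the field list and the addresses are assumptions constructed for the example.

```powershell
# Constructed sample in IIS W3C format (placeholder addresses). On a real MP,
# load the site's log file with Get-Content instead.
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-04-19 06:23:05 192.0.2.10 GET /SMS_MP/.sms_aut SITESIGNCERT 80 - 198.51.100.25 SMS+CCM+5.0 - 403 4 5 43
2021-04-19 06:23:09 192.0.2.10 GET /SMS_MP/.sms_aut MPLIST 443 - 198.51.100.25 SMS+CCM+5.0 - 200 0 0 31
2021-04-19 06:24:11 192.0.2.10 GET /SMS_MP/.sms_aut SITESIGNCERT 443 - 198.51.100.77 SMS+CCM+5.0 - 403 7 5 12
'@ -split "`r?`n"

# IIS 403 sub-status codes tied to HTTPS and client-certificate checks.
$sub403 = @{
    '4'  = 'SSL required (request arrived over plain HTTP)'
    '7'  = 'Client certificate required'
    '13' = 'Client certificate revoked'
    '16' = 'Client certificate untrusted or invalid'
    '17' = 'Client certificate expired or not yet valid'
}

function Get-MpRequestFailure {
    param([string[]]$Line, [string]$ClientIp, [string]$UriPrefix = '/SMS_MP/')
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Logged columns are configurable per site: take the order from the header.
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($l) -or $l.StartsWith('#') -or -not $fields) { continue }
        $v = $l.Trim() -split ' '
        if ($v.Count -ne $fields.Count) { continue }    # skip truncated lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        # Keep only failed requests from this client to the management point.
        if ($row['c-ip'] -ne $ClientIp -or $row['cs-uri-stem'] -notlike "$UriPrefix*") { continue }
        if ([int]$row['sc-status'] -lt 400) { continue }
        $meaning = if ($row['sc-status'] -eq '403') { $sub403["$($row['sc-substatus'])"] }
        [pscustomobject]@{
            Time    = "$($row['date']) $($row['time'])"
            Port    = $row['s-port']
            Query   = $row['cs-uri-query']
            Status  = "$($row['sc-status']).$($row['sc-substatus'])"
            Meaning = $meaning
        }
    }
}

# Placeholder client address from the constructed sample above.
Get-MpRequestFailure -Line $sampleLog -ClientIp '198.51.100.25' | Format-Table -AutoSize
```

In the default W3C field order, the two numbers that follow the status code are sc-substatus and sc-win32-status, so an entry logged as `403 4` on port 80 corresponds to IIS sub-status 403.4.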

0 Votes
Jason-MSFT answered

/mp and SMSMP are two completely, nearly unrelated configurations and are not in any way interchangeable.

As noted, it's time for you to open a support case to dig deeper here.


0 Votes
Jonathan-8497 answered

Thanks for your help, Jason. We do not have a contract for Microsoft Support, that's why I need to resolve this by myself and with the help of forums.
