MattD-7613 asked, saldana-msft edited

PKI Certificate Setup

Setting up PKI Certs for a new SCCM instance in an environment with a SCCM server setup with PKI. I followed the directions from here: https://www.windows-noob.com/forums/topic/16301-how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-2/

This is the 4th time I have followed these directions to a tee and the first time having an issue.

The clients will not change to PKI. I get a bunch of errors that point to a certificate issue.

To start - on the Site Server MPCONTROL.log - I see the entry Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden

The WCM.log, SiteComp.log and MPSetup.log show no errors.

I verified on the Client side that the SCCM Client Certificate is listed.

The ClientIDManagerStartup.log shows a client PKI cert available, but has RegTask: Failed to send registration request message. Error: 0x87d00231 and RegTask: Failed to send registration request. Error: 0x87d00231 listed over and over.

On the site server, I tried going to https://serverfqdn/SMS_MP/.sms_aut?MPLIST and it prompts me to choose one of two certs.

I ran the netsh http show sslcert command and it does not show the 0.0.0.0:443 entry, only the 8531 entry.


I am almost certain this is an old cert issue, but have not been able to figure out the solution. (attachment: mpcontrol.log)


Tags: mem-cm-general, mem-cm-site-deployment
Attachment: mpcontrol.log (2.5 MiB)

HanyunZhu-MSFT answered

Hi,

As you mentioned before, we can first try the following steps to change the port WSUS uses from 8531 to 443:
1) Open a command prompt on the WSUS server and change to "C:\Program Files\Update Services\Tools".
Command: cd "C:\Program Files\Update Services\Tools"
2) Run the command below; it changes the WSUS website to use port 443.
Command: wsusutil usecustomwebsite false
Then run the following command to confirm that the returned value becomes https://<servername>:443
Command: wsusutil configuressl <server name>
(screenshot: w.png)
Then we can use the netsh http show sslcert command to check whether the result shows the 443 entry.

After that, we can run the following telnet command on the client side to check whether the client can access the site on port 443:
Command: telnet <host> [<port>]
For example: telnet 192.168.22.1 443

And to check the client certificate, open certlm.msc, find the certificate with Client Authentication, and check whether the certificate meets the requirements.
For the detailed requirements, please refer to the "PKI certificates for clients" part in this article:
https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/network/pki-certificate-requirements#BKMK_PKIcertificates_for_clients

What's more, I found an article that has a similar error to the log you provided; you can try it for troubleshooting:
https://www.syswow64.co.uk/2016/03/sccm-client-certificate-pki-value-is.html
Note: This is not from MS, just for your reference.

Hope the information can be helpful to you.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.





HanyunZhu-MSFT answered MattD-7613 commented

@MattD-7613

Thanks for posting in Microsoft Q&A forum.

According to the log you provided, it has successfully performed MP availability checks.
(screenshot: log.png)

It seems that we've done a lot of research and performed some troubleshooting steps to find out the root cause. For this problem, to move on, we may need some additional information. Could you help to share CcmMessaging.log (with sensitive information masked)?



yannara answered MattD-7613 commented

When you swap from http or https to https only, the site server actually performs a re-install of components. That was my mistake at the very beginning; I didn't let it calm down.

Check first that the client can access the main IIS site via port 443. Also check the client cert path and its validation.

If your site server components are all green and the client cert status is OK, start looking at client logs like ClientAuth, CcmMessaging, ClientIDManagerStartup etc. Also check that your CCM client has changed to PKI.


MattD-7613 commented:

The client will not change to PKI, which is the issue. When I run the netsh command, the results do not come back with anything for 443, only 8531. This smells of a cert issue somewhere, but I just cannot seem to locate where.

I am willing to do anything at this point. How shall I verify a client can access the main IIS via 443, and how can I check the client cert path and its validation?

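The checks HanyunZhu-MSFT lists above (reachability of the site on port 443, the netsh http show sslcert binding, and the client certificate's Client Authentication EKU and chain) and the two questions in the comment above (how to verify access to IIS over 443 and how to check the client cert path) can be run in one go. The script below is an added example written for this thread, not code from the original posts or from Microsoft. The management point name sccm01.contoso.local is an assumption to be replaced with the real MP FQDN; it assumes Windows 8 / Server 2012 or later (Test-NetConnection, Test-Certificate) and an elevated PowerShell session, and the netsh part is only meaningful when the script is run on the site server / MP.

```powershell
param(
    # ASSUMED management point FQDN; replace with the real one.
    [string]$Mp = 'sccm01.contoso.local'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# 1) Reachability of the MP on 443 (PowerShell equivalent of "telnet <host> 443").
$tcp = Test-NetConnection -ComputerName $Mp -Port 443 -WarningAction SilentlyContinue
"TCP 443 to ${Mp}: " + $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'CLOSED or filtered' })

# 2) Candidate client certificates: machine store, Client Authentication EKU, private key present.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
})
"Client Authentication certificates with a private key: $($candidates.Count)"
if ($candidates.Count -gt 1) {
    'More than one candidate: a browser opened on this machine will prompt for one, as seen at .sms_aut?MPLIST on the site server.'
}

foreach ($cert in $candidates) {
    ''
    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)"
    "Thumbprint : $($cert.Thumbprint)"
    "Validity   : $($cert.NotBefore) to $($cert.NotAfter)"

    # 3) Certificate path validation with online revocation checking, the same check
    #    the Certification Path tab in certlm.msc performs.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        "Chain      : OK ($($chain.ChainElements.Count) elements, root: $root)"
    } else {
        'Chain      : FAILED'
        foreach ($s in $chain.ChainStatus) { "             $($s.Status): $($s.StatusInformation.Trim())" }
    }
    $chain.Reset()

    # 4) Test-Certificate repeats the validation while requiring the Client Authentication EKU.
    $ekuOk = Test-Certificate -Cert $cert -EKU $clientAuthOid -ErrorAction SilentlyContinue
    "Test-Certificate (client auth EKU): $ekuOk"
}

# 5) HTTP.sys SSL bindings. Meaningful only on the site server / MP: the MP needs a binding on
#    0.0.0.0:443 (or <server IP>:443); a WSUS-only setup shows just 0.0.0.0:8531.
$sslcert = netsh http show sslcert
$bound = @($sslcert | Select-String -Pattern 'IP:port\s*:\s*(\S+)' |
    ForEach-Object { $_.Matches[0].Groups[1].Value })
"HTTP.sys SSL bindings on $env:COMPUTERNAME : $($bound -join ', ')"
if (-not ($bound | Where-Object { $_ -like '*:443' })) {
    'No SSL binding on port 443: the Default Web Site has no HTTPS binding with a server certificate, so the MP cannot serve HTTPS.'
}
```

Run it on a client first to cover steps 1 to 4, then on the site server for step 5; a chain that fails with RevocationStatusUnknown or PartialChain on the client while the certificate looks fine in certlm.msc usually points at the CRL distribution point or the issuing CA not being trusted on that machine.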
MattD-7613 answered

I ended up just setting up Enhanced http. I copied your notes and may suggest we try it again.
