ChrisLardaro-3341 asked, saldana-msft edited

CCMsetup failing with error WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set

Hello,

We are having trouble installing software center on internet clients pointed to our CMG. In the ccmsetup log, I am seeing the error: WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set
Our CMG is secured with a cert from an internal PKI. The root and intermediate CA are trusted on the client, and navigating to the CMG site in a browser, says the cert is OK. Additionally, the CRL is externally published via Azure. Installing using the /NoCRLCheck switch is successful, so it is definitely an issue with CRL checking.

Log snippet below. Any help you can provide would be greatly appreciated. Thanks.


<![LOG[[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="08:59:08.352+240" date="03-31-2022" component="ccmsetup" context="" type="3" thread="12536" file="ccmhttperror.cpp:58">
<![LOG[[CCMHTTP] : dwStatusInformationLength is 4
]LOG]!><time="08:59:08.352+240" date="03-31-2022" component="ccmsetup" context="" type="3" thread="12536" file="ccmhttperror.cpp:59">
<![LOG[[CCMHTTP] : *lpvStatusInformation is 0x1
]LOG]!><time="08:59:08.352+240" date="03-31-2022" component="ccmsetup" context="" type="3" thread="12536" file="ccmhttperror.cpp:60">
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set
]LOG]!><time="08:59:08.352+240" date="03-31-2022" component="ccmsetup" context="" type="3" thread="12536" file="ccmhttperror.cpp:64">
<![LOG[[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------]LOG]!><time="08:59:08.352+240" date="03-31-2022" component="ccmsetup" context="" type="3" thread="12536" file="ccmhttperror.cpp:90">
<![LOG[Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f]LOG]!><time="08:59:08.353+240" date="03-31-2022" component="ccmsetup" context="" type="2" thread="12536" file="requestresponse.cpp:826">
<![LOG[[CCMHTTP] ERROR: URL=https://MYCMG.EASTUS.CLOUDAPP.AZURE.COM/CCM_Proxy_ServerAuth/72057594037927939/CCM_STS, Port=443, Options=224, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE]LOG]!><time="08:59:08.353+240" date="03-31-2022" component="ccmsetup" context="" type="1" thread="12536" file="ccmhttperror.cpp:306">
<![LOG[[CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText=]LOG]!><time="08:59:08.353+240" date="03-31-2022" component="ccmsetup" context="" type="1" thread="12536" file="ccmhttperror.cpp:317">
<![LOG[RetrieveTokenFromStsServerImpl failed with error 0x80072f8f]LOG]!><time="08:59:08.353+240" date="03-31-2022" component="ccmsetup" context="" type="3" thread="12536" file="ccmtoken.cpp:624">
<![LOG[Failed to create SMS client object. Error 0x80040154]LOG]!><time="08:59:08.354+240" date="03-31-2022" component="ccmsetup" context="" type="2" thread="12536" file="ccmtoken.cpp:456">
<![LOG[Failed to get CCM access token and client doesn't have PKI issued cert to use SSL. Error 0x80070002]LOG]!><time="08:59:08.354+240" date="03-31-2022" component="ccmsetup" context="" type="3" thread="12536" file="requestresponse.cpp:347">
<![LOG[[CCMHTTP] ERROR: URL=https://MYCMG.EASTUS.CLOUDAPP.AZURE.COM/CCM_Proxy_MutualAuth/72057594037927939/CCM_Client/ccmsetup.cab, Port=0, Options=224, Code=0, Text=CCM_E_NO_TOKEN_AUTH]LOG]!><time="08:59:08.354+240" date="03-31-2022" component="ccmsetup" context="" type="1" thread="12536" file="ccmhttperror.cpp:306">
<![LOG[[CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText=]LOG]!><time="08:59:08.354+240" date="03-31-2022" component="ccmsetup" context="" type="1" thread="12536" file="ccmhttperror.cpp:317">

Tags: mem-cm-general, mem-cm-co-management
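The log above shows WinHTTP setting WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED before the token request to CCM_STS, which means the client could not complete an online revocation check for some certificate in the CMG's chain. The following PowerShell script is an added diagnostic example, not code from the thread or from ConfigMgr: it pulls the certificate the CMG presents, builds the chain with online revocation checking for every element (the same check WinHTTP performs), lists the CRL distribution point URLs of each chain certificate, tries to download each CRL, and finally cross-checks with certutil. The host name is an assumed placeholder taken from the log; the temp file name and the 15-second timeouts are arbitrary choices.

```powershell
# Added diagnostic example; not code from the original thread or from ConfigMgr.
# Run on the affected client, preferably as SYSTEM (e.g. via PsExec -s), because
# ccmsetup and its CRL fetches run in that context, not as the logged-on user.
# $CmgHost is an assumed placeholder copied from the log; use your CMG service name.
param(
    [string]$CmgHost = 'MYCMG.EASTUS.CLOUDAPP.AZURE.COM',
    [int]$Port = 443
)

# --- 1. Fetch the leaf certificate the CMG presents. Validation is deliberately
#        skipped here; the real check happens in step 2.
$tcp = New-Object System.Net.Sockets.TcpClient($CmgHost, $Port)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($CmgHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Dispose()

# --- 2. Build the chain with online revocation checking for every element,
#        which is what WinHTTP does before it raises CERT_REV_FAILED.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$chainOk = $chain.Build($leaf)
Write-Host "Chain build with online revocation: $chainOk"
foreach ($status in $chain.ChainStatus) {
    # RevocationStatusUnknown / OfflineRevocation here are the chain-level
    # counterparts of the WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED flag.
    Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}

# --- 3. For every certificate in the chain, list its CRL distribution points
#        (extension OID 2.5.29.31) and try to download each CRL over plain HTTP,
#        which is how the client retrieves them. Root CAs normally carry no CDP.
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    Write-Host "`n$($cert.Subject)"
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { Write-Host '  (no CRL distribution point extension)'; continue }
    # Format($true) renders the extension as text containing 'URL=<uri>' entries;
    # LDAP entries also show up here and are unreachable from internet clients.
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            Write-Host ("  OK   {0} (HTTP {1}, {2} bytes)" -f $url, $resp.StatusCode, $resp.RawContentLength)
        } catch {
            Write-Host ("  FAIL {0}: {1}" -f $url, $_.Exception.Message)
        }
    }
}

# --- 4. Cross-check with CryptoAPI's own retrieval path, the closest stand-in for
#        what ccmsetup's WinHTTP call does. Look for "Failed" or "Revocation check
#        skipped" lines in the output. The file name is an arbitrary choice.
$tmp = Join-Path $env:TEMP 'cmg-leaf.cer'
[IO.File]::WriteAllBytes($tmp, $leaf.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
certutil.exe -verify -urlfetch $tmp
```

Two things to keep in mind when reading the output. First, a CRL that opens fine in the user's browser can still be unreachable for ccmsetup, because the SYSTEM context uses the WinHTTP proxy configuration (netsh winhttp show proxy) rather than the user's browser proxy, and an internal PKI's CDP list often names intranet-only or LDAP locations ahead of the internet-published one. Second, if every URL downloads but the chain still reports RevocationStatusUnknown, check that the downloaded CRL is current (certutil -dump shows its Next Update) and clear any stale cached copy with certutil -urlcache crl delete before retrying, since CryptoAPI will keep using a cached, expired CRL until it is flushed.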

1 Answer

SimonRenMSFT-3639 answered

Hi,

Thanks for posting in Microsoft MECM Q&A forum.

A similar thread: Unable to install SCCM agent over internet using CMG and bulk enrollment token

As you are using a certificate issued from an internal CA on the CMG, this is an issue as non-domain-joined clients won't automatically trust the cert on the CMG. This is all standard, by-design PKI behavior and not specific to CMG or ConfigMgr. This is why we recommend using a cert from a public CA for the CMG, as this kind of cert is trusted by Windows by default.

Hope it helps. Thanks for your time.

Best regards,
Simon




Hi Simon,

We have pushed the root and intermediate CA certs to all Azure AD clients via Intune. The device where the logs were pulled from already trusts our internal PKI.


Hi @ChrisLardaro-3341,

How about unchecking the option "Clients check the certificate revocation list (CRL) for site systems" in the site properties?

Best regards,
Simon


Hi Simon, that is already unchecked.
