Troubleshooting Workgroup Clients with PKI not talking with MP

I had a ConfigMgr 2012 R2 case going on for a while with Workgroup clients in a DMZ zone that wouldn’t communicate with the Management Point.

A PKI infrastructure was in place and running, and the ConfigMgr client was installing fine on these workgroup clients – but when the time came for the client to start talking with the Management Point I had numerous errors in LocationServices.log and ClientIDManagerStartup.log and in a couple of other logs.

Errors in the LocationServices.log

>> Failed to send request to /ccm_system_AltAuth/request at host MPServerFQDN, error 0x2f8f

>> Error sending HEAD request. HTTP code 600, status

Errors in the ClientIDManagerStartup.log

>> RegTask: Failed to refresh site code. Error: 0x8000ffff

Pretty sure that I had all the right certificates in place! (Turned out I didn’t!)

Depending on the Certification Authority structure you have, there are rules for where the CA certificates must sit when the workgroup client validates its PKI certificate. With a single CA acting as Root CA, that certificate must be in the “Trusted Root Certification Authorities” store; but if you have a multi-level structure with a Root CA and underlying Issuer CA’s, then the Issuer CA certificate must also be present, and it belongs in the “Intermediate Certification Authorities” store.
(This all takes place in the Local Computer certificate location, of course.)

In most cases, when you export a certificate for use on a machine that cannot reach the CA, you are presented with the option to “Include all certificates in the certification path if possible”, and rightly so: the Root & Issuer CA certificates are then exported together with the PKI certificate.


But, but, but: what I saw was that both certificates, the Root CA and the Issuer CA, were located in the “Trusted Root Certification Authorities” store – so the fix to this whole problem was to get that Issuer CA certificate down into the “Intermediate Certification Authorities” store. After a minute or two, or a restart of the “SMS Agent Host” service, I saw the log files get past these errors, connect to the MP and start downloading policies etc. etc.

So to sum up – if you have a CA structure with more than one level and see these errors, make sure your CA certificates are placed in the right stores!


  • The Client PKI certificate goes into the Personal store.
  • The Root CA certificate goes into the Trusted Root Certification Authorities store.
  • The Issuer CA certificate goes into the Intermediate Certification Authorities store.
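To check a workgroup client for exactly this misplacement, here is an added PowerShell example (not from the original post or from ConfigMgr itself). It assumes an elevated prompt on the client; the -Fix switch and the $ClientThumbprint placeholder are my own additions, and the CA store names used are the Windows provider names (Root, CA, My).

```powershell
# Added example, not from the original post. Run elevated on the workgroup client.
# Reports issuing-CA certificates that sit in "Trusted Root Certification Authorities"
# (Cert:\LocalMachine\Root) instead of "Intermediate Certification Authorities"
# (Cert:\LocalMachine\CA), optionally moves them, then re-checks the client chain.
param(
    [switch]$Fix,                     # without -Fix: report only, change nothing
    [string]$ClientThumbprint = ''    # placeholder: thumbprint of the client PKI cert, optional
)

# A CA cert that is not self-signed (Subject differs from Issuer) is an issuing CA,
# so it does not belong in the Root store.
$misplaced = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer }

foreach ($cert in $misplaced) {
    Write-Output ("Issuer CA found in Root store: {0} (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint)
    if ($Fix) {
        $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
        $caStore   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA',   'LocalMachine')
        $rootStore.Open('ReadWrite'); $caStore.Open('ReadWrite')
        $caStore.Add($cert)        # add to Intermediate first, then remove from Root
        $rootStore.Remove($cert)
        $caStore.Close(); $rootStore.Close()
        Write-Output "  moved to Intermediate Certification Authorities"
    }
}

# Now verify that the client certificate in the Personal store chains cleanly to the Root CA.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($ClientThumbprint -eq '' -or $_.Thumbprint -eq $ClientThumbprint) } |
    Select-Object -First 1
if (-not $clientCert) { Write-Warning 'No client certificate with a private key found in Personal'; return }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Online = the CRL must be reachable from this client; an unreachable CRL shows up below as
# RevocationStatusUnknown / OfflineRevocation rather than as a store-placement problem.
$chain.ChainPolicy.RevocationMode = 'Online'
$built = $chain.Build($clientCert)
Write-Output ("Chain for {0} builds: {1}" -f $clientCert.Subject, $built)
foreach ($element in $chain.ChainElements) { Write-Output ("  -> " + $element.Certificate.Subject) }
foreach ($status in $chain.ChainStatus) {
    Write-Output ("  status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
}
```

Run it first without -Fix to see what would change; the chain output at the end lists each CA in the path, so a missing Issuer CA is visible as a chain that stops one level short.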

Because of this I’m a balder man today! Hope this helps someone.

/ConfigMgr is my High!

Posted August 21st, 2014 | Configuration Manager (SCCM)

About the Author:

Henrik Hoe
ConfigMgr specialist that started many years ago with SMS 2003 and has been with the product/concept ever since. (Fanatical, some would say - I can only agree.) Experienced with large customer environments and architecture. MCP, MCTS: ConfigMgr 2012, MCSA: Windows Server 2012, MCT

One Comment

  1. Dustin Hedges, July 21, 2017 at 21:52

    You get the same error messages if the CRL (Certificate Registration List) is inaccessible as well.
