Certificate Issues with Boot Media

Hi all,

I am having problems with deploying an image from Boot Media, the client can not communicate properly with the server to check its policies and advertised task sequence. The following appears in SMSTS.log in WinPE:

<![LOG[Using SSL]LOG]!><time="14:19:00.000+000" date="01-10-2008" component="TSMBootstrap" context="" type="1" thread="1284" file="tsmediawizardcontrol.cpp:671">
<![LOG[Using CRL]LOG]!><time="14:19:00.000+000" date="01-10-2008" component="TSMBootstrap" context="" type="1" thread="1284" file="tsmediawizardcontrol.cpp:678">
<![LOG[Need to create Authenticator Info using PFX ClientCert]LOG]!><time="14:19:00.000+000" date="01-10-2008" component="TSMBootstrap" context="" type="1" thread="1284" file="tsmediawizardcontrol.cpp:705">
<![LOG[Getting MP time information]LOG]!><time="14:19:00.203+000" date="01-10-2008" component="TSMBootstrap" context="" type="1" thread="1284" file="tsmediawizardcontrol.cpp:731">
<![LOG[Initializing CLibSMSMessageHeader with authenticator]LOG]!><time="14:19:00.234+000" date="01-10-2008" component="TSMBootstrap" context="" type="1" thread="1284" file="libsmsmessaging.cpp:946">
<![LOG[Requesting client identity]LOG]!><time="14:19:00.234+000" date="01-10-2008" component="TSMBootstrap" context="" type="1" thread="1284" file="libsmsmessaging.cpp:4574">
<![LOG[Messaging Auth Using V4 Mode]LOG]!><time="14:19:00.234+000" date="01-10-2008" component="TSMBootstrap" context="" type="0" thread="1284" file="libsmsmessaging.cpp:1200">
<![LOG[CLibSMSMessageWinHttpTransport::Send: URL: mgsyd2lhlsms01.lh:443 CCM_POST /ccm_system_AltAuth/request]LOG]!><time="14:19:00.250+000" date="01-10-2008" component="TSMBootstrap" context="" type="1" thread="1284" file="libsmsmessaging.cpp:6043">
<![LOG[In SSL, but with no client cert]LOG]!><time="14:19:00.265+000" date="01-10-2008" component="TSMBootstrap" context="" type="1" thread="1284" file="libsmsmessaging.cpp:6169">

It then fails to retrieve its policy; it looks like this is because it is not using a certificate. The following is how I set up the boot image:

Created a boot image with the correct network drivers in it, then created Task Sequence Media -> Bootable Media. In this wizard I have specified the certificate to use. This certificate was from a trusted root CA; I had deployed it to another machine, then exported it with its private key (it has the purpose "Client Authentication" assigned to it).

Any help would be great

Thanks,

Mark

January 3rd, 2008 4:52am

Hi Mark,

Did you also specify the Root CA Certificates on the properties page of your site?

a. Right click your site and select properties

b. Go to tab Site Mode

c. Go to selection "Operating system deployment settings"

d. Select: Specify Root CA Certificates..

see also: http://technet.microsoft.com/en-us/library/bb632596.aspx

Hope this solves your problem.

Regards,

Kenneth

January 3rd, 2008 6:25am

Hi Kenneth,

Thanks for the info, I've already set this up though. The root CA I specified is an MS Enterprise CA, which I used to issue the client authentication certificate.

Cheers,
Mark

January 3rd, 2008 9:18pm

Hello

Did you add a certificate to the boot media to allow temporary communication with the site? You can export a certificate and then add it to the media to allow for initial communication. Please review the following link:

http://technet.microsoft.com/en-us/library/bb632961.aspx

Dan Bernhardt, MSFT

January 3rd, 2008 11:11pm

Hi Dan,

Yes I did this already as well

Thanks,

Mark

January 3rd, 2008 11:17pm

I found this in another post:

Please let me know if you have also tried this:

After several days and nights of investigation, I resolved the problem by changing the 'If multiple certificates match criteria' setting in the Site Mode tab of the site properties to: 'Select any certificate that matches'

Thanks for your help anyway!

Thanks,

Dan Bernhardt, MSFT

January 3rd, 2008 11:24pm

Thanks Dan,

I found that post as well and thought it would fix the issue, but I tried it yesterday and it didn't make a difference.

Cheers,

Mark

January 3rd, 2008 11:28pm

Just a bit more info on this: it boots into PE and runs the Task Sequence Wizard; the failure code on the wizard GUI is 0x80072F8F, and each time the logs are as mentioned above.

I'm thinking that this may be a problem with the certificates being issued, although I did follow Microsoft's directions in the TechNet documentation.

I've also tried issuing another certificate and using it in the boot media, but have the same problem.

January 4th, 2008 12:12am

Concerning the error code:

This is what I found (How to obtain error code descriptions in System Center Configuration Manager 2007 reports: http://support.microsoft.com/kb/944375)

This article is also very helpful, by the way: Custom Error Codes for Configuration Manager 2007: http://technet.microsoft.com/en-us/library/bb632794.aspx

It says: Converted error codes that begin with 80072 are typically WinHTTP error codes, such as "host not found" errors. Convert the trailing four hexadecimal bytes to a decimal value. For example, "2EE7" is "12007" decimal. To view the WinHTTP error codes, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/aa383770.aspx

I hope this helps you to figure out your error code and pinpoint where the problem is located.

Regards,

Kenneth
January 4th, 2008 2:44pm
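The conversion rule Kenneth quotes can be automated. The helper below is an added example, not code from the thread or from Configuration Manager: it splits an HRESULT of the 0x8007xxxx form into its facility and low 16 bits, applies the "trailing four hex digits to decimal" rule, and maps the result against a small subset of the WinHTTP error table (the constant names and values are from winhttp.h, as documented at the MSDN page linked above, not from this thread). Applied to the 0x80072F8F that Mark reports, the low word is 0x2F8F, i.e. 12175.

```python
# Added example (not from the thread): decode a Configuration Manager 0x8007xxxx
# HRESULT into its Win32/WinHTTP code, following the KB rule quoted above
# ("convert the trailing four hexadecimal bytes to a decimal value").

# Subset of the WinHTTP error table from winhttp.h (12000 + n). Assumed complete
# enough for the certificate/connectivity cases discussed in this thread.
WINHTTP_CODES = {
    12002: "ERROR_WINHTTP_TIMEOUT",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED",       # the KB's "host not found" example
    12029: "ERROR_WINHTTP_CANNOT_CONNECT",
    12037: "ERROR_WINHTTP_SECURE_CERT_DATE_INVALID",  # cert expired / not yet valid
    12038: "ERROR_WINHTTP_SECURE_CERT_CN_INVALID",    # subject name vs. host name mismatch
    12044: "ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED",
    12045: "ERROR_WINHTTP_SECURE_INVALID_CA",
    12175: "ERROR_WINHTTP_SECURE_FAILURE",            # 0x2F8F, the code reported in this thread
}

FACILITY_WIN32 = 7  # HRESULT facility field value for the 0x8007xxxx family


def decode_hresult(code):
    """Accept '0x80072F8F', '80072F8F' or an int.

    Returns (is_win32_facility, low16_decimal, winhttp_name_or_None).
    """
    if isinstance(code, str):
        code = int(code, 16)
    code &= 0xFFFFFFFF
    facility = (code >> 16) & 0x7FF  # bits 16..26 of an HRESULT
    low16 = code & 0xFFFF             # the "trailing four hexadecimal bytes"
    if facility != FACILITY_WIN32:
        return (False, low16, None)
    name = WINHTTP_CODES.get(low16) if 12000 <= low16 <= 12999 else None
    return (True, low16, name)


def describe(code):
    """Human-readable one-liner for a wizard/SMSTS error code."""
    is_win32, low16, name = decode_hresult(code)
    if not is_win32:
        return f"{code}: not a Win32-facility HRESULT; look it up in the ConfigMgr custom error list"
    if name:
        return f"{code}: Win32/WinHTTP error {low16} ({name})"
    return f"{code}: Win32 error {low16} (not a WinHTTP code; see winerror.h)"


if __name__ == "__main__":
    for c in ("0x80072EE7", "0x80072F8F", "0x80004005"):
        print(describe(c))
```

Run it with the code from the wizard dialog; a 1217x/1203x/1204x result points at the TLS handshake (certificate, chain or CRL), whereas 12007/12029 points at name resolution or reachability of the MP, which narrows which items of the later checklist are worth chasing first.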

Mark,
Did you ever figure out the problem? I am having the exact same error (0x80072F8F) after following all the instructions and importing the root CA cert, etc.
January 12th, 2009 8:20pm

Hello,

We've had the same issue here, and it was because of the missing CRL.

We have a native mode setup that had the "Enable CRL checking on clients" native mode site option enabled, and we "accidentally" stopped the web server where the CRL was being published (the one in Active Directory is useless, as the boot image cannot access it) :).

So you can either disable CRL checking and rebuild the boot image, or fix the CRL HTTP location.
February 3rd, 2009 8:04pm

The "In SSL, but with no client cert" line is a harmless warning. It just means that you are not running the TS from an SCCM client, but instead you are running it from boot media, and hence there is no "SCCM client" cert. What you have is a TS media cert.

You should look further down in the logs to see what the actual error is. A few things that I can think of are:

1. The cert has FQDN in the subject name, but the server (MP) name is not FQDN

2. The server (MP) has FQDN address, but the cert subject name is not FQDN

3. The server is unreachable (use F8 to open up a command prompt and see if you can ping the server)

4. The cert has expired or is not active yet (time zone difference between the CA and the client in WinPE)

5. The CRL server is unreachable. Try turning off the CRL option for the site. The SMSTS.log file would say "Using CRL" if the site has enabled CRL.

Please post a few more of the logs. We might be able to get additional hints on the real issue.

Also, try turning on the logs for the IIS server of the MP. You should be able to see the reason why the IIS server is rejecting the client requests.

February 16th, 2009 10:32pm
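The checklist above is the kind of thing worth applying mechanically to a WinPE SMSTS.log before posting it. The script below is an added example, not code from the thread or from Configuration Manager: it parses the CMTrace-style records shown in the first post, extracts the MP host from the CCM_POST line (so you can compare its form, FQDN or short name, with the certificate subject, items 1 and 2), reports whether "Using CRL" is present (item 5, the CRL URL must be reachable from WinPE), lists any record logged at error severity, and treats the "no client cert" line as informational as explained above. The sample log is constructed; the hostname and timestamps in it are made up.

```python
import re
from datetime import datetime

# Added example (not from the thread): triage a WinPE SMSTS.log against the
# checklist in the reply above. Record layout written by the TS engine:
#   <![LOG[message]LOG]!><time="HH:MM:SS.mmm+off" date="MM-DD-YYYY" component="..."
#                         context="..." type="N" thread="N" file="...">
LOG_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]+)"\s+date="(?P<date>[^"]+)"\s+component="(?P<component>[^"]*)"'
    r'\s+context="[^"]*"\s+type="(?P<type>\d)"\s+thread="\d+"\s+file="(?P<file>[^"]+)">'
)

# Host and port of the management point as logged by the WinHTTP transport line.
MP_URL_RE = re.compile(r"URL:\s+(?P<host>[^:\s]+):(?P<port>\d+)\s+CCM_POST")

# Constructed sample, modelled on the log quoted in the first post (hostname
# mp01.example.test and the timestamps are invented for this example).
SAMPLE_LOG = """\
<![LOG[Using SSL]LOG]!><time="14:19:00.000+000" date="01-10-2008" component="TSMBootstrap" context="" type="1" thread="1284" file="tsmediawizardcontrol.cpp:671">
<![LOG[Using CRL]LOG]!><time="14:19:00.000+000" date="01-10-2008" component="TSMBootstrap" context="" type="1" thread="1284" file="tsmediawizardcontrol.cpp:678">
<![LOG[CLibSMSMessageWinHttpTransport::Send: URL: mp01.example.test:443 CCM_POST /ccm_system_AltAuth/request]LOG]!><time="14:19:00.250+000" date="01-10-2008" component="TSMBootstrap" context="" type="1" thread="1284" file="libsmsmessaging.cpp:6043">
<![LOG[In SSL, but with no client cert]LOG]!><time="14:19:00.265+000" date="01-10-2008" component="TSMBootstrap" context="" type="1" thread="1284" file="libsmsmessaging.cpp:6169">
"""


def parse_smsts(text):
    """Return one dict per CMTrace record; lines that are not records are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        # CMTrace times end in a UTC-offset suffix in minutes ("+000"); strip it before parsing.
        clock = re.split(r"[+-]", rec["time"], maxsplit=1)[0]
        rec["timestamp"] = datetime.strptime(rec["date"] + " " + clock, "%m-%d-%Y %H:%M:%S.%f")
        records.append(rec)
    return records


def triage(records):
    """Apply the checklist from the reply: SSL/CRL in use, MP host form, real errors."""
    msgs = [r["msg"] for r in records]
    result = {
        "ssl": "Using SSL" in msgs,
        "crl_checking": "Using CRL" in msgs,  # item 5: CRL distribution point must be reachable from WinPE
        "mp_host": None,
        "mp_host_is_fqdn": None,              # items 1/2: compare with the certificate subject form
        "errors": [r["msg"] for r in records if r["type"] == "3"],  # CMTrace severity 3 = error
        "no_client_cert_line": any("no client cert" in m for m in msgs),  # informational for media
    }
    for m in msgs:
        u = MP_URL_RE.search(m)
        if u:
            result["mp_host"] = u.group("host")
            result["mp_host_is_fqdn"] = "." in u.group("host")
            break
    return result


if __name__ == "__main__":
    report = triage(parse_smsts(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```

Point it at the real file (`X:\Windows\Temp\SMSTSLog\smsts.log` in WinPE, copied off via the F8 prompt) instead of `SAMPLE_LOG`; if `errors` is empty and the only suspicious line is the "no client cert" one, the failure is further down the log or on the IIS side, as the reply says.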

I know this is an old post, but we are having similar problems and do not have the subject name coming in with the certs.

When you say "2. The server (MP) has FQDN address, but the cert subject name is not FQDN", which certs need this? (DP, client, server) How exactly do I set that on the CA?


April 29th, 2015 2:57pm
