Client installing but not registering
Hi all,
Any new (or existing) machine that is imaged is not registering with SCCM. I can see the machine in the SCCM console but Client is
listed as No. The site code is listed and Assigned = yes.
Site is running in Native mode.
From the client machine I cannot see any software advertisements.
ClientIDManagerStartup.log has this:
RegTask: Failed to refresh MP. Error: 0x80004005
ClientIDManagerStartup 29/03/2012 12:09:03 PM
3624 (0x0E28)
CcmExec.log:
Error registering hosted class '{E67DBF56-96CA-4e11-83A5-5DEC8BD02EA8}'. Code 0x80040154
CCMEXEC
19/03/2012
9:10:52 AM 3728 (0x0E90)
LocationServices.log:
Failed to reset certificate request times. (0x80041002) LocationServices 31/10/2011 4:15:11 PM 3616 (0x0E20)
Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f0c LocationServices 9/06/2011 6:55:05 PM 1812 (0x0714)
Failed to update Signing Certificate over HTTP with error 0x80072f0c. LocationServices 9/06/2011 6:55:05 PM 1812 (0x0714)
Im not sure where to go from here any help would be greatly appreciated.
Regards,
Locust12
April 2nd, 2012 1:00am
0x2f0c = ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED.
Is this a general problem or are only some clients affected? Are the required certificates in place?Torsten Meringer | http://www.mssccmfaq.de
Free Windows Admin Tool Kit Click here and download it now
April 2nd, 2012 4:35am
This seems to be a problem for the majority of machines - it is affecting all new machines.
Client Auth certificates are given out via GP. SCCM certs were renewed about 3 months ago.
April 2nd, 2012 7:23pm
could you please let me know the below information?
1. Is it only happening on imaged machines or other machines too?
2. Which OS is it - XP/Windows7?
3. Did you check MPcontrol.log on the management point server? do you see any error?
4. do you see any error within execmgr.log (just to get an idea if something wrong with WMI)?
Regards,
AT\
Free Windows Admin Tool Kit Click here and download it now
April 3rd, 2012 2:48am
All machines are imaged.Windows 7These four lines are repeated in the MPcontrol.log
CryptVerifyCertificateSignatureEx returned error 0x80090006. SMS_MP_CONTROL_MANAGER 1/04/2012 12:09:21 PM 4032 (0x0FC0)
Certificate has "SSL Client Authentication" capability. SMS_MP_CONTROL_MANAGER 1/04/2012 12:09:21 PM 4032 (0x0FC0)
CryptVerifyCertificateSignatureEx returned error 0x80090006. SMS_MP_CONTROL_MANAGER 1/04/2012 12:09:21 PM 4032 (0x0FC0)
Certificate doesn't have "SSL Client Authentication" capabilities. SMS_MP_CONTROL_MANAGER 1/04/2012 12:09:21 PM 4032 (0x0FC0)
4. Execmgr.log
Failed to instantiate UI Server {C2F23AE4-82D8-456F-A4AF-A2655D8CA726} with error 80004005 execmgr 16/03/2012 11:50:19 AM 5012 (0x1394)
Failed to instantiate UI Server 2 {E8425D59-451B-4978-A2AB-641470EB7C02} with error 80004005 execmgr 16/03/2012 11:50:19 AM 5012 (0x1394)
Failed to instantiate Updates UI Server {2D023958-73D0-4542-8AD6-9A507364F70E} with error 80004005 execmgr 16/03/2012 11:50:19 AM 5012 (0x1394)
Failed to instantiate VApp UI Server {00AAB372-0D6D-4976-B5F5-9BC7605E30BB} with error 0x80004005 execmgr 16/03/2012 11:50:19 AM 5012 (0x1394)
Regards,
Locust12
April 3rd, 2012 3:14am
Locust
Can you verify that the client certificate is actually getting down to the workstation? Certificates MMC console, Local Machine, Personal Store. Are there multiple certificates in the machine store? You might be selecting the wrong one.
Try exporting the certificate which you believe is the problem one and import it into your user personal store. Then try to HTTPS to the MP. It should challenge you for the cert. What happens when you select that cert?
Do the IIS Logs give you any clue?
Free Windows Admin Tool Kit Click here and download it now
April 3rd, 2012 5:58am
Yes the client cert is making it to the workstation. Yes there are multiple certs (two) in the machine store.
When I put the suspect cert into the current user\personal store I get a 403 Forbidden when trying to access
https://FQDN.SMS_MP (I get this even before moving certs over).
IIS logs look ok alot of 200's.
I deleted both certs and rebooted on my machine (which was receiving advertisments) and on another which wasnt:
The Client Auth cert is re-applyed via GPO to the computer\personal store.
I can still view/run advertisments from my machine
Still cannot see any advertisments from the other machine.
Regards,
Locust12
April 4th, 2012 2:15am
Sorry for delayed response.
Certificate doesn't have "SSL Client Authentication" capabilities indicate that it's having some certificate issue. could you please go thru the link and let me know if still it does not help you.
http://technet.microsoft.com/en-us/library/bb680733.aspx
I will try to help you until it gets resolved :)
Regards,
AT\
April 11th, 2012 11:43pm
Microsoft has released a KB article on the same kind of issue so you can try this one-
http://support.microsoft.com/kb/2022502
Free Windows Admin Tool Kit Click here and download it now
April 11th, 2012 11:45pm
Hi Atul, thank you for your response.
I am familiar with that article, I used it along with
http://technet.microsoft.com/en-us/library/cc872789.aspx to provision the new certs.
If it helps I did notice in Control Panel > Configuration Manager (32-bit)
that all components were installed but none enabled also the site code was not set. If I click
Repair it does enable and disable some components and set the correct site code. After the repair the
Run Advertised Programs is still empty but the window now shows the name of my company.
I have also confirmed the Client Auth cert is installed on the MP.
Regards,
Locust12
April 12th, 2012 3:17am
I did not see KB977377 installed on either client or server.
Regards,
Locust12
Free Windows Admin Tool Kit Click here and download it now
April 12th, 2012 3:22am
ok great, it means now client is reporting fine and registering with MP. (correct me if I am wrong)
Now, could you also check whether you have added the respective IP subnet (based on your client machine's IP address) to the SCCM site boundaries.
Please let me know if any help required.
April 20th, 2012 4:44am
The site is listed as an Active Directory site - not by IP subnet.
Regards,
Locust12
Free Windows Admin Tool Kit Click here and download it now
April 22nd, 2012 9:27pm
Ewww, yuck. Using anything but IP Address Range boundaries will lead to issues in many environments.Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
April 23rd, 2012 12:06am
haha ok I have just changed the boundary to IP subnet.
Free Windows Admin Tool Kit Click here and download it now
April 23rd, 2012 12:37am
No, not IP Subnet. Those are part of the "Ewww, yuck". You should use IP Address Range boundaries -- there are major differences.Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
April 23rd, 2012 1:55am
Ahh sorry, I have now changed this to IP Address range.
Regards,
Locust12
Free Windows Admin Tool Kit Click here and download it now
April 23rd, 2012 2:02am
Hi Locust,
Any update on the resolution? Have you found your issue fix after configuring right IP address range within SCCM site boundaries. I think now it should be fixed :)
April 23rd, 2012 4:39am
I have just tested with a freshly deployed machine and the problem still exists. I notice the same behaviour as earlier -
"Control Panel > Configuration Manager (32-bit)that all components were installed but none enabled also the site code was not set. If I clickRepair
it does enable and disable some components and set the correct site code. After the repair theRun Advertised Programs
is still empty but the window now shows the name of my company."
The client is showing as "no" in the SCCM console.
Are there any specific logs etc that will help with this?
Regards,
Locust12
Free Windows Admin Tool Kit Click here and download it now
April 23rd, 2012 7:27pm
How was the image created?
Was it properly syspreped?
Does it have the ConfigMgr agent in it?
Was the agent properly prepared for imaging:
http://technet.microsoft.com/en-us/library/bb694095.aspx?
Is the client stuck in provisiong mode:
http://blogs.technet.com/b/configurationmgr/archive/2010/09/13/solution-after-a-configmgr-2007-osd-task-sequence-completes-the-client-may-not-automatically-pull-down-policy.aspx?Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
April 23rd, 2012 10:30pm
Hi Jason,
The image was created using Capture Media which I created from the SCCM console.
The machine was removed from the domain, and not activated. No other steps were taken in syspreping (I thought the Capture Media done the Generalise step).
I dont think the agent was installed prior to capturing this image. It is depolyed as part of the TS.
I will prepare another machine and go through the provisioning steps in the link you sent, then test again.
The client has all the symptoms listed in the last link except the reg keys are not in provisioning mode ie; Provisioning mode=false SystemTaskExcludes= (empty)
I will update again when I have tested with a new image. If there is anything else please let me know.
Regards,
Locust12
Free Windows Admin Tool Kit Click here and download it now
April 26th, 2012 1:03am
Sorry for the delay in getting to test this, other network issues came about which demanded my attention.
It seems that the client agent was not properly prepared for imaging. After following the steps in the link you provided and recreating the master image all worked fine.
I am now able to see all advertisments again.
Thanks again for your assistance.
Regards,
Locust12
May 3rd, 2012 3:07am