Communication error with MP in HTTPS

Hello,

We have an issue with the HTTPS configuration of the MP.
We followed some procedures and documentation, and everything looks fine regarding certificates and so on...

But the SCCM client agent cannot communicate with the MP. Here is part of LocationServices.log:

<![LOG[Retrieved lookup MP(s) from AD]LOG]!><time="08:16:48.900-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lsad.cpp:2377">
<![LOG[Attempting to retrieve site information from lookup MP(s) via HTTPS]LOG]!><time="08:16:48.931-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lssecurity.cpp:6006">
<![LOG[LSGetSiteVersionFromAD : Failed to retrieve version for the site 'FR1' (0x80004005)]LOG]!><time="08:16:48.946-120" date="06-26-2015" component="LocationServices" context="" type="2" thread="18868" file="lsad.cpp:5311">
<![LOG[Attempting to retrieve lookup MP(s) from AD]LOG]!><time="08:16:48.962-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lsad.cpp:2351">
<![LOG[Lookup Management Points from AD:]LOG]!><time="08:16:48.962-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lsutils.h:205">
<![LOG[Name: 'SERVERNAME1' HTTPS: 'N' ForestTrust: 'N']LOG]!><time="08:16:48.962-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lsutils.h:211">
<![LOG[Name: 'SERVERNAME2' HTTPS: 'N' ForestTrust: 'N']LOG]!><time="08:16:48.962-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lsutils.h:211">
<![LOG[Retrieved lookup MP(s) from AD]LOG]!><time="08:16:48.962-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lsad.cpp:2377">
<![LOG[Attempting to retrieve site information from lookup MP(s) via HTTP]LOG]!><time="08:16:48.978-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lssecurity.cpp:6025">
<![LOG[Failed to send site information Location Request Message to SERVERNAME1]LOG]!><time="08:16:49.165-120" date="06-26-2015" component="LocationServices" context="" type="2" thread="18868" file="lssecurity.cpp:5558">
<![LOG[Failed to send site information Location Request Message to SERVERNAME2]LOG]!><time="08:16:49.274-120" date="06-26-2015" component="LocationServices" context="" type="2" thread="18868" file="lssecurity.cpp:5558">
<![LOG[LSIsSiteCompatible : Failed to get Site Version from all directories]LOG]!><time="08:16:49.274-120" date="06-26-2015" component="LocationServices" context="" type="3" thread="18868" file="lsad.cpp:5470">
<![LOG[Won't send a client assignment fallback status point message because the last assignment error matches this one.]LOG]!><time="08:16:49.274-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="fspclientdeployassign.cpp:197">
<![LOG[Won't send client assignment fallback status point message because last assignment message was sent too recently.]LOG]!><time="08:24:14.298-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="fspclientdeployassign.cpp:180">
<![LOG[Processing pending site assignment.]LOG]!><time="08:24:14.298-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lsad.cpp:3509">
<![LOG[Assigning to site 'FR1']LOG]!><time="08:24:14.298-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lsad.cpp:3515">
<![LOG[LSIsSiteCompatible : Verifying Site Compatibility for <FR1>]LOG]!><time="08:24:14.298-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lsad.cpp:5419">

As you can see, the information in AD is "no HTTPS": Name: 'SERVERNAME1' HTTPS: 'N' ForestTrust: 'N'

Then later, in another log, the agent tried to access the MP through HTTP, which obviously doesn't work. CcmMessaging.log:

instance of CCM_CcmHttp_Status
{
    DateTime = "20150626063140.945000+000";
    HostName = "SERVERNAME1";
    HRESULT = "0x87d0027e";
    ProcessID = 37480;
    StatusCode = 403;
    ThreadID = 18868;
};
]LOG]!><time="08:31:40.945-120" date="06-26-2015" component="CcmMessaging" context="" type="1" thread="18868" file="event.cpp:715">
<![LOG[Successfully sent security settings refresh message.]LOG]!><time="08:31:41.007-120" date="06-26-2015" component="CcmMessaging" context="" type="1" thread="18868" file="ccmhttperror.cpp:369">
<![LOG[Successfully sent location services HTTP failure message.]LOG]!><time="08:31:41.054-120" date="06-26-2015" component="CcmMessaging" context="" type="1" thread="18868" file="ccmhttperror.cpp:396">
<![LOG[Post to http://SERVERNAME1.LAN/ccm_system/request failed with 0x87d00231.]LOG]!><time="08:31:41.054-120" date="06-26-2015" component="CcmMessaging" context="" type="2" thread="18868" file="messagequeueproc_outgoing.cpp:442">

So I guess there is an error in the AD attributes of the MP? I'm not able to find any information on this; where is this information saved in AD? We have the "System Management" container in AD, with all the MPs, which looks correct. So, where is the information about the communication method stored in AD?

Many thanks for your help
Regards

June 26th, 2015 2:48am
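As an added example (not part of the original post): a small Python parser for the CMTrace-format lines quoted above. It pulls the lookup-MP lines out of LocationServices.log, reads the AD-published HTTPS flag for each MP, and lists the entries logged as warnings or errors, so the "HTTPS: 'N'" mismatch surfaces automatically instead of by eye. The sample input is constructed from four lines of the excerpt above.

```python
import re
from dataclasses import dataclass

# Constructed sample: four lines taken from the LocationServices.log excerpt in the post.
SAMPLE_LOG = """\
<![LOG[Lookup Management Points from AD:]LOG]!><time="08:16:48.962-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lsutils.h:205">
<![LOG[Name: 'SERVERNAME1' HTTPS: 'N' ForestTrust: 'N']LOG]!><time="08:16:48.962-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lsutils.h:211">
<![LOG[Name: 'SERVERNAME2' HTTPS: 'N' ForestTrust: 'N']LOG]!><time="08:16:48.962-120" date="06-26-2015" component="LocationServices" context="" type="1" thread="18868" file="lsutils.h:211">
<![LOG[LSIsSiteCompatible : Failed to get Site Version from all directories]LOG]!><time="08:16:49.274-120" date="06-26-2015" component="LocationServices" context="" type="3" thread="18868" file="lsad.cpp:5470">
"""

# One CMTrace entry: <![LOG[message]LOG]!><attr="..." ...>. re.S lets a message span lines
# (the CCM_CcmHttp_Status instance in CcmMessaging.log is one such multi-line entry).
ENTRY_RE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
MP_RE = re.compile(r"Name: '(?P<name>[^']+)' HTTPS: '(?P<https>[YN])' ForestTrust: '(?P<trust>[YN])'")

@dataclass
class Entry:
    message: str
    severity: int  # CMTrace "type": 1 = info, 2 = warning, 3 = error
    time: str
    date: str

def parse_cmtrace(text):
    """Split CMTrace-format text into Entry objects."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group('attrs')))
        entries.append(Entry(m.group('msg'), int(attrs.get('type', '1')),
                             attrs.get('time', ''), attrs.get('date', '')))
    return entries

def lookup_mps(entries):
    """Map each lookup MP name from the 'Lookup Management Points from AD' block to its HTTPS flag."""
    result = {}
    for e in entries:
        m = MP_RE.search(e.message)
        if m:
            result[m.group('name')] = m.group('https') == 'Y'
    return result

def mps_contradicting(entries, expect_https=True):
    """Names of lookup MPs whose AD-published HTTPS flag differs from what the site is configured for."""
    return sorted(n for n, https in lookup_mps(entries).items() if https != expect_https)

def problems(entries):
    """Messages logged as warning (2) or error (3)."""
    return [e.message for e in entries if e.severity >= 2]
```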

The only place in AD that ConfigMgr stores info is the System Management container. The objects within it have all the necessary lookup information in them (as attributes). Check the MP objects and check their modified time to make sure that they've been updated lately. You can delete the objects and ConfigMgr will recreate them (assuming that the site server has the appropriate permissions).

Are you sure that your MPs are configured as HTTPS MPs in the ConfigMgr console and have a valid certificate configured in the IIS bindings for the web site?

Are the MPs listed as healthy in the console under monitoring site status?

June 26th, 2015 8:28am

Thank you for your answer.

The last modified time of the AD objects is 1 hour ago, so yes, it writes correctly to AD.

Then I tried to change the option to HTTP in the MP role properties, then back to HTTPS, and the modified time was set to the current time; everything looks OK there.

Yes, I'm sure about the config and the certificates. Anyway, as you can see in the log, the SCCM client tries to contact the server at http://SERVERNAME1.LAN/ccm_system/request, and obviously gets an error (the ccm_system virtual directory requires SSL).

Yes, the MPs are healthy in monitoring.

I've just tried to remove the MP role and add it again with the HTTPS option (so the AD object was deleted then recreated correctly).

But nothing changed for the agents; they cannot contact the MP.

But what about this log line: Name: 'SERVERNAME1' HTTPS: 'N' ForestTrust: 'N'
Am I misunderstanding? It should be Y for HTTPS, I guess? It looks like this is the cause of our issue, but maybe not...

June 26th, 2015 10:45am

The line you are calling out is based on info retrieved from AD and indicates that the objects in AD are incorrect (assuming the MP is healthy and correctly configured for HTTPS).

Have you verified that the info in the AD container is properly replicated to all of your DCs in the domain and forest (forest because the client uses a global catalog lookup to get this info)?

June 26th, 2015 11:11am

Thanks for this good idea.

But yes, the info in the AD container is correctly replicated to all our DCs.
But since the SCCM server is in a sub-domain, I'm not sure about the forest info.

We have the xxx.yyy.lan domain. The SCCM server is in xxx. The "System Management" container is correctly replicated at the "xxx" level. But there is nothing at all about SCCM in the yyy domain. (There is no server nor workstation in the yyy domain, old migration story...)

Which looks correct to me. Or... ?

June 29th, 2015 2:09am

It looks like a communication issue, as in the logs it's evident that clients can't even retrieve the version of the site FR1. They can't send requests to SERVERNAME1 and SERVERNAME.

I would suggest you establish that the ports are configured properly through firewalls/proxies at all the required places in the SCCMSITE-DC-CLIENT-SCCMSITE communication. Also consider whether anything has changed recently which could affect the communication.

https://technet.microsoft.com/en-us/library/hh427328.aspx

-RG

July 7th, 2015 4:54pm


Thanks for your suggestions.

The logs you can read here are from a server machine, which is in exactly the same subnet/VLAN as the SCCM server. There is no Windows Firewall activated on the SCCM server.

So it cannot be a communication issue :(

This case is currently being troubleshot by Microsoft (for more than a month now).
Wait and see...

July 10th, 2015 2:15am
