ConfigMgr Advanced Client received policy that could not be verified - HELP!
Site Mode: Native Mode
Server: Windows 2003 Server

I am seeing this on a few clients:

The ConfigMgr Advanced Client received policy that could not be verified. For more information see PolicyAgent.log on the client machine

This seems to be happening mostly on Server OS and not PCs.

PolicyAgent.log

The 'Certificate Store' is empty in the registry, using default store name 'MY'. PolicyAgent_ReplyAssignments 12/29/2008 5:38:50 AM 5960 (0x1748)
Raising event: instance of CCM_ServiceHost_CertRetrieval_Status { ClientID = "GUID:D0C3630B-F4EE-409A-8BE6-004962D52895"; DateTime = "20081229133850.033000+000"; HRESULT = "0x00000000"; ProcessID = 2284; ThreadID = 5960; }; PolicyAgent_ReplyAssignments 12/29/2008 5:38:50 AM 5960 (0x1748)
Signature verification failed for PolicyAssignmentID {1acfb3c1-59c1-410a-9c03-8585744372d2}. PolicyAgent_ReplyAssignments 12/29/2008 5:38:50 AM 5960 (0x1748)
Signature verification failed for PolicyAssignmentID {d5272d71-b04d-4f5e-b9c6-e92a8f5183c8}. PolicyAgent_ReplyAssignments 12/29/2008 5:38:50 AM 5960 (0x1748)
Signature verification failed for PolicyAssignmentID {027a8351-43d1-4e05-992d-0f95956f80d4}. PolicyAgent_ReplyAssignments 12/29/2008 5:38:50 AM 5960 (0x1748)
Raising event: instance of CCM_PolicyAgent_PolicyAuthorizationFailure { ClientID = "GUID:D0C3630B-F4EE-409A-8BE6-004962D52895"; DateTime = "20081229133850.064000+000"; PolicyNamespace = "\\\\SERVER76\\ROOT\\ccm\\Policy\\Machine\\RequestedConfig"; PolicySource = "SMS:XXX"; ProcessID = 2284; ThreadID = 5960; }; PolicyAgent_ReplyAssignments 12/29/2008 5:38:50 AM 5960 (0x1748)

Steps I have taken so far:
1. I've removed the computer certificate on the client(s) and ran gpupdate to generate a new cert on the client
2. I've removed the Site Signing Certificate on my MP and issued a new one
3. I've reissued the Web Certificate

These steps have not helped resolve this. Anyone know where else I can look, or a way to resolve this issue?
December 29th, 2008 7:32pm

This is due to the site signing cert. You don't need to change the MP cert. Also there are times when the client will work but still send back cert requests. When this happens you can repair the client with this command:

CCMSetup.exe RESETKEYINFORMATION=TRUE

http://technet.microsoft.com/en-us/library/bb680980.aspx

We had this problem after a crashed primary site. We reissued a cert with a new key and it took 2 policy refresh cycles for the clients to start catching on.

http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
December 29th, 2008 9:46pm

Hey Matt - Thank you for the reply. Were there any other steps you took for this? I've removed the site signing certificate, and ran a few policy refreshes and the client still is not happy. My site was working perfect and then one day... (only to servers) I noticed software distribution wasn't working... and that's what got me here. On the clients I'm seeing many many with this error:

The ConfigMgr Advanced Client received policy that could not be verified. For more information see PolicyAgent.log on the client machine.
December 30th, 2008 11:59pm

Another step would be to remove the client and reinstall with the resetkeyinformation. I killed the old cert and renewed with a new key. Since it was a 2008 server with a 2003 PKI server I just put the basic information in the cert.txt file and sent it up. The new cert was installed and set in the Site mode. It took a little while but about half took the cert right away. I have changed the client install to

CCMSetup.exe RESETKEYINFORMATION=TRUE SMSSiteCODE=XXX

Then I would right click on the client and do a repair. Wait. The odd part was the client was still performing advertisements like it was happy. I believe it was happy with the new cert but something wasn't reset internally. I will see if I can connect to my server and pull some logs to see what else I can give you.

http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com
December 31st, 2008 3:04am

Bit of a long shot, but worth asking: for these client computers that were working and suddenly stopped, did this happen after they renewed their client native mode certificate? If so, check whether they are still successfully assigned (LocationServices.log and ClientIDManager.log). We saw a similar issue with this post http://social.technet.microsoft.com/Forums/en-US/configmgribcm/thread/208fb47a-54bc-4f85-858e-d37b0616ab61 where a client renewed its certificate, site assignment was automatically retriggered and failed because of newly introduced overlapping boundaries. It resulted in errors about rejecting policy requests, which sounded like a certificate problem but was actually a site assignment problem.

- Carol
This posting is provided AS IS with no warranties and confers no rights.
January 3rd, 2009 10:26pm

For what it's worth, I had this issue with getting the client on a newly installed mixed mode primary site server. The RESETKEYINFORMATION=TRUE installation parameter resolved this for me.

Regards, Tom Watson, E-Mail: Tom_...@... Blog: http://myitforum.com/cs2/blogs/tom_watson
September 28th, 2009 1:31pm

Hi, since one week (installation of SCCM SP2) I have the same issue in my test environment too. As soon as I assign a software deployment (assignment) the Client cannot verify the policies anymore. After removing the client from the collection the verification seems to work. I changed all the certificates, set up the SCCM server and the clients several times but this behavior still exists. Thanks for help..

Environment: AD 2008 R2, SCCM Server 2008 R2, SCCM SP2 R2, Clients XP, Vista, W7

Richard
November 30th, 2009 2:44pm

Did you ever find a solution to this, Richard? I can also reproduce this issue now on a complete reinstall using the same platforms you describe. This is a Native Mode configuration, clean install on 2008 R2 following the technet instructions accurately. Everything else working (PXE-based OSD, software updates etc). The site signing certificate sure looks correct - it is trusted by the same enterprise root CA as the client certificates. I made sure the subject name is verbatim, the template has "Document Signing" selected, and the CRLs are accessible everywhere. AD is extended.
May 25th, 2010 1:00am

On all machines (Workgroup as well as domain members), I get the lines like the following in PolicyAgent.log:

The 'Certificate Store' is empty in the registry, using default store name 'MY'.
Signature verification failed for PolicyAssignmentID {ef22153c-8ec5-4058-b376-2f621888e689}.

For the workgroup machines, I exported the sitesigning.cer and provided it at install time using "SMSSIGNCERT=c:\sitesigning.cer".
May 25th, 2010 1:35am
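Added example, not part of any post in this thread and not Microsoft's tooling: a small triage script for the PolicyAgent.log excerpts quoted in the first post and in the post above, tallying which PolicyAssignmentIDs fail signature verification, when, and which PolicySource the authorization-failure event names. It assumes the viewer layout pasted in the thread (message, component, date and time, thread) with each entry on one line; the GUIDs in the sample are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample in the layout pasted in the thread:
# <message> <component> <date time> <thread> (<hex thread>)
SAMPLE = """\
The 'Certificate Store' is empty in the registry, using default store name 'MY'. PolicyAgent_ReplyAssignments 12/29/2008 5:38:50 AM 5960 (0x1748)
Signature verification failed for PolicyAssignmentID {11111111-1111-1111-1111-111111111111}. PolicyAgent_ReplyAssignments 12/29/2008 5:38:50 AM 5960 (0x1748)
Signature verification failed for PolicyAssignmentID {22222222-2222-2222-2222-222222222222}. PolicyAgent_ReplyAssignments 12/29/2008 5:38:51 AM 5960 (0x1748)
Signature verification failed for PolicyAssignmentID {11111111-1111-1111-1111-111111111111}. PolicyAgent_ReplyAssignments 12/29/2008 6:38:50 AM 5960 (0x1748)
Raising event: instance of CCM_PolicyAgent_PolicyAuthorizationFailure { PolicySource = "SMS:XXX"; }; PolicyAgent_ReplyAssignments 12/29/2008 6:38:50 AM 5960 (0x1748)
"""

# Trailer of every entry: component, timestamp, decimal thread id, hex thread id.
LINE = re.compile(r"^(?P<msg>.*?)\s+(?P<comp>\S+)\s+"
                  r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
                  r"(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)\s*$")
FAIL = re.compile(r"Signature verification failed for PolicyAssignmentID "
                  r"(\{[0-9A-Fa-f-]{36}\})")
SRC = re.compile(r'CCM_PolicyAgent_PolicyAuthorizationFailure.*?PolicySource = "([^"]*)"')

def triage(text):
    """Summarise policy signature failures found in a PolicyAgent.log excerpt."""
    failures, sources, default_store = {}, set(), False
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed layout; skip rather than guess
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        msg = m["msg"]
        hit = FAIL.search(msg)
        if hit:
            rec = failures.setdefault(hit.group(1).lower(),
                                      {"first": ts, "last": ts, "count": 0})
            rec["first"] = min(rec["first"], ts)
            rec["last"] = max(rec["last"], ts)
            rec["count"] += 1
        src = SRC.search(msg)
        if src:
            sources.add(src.group(1))
        if "using default store name" in msg:
            default_store = True
    return {"failures": failures, "policy_sources": sources,
            "default_store_note": default_store}

if __name__ == "__main__":
    report = triage(SAMPLE)
    for pid, rec in report["failures"].items():
        print(pid, rec["count"], rec["first"], rec["last"])
    print("PolicySource:", sorted(report["policy_sources"]))
```

Run against excerpts from several clients, the per-ID counts show whether the same assignments fail everywhere or only on some machines.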

Tried issuing a new signing cert. No luck. New client certs - no luck. I'm going to try one more thing and then give up... I diverged slightly from the provided instructions, insofar as to using SQL Server 2008 R2. Not really sure how that could cause signing issues like this, but I'm otherwise at a loss. Will reply (to myself?) once I have results. Sure hope "vnext" receives a substantial degree of improvement.
May 26th, 2010 2:40am

Again, just replying to myself again in case someone stumbles upon this thread with a similar issue... It was SQL Server 2008 R2. Reinstalled on the same server with SQL Server 2008 SP2, and everything works peachy. I'm really quite surprised - the site otherwise appeared to be working perfectly with nary a complaint.
May 28th, 2010 7:17am

This topic is archived. No further replies will be accepted.
