Management Point Post-Installation issues
Hi all,

I've been going through rebuilding several SCCM site systems on Windows Server 2008 (going from 2003) and for the most part I've been working through the restores and post-restore issues quite well. Now I've hit a snag that I had not encountered previously with the Management point component. The component is installed happily (mpsetup.log indicates install was successful with return code 0). As far as I can tell the MP is working properly, but I have some functionality not working which I can only put down to the Management point having an issue.

1) I cannot PXE Build machines through OSD. Errors in smsts.log show up right after it loads into WinPE and it almost fails immediately:

Error. Received 0x80072efd from WinHttpSendRequest. TSPxe

There are no events on the Site system IIS log that correspond to the above, it is like it

2) MP Troubleshooter returning 3 tests as failed:

- If Active Directory is extended, confirm that the management point certificate is released in Active Directory
Detail result information:
Exception Message:Verify whether the firewall is blocking the query. Can not found the property:[serviceBindingInformation] in the machine.
Exception Message:Object reference not set to an instance of an object.

- Test MPCERT HTTP or HTTPS request functionality.
Detail result information:
Exception Message:Fail to retrieve the content in [HTTPS://<SMS SITE SERVER NAME>:443/SMS_MP/.SMS_AUT?MPCERT] with certificate:[C:\TEMP\CERTIFICATES\CLIENT-CERT.CER].
Exception Message:The underlying connection was closed: An unexpected error occurred on a send.
a) Create and Configurate Certificate for native mode:
For Windows Server 2003: http://technet.microsoft.com/en-us/library/bb694035.aspx
For Windows Server 2008: http://technet.microsoft.com/en-us/library/cc872789.aspx
b) Export the client certificate from MMC tools' Certificates to file in X.509 format without username and password. The exported file is the client certificate needed in this program.

- Test MPLIST HTTP or HTTPS request functionality.
Same detailed result information as the above... obviously the same underlying issue.

I've tried the following so far:

- Removing the MP, run ccmclean /all, reboot site system and then reinstall MP
- Recreate the SCCM Site Signing certificate and Web server certificate and reinsert them
- Leave/rejoin the Site Server from the domain
- Checking/testing various different IIS permissions

One thing I've noticed which may hold some key information is if I log onto another machine and try to access the MP http(s) addresses:

https://<server name>/sms_mp/.sms_aut?mpcert gives me "Page Cannot be displayed" -- which I consider normal
http://<server name>/sms_mp/.sms_aut?mpcert gives me 403 Forbidden errors

When accessing the above URLs I can see the 403 entries generated in the Site server's IIS log:

2010-07-23 03:21:03 192.168.153.67 GET /sms_mp/.sms_aut mpcert 80 - 192.168.X.X Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729) 403 4 5 156

However I do not see any entries whatsoever for the https request. The firewalls are allowing port 443 and I know it is accessible, but IIS doesn't appear to want to listen.

So clearly there is something not right with the certificates and MP and I'll need to do some kind of removal/reinstall but I am unsure of what exactly needs to be done. I feel like I've already removed/reinstalled everything 5 times over with no success. Before logging a Support call with MS about it I figure I'd see what kind of ideas and suggestions you guys might have - anything?

Regards,
Tim
July 23rd, 2010 6:39am

Okay, a little bit of progress...

In IIS, if I go into "Edit bindings" and try to add a HTTPS binding under any user account other than local administrator, it whinges and gives me an error when I select the certificate and click OK:

"There was an error while performing this operation. Details: A specified logon session does not exist. It may have already terminated."

If I log off and then log on as local administrator I can assign the binding without any errors, and consequently 2 of my MP Troubleshooter tests now pass:

- Test MPCERT HTTP or HTTPS request functionality.
- Test MPLIST HTTP or HTTPS request functionality.

and now I can see the IIS logs showing connections on 443, huzzah!

However the first test is still erroring:

- If Active Directory is extended, confirm that the management point certificate is released in Active Directory
Detail result information:
Exception Message:Verify whether the firewall is blocking the query. Can not found the property:[serviceBindingInformation] in the machine.
Exception Message:Object reference not set to an instance of an object.

Does anyone know the cause for this?
July 23rd, 2010 6:48am

So I've been beating at this for days now with no success. OSD would appear to be my only non-working component. My SMSts.log complains about not getting a reply from the server. I can see the request (200) reach the SCCM server; the IIS log shows the following:

2010-07-25 06:03:35 192.168.2.10 CCM_POST /ccm_system_AltAuth/request - 443 - 192.168.2.39 OSD+Client 200 0 0 15

but that's it for the client IP (192.168.2.39)... nothing else! More traffic is expected. If I compare the IIS logs from another site server, you can see the following entries in the IIS logs:

2010-07-21 02:49:06 192.168.1.10 CCM_POST /ccm_system_AltAuth/request - 443 - 192.168.1.25 OSD+Client 200 0 0 31
2010-07-21 02:49:07 192.168.1.10 CCM_POST /ccm_system_AltAuth/request - 443 - 192.168.1.25 OSD+Client 200 0 0 15
2010-07-21 02:49:07 192.168.1.10 CCM_POST /ccm_system_AltAuth/request - 443 - 192.168.1.25 OSD+Client 200 0 0 46
2010-07-21 02:49:07 192.168.1.10 CCM_POST /ccm_system_AltAuth/request - 443 - 192.168.1.25 OSD+Client 200 0 0 15
2010-07-21 02:49:07 192.168.1.10 GET /SMS_MP/.sms_pol PD120096-PD100006-DBBBC9D6.9_00 443 - 192.168.1.25 OSD+Client 200 0 0 203
2010-07-21 02:49:08 192.168.1.10 GET /SMS_MP/.sms_pol PD12009C-PD100022-DBBBC9D6.6_00 443 - 192.168.1.25 OSD+Client 200 0 0 640

and so on...

Here is the end of my SMSTS.log which is showing how it's failing. The failed message is "Failed to get client identity (80004005)"

<Msg SchemaVersion="1.1" ReplyCompression="zlib"><ID/><SourceID>f3e99915-41bd-473a-8e19-f44cc51f8143</SourceID><SourceHost/><TargetAddress>mp:[http]MP_ClientIDManager</TargetAddress><ReplyTo>direct:OSD</ReplyTo><Priority>3</Priority><Timeout>3600</Timeout><SentTime>2010-07-26T00:03:18Z</SentTime><Protocol>http</Protocol><Body Type="ByteRange" Offset="0" Length="306"/><Hooks><Hook2 Name="clientauth"><Property Name="Token"><![CDATA[CCMClientID: f3e99915-41bd-473a-8e19-f44cc51f8143 CCMClientIDSignature: 56D457CC7EF6BF82DD08E5692649A8F4D30BF3817A38C192616EB37A50703B86F03675EA9ADFEBEC1D7A7C8196C57D85DBC1B84C2BA89A4BBF86E8551384335B5D562D61F1A81C2961914A392456195628D573C0B4084AE3BA1D2C98BB87481851835F098D21F4EE804FF447DBF9585E4D55E71B30E54D6662B827C7BF2F6F64 CCMClientTimestamp: 2010-07-26T00:03:18Z CCMClientTimestampSignature: 65C3CFE5E9695DBC1DC580848D9B24D6245F8C4532D774A9CED082D5A979DFCCEE14048347FC85B6162D9B856E07CA04B3D82AE1C3E9D6AFFE080F3A447337DABA3B89032F4615AC4A835535DFAC64BB3434639F2F42727177C652680962AFE390B8FDCAB6B4E8FAD9348638B89DF9F898EC9A1192472A34367B3A4A57E7B31E ]]></Property></Hook2></Hooks><Payload Type="inline"/><TargetHost/><TargetEndpoint>MP_ClientIDManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><CorrelationID/></Msg> TSPxe 25/07/2010 4:03:18 PM 1292 (0x050C)
CLibSMSMessageWinHttpTransport::Send: URL: SCCMSRV01.DOMAIN.LOCAL:443 CCM_POST /ccm_system_AltAuth/request TSPxe 25/07/2010 4:03:18 PM 1292 (0x050C)
In SSL, but with no client cert TSPxe 25/07/2010 4:03:18 PM 1292 (0x050C)
The request has succeeded. 200 OK TSPxe 25/07/2010 4:03:35 PM 1292 (0x050C)
reply from server is 'NoReply' TSPxe 25/07/2010 4:03:35 PM 1292 (0x050C)
DoRequest (sReply, true), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\osdmessaging\libsmsmessaging.cpp,5010) TSPxe 25/07/2010 4:03:35 PM 1292 (0x050C)
Failed to get client identity (80004005) TSPxe 25/07/2010 4:03:35 PM 1292 (0x050C)
ClientIdentity.RequestClientIdentity (), HRESULT=80004005 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,814) TSPxe 25/07/2010 4:03:35 PM 1292 (0x050C)
failed to request for client TSPxe 25/07/2010 4:03:35 PM 1292 (0x050C)
Exiting TSMediaWizardControl::GetPolicy. TSPxe 25/07/2010 4:03:35 PM 1292 (0x050C)
GetPolicy(), HRESULT=80004005 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,2058) TSPxe 25/07/2010 4:03:35 PM 1292 (0x050C)
RunWizardForPXE(), HRESULT=80004005 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,2383) TSPxe 25/07/2010 4:03:35 PM 1292 (0x050C)
oTSMediaWizardControl.Run( sMediaRoot, true, true ), HRESULT=80004005 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmbootstrap.cpp,936) TSPxe 25/07/2010 4:03:35 PM 1292 (0x050C)
Execute( eExecutionEnv, sConfigPath, sTSXMLFile, uBootCount, &uExitCode ), HRESULT=80004005 (e:\nts_sms_fre\sms\client\tasksequence\tsmbootstrap\tsmbootstrap.cpp,1105) TSPxe 25/07/2010 4:03:35 PM 1292 (0x050C)
Exiting with return code 0x80004005 TSPxe 25/07/2010 4:03:35 PM 1292 (0x050C)
Execution complete. TSBootShell 25/07/2010 4:03:35 PM 852 (0x0354)
Finalizing logging from process 828 TSBootShell 25/07/2010 4:03:35 PM 852 (0x0354)
Finalizing logs to root of first available drive TSBootShell 25/07/2010 4:03:35 PM 852 (0x0354)
Successfully finalized logs to X:\SMSTSLog TSBootShell 25/07/2010 4:03:35 PM 852 (0x0354)
Cleaning up task sequencing logging configuration. TSBootShell 25/07/2010 4:03:35 PM 852 (0x0354)

The first test in the MP Troubleshooter is still failing too - "If Active Directory is extended, confirm that the management point certificate is released to Active Directory" .. I have a feeling the two problems are related but I don't know what the MP Troubleshooter is telling me to check. Can anyone elaborate on what it's telling me?

Regards,
Tim
July 25th, 2010 11:40am
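
The IIS log comparison made by hand in the post above can be automated. The following is an added example, not part of the original thread: it flags OSD clients whose identity requests were answered with 200 but that never went on to download policy. The field order is an assumption taken from the log lines quoted in the post, and the function names are hypothetical.

```python
from collections import defaultdict

# Field order assumed from the log lines quoted in the post; a real IIS log
# declares it in a "#Fields:" header, which parse() honours when present.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status time-taken").split()
AUTH_STEM = "/ccm_system_altauth/request"  # identity request seen in the post
POLICY_STEM = "/sms_mp/.sms_pol"           # policy download seen on the healthy MP

def parse(lines):
    """Yield one dict per W3C log entry, skipping comments and malformed rows."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def stalled_osd_clients(lines):
    """Return {client_ip: count} for OSD clients whose identity requests got
    HTTP 200 but that never went on to download policy."""
    auth, got_policy = defaultdict(int), set()
    for e in parse(lines):
        if e.get("cs(User-Agent)") != "OSD+Client":
            continue
        stem, ok = e.get("cs-uri-stem", "").lower(), e.get("sc-status") == "200"
        if ok and stem == AUTH_STEM and e.get("cs-method") == "CCM_POST":
            auth[e.get("c-ip")] += 1
        elif ok and stem == POLICY_STEM:
            got_policy.add(e.get("c-ip"))
    return {ip: n for ip, n in auth.items() if ip not in got_policy}

# Entries copied from the post (failing client 192.168.2.39, healthy client
# 192.168.1.25), merged into one list for the demonstration.
SAMPLE = """\
2010-07-25 06:03:35 192.168.2.10 CCM_POST /ccm_system_AltAuth/request - 443 - 192.168.2.39 OSD+Client 200 0 0 15
2010-07-21 02:49:06 192.168.1.10 CCM_POST /ccm_system_AltAuth/request - 443 - 192.168.1.25 OSD+Client 200 0 0 31
2010-07-21 02:49:07 192.168.1.10 CCM_POST /ccm_system_AltAuth/request - 443 - 192.168.1.25 OSD+Client 200 0 0 15
2010-07-21 02:49:07 192.168.1.10 GET /SMS_MP/.sms_pol PD120096-PD100006-DBBBC9D6.9_00 443 - 192.168.1.25 OSD+Client 200 0 0 203
""".splitlines()

if __name__ == "__main__":
    for ip, n in stalled_osd_clients(SAMPLE).items():
        print(f"{ip}: {n} identity request(s) answered 200, no policy download")
```
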

Hi man, I faced the same thing. The optimal solution for such a situation is disabling Windows Firewall, and the test will run smoothly.
June 1st, 2011 5:17am

This topic is archived. No further replies will be accepted.
