SCCM 2012 Internet based client management

I used the link below to get started. I'm testing now on my test client. The test client is showing Client Certificate: Self-signed. The connection type, however, is correct: Currently Internet. Also, under Internet-based management point, the server name is correct. However, when looking at the client's ccmexec.log, it appears to be trying HTTP instead of HTTPS.

http://www.systemcenterdudes.com/internet-based-client-management/

Thoughts?

April 30th, 2015 2:02pm

If it shows a self-signed certificate the client won't be able to connect. The Internet-based management could be because you've provided it during the installation of the client, or if the client was on the intranet before, received via a client policy.

If you just installed that client while not on the intranet, start with the ClientIDManagerStartup.log. If the client was working before on the intranet, start with the CcmMessaging.log.

April 30th, 2015 2:12pm

Clients must each have a unique client auth cert from a trusted PKI. Have you issued one of these to this test client?
April 30th, 2015 3:31pm

The ccmmessaging.log is giving errors trying to connect to the "http"
April 30th, 2015 5:01pm

I went by the above web link. It was by far the easiest article to comprehend. I have SCCM 2012 R2 cu4.

Not sure how the clients get the cert. The template was created as per the web link and the group policy was also created. I left the test client on our network until it picked up the group policy.

So what step is missing from the web link above that I still need to create?

 
April 30th, 2015 5:07pm

No offense but clients getting the cert isn't an SCCM question, it's a PKI one.

That said the doc in the link is pretty complete, but make sure you follow all of the steps and not just the ones with pictures.  Key example: section 1.3.  It _tells_ you to make sure your issuing CA is publishing said templates but there's no accompanying screenshots.

Easiest first step is to RSOP and make sure your workstations are actually getting your enrollment GPOs applied and there's no overriding GPOs or blocked inheritance at play.
May 1st, 2015 1:34am

That's an artifact in the log and is not indicative of the clients not trying to use https.
May 1st, 2015 8:52am

The GPO is applying just fine to the clients. I'm just not getting certs issued to the clients.

We are using a Microsoft CA server to generate the certs. The IIS, DP certs appear to be working just fine.

Where can I look to see what's not happening correctly?

May 4th, 2015 3:55pm

Just because the GPO is applying doesn't mean you've got your PKI infrastructure set up or configured correctly. No cert, no communication.

Have you reviewed the event logs on the client?

As a side-note, using a generic walk-through to deploy a PKI is a dangerous proposition.

May 5th, 2015 6:03pm

The ClientIDmanagerstartup.log on a test machine has the following entry:

PKI Client Certificate matching SCCM certificate selection criteria is not available

FYI - We do not control the certificate server. Our security section does that task.

May 6th, 2015 3:45pm
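
As an added example (not from the thread or the linked guide), the following PowerShell check, run elevated on the test client, lists what is in the Local Computer Personal store and which basic client-authentication properties each certificate has. It assumes the client certificate is expected in `Cert:\LocalMachine\My` with the Client Authentication EKU; the function name `Test-ClientAuthCandidate` is hypothetical.

```powershell
# Added example: inspect the Local Computer Personal store for a usable
# client authentication certificate. Run in an elevated session.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-ClientAuthCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $now  = Get-Date
    # Collect the OIDs from the Enhanced Key Usage extension, if present.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build the chain in machine context. Revocation checking is turned off
    # (assumption) so the check also works while the client is off the intranet.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        SelfSigned    = ($Cert.Subject -eq $Cert.Issuer)   # heuristic only
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = ($ekus -contains $clientAuthOid)
        InValidity    = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        ChainTrusted  = $chainOk
    }
}

$results = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-ClientAuthCandidate $_ })
$results | Format-List

# A candidate must pass every check; anything less explains a PKI fallback.
$usable = @($results | Where-Object {
    $_.HasPrivateKey -and $_.ClientAuthEku -and $_.InValidity -and
    $_.ChainTrusted -and -not $_.SelfSigned
})
if ($usable.Count -eq 0) {
    Write-Warning 'No CA-issued client authentication certificate found in Cert:\LocalMachine\My.'
} else {
    $usable | Select-Object Thumbprint, Subject, Issuer
}
```

An empty store or an empty `$usable` list points at enrollment (template permissions, template publication on the issuing CA, autoenrollment policy) rather than at the ConfigMgr client.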

That message is pretty self-explanatory.

Do note though that simply looking at a single line from a log file is not going to help and is generally meaningless ... log files are about context and flow. You need to review much more than just a single line.

May 7th, 2015 6:24pm

I think I may have found the problem. I tried certificate enrollment to install the certificate directly on a client. I got "You cannot request a certificate at this time because no certificate types are available." I checked off the "Show all templates" box and my "ConfigMgr 2012 Client Certificate" status is unavailable. "The permissions on the certificate template do allow the current user to enroll for this type of certificate." "You do not have permission to request this type of certificate."

I will work with our security group to see what's not set right. If anybody knows what permissions need to be set and where, that would be great!

May 8th, 2015 4:09pm

As a follow-up, I noticed that everything talks about "computer" permissions but the says "user". Does anybody know if authenticated users need the enroll and auto-enroll permissions for the client cert template?

If there is a CA forum that deals with this sort of thing, then please direct me towards it.

    
May 8th, 2015 5:11pm

It all depends on the configuration of the template and the usage of it. If we're talking about the computer authentication certificate then I would expect something like an auto enrollment, as it's probably required by all clients. Again it's all about the requirements and the configuration.

You can find the security forum here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity

May 9th, 2015 1:47am

For ConfigMgr 2012 client cert properties under the General tab, should the "Publish certificate in Active Directory" checkbox be checked?
May 12th, 2015 3:53pm

Doesn't matter. That is used to distribute public keys to other entities that have access to AD. ConfigMgr doesn't use or rely on this at all.
May 12th, 2015 4:08pm

I would recommend giving this a read:

https://technet.microsoft.com/en-us/library/gg682023.aspx

May 12th, 2015 5:40pm

William,

I have been to that web site many, many times. Unfortunately it doesn't talk about what to do when it doesn't work. I got Microsoft working on it now. 

May 13th, 2015 12:39pm

OK.  Keep us posted!
May 13th, 2015 3:52pm

This topic is archived. No further replies will be accepted.
