SCCM agents not picking PKI certificate

Hello guys,

First of all, I would like to tell you that I am kind of new to SCCM. I have read a lot of documentation on the web and followed some courses, but this is my first time deploying an SCCM infrastructure in production with a lot of security within the infrastructure.

So, for the story: the SCCM infrastructure is installed in a Windows domain dedicated to the management tools, let's say "mgt.local", and I would like to manage servers in other domains, like dev.local, test.local and prod.local, and each time we have a network firewall filtering the flows between the domains.

Since I am in a deployment phase, I am currently trying to manage servers in dev.local from the SCCM platform in mgt.local. Because of our local security policy, it hasn't been allowed to open the ports to deploy agents from the primary site, so I am deploying it through GPOs.

This works pretty well: the agent installs itself on the servers and can reach the management point over HTTPS (no HTTP allowed due to security policy). When reviewing ccmsetup.log I can see the agent contacting the MP, downloading the .cab and installing it. In the end I have a "return code 0". So everything works fine, the certificates are valid, they can contact the CRLs, so far so good.

My problem resides in the fact that once the agent is installed, it doesn't pick up the PKI certificate; I can see in the GUI "Client Certificate: None". When reviewing CertificateMaintenance.log, I can see the following lines:

Begin searching client certificates based on Certificate Issuers	CertificateMaintenance	2/2/2015 10:06:54	5920 (0x1720)
Certificate Issuer 1 [E=email@corp.com; CN=XXX RootCA ServerCertificates; OU=XXX; O=CompanyName; L=Location; S=City; C=Country]	CertificateMaintenance	2/2/2015 10:06:54	5920 (0x1720)
Certificate Issuer 2 [CN=Company ROOT CA; O=CompanyName; C=Country]	CertificateMaintenance	2/2/2015 10:06:54	5920 (0x1720)
Certificate Issuer 3 [CN=DEVPKI; CN=DEV; CN=LOCAL]	CertificateMaintenance	2/2/2015 10:06:54	5920 (0x1720)
Finding certificate by issuer chain returned error 80092004	CertificateMaintenance	2/2/2015 10:06:54	5920 (0x1720)
Completed searching client certificates based on Certificate Issuers	CertificateMaintenance	2/2/2015 10:06:54	5920 (0x1720)
Unable to find any Certificate based on Certificate Issuers	CertificateMaintenance	2/2/2015 10:06:54	5920 (0x1720)
Raising pending event:

instance of CCM_ServiceHost_CertRetrieval_Status
{
	DateTime = "20150202090654.138000+000";
	HRESULT = "0x87d00215";
	ProcessID = 5556;
	ThreadID = 5920;
};
	CertificateMaintenance	2/2/2015 10:06:54	5920 (0x1720)
CCMDoCertificateMaintenance() failed (0x87d00215).	CertificateMaintenance	2/2/2015 10:06:54	5920 (0x1720)
Raising pending event:

instance of CCM_ServiceHost_CertificateOperationsFailure
{
	DateTime = "20150202090654.138000+000";
	HRESULT = "0x87d00215";
	ProcessID = 5556;
	ThreadID = 5920;
};
	CertificateMaintenance	2/2/2015 10:06:54	5920 (0x1720)
CCMDoCertificateMaintenance() raised CCM_ServiceHost_CertificateOperationsFailure status event.	CertificateMaintenance	2/2/2015 10:06:54	5920 (0x1720)

So as I understand the logs, the agent is looking for a certificate coming from one of the 3 CAs I provisioned in SCCM. The problem here is the fact that all servers in my dev.local domain have a certificate provisioned by "Certificate Issuer 3" (in the logs) and it seems it can't pick it up... I have been banging my head on this for over a week, and nothing on the web is really helping.

I did read the following articles, so the CA template should be good:

https://technet.microsoft.com/en-us/library/gg699362.aspx

http://sccmguy.com/2013/11/27/pki-certificates-for-configuration-manager-2012-r2-part-24-client-certificate-for-windows-computers/

Checklist:

AD Schema extension: OK & publishing

PKI certificate deployed on Primary Site: OK & valid

PKI certificate deployed on MP: OK & valid

PKI certificate deployed on server client: OK & valid

Sorry for the long post, any help would be appreciated.

February 2nd, 2015 5:11am
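A diagnostic for the situation described in the post above, added here as an example and not code from the original post or from Configuration Manager: it lists the computer certificates that could satisfy the client-certificate search (private key, not expired, Client Authentication EKU), builds each one's chain with online revocation checking, and prints every chain element's subject next to the CN values copied from the "Certificate Issuer N" log lines so the two can be compared. The issuer CNs and the exact matching rule are assumptions for display only, not the agent's real selection logic.

```powershell
# CN values taken from the "Certificate Issuer N [...]" lines in CertificateMaintenance.log;
# replace them with the issuers configured in your own site settings.
$configuredIssuerCns = @('CN=XXX RootCA ServerCertificates', 'CN=Company ROOT CA', 'CN=DEVPKI')
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return $false }   # certificate carries no EKU extension at all
    return [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}

# Only the computer's personal store is searched, matching where the agent looks by default.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.NotAfter -gt (Get-Date)) -and (Test-ClientAuthEku -Cert $_)
}

if (-not $candidates) {
    Write-Warning 'No certificate in LocalMachine\My has a private key, is unexpired and has the Client Authentication EKU.'
}

foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # the agent contacts the CRLs, so verify them here too
    $built = $chain.Build($cert)

    "`nSubject    : $($cert.Subject)"
    "Thumbprint : $($cert.Thumbprint)"
    "Chain valid: $built"
    if (-not $built) {
        # ChainStatus explains why the chain failed (untrusted root, revocation offline, ...)
        $chain.ChainStatus | ForEach-Object { "  status   : $($_.Status) - $($_.StatusInformation.Trim())" }
    }

    # Print the full subject DN of every element so it can be compared with the logged issuer DN
    # character by character; the CN substring match is only a quick hint, not a definitive test.
    foreach ($element in $chain.ChainElements) {
        $subject = $element.Certificate.Subject
        $hit = $configuredIssuerCns | Where-Object { $subject -like "*$_*" }
        $mark = if ($hit) { 'CN found in configured issuers' } else { 'CN not in configured issuers' }
        "  chain    : $subject  [$mark]"
    }
}
```

Run it in an elevated PowerShell session on one of the dev.local servers; a certificate whose chain does not build, or whose issuing CA's subject DN differs from the DN the agent logs, is the first thing to reconcile with the site's issuer list.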
