Friday, March 25, 2011

Client installation error on intranet-based machines in native mode - Certificate issued to "xyz" doesn't have private key

Issue:

I have a dedicated IBCM site serving intranet and internet clients. I'm unable to install the SCCM client on intranet-based clients via the client push method. I've taken care of ports, admin$ accessibility, client push installation account permissions, server certs, certificate enrollment on the client, etc.

The client doesn't get installed, and I get the errors/logs below:

ccm.log of IBCM server:

======>Begin Processing request: "IYEWCKFT", machine name: "SCCMTESTWINXP-1" SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Trying the 'best-shot' account which worked for previous CCRs (index = 0x0) SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Attempting to connect to administrative share '\\sccmtestwinxp-1.GEO.CORP.TEST.IN\admin$' using account 'geo\TESTgsccm' SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> The 'best-shot' account has now succeeded 5 times and failed 0 times. SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Connected to administrative share on machine sccmtestwinxp-1.GEO.CORP.TEST.IN using account 'geo\TESTgsccm' SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Attempting to make IPC connection to share <\\sccmtestwinxp-1.GEO.CORP.TEST.IN\IPC$> SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Searching for SMSClientInstall.* under '\\sccmtestwinxp-1.GEO.CORP.TEST.IN\admin$\' SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> System OS version string "5.1.2600" converted to 5.10 SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Service Pack version from machine "SCCMTESTWINXP-1" is 3 SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

CWmi::Connect(): ConnectServer(Namespace) failed. - 0x8004100e SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Unable to connect to WMI (r) on remote machine "SCCMTESTWINXP-1", error = 0x8004100e. SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Creating \ VerifyingCopying exsistance of destination directory \\SCCMTESTWINXP-1\admin$\system32\ccmsetup. SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Copying client files to \\SCCMTESTWINXP-1\admin$\system32\ccmsetup. SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Copying file "E:\Program Files (x86)\Microsoft Configuration Manager\bin\I386\MobileClient.tcf" to "\\SCCMTESTWINXP-1\admin$\system32\ccmsetup\MobileClient.tcf" SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:18 AM 4352 (0x1100)

---> Updated service "ccmsetup" on machine "SCCMTESTWINXP-1". SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:19 AM 4352 (0x1100)

---> Started service "ccmsetup" on machine "SCCMTESTWINXP-1". SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:19 AM 4352 (0x1100)

---> Deleting SMS Client Install Lock File '\\sccmtestwinxp-1.GEO.CORP.TEST.IN\admin$\SMSClientInstall.IBC' SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:19 AM 4352 (0x1100)

---> Completed request "IYEWCKFT", machine name "SCCMTESTWINXP-1". SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:19 AM 4352 (0x1100)

Deleted request "IYEWCKFT", machine name "SCCMTESTWINXP-1" SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:19 AM 4352 (0x1100)

<======End request: "IYEWCKFT", machine name: "SCCMTESTWINXP-1". SMS_CLIENT_CONFIG_MANAGER 3/24/2011 6:09:19 AM 4352 (0x1100)


Ccmsetup.log of client:

MSI properties: INSTALL="ALL" SMSSITECODE="IBC" CCMHOSTNAME="GEO-MP-IBCM.TEST.COM" CCMHTTPPORT="80" CCMHTTPSPORT="443" CCMHTTPSSTATE="95" FSP="GEO-TESTT-SCCMP1.GEO.CORP.TEST.IN" CCMFIRSTCERT="0" ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

Source List: ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

\\GEO-TESTT-SCCMP1.GEO.CORP.TEST.IN\SMSClient ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

\\GEO-TESTT-SCCMP1\SMSClient ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

MPs: ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

GEO-TESTT-SCCMP1.GEO.CORP.TEST.IN ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

Updated security on object C:\WINDOWS\system32\ccmsetup\. ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

Sending Fallback Status Point message, STATEID='100'. ccmsetup 3/24/2011 6:09:19 AM 3024 (0x0BD0)

State message with TopicType 800 and TopicId {25347404-9ACF-48C7-8CAB-99A38A5CC66F} has been sent to the FSP FSPStateMessage 3/24/2011 6:09:19 AM 3024 (0x0BD0)

Running as user "SYSTEM" ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Detected 12981 MB free disk space on system drive. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

DetectWindowsEmbeddedFBWF() Detecting OS Version ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Client OS Version is 5.1, Service Pack Version 3 ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Client OS is not a supported Windows Embedded Platform ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Ccmsetup is being restarted due to an administrative action. Installation files will be reset and downloaded again. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Successfully ran BITS check. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

The 'Certificate Store' is empty in the registry, using default store name 'MY'. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

1 certificate(s) found in the 'MY' certificate store. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Only one certificate present in the certificate store. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

SSL Registry key Software\Microsoft\CCM not found, assuming Client SSL is disabled. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Certificate issued to 'sccmtestwinxp-1.GEO.CORP.TEST.IN' doesn't have private key. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

Sending Fallback Status Point message, STATEID='315'. ccmsetup 3/24/2011 6:09:19 AM 2272 (0x08E0)

State message with TopicType 800 and TopicId {35618507-3DAE-476D-8521-40E9DC3F9A1A} has been sent to the FSP FSPStateMessage 3/24/2011 6:09:19 AM 2272 (0x08E0)


Resolution:


[Certificate issued to 'xyz' doesn't have private key.]

Yes, installation is failing because Configuration Manager can't find or can't read the private key for the certificate. I don't think you're missing anything simple. If you've deployed the certificate by using autoenrollment, I don't know why this would happen either - I more usually see this error message when the certificate has been moved from one store to another in the Certificates MMC. In this scenario, the Certificates MMC still says the private key is available when it really isn't and we've learned that this isn't a reliable way to verify whether the private key really is available. Try running the native mode readiness tool (Sccmnativemodereadiness.exe from %windir%\system32\CCM - see http://technet.microsoft.com/en-us/library/bb680986.aspx) and check the log to see if this verification tool thinks the private key is available.

As a test, have you tried installing the certificate another way? For example, delete the certificate installed by autoenrollment (unless it's being used successfully by another application) and manually request the certificate from the Certificates MMC, or use Certreq.exe with an .inf file.

As a long shot, when you were configuring Certificate Services, did you change any cryptographic selections from the defaults - for example, the hash algorithm for the CA or the CSP selection on the certificate template? Native mode cannot support hash algorithms greater than SHA-1 and the default CSP for the Workstation Authentication certificate template is Microsoft RSA SChannel Cryptographic Provider.

Or export and import the cert!

It looks like the client certificate cannot be used because there is no private key for the certificate selected. Running the Native Mode Readiness tool will also check this - see http://technet.microsoft.com/en-us/library/bb680986.aspx. This test sends the results to the fallback status point, but you can also check the sccmnativemodereadiness.log file in the client log folder.

The most common reasons for this include:

  • Moving the certificate from one store (e.g. the User store) to another (the Computer store) rather than exporting it with the private key and then importing it. We see this a lot because the later versions of the Web enrollment pages don't let you save the certificate directly to the computer store, and the Certificates MMC gives you the dangerous impression that you can move a certificate between stores just like you can move files in Explorer.
  • Requesting the certificate from another computer and then exporting/importing it without the private key.

Do either of these apply to you? Both of these scenarios mean that the certificate template needs to allow the private key to be exported (not enabled by default, and considered by many to be a security risk), and that you then select the option to export/import the private key when prompted in the wizard.
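The replies above say the Certificates MMC is not a reliable way to verify that a private key is really available. The following PowerShell script is an added example (not from the original post or from Microsoft's tooling) that checks the Local Computer 'MY' store the way ccmsetup's certificate selection does, and reports why a certificate is unusable rather than just that it is: it actually opens the key, checks that the key lives in the machine key container (a key left in a user profile after a drag-and-drop between stores is invisible to ccmsetup, which runs as SYSTEM), and checks the CSP, Client Authentication EKU, DNS name and signature hash against what the post describes. The expected DNS name defaults to the client FQDN; everything else is read from the store.

```powershell
# Added example: report why a certificate in Cert:\LocalMachine\My would be
# rejected by ccmsetup. Run in an elevated PowerShell on the client.
function Test-SccmClientCert {
    param(
        # Assumption: the certificate subject/SAN must carry the client FQDN.
        [string]$ExpectedDnsName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    $results = @()

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $problems = @()

        # 1. The store metadata only says that a key *reference* exists ...
        if (-not $cert.HasPrivateKey) { $problems += 'no private key reference (HasPrivateKey = false)' }

        # 2. ... opening the key is the real test. This throws "Keyset does not exist"
        #    for a certificate whose key container was lost when it was moved between stores.
        $keyInfo = $null
        try {
            $rsa = $cert.PrivateKey
            if ($rsa -eq $null) { $problems += 'private key reference present but the key cannot be opened' }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $keyInfo = $rsa.CspKeyContainerInfo }
            else { $problems += 'key is not a CSP (RSA) key; native mode expects a CryptoAPI CSP key' }
        } catch {
            $problems += ('private key cannot be opened: ' + $_.Exception.Message)
        }

        if ($keyInfo -ne $null) {
            # 3. ccmsetup runs as SYSTEM: a key in a *user* key container works in your
            #    own MMC session but cannot be opened by the installer.
            if (-not $keyInfo.MachineKeyStore) {
                $problems += ('key is in a user key container (' + $keyInfo.KeyContainerName + '), not the machine key store')
            }
            # 4. The Workstation Authentication template default CSP, per the post.
            if ($keyInfo.ProviderName -ne 'Microsoft RSA SChannel Cryptographic Provider') {
                $problems += ('CSP is "' + $keyInfo.ProviderName + '" instead of Microsoft RSA SChannel Cryptographic Provider')
            }
        }

        # 5. Client Authentication EKU must be present.
        $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = $false
        if ($eku) { foreach ($oid in $eku.EnhancedKeyUsages) { if ($oid.Value -eq $clientAuthOid) { $hasClientAuth = $true } } }
        if (-not $hasClientAuth) { $problems += 'no Client Authentication EKU' }

        # 6. Name, hash algorithm (native mode expects SHA-1 per the post) and validity.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($dnsName -ne $ExpectedDnsName) { $problems += ('DNS name "' + $dnsName + '" does not match "' + $ExpectedDnsName + '"') }
        if ($cert.SignatureAlgorithm.FriendlyName -notmatch '^sha1') { $problems += ('signed with ' + $cert.SignatureAlgorithm.FriendlyName + '; native mode expects SHA-1') }
        if ($cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }

        $results += New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Usable     = ($problems.Count -eq 0)
            Problems   = ($problems -join '; ')
        }
    }
    return $results
}

Test-SccmClientCert | Format-List Subject, Thumbprint, Usable, Problems
```

To see exactly what ccmsetup sees, run the script in a SYSTEM shell (for example via `psexec -s -i powershell.exe`); a certificate that passes as your admin account but fails as SYSTEM is the "moved between stores" case. `certutil -store MY` gives a second opinion: it prints the provider and key container for each certificate and runs a signature test against the key, reporting "Missing stored keyset" when the key is gone.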
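Both root causes listed above come from a certificate and its key being created in one place and carried to another. The script below is an added example (not from the original post) of the Certreq.exe-with-an-.inf-file route the first reply suggests: it generates the key directly in the machine key container, requests a certificate on the Workstation Authentication template from the enterprise CA, installs the issued certificate into the Local Computer store and then confirms the key opens from the machine key store, so nothing ever has to be moved or exported. The CA config string and template name are assumptions; substitute your own.

```powershell
# Added example: enroll a native-mode client certificate with certreq.exe so the
# private key is born in the machine key store. Run in an elevated PowerShell.
function Request-SccmClientCert {
    param(
        # Assumption: "CAhost\CA name" of your issuing enterprise CA (hypothetical values).
        [string]$CaConfig = 'GEO-CA01.GEO.CORP.TEST.IN\GEO-Issuing-CA',
        # Assumption: the default Workstation Authentication template (template name "Workstation").
        [string]$Template = 'Workstation',
        [string]$WorkDir  = (Join-Path $env:TEMP 'sccm-clientcert')
    )

    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir 'request.inf'
    $req = Join-Path $WorkDir 'request.req'
    $cer = Join-Path $WorkDir 'issued.cer'

    # MachineKeySet = TRUE puts the key in the machine container (what ccmsetup, running
    # as SYSTEM, can open); Exportable = FALSE keeps the template default the post mentions.
    # If the template builds the subject from Active Directory, the CA replaces the CN below.
    @"
[NewRequest]
Subject = "CN=$fqdn"
MachineKeySet = TRUE
KeySpec = 1
KeyLength = 2048
KeyUsage = 0xA0
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

    & certreq.exe -new $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

    & certreq.exe -submit -config $CaConfig $req $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE (if the CA holds the request for approval, use 'certreq -retrieve <RequestId> $cer' once issued)" }

    # -accept binds the issued certificate to the pending machine-key request and stores it in LocalMachine\My.
    & certreq.exe -accept $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    # Confirm the result the way ccmsetup will see it: find it by thumbprint in the
    # machine store and open the key from the machine key container.
    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
    $stored = Get-Item ("Cert:\LocalMachine\My\" + $issued.Thumbprint)
    $keyInfo = $stored.PrivateKey.CspKeyContainerInfo

    New-Object PSObject -Property @{
        Thumbprint      = $stored.Thumbprint
        Subject         = $stored.Subject
        HasPrivateKey   = $stored.HasPrivateKey
        MachineKeyStore = $keyInfo.MachineKeyStore
        Provider        = $keyInfo.ProviderName
    }
}

Request-SccmClientCert | Format-List
```

If the old, keyless certificate is still in the store, delete it first (unless another application depends on it): ccmsetup picks the only certificate present when no selection criteria are configured, as the log above shows, so a leftover bad certificate next to the new one turns the failure into a selection problem instead.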

-----
