.:: (MVP) Raphael ::. : ibcm, certificates

SCCM & NAT

Raphael — Thu, 14 Oct 2010 13:11:00 GMT

Hi All,

installing a sccm client today and got the following errors on the ccmsetup.log

o [CCMSETUP] AsyncCallback(): -----------------------------------------------------------------
o [CCMSETUP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered
o [CCMSETUP] : dwStatusInformationLength is 4
o [CCMSETUP] : *lpvStatusInformation is 0x9 o [CCMSETUP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set
o [CCMSETUP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set
o [CCMSETUP] AsyncCallback(): -----------------------------------------------------------------
o Failed to send HTTP request. (Error at WinHttpSendRequest: 12175) o DownloadFileByWinHTTP encountered an unrecoverable error.
o Sending Fallback Status Point message, STATEID='308'. o State message with TopicType 800 and TopicId {F29C31A1-173D-4DAC-88C4-D3C51F936655} has been sent to the FSP

At this point, as good sccm admin as I am, used the trace32 error lookup and found that 12175 means: "A security error occurred"

As this message is really good, searched over the internet and found the the MSDN have a more usefull message at http://msdn.microsoft.com/en-us/library/aa383770(VS.85).aspx
One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server. To determine what type of error was encountered, check for a WINHTTP_CALLBACK_STATUS_SECURE_FAILURE notification in a status callback function. For more information, see WINHTTP_STATUS_CALLBACK.

At this point, i'm pretty sure that there is a problem with SSL as I'm installing a native mode client (I haven't seen this issue in a mixed mode). As it wasn't clear yet, I asked help from network/firewall guys and found that the client was in a NAT network...as this is not supported (http://technet.microsoft.com/en-us/library/dd547071.aspx, see network adapter), we changed to be a routed network and voilà, client installed :)

[SCCM] SCCMNativeModeReadiness - Client is not ready

Raphael — Thu, 14 Oct 2010 12:50:00 GMT

Hi All,

quick post to share my experience..

i'm finishing one native mode/ibcm project and I came across the following issue today when running the SCCMNativeModeReadiness

Initializing ModeReadiness tool. ModeReadiness 10/14/2010 9:57:21 AM 2680 (0x0A78)

Setting default logging component for process. ModeReadiness 10/14/2010 9:57:21 AM 2680 (0x0A78)

The 'Certificate Store' is empty in the registry, using default store name 'MY'. ModeReadiness 10/14/2010 9:57:21 AM 2680 (0x0A78)

Failed to load default certificate selection criteria. (0x80004005) ModeReadiness 10/14/2010 9:57:21 AM 2680 (0x0A78)

ModeReadiness initializiation succeeded. ModeReadiness 10/14/2010 9:57:21 AM 2680 (0x0A78)

Client SSL is enabled. The current state is 0x127. ModeReadiness 10/14/2010 9:57:21 AM 2680 (0x0A78)

Certificate issued to 'FQDN' doesn't have private key. ModeReadiness 10/14/2010 9:57:34 AM 2680 (0x0A78)

Client is NOT ready for native mode. ModeReadiness 10/14/2010 9:57:34 AM 2680 (0x0A78)

Sending state message. ModeReadiness 10/14/2010 9:57:34 AM 2680 (0x0A78)

Looking at the log lines, it's easy to think that the certificate doesn't have private key...but when i open the MMC, I found that the certificate has it:

to fix the issue,I had to:

- Deleted all certificates from machine using MMC
- revoked all certificates issued to the computer
- Stopped the Crypto Service
- Stopped the Cryptographic Services (net stop CryptSvc)
- Renamed the folders under the Crypto Folder (C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto)
- Rebooted machine
- All the machine is domain member, it got a new certificate by the autoenrollment