Wednesday, March 16, 2016

SCCM Client Certificate (PKI) Value is None

Symptoms: Are you seeing the following errors logged?

ClientIDManagerStartup.log - Error: 0x87d00231
[RegTask] - Client is not registered. Sending registration request for GUID:12345678...98C1AE ...
RegTask: Failed to send registration request message. Error: 0x87d00231 ClientIDManagerStartup
RegTask: Failed to send registration request. Error: 0x87d00231 ClientIDManagerStartup

LocationServices.log
Failed to send management point list Location Request Message to SiteServer.Domain.local
1 assigned MP errors in the last 10 minutes, threshold is 5.

CcmMessaging.log
Status Agent hasn't been initialized yet. Attempting to create pending event.
Successfully queued event on HTTP/HTTPS failure for server 'SiteServer.Domain.local'.
Post to https://SiteServer.Domain.local/ccm_system_windowsauth/request failed with 0x87d00231.
Failed to open to WMI namespace '\\.\root\ccm' (80041003)
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee2

Within the affected client's Windows registry you will find this value populated: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\DisableRenegoOnClient | DWORD=1

The issue explained:
SSL / TLS renegotiation has been disabled on the client. This was either the result of a manual change or of deploying the following Microsoft KB - https://support.microsoft.com/en-us/kb/977377

Within the KB you will find the following statement - Internet Information Services (IIS): In certain configurations, IIS using certificate client authentication, including certificate mapping scenarios, will be affected. Site-wide client certificate authentication will not be affected and will continue to function.

The SCCM client connects to the Management Point's IIS virtual directory. That virtual directory requires a valid client certificate, so IIS answers the request by starting an SSL/TLS renegotiation in order to ask the client for its certificate.

With DisableRenegoOnClient set to 1 the client refuses the renegotiation and abandons the session immediately, which is why you see the HTTP 500 error (The I/O operation has been aborted): the server can no longer find the abandoned session. On the client side this surfaces in the logs as 0x87d00231 and as the WinHttpSendRequest error 0x2ee2 (ERROR_WINHTTP_TIMEOUT, 12002).

To Resolve: 

Change the registry value (DisableRenegoOnClient) from 1 to 0 and restart the CCMExec service. Note that this is a machine-wide SCHANNEL setting: setting it back to 0 re-enables TLS client renegotiation for every application on the host, not just the ConfigMgr agent, so if the value was set deliberately as the KB 977377 workaround, weigh that against the SCCM outage before changing it.

reg add "hklm\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v DisableRenegoOnClient /t REG_DWORD /d 0 /f

powershell -executionpolicy bypass -command restart-service ccmexec
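The following PowerShell script is an added example, not part of the original post: it checks the SCHANNEL value described above, scans the three ConfigMgr logs quoted in the symptoms for the same error signatures, and wraps the fix in a -WhatIf/-Confirm gate so the registry change is never applied blindly. It assumes the default log location (C:\Windows\CCM\Logs) and an elevated session; the sample log lines at the bottom are constructed from the post's excerpts so the matching logic can be exercised offline.

```powershell
# Added example (not from the original post): detect the DisableRenegoOnClient
# symptom set and, if asked to, apply the post's fix. Assumes an elevated
# session and the default C:\Windows\CCM\Logs log directory.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName   = 'DisableRenegoOnClient'
$CcmLogDir   = Join-Path $env:windir 'CCM\Logs'

# Log fragments that characterise this failure (taken from the post's excerpts).
$Signatures = @(
    '0x87d00231',                                                   # registration / MP request failure
    'ErrorCode = 0x2ee2',                                           # WinHttpSendRequest: ERROR_WINHTTP_TIMEOUT (12002)
    'Failed to send management point list Location Request Message'
)

function Get-RenegoSetting {
    # Returns the current DWORD, or $null when the value is absent (absent = renegotiation allowed).
    $item = Get-ItemProperty -Path $SchannelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Find-RenegoSymptoms {
    param([string[]]$Lines)
    # Emit each line that matches one of the known signatures, tagged with the signature it hit.
    foreach ($line in $Lines) {
        foreach ($sig in $Signatures) {
            if ($line -like "*$sig*") {
                [pscustomobject]@{ Signature = $sig; Line = $line.Trim() }
                break
            }
        }
    }
}

function Repair-RenegoSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Machine-wide SCHANNEL setting: re-enabling renegotiation affects every TLS client
    # on this host, not just the ConfigMgr agent, so the change is gated behind -WhatIf/-Confirm.
    if ($PSCmdlet.ShouldProcess("$SchannelKey\$ValueName", 'Set to 0 and restart CcmExec')) {
        Set-ItemProperty -Path $SchannelKey -Name $ValueName -Value 0 -Type DWord
        Restart-Service -Name CcmExec
    }
}

# --- Constructed sample lines (modelled on the post's log excerpts) for an offline check ---
$SampleLines = @(
    'RegTask: Failed to send registration request message. Error: 0x87d00231',
    'Failed in WinHttpSendRequest API, ErrorCode = 0x2ee2',
    'Successfully queued event on HTTP/HTTPS failure for server ''SiteServer.Domain.local''.',
    '1 assigned MP errors in the last 10 minutes, threshold is 5.'
)
$sampleHits = @(Find-RenegoSymptoms -Lines $SampleLines)
Write-Host "Sample check: $($sampleHits.Count) of $($SampleLines.Count) constructed lines match the signature set."

# --- Live check against the agent's logs and the SCHANNEL value ---
$logs = 'ClientIDManagerStartup.log', 'LocationServices.log', 'CcmMessaging.log' |
    ForEach-Object { Join-Path $CcmLogDir $_ } |
    Where-Object { Test-Path $_ }
$liveHits = @()
foreach ($log in $logs) {
    # Only the tail of each log is read; the failure repeats, so recent lines are enough.
    $liveHits += @(Find-RenegoSymptoms -Lines (Get-Content -Path $log -Tail 500))
}
$liveHits | Format-Table Signature, Line -AutoSize

$setting = Get-RenegoSetting
if ($setting -eq 1 -and $liveHits.Count -gt 0) {
    Write-Warning "$ValueName = 1 and $($liveHits.Count) matching log lines: client TLS renegotiation is disabled."
    Write-Host 'To apply the fix from the post: Repair-RenegoSetting -Confirm   (or -WhatIf to preview)'
} elseif ($setting -eq 1) {
    Write-Host "$ValueName = 1 but no matching log lines were found; keep watching the logs."
} else {
    $shown = if ($null -eq $setting) { 'not set' } else { $setting }
    Write-Host "$ValueName is $shown; disabled renegotiation is not the cause here."
}
```

Running the script as-is only reports; the registry change and service restart happen only when you call Repair-RenegoSetting yourself, and -WhatIf lets you see exactly which value it would touch before committing to re-enabling renegotiation host-wide.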

P.S. CCMCleaner.exe may go a long way towards clearing out an SCCM client installation issue.



