Wednesday, March 16, 2016

SCCM Client Certificate (PKI) Value is None

SCCM Client Certificate (PKI) Value is None


Symptoms: Are you seeing the following errors logged?

ClientIDManagerStartup.log - Error: 0x87d00231
[RegTask] - Client is not registered. Sending registration request for GUID:12345678...98C1AE ...
RegTask: Failed to send registration request message. Error: 0x87d00231 ClientIDManagerStartup
RegTask: Failed to send registration request. Error: 0x87d00231 ClientIDManagerStartup

LocationServices.log
Failed to send management point list Location Request Message to SiteServer.Domain.local
1 assigned MP errors in the last 10 minutes, threshold is 5.

CcmMessaging.log
Status Agent hasn't been initialized yet. Attempting to create pending event.
Successfully queued event on HTTP/HTTPS failure for server 'SiteServer.Domain.local'.
Post to https://SiteServer.Domain.local/ccm_system_windowsauth/request failed with 0x87d00231.
Failed to open to WMI namespace '\\.\root\ccm' (80041003)
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee2

Within the affected clients windows registry you find this key populated HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\DisableRenegoOnClient | DWORD=1

The issue explained:
SL / TLS renegotiation has been disabled. This was either the result of manual change or as a result of deploying the following Microsoft KB - https://support.microsoft.com/en-us/kb/977377

Within the KB you will find the following statement - Internet Information Services (IIS): In certain configurations, IIS using certificate client authentication, including certificate mapping scenarios, will be affected. Site-wide client certificate authentication will not be affected and will continue to function.

This causes the client to attempt a connection to the Management Point IIS virtual directory. The virtual directory requires a valid client certificate and attempts to respond to the client and perform a SSL/TLS renegotiation.

The client abandons the session immediately which is why you receive the HTTP 500 error (The I/O operation has been aborted) because the server can no longer find the abandoned session.

To Resolve: 

Change the registry key value (DisableRenegoOnClient) from 1 to 0 and restart the CCMExec service.

reg add "hklm\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" -v DisableRenegoOnClient /t REG_DWORD /d 0 /f

powershell -executionpolicy bypass -command restart-service ccmexec

PS. CCMCleaner.exe may go along way to clearing out an SCCM client installation issue.




3 comments:

  1. THANK YOU

    This saved my bacon, and the problem had been driving me nuts for weeks.

    ReplyDelete
  2. Thanks for picking out the time to discuss this, I feel great about it and love studying more on this topic. It is extremely helpful for me. Thanks for such a valuable help again. 구글 기프트 판매

    ReplyDelete
  3. Even when you are quite good at using internet or email, you may have problems with it. Some problems are quite common and you can solve it (forgot password, forgot username...) but sometimes, proxy problems... you may cannot sign in your email. If you cannot solve it yourself, hotmail login will be a helpful choice.

    ReplyDelete