SCCM Client Certificate (PKI) Value is None
Symptoms: Are you seeing the following errors logged?
ClientIDManagerStartup.log - Error: 0x87d00231
[RegTask] - Client is not registered. Sending registration request for GUID:12345678...98C1AE ...
RegTask: Failed to send registration request message. Error: 0x87d00231 ClientIDManagerStartup
RegTask: Failed to send registration request. Error: 0x87d00231 ClientIDManagerStartup
LocationServices.log
Failed to send management point list Location Request Message to SiteServer.Domain.local
1 assigned MP errors in the last 10 minutes, threshold is 5.
CcmMessaging.log
Status Agent hasn't been initialized yet. Attempting to create pending event.
Successfully queued event on HTTP/HTTPS failure for server 'SiteServer.Domain.local'.
Post to https://SiteServer.Domain.local/ccm_system_windowsauth/request failed with 0x87d00231.
Failed to open to WMI namespace '\\.\root\ccm' (80041003)
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee2
Within the affected client's Windows registry, you find this value populated: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\DisableRenegoOnClient | DWORD=1
The issue explained:
SSL / TLS renegotiation has been disabled. This was either the result of a manual change or of deploying the following Microsoft KB - https://support.microsoft.com/en-us/kb/977377
Within the KB you will find the following statement - Internet Information Services (IIS): In certain configurations, IIS using certificate client authentication, including certificate mapping scenarios, will be affected. Site-wide client certificate authentication will not be affected and will continue to function.
When the client connects to the Management Point IIS virtual directory, the virtual directory requires a valid client certificate and responds to the client by attempting an SSL/TLS renegotiation.
The client abandons the session immediately, which is why you receive the HTTP 500 error (The I/O operation has been aborted): the server can no longer find the abandoned session.
To Resolve:
Change the registry key value (DisableRenegoOnClient) from 1 to 0 and restart the CCMExec service.
reg add "hklm\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v DisableRenegoOnClient /t REG_DWORD /d 0 /f
powershell -executionpolicy bypass -command restart-service ccmexec
PS. CCMCleaner.exe may go a long way to clearing out an SCCM client installation issue.
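The check and fix above as one script, added here as an example and not part of the original post: it confirms that both the registry value and the 0x87d00231 registration error are present before changing anything. It assumes the default client log folder %windir%\CCM\Logs and an elevated prompt; the -Remediate switch is a name chosen for this example.

```powershell
# Added example: detect the DisableRenegoOnClient condition described above
# and, only when -Remediate is given, apply the fix from "To Resolve".
# Assumptions: default client log folder %windir%\CCM\Logs; run elevated.
param([switch]$Remediate)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name     = 'DisableRenegoOnClient'
$logFile  = Join-Path $env:windir 'CCM\Logs\ClientIDManagerStartup.log'

# Read the SCHANNEL value; $null means the value does not exist.
$value = (Get-ItemProperty -Path $schannel -Name $name -ErrorAction SilentlyContinue).$name

# Count log lines carrying the registration error code from the symptoms.
$hits = 0
if (Test-Path $logFile) {
    $hits = @(Select-String -Path $logFile -Pattern '0x87d00231' -SimpleMatch).Count
}

# Treat the client as affected only when both indicators are present.
$affected = ($value -eq 1) -and ($hits -gt 0)

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    DisableRenegoOnClient = if ($null -eq $value) { 'not set' } else { $value }
    RegistrationErrors    = $hits
    Affected              = $affected
}

if ($affected -and $Remediate) {
    # Same change as the reg add command above, then restart the client service.
    Set-ItemProperty -Path $schannel -Name $name -Value 0 -Type DWord
    Restart-Service -Name CcmExec
    Write-Output "Set $name to 0 and restarted CcmExec."
}
```

Run it without -Remediate first to report the state, then check ClientIDManagerStartup.log after remediation to confirm the registration request succeeds.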