Wednesday, March 16, 2016

SCCM Client Certificate (PKI) Value is None

SCCM Client Certificate (PKI) Value is None


Symptoms: Are you seeing the following errors logged?

ClientIDManagerStartup.log - Error: 0x87d00231
[RegTask] - Client is not registered. Sending registration request for GUID:12345678...98C1AE ...
RegTask: Failed to send registration request message. Error: 0x87d00231 ClientIDManagerStartup
RegTask: Failed to send registration request. Error: 0x87d00231 ClientIDManagerStartup

LocationServices.log
Failed to send management point list Location Request Message to SiteServer.Domain.local
1 assigned MP errors in the last 10 minutes, threshold is 5.

CcmMessaging.log
Status Agent hasn't been initialized yet. Attempting to create pending event.
Successfully queued event on HTTP/HTTPS failure for server 'SiteServer.Domain.local'.
Post to https://SiteServer.Domain.local/ccm_system_windowsauth/request failed with 0x87d00231.
Failed to open to WMI namespace '\\.\root\ccm' (80041003)
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee2

Within the affected clients windows registry you find this key populated HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\DisableRenegoOnClient | DWORD=1

The issue explained:
SL / TLS renegotiation has been disabled. This was either the result of manual change or as a result of deploying the following Microsoft KB - https://support.microsoft.com/en-us/kb/977377

Within the KB you will find the following statement - Internet Information Services (IIS): In certain configurations, IIS using certificate client authentication, including certificate mapping scenarios, will be affected. Site-wide client certificate authentication will not be affected and will continue to function.

This causes the client to attempt a connection to the Management Point IIS virtual directory. The virtual directory requires a valid client certificate and attempts to respond to the client and perform a SSL/TLS renegotiation.

The client abandons the session immediately which is why you receive the HTTP 500 error (The I/O operation has been aborted) because the server can no longer find the abandoned session.

To Resolve: 

Change the registry key value (DisableRenegoOnClient) from 1 to 0 and restart the CCMExec service.

reg add "hklm\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" -v DisableRenegoOnClient /t REG_DWORD /d 0 /f

powershell -executionpolicy bypass -command restart-service ccmexec

PS. CCMCleaner.exe may go along way to clearing out an SCCM client installation issue.




1 comment:

  1. The certificate of the clients presented for the entry for the department. All the men are pleased to help me do my homework for the completion of the tasks. The charge is filed for the hope of the true width for the supportive means for the home work for the changes.

    ReplyDelete