Yes. This is the management point cert in the personal store on the MP.

Thanks,
Renae Mead
DTMB IS OA Enterprise Services
mea...@michigan.gov
(517) 636-0761 Office
(517) 388-2737 Mobile

From: listsad...@lists.myitforum.com On Behalf Of Troy Martin
Sent: Wednesday, February 8, 2017 11:49 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: PKI Certificate hell

Once the MP cert is imported into the MP's machine/computer cert store, if you double-click, is the certificate path OK/validated?

Troy L. Martin | Technical Architect
1E | Software Lifecycle Automation for the Digital Business
US Mobile: +1 (678) 898-6147 | UK Phone: +44 208 326 9141
troy.mar...@1e.com | www.1e.com

From: listsad...@lists.myitforum.com On Behalf Of Mead, Renae (DTMB)
Sent: Wednesday, February 8, 2017 9:30 AM
To: mssms@lists.myitforum.com
Subject: [mssms] PKI Certificate hell

SCCM setup: CAS with 2 primary sites running ConfigMgr 1610.
Primary Site System: under the Client Computer Communication tab, the site system settings are set to HTTPS or HTTP. "Use PKI certificates" is checked, and Trusted Root Certificate Authorities has both the old root CA and the new root CA.
MP & DP are set up to use HTTPS only.
Domain setup: Domain A has a two-way trust with Domain B.

Will try to make a long story short. The old root CA expires next month, so we are in the process of updating all the intermediate certs, client certs, MP certs, DP certs, etc. One year ago we set up a new PKI infrastructure, generated a new root CA cert and started deploying that. It has been working fine. A week ago we generated new management point certificates and bound them in IIS. Everything in Domain A works fine, but all the machines in Domain B (the trusted domain) are now throwing errors.

Client logs:

Location Services:
CCMVerifyMsgSignature failed. LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
Failed to verify received message 0x80090006 LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
CCMVerify failed with 0x80090006 LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
Failed to verify message. Could not retrieve certificate from MPCERT. LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
MPCERT requests are throttled for 00:04:54 LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
Failed to verify message. Sending MP [HCS084SCCMxxx] not in cached MPLIST. LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
MPLIST requests are throttled for 00:59:54 LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)

ClientIDManagerStatus.log:
RegTask: Failed to send registration request message. Error: 0x87d00231 ClientIDManagerStartup 2/8/2017 2:29:55 AM 8668 (0x21DC)
RegTask: Failed to send registration request. Error: 0x87d00231 ClientIDManagerStartup 2/8/2017 2:29:55 AM 8668 (0x21DC)

CertificateMaintenance.log:
Failed to verify signature of message received from MP using name 'HCS084SCCMxxxx.fqdn'

Management Point logs:
Processing Registration request from Client 'GUID:D56FFACE-0966-48D3-ADCF-68EB4A64F746' MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
Begin validation of Certificate [Thumbprint 8379EDA0CDA8E46DFA0913E40037543D4AC08CA4] issued to 'T6000F4P6NX1.fqdn.' MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
Completed validation of Certificate [Thumbprint 8379EDA0CDA8E46DFA0913E40037543D4AC08CA4] issued to 'T6000F4P6NX1'certif MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
Verifying message signature for client 'GUID:D56FFACE-0966-48D3-ADCF-68EB4A64F746' failed with 0x80090006. MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
CCMValidateAuthHeaders failed (0x80090006) to validate headers for client 'GUID:D56FFACE-0966-48D3-ADCF-68EB4A64F746'. MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
MP Reg: Failed to verify RegistrationHint, 0x80090006, Registration Hint was not signed with the associated private key whose public key was registered with the SMSID (GUID:D56FFACE-0966-48D3-ADCF-68EB4A64F746). MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)

We have double-checked the MP certificate and even recreated it, but can't seem to get the machines in Domain B to stop throwing errors. If we bind the old MP cert in IIS, the machines in Domain B start working again. Do these errors point to an MP cert issue, or is it possibly higher up the chain?

In addition to the client errors, if a machine needs software it will create a folder under ccmcache like aj.work but not download any content.

The MP cert is SHA-256 with a subject alternative name using both the short name and the FQDN.

Any help would be greatly appreciated.

Thanks,
Renae Mead
DTMB IS OA Enterprise Services
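Troy's question (does the certificate path validate on the MP?) turned into a repeatable check; this is an added example, not code from the thread. The first function runs elevated on the management point, builds the chain for the certificate in the machine Personal store, reports which root it terminates at, and checks the SAN and Server Authentication EKU; the second runs on a Domain B client and confirms that same root is in its machine Root store. The thumbprint and FQDN values are placeholders.

```powershell
# Added example (not from the thread). Run elevated on the management point; the thumbprint
# and FQDN below are placeholders for the cert bound in IIS and the MP's FQDN.
function Test-MpCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint,
          [Parameter(Mandatory)][string]$MpFqdn)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # Build the chain from the machine stores with online revocation checking, as the MP does.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)

    # The last element is the root the chain ended at; it must be in LocalMachine\Root here and
    # its thumbprint must match a root listed under the site's Trusted Root Certificate Authorities.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # The SAN (OID 2.5.29.17) must contain the FQDN clients resolve the MP by.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

    [pscustomobject]@{
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        ChainBuilds    = $chainOk
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        RootInStore    = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
        SanHasFqdn     = $sanText -match [regex]::Escape($MpFqdn)
        ServerAuthEku  = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
        HasPrivateKey  = $cert.HasPrivateKey
    }
}

# Run on a Domain B client with the RootThumbprint reported above. A root missing from the
# client's machine Root store is one cause consistent with the LocationServices errors in the
# thread (MP message signature cannot be verified), so this is worth ruling out first.
function Test-ClientTrustsRoot {
    param([Parameter(Mandatory)][string]$RootThumbprint)
    [pscustomobject]@{
        RootInMachineRoot = Test-Path "Cert:\LocalMachine\Root\$RootThumbprint"
        ClientAuthCerts   = @(Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' }).Count
    }
}

Test-MpCertificate -Thumbprint 'REPLACE_WITH_MP_CERT_THUMBPRINT' -MpFqdn 'HCS084SCCMxxxx.fqdn' | Format-List
```

Compare RootThumbprint from the MP output against the roots listed in the site's Trusted Root Certificate Authorities and against Test-ClientTrustsRoot on a failing Domain B client; a mismatch on either side localizes the problem above the MP cert itself.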