Hi folks, Jagat Singh Kathiar here from the Configuration Manager team with another support tip for you. Implementation of a Microsoft PKI with Configuration Manager has been very popular so I thought it would be worth sharing an issue I came across a few weeks back where System Center 2012 Configuration Manager (ConfigMgr 2012) clients were not getting registered when the Site Server was configured for SSL (HTTPS only mode).
In my scenario the ConfigMgr site was configured for “HTTPS only” mode, with what appeared to be the appropriate certificates in the computer’s Personal certificate store on both the Site Server and the clients. However, the clients were not getting registered and were logging 80092004 and 0x87d00215 errors in ClientIDManagerStartup.log.
We also found 80092004 and 0x87d00231 errors in CcmMessaging.log.
These errors generally mean that some object cannot be found, and in this case it was clear that the client was unable to find a suitable certificate.
We knew at this point that it was certificate related, and after doing a little more investigating we found that there were two Enterprise Certificate Authorities (CAs) in the environment. We checked the certificates again and discovered that our problem was due to the fact that the client had a certificate issued by one of the CAs and the Site Server was configured to use a certificate from the other.
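To spot this kind of mismatch without opening each certificate by hand, here is an added PowerShell example (it is not from the original post and not part of the Configuration Manager product). It lists the certificates in the local computer’s Personal store that carry a Client Authentication or Server Authentication EKU, builds the chain for each one locally, and reports the root CA it chains to. Run it on a client and on the Site Server and compare the RootThumbprint values; two different roots is exactly the situation described above. The function names Get-MatchingEkuNames and Get-RootCaForCertificate are my own.

```powershell
# Added example, not from the original post: report which root CA each
# client/server authentication certificate in the computer's Personal store
# chains to. Run on a client and on the Site Server, then compare RootThumbprint.

# EKU OIDs that matter for ConfigMgr HTTPS communication.
$interestingEkus = @{
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
}

# Return the friendly names of the interesting EKUs present on a certificate.
function Get-MatchingEkuNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($interestingEkus.ContainsKey($oid.Value)) { $names += $interestingEkus[$oid.Value] }
            }
        }
    }
    return $names
}

# Build the chain locally (no online revocation lookup) and return its top element.
function Get-RootCaForCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)
    $last  = $chain.ChainElements.Count - 1
    # If no chain could be built at all, fall back to the certificate itself.
    $root  = if ($last -ge 0) { $chain.ChainElements[$last].Certificate } else { $Certificate }
    [pscustomobject]@{
        ChainBuilt     = $built
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        # Empty when the chain is healthy; otherwise e.g. PartialChain or UntrustedRoot.
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ((Get-MatchingEkuNames -Certificate $_).Count -gt 0) } |
    ForEach-Object {
        $info = Get-RootCaForCertificate -Certificate $_
        [pscustomobject]@{
            Subject        = $_.Subject
            Issuer         = $_.Issuer
            EKU            = ((Get-MatchingEkuNames -Certificate $_) -join ', ')
            NotAfter       = $_.NotAfter
            Thumbprint     = $_.Thumbprint
            RootSubject    = $info.RootSubject
            RootThumbprint = $info.RootThumbprint
            ChainBuilt     = $info.ChainBuilt
            ChainStatus    = $info.ChainStatus
        }
    } | Format-List
```

Run it from an elevated PowerShell prompt (Windows PowerShell 3.0 or later for the [pscustomobject] syntax). A ChainStatus of PartialChain or UntrustedRoot on the client, or a RootThumbprint that differs between the client and the Site Server, points at the two-CA problem rather than at the ConfigMgr configuration itself.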
When you configure ConfigMgr 2012 for SSL/HTTPS, it is recommended that you either use the same CA for the server and the clients or, if that’s not possible, that you add the Root CA certificates of both (or all) CAs under the Trusted Root Certification Authorities option on the Client Computer Communication tab of the site properties on the Configuration Manager server.
To check the Root CA used in Configuration Manager, connect to the Configuration Manager console and open the Properties for the site in question.
From there go to the Client Computer Communication tab. When you configure a site for HTTPS only mode you will see “Root CA specified” under Trusted Root Certification Authorities. By default this option doesn’t contain any issuer certificate, but as soon as the site is configured for HTTPS only mode it loads the certificate of the Certificate Authority that issued the Site Server’s certificate.
Just for reference, below is what that same tab looks like when the site is not configured for SSL (this is the default setting).
Summary
Keeping all of this in mind, here are a few ways you can ensure that this issue doesn’t occur in your environment:
1. Issue certificates to the site server and the clients using the same Certificate Authority (Recommended).
2. Alternatively, you could keep both (or multiple) Root CA certificates in the “Trusted Root Certificate Authority” setting on the Site’s Properties –> Client Computer Communication tab. Note that in this case, since the CA for the client certificate is different, you must export the Root CA certificate from the alternate CA that the client is using in .cer format and then import it via the same Trusted Root Certificate Authorities option on the Client Computer Communication tab on the ConfigMgr server.
3. Although not recommended, you could also leave the Trusted Root Certification Authorities setting on the Client Computer Communication tab empty. This skips ConfigMgr’s own trusted root check, but it assumes that the Trusted Root certificates are otherwise properly deployed to the clients and servers in the environment.
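As an added example (not from the original post), the following PowerShell covers the mechanics behind options 2 and 3: it exports a root CA certificate from the local computer’s Trusted Root store as a DER-encoded .cer file, which is the format the Trusted Root Certification Authorities import dialog takes, and it checks whether a given root is present in a machine’s Trusted Root store, which is what option 3 silently relies on. The function names Export-RootCaCertificate and Test-RootCaTrusted, the thumbprint and the output path are my own placeholders; replace them with your values.

```powershell
# Added example, not from the original post. Export a root CA certificate as a
# DER .cer for import into the site's Trusted Root Certification Authorities
# list, and check whether a root is trusted on the local machine.

$rootThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'   # placeholder, e.g. from the client's chain
$outFile        = 'C:\Temp\ClientRootCA.cer'          # placeholder output path

# Normalise a thumbprint the way the Cert: provider stores it (uppercase, no spaces).
function ConvertTo-NormalizedThumbprint {
    param([string]$Thumbprint)
    return ($Thumbprint -replace '\s', '').ToUpper()
}

# True when a certificate with this thumbprint is in LocalMachine\Root.
# Run on the Site Server (and a client) before relying on option 3.
function Test-RootCaTrusted {
    param([string]$Thumbprint)
    $wanted = ConvertTo-NormalizedThumbprint -Thumbprint $Thumbprint
    $hit = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $wanted }
    return [bool]$hit
}

# Export the root CA certificate (public part only) as a DER-encoded .cer file
# and read it back to confirm the file holds the expected certificate.
function Export-RootCaCertificate {
    param(
        [string]$Thumbprint,
        [string]$Path
    )
    $wanted = ConvertTo-NormalizedThumbprint -Thumbprint $Thumbprint
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $wanted } | Select-Object -First 1
    if (-not $root) { throw "No certificate with thumbprint $wanted in Cert:\LocalMachine\Root" }
    if ($root.Subject -ne $root.Issuer) { throw "Certificate $wanted is not self-signed; expected a root CA" }

    # X509ContentType::Cert writes the bare DER certificate without any private key.
    $bytes = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $dir = Split-Path -Path $Path -Parent
    if ($dir -and -not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    [System.IO.File]::WriteAllBytes($Path, $bytes)

    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($check.Thumbprint -ne $root.Thumbprint) { throw "Exported file does not match the source certificate" }
    return $check
}

if (Test-RootCaTrusted -Thumbprint $rootThumbprint) {
    $exported = Export-RootCaCertificate -Thumbprint $rootThumbprint -Path $outFile
    "Exported {0} ({1}) to {2}" -f $exported.Subject, $exported.Thumbprint, $outFile
} else {
    "Root CA $rootThumbprint is not in this machine's Trusted Root store."
}
```

Run the export on a client that trusts the second CA (its root must already be in LocalMachine\Root for the client’s own chain to build), copy the .cer to the Site Server and import it through the Trusted Root Certification Authorities option on the Client Computer Communication tab. The export uses the .NET X509Certificate2.Export method rather than the Export-Certificate cmdlet so it also works on older Windows versions that lack the PKI module.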
For more information on configuring certificates in System Center 2012 Configuration Manager (and R2), please see the following:
PKI Certificate Requirements for Configuration Manager: http://technet.microsoft.com/en-us/library/gg699362.aspx
Jagat Singh Kathiar | Sr. Technical Lead | Microsoft