PKI Certificate Setup

Matt Dillon 1,211 Reputation points
2021-05-21T18:02:18.513+00:00

Setting up PKI Certs for a new SCCM instance in an environment with a SCCM server set up with PKI. I followed the directions from here: https://www.windows-noob.com/forums/topic/16301-how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-2/

This is the 4th time I have followed these directions to a tee and the first time having an issue.

The Clients will not change to PKI. I get a bunch of errors that point to a certificate issue.

To start - on the Site Server MPCONTROL.log - I see the entry Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden

The WCM.log, SiteComp.log and MPSetup.log show no errors.

I verified on the Client side that the SCCM Client Certificate is listed.

The ClientIDManagerStartup.log shows a Client PKI cert available, but has RegTask: Failed to send registration request message. Error: 0x87d00231 and RegTask: Failed to send registration request. Error: 0x87d00231 listed over and over.

On the Site Server, I tried going to https://serverfqdn/SMS_MP/.SMSAUT?MPLIST and it prompts me to choose one of two certs.

I ran the netsh show http sslcert command and it does not show the 0.0.0.0:443 entry - only the 8531 entry.

I am almost certain this is an old cert issue, but have not been able to figure out the solution. (attachment: mpcontrol.log)

Microsoft Configuration Manager

Accepted answer
  1. HanyunZhu-MSFT 1,836 Reputation points
    2021-05-27T06:27:13.24+00:00

    Hi,

    As you mentioned before, we can first try the following steps to change the port WSUS uses from 8531 to 443:

    1. Open a command prompt on the WSUS server, and go under "c:\program files\update services\tools"
      Command: cd c:\program files\update services\tools
    2. Run the command as below; this command will change the WSUS website to use port 443.
      Command: wsusutil usecustomwebsite false
      Then run the following command to confirm that the return value becomes https://<servername>:443
      Command: wsusutil configuressl <server name>
      (screenshot attached)
      Then we can use the netsh http show sslcert command to check whether the result shows the 443 entry.

    After that, we can run the following telnet command on the client side to check if the client can access the site via port 443
    Command: telnet <host> [<port>]
    For example: telnet 192.168.22.1 443

    And to check the client certificate, open certlm.msc, find the certificate with Client Authentication, and check whether the certificate meets the requirements.
    For the detailed requirements, please refer to the "PKI certificates for clients" part in this article:
    https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/network/pki-certificate-requirements#BKMK_PKIcertificates_for_clients

    What's more, I found an article that has a similar error to the log you provided; you can try it for troubleshooting:
    https://www.syswow64.co.uk/2016/03/sccm-client-certificate-pki-value-is.html
    Note: This is not from MS, just for your reference.

    Hope the information can be helpful to you.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


3 additional answers

  1. Pavel yannara Mirochnitchenko 11,411 Reputation points
    2021-05-24T18:11:32.623+00:00

    When you swap from http or https to https only, the site server actually performs re-install of components. That was my mistake at the very beginning, I didn't let it calm down.

    Check first that the client can access the main IIS site via port 443. Also check the client cert path and its validation.

    If your site server components are all green, and client cert status is OK, start looking at client logs like clientauth, ccmmessaging, clientstartID etc. Also check your ccm client has changed to PKI.

    1 person found this answer helpful.
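Added illustration (not code from this thread or from Microsoft): a PowerShell script that automates the checks the accepted answer and the answer above both describe, i.e. whether HTTP.SYS has an SSL binding on 0.0.0.0:443, whether the client can reach the management point on TCP 443 (the answer's telnet test), and whether the machine store holds a certificate with the Client Authentication EKU whose chain builds. It assumes Windows PowerShell 5.1 on a domain-joined machine; the management point name `mp.example.local` is a placeholder you replace with your own.

```powershell
# Added diagnostic script for the thread's symptoms; it only reads state and
# changes nothing. $MpFqdn is a placeholder, replace it with your MP's FQDN.
param(
    [string]$MpFqdn = 'mp.example.local'   # hypothetical value
)

# 1. Site server side: is there an SSL certificate bound to 0.0.0.0:443 in
#    HTTP.SYS? The question reported only an 8531 (WSUS) entry here.
function Test-SslBinding443 {
    $out = netsh http show sslcert ipport=0.0.0.0:443 2>&1
    $bound = (($out | ForEach-Object { "$_" }) -join "`n") -match 'Certificate Hash'
    [pscustomobject]@{
        Check  = 'HTTP.SYS SSL binding on 0.0.0.0:443'
        Pass   = $bound
        Detail = (($out | Select-Object -First 8 | ForEach-Object { "$_" }) -join '; ')
    }
}

# 2. Client side: plain TCP reachability to the MP on 443, the same thing the
#    answer's "telnet <host> 443" shows, without needing the telnet client.
function Test-MpPort443 {
    param([string]$Fqdn)
    $r = Test-NetConnection -ComputerName $Fqdn -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Check  = "TCP ${Fqdn}:443"
        Pass   = $r.TcpTestSucceeded
        Detail = "RemoteAddress=$($r.RemoteAddress)"
    }
}

# 3. Client side: list machine certificates that carry the Client Authentication
#    EKU (OID 1.3.6.1.5.5.7.3.2), have a private key, and whose chain validates
#    with online revocation checking (the "cert path and its validation" check).
function Get-ClientAuthCertReport {
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = $false
        if ($ekuExt) {
            $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        }
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEKU = $hasClientAuth
            ChainBuilds   = $chainOk
            ChainStatus   = $status      # empty when the chain is clean
        }
    }
}

Test-SslBinding443 | Format-List
Test-MpPort443 -Fqdn $MpFqdn | Format-List
Get-ClientAuthCertReport | Where-Object { $_.ClientAuthEKU } | Format-Table -AutoSize
```

Run the first function on the site server and the other two on a client that fails to register. A client certificate that shows ClientAuthEKU True but ChainBuilds False (typically with RevocationStatusUnknown or PartialChain in ChainStatus) points at the CA chain or CRL reachability rather than at the management point binding.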

  2. HanyunZhu-MSFT 1,836 Reputation points
    2021-05-24T09:55:17.933+00:00

    @Matt Dillon

    Thanks for posting in Microsoft Q&A forum.

    According to the log you provided, it has successfully performed MP availability checks.
    (screenshot of the log attached)

    It seems that we've done a lot of research and performed some trouble-shooting steps to find out the root cause. For this problem, to move on, we may need some additional information. Could you help to share CcmMessaging.log (with sensitive information masked to view)?


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  3. Matt Dillon 1,211 Reputation points
    2021-05-27T21:32:42.433+00:00

    I ended up just setting up Enhanced HTTP. I copied your notes and may suggest we try it again.
