A quick web search will get you many articles on how to validate CRLs including this one: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/basic-crl-checking-with-certutil/ba-p/1128367.
SCCM Client Management 2 separate domains with two-way trust
I am trying to manage a second domain (a separate forest with a two-way domain trust), but I cannot install the SCCM client.
Setup:
Domain A (SCCM Server, etc.)
PKI CA configuration
SCCM CB with HTTPS communication
Domain A is working fine and has been for over a year.
We set up a two-way trust with Domain B
Added DNS secondary zones between both domains
Established site-to-site VPN and routing. I can ping and RDP to either domain from either domain.
Added Domain A SCCM service accounts to a security group on Domain B for the necessary permissions to manage the client.
Extended the schema on Domain B and imported the PKI CA from Domain A into Domain B for a cross-forest PKI implementation.
Domain B does not have a CA
Added Domain B into the hierarchy configuration on SCCM; I can see users and computers imported from AD on Domain B
I push client install to a couple of machines for testing but they fail.
CCMSetup Error Snippet:
Sending message body '<ContentLocationRequest SchemaVersion="1.00" BGRVersion="1">
<AssignedSite SiteCode="111"/>
<ClientPackage RequestForLatest="0" DeploymentFlags="4098"/>
<ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0">
<ADSite Name="Domain.B"/>
<Forest Name="Domain.B"/>
<Domain Name="Domain.B"/>
<IPAddresses><IPAddress SubnetAddress="172.16.1.0" Address="172.16.1.238"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1" DnsSuffix="" Description="Realtek PCIe GBE Family Controller" /></Adapters> </ClientLocationInfo>
</ContentLocationRequest>
' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Sending location request to 'SCCM.Domain.A' with payload '<ContentLocationRequest SchemaVersion="1.00" BGRVersion="1">
<AssignedSite SiteCode="111"/>
<ClientPackage RequestForLatest="0" DeploymentFlags="4098"/>
<ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0">
<ADSite Name="Domain.B"/>
<Forest Name="Domain.B"/>
<Domain Name="Domain.B"/>
<IPAddresses><IPAddress SubnetAddress="172.16.1.0" Address="172.16.1.238"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1" DnsSuffix="" Description="Realtek PCIe GBE Family Controller" /></Adapters> </ClientLocationInfo>
</ContentLocationRequest>
' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070002. Defaulting to state of 480. ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
MapNLMCostDataToCCMCost() returning Cost 0x1 ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed to connect to machine policy namespace. 0x8004100e ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Client is on internet ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Client is set to use webproxy if available. ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Client is not allowed to use or doesn't have PKI cert while talking to HTTPS server. ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
[CCMHTTP] ERROR: URL=https://SCCM.Domain.A/ccm_system/request, Port=0, Options=480, Code=0, Text=CCM_E_NO_CLIENT_PKI_CERT ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
[CCMHTTP] ERROR INFO: StatusCode=200 StatusText= ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed (0x87d00454) to send location request to 'SCCM.Domain.A'. StatusCode 200, StatusText '' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed to send location message to 'HTTPS://SCCM.Domain.A'. Status text '' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
GetDPLocations failed with error 0x87d00454 ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed to get DP locations as the expected version from MP 'HTTPS://SCCM.Domain.A'. Error 0x87d00454 ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Sending state '101'... ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 0 ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Failed to get client version for sending state messages. Error 0x8004100e ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
[] Params to send '5.0.9068.1008 Deployment Error: 0x0, ' ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
Sending Fallback Status Point message to 'SCCM.Domain.A', STATEID='101'. ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
<ClientDeploymentMessage ErrorCode="0"><Client Baseline="1" BaselineCookie="" Platform="2" Langs=""/></ClientDeploymentMessage> ccmsetup 2/14/2022 5:46:48 PM 12672 (0x3180)
State message with TopicType 800 and TopicId {7E7B1ABB-69EC-477A-B8AE-C55E383EBE6D} has been sent to the FSP FSPStateMessage 2/14/2022 5:46:48 PM 12672 (0x3180)
I know it is a cert issue but I do not know how to resolve it, and I have used all my Goofu then Binged everywhere to no avail. Any guidance would be greatly appreciated!!
Thank you.
-
Jason Sandys 31,316 Reputation points Microsoft Employee
2022-02-25T15:47:33.937+00:00
-
Jason Sandys 31,316 Reputation points Microsoft Employee
2022-02-16T19:10:27.873+00:00
How are clients in domain B being issued PKI client auth certs?
Can clients in domain B access the CRL for the PKI in domain A?
-
Blacksuit 46 Reputation points
2022-02-17T18:28:51.753+00:00
I followed the steps for cross-forest PKI, so they should now be able to get PKI client certs from Domain A. I was able to access the IIS on the CA from Domain B via a browser, but when I try https://CAServer/CertEnroll, I get access denied.
That helps me to at least look into that portion and perhaps once I figure that out, this will resolve my issue?
-
Jason Sandys 31,316 Reputation points Microsoft Employee
2022-02-17T18:35:48.367+00:00
so they should now be able to get PKI Client certs from Domain A
"Should be able to" and "actually are getting" are two different things. Have you validated that they are getting certs?
https://CAServer/CertEnroll
This URL is unrelated to the CRL. The CRL is listed in the certificate itself.
-
Blacksuit 46 Reputation points
2022-02-18T03:58:08.24+00:00
Jason,
Can you provide further instructions? I am not an expert with certificates. How can I confirm they can access the CRL? I assumed it was the URL to the CA...
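Added example, not posted by any participant in this thread: a PowerShell check, run on a Domain B client, for the two things asked about above: whether the machine actually holds a client-authentication certificate, and whether it can fetch the CRL URLs listed in that certificate's CRL Distribution Points extension. It assumes the cert is in LocalMachine\My and that certutil.exe and the PKI module cmdlets are available on the client.

```powershell
# Added example (not from the thread): verify a client-auth cert exists and its CRL is reachable.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$cdpOid        = '2.5.29.31'           # CRL Distribution Points extension

# Candidate certs: valid now, private key present, Client Authentication EKU.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
}
if (-not $certs) {
    Write-Warning 'No valid certificate with the Client Authentication EKU and a private key in LocalMachine\My.'
    return
}

foreach ($cert in $certs) {
    Write-Host "Checking $($cert.Subject) issued by $($cert.Issuer) (thumbprint $($cert.Thumbprint))"

    # Pull the CDP extension and extract the HTTP URLs the client must be able to reach.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
    if (-not $cdp) { Write-Warning '  No CRL Distribution Point extension.'; continue }
    $urls = [regex]::Matches($cdp.Format($true), 'https?://\S+') |
        ForEach-Object { $_.Value.TrimEnd(',', ')') }

    foreach ($url in $urls) {
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            Write-Host "  OK   $url ($($resp.Content.Length) bytes)"
        } catch {
            Write-Warning "  FAIL $url : $($_.Exception.Message)"
        }
    }

    # Let CryptoAPI repeat the walk, including the issuer chain and CRL signature checks.
    $cer = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $cer -Force | Out-Null
    & certutil.exe -verify -urlfetch $cer 2>&1 |
        Select-String -Pattern 'Revocation|CRL|ERROR|Failed' |
        ForEach-Object { Write-Host "  certutil: $($_.Line.Trim())" }
    Remove-Item $cer -ErrorAction SilentlyContinue
}
```

A cert that shows up only with LDAP CDP URLs, or whose HTTP URL fails here, explains a CCM_E_NO_CLIENT_PKI_CERT result: ccmsetup cannot complete revocation checking, so it refuses to present the cert to the HTTPS management point.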