SCCM Client Management 2 separate domains with two-way trust

Blacksuit 46 Reputation points
2022-02-15T01:36:11.1+00:00

I am trying to manage a 2nd domain, separate forest with two-way domain trust but I cannot install the SCCM Client.

Setup:
Domain A (SCCM Server, etc.)
PKI CA configuration
SCCM CB with HTTPS communication

Domain A is working fine and has been for over a year.

We set up a two-way trust with Domain B
Added DNS secondary zones between both domains
Established site to site VPN and routing. I can ping and RDP to either domain from either domain.
Added Domain A SCCM Service accounts to a security group on Domain B for necessary permissions to manage the client.
Extended the Schema on Domain B and imported the PKI CA from Domain A into Domain B for Cross-Forest PKI implementation.
Domain B does not have CA
Added Domain B to the hierarchy configuration in SCCM; I can see users and computers imported from AD on Domain B.
I push client install to a couple of machines for testing but they fail.

CCMSetup Error Snippet:

Sending message body '<ContentLocationRequest SchemaVersion="1.00"  BGRVersion="1">
  <AssignedSite SiteCode="111"/>
  <ClientPackage RequestForLatest="0" DeploymentFlags="4098"/>
  <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0">
    <ADSite Name="Domain.B"/>
    <Forest Name="Domain.B"/>
    <Domain Name="Domain.B"/>
<IPAddresses><IPAddress SubnetAddress="172.16.1.0" Address="172.16.1.238"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1" DnsSuffix="" Description="Realtek PCIe GBE Family Controller" /></Adapters>  </ClientLocationInfo>
</ContentLocationRequest>
'   ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
Sending location request to 'SCCM.Domain.A' with payload '<ContentLocationRequest SchemaVersion="1.00"  BGRVersion="1">
  <AssignedSite SiteCode="111"/>
  <ClientPackage RequestForLatest="0" DeploymentFlags="4098"/>
  <ClientLocationInfo LocationType="SMSPACKAGE" DistributeOnDemand="0" UseProtected="0" AllowCaching="0" BranchDPFlags="0" AllowHTTP="1" AllowSMB="0" AllowMulticast="0" UseAzure="1" DPTokenAuth="1" UseInternetDP="0">
    <ADSite Name="Domain.B"/>
    <Forest Name="Domain.B"/>
    <Domain Name="Domain.B"/>
<IPAddresses><IPAddress SubnetAddress="172.16.1.0" Address="172.16.1.238"/></IPAddresses><Adapters><Adapter Name="Ethernet" IfType="6" PhysicalAddressExists="1" DnsSuffix="" Description="Realtek PCIe GBE Family Controller" /></Adapters>  </ClientLocationInfo>
</ContentLocationRequest>
'   ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
IsSslClientAuthEnabled - Determining provisioning mode state failed with 80070002. Defaulting to state of 480.  ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
MapNLMCostDataToCCMCost() returning Cost 0x1    ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
Failed to connect to machine policy namespace. 0x8004100e   ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
Client is on internet   ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
Client is set to use webproxy if available. ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
Client is not allowed to use or doesn't have PKI cert while talking to HTTPS server.    ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
[CCMHTTP] ERROR: URL=https://SCCM.Domain.A/ccm_system/request, Port=0, Options=480, Code=0, Text=CCM_E_NO_CLIENT_PKI_CERT   ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
[CCMHTTP] ERROR INFO: StatusCode=200 StatusText=    ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
Failed (0x87d00454) to send location request to 'SCCM.Domain.A'. StatusCode 200, StatusText ''  ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
Failed to send location message to 'HTTPS://SCCM.Domain.A'. Status text ''  ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
GetDPLocations failed with error 0x87d00454 ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
Failed to get DP locations as the expected version from MP 'HTTPS://SCCM.Domain.A'. Error 0x87d00454    ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
Sending state '101'...  ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
Updating MDM_ConfigSetting.ClientDeploymentErrorCode with value 0   ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
Failed to get client version for sending state messages. Error 0x8004100e   ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
[] Params to send '5.0.9068.1008 Deployment Error: 0x0, '   ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
Sending Fallback Status Point message to 'SCCM.Domain.A', STATEID='101'.    ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
<ClientDeploymentMessage ErrorCode="0"><Client Baseline="1" BaselineCookie="" Platform="2" Langs=""/></ClientDeploymentMessage>   ccmsetup    2/14/2022 5:46:48 PM    12672 (0x3180)
State message with TopicType 800 and TopicId {7E7B1ABB-69EC-477A-B8AE-C55E383EBE6D} has been sent to the FSP    FSPStateMessage 2/14/2022 5:46:48 PM    12672 (0x3180)

I know it is a Cert issue but I do not know how to resolve it and I have used all my Goofu then Binged everywhere to no avail. Any guidance would be greatly appreciated!!

Thank you.

Microsoft Configuration Manager

10 additional answers

  1. Jason Sandys 31,146 Reputation points Microsoft Employee
    2022-02-16T19:10:27.873+00:00

    How are clients in domain B being issued PKI client auth certs?

    Can clients in domain B access the CRL for the PKI in domain A?


  2. Blacksuit 46 Reputation points
    2022-02-17T18:28:51.753+00:00

    I followed the steps for Cross Forest PKI so they should now be able to get PKI Client certs from Domain A. I was able to access via browser to the IIS on the CA from Domain B but when I try https://CAServer/CertEnroll, I get access denied.

    That helps me to at least look into that portion and perhaps once I figure that out, this will resolve my issue?


  3. Jason Sandys 31,146 Reputation points Microsoft Employee
    2022-02-17T18:35:48.367+00:00

    so they should now be able to get PKI Client certs from Domain A

    "Should be able to" and actually getting them are two different things. Have you validated that they are getting certs?

    https://CAServer/CertEnroll

    This URL is unrelated to the CRL. The CRL is listed in the certificate itself.


  4. Blacksuit 46 Reputation points
    2022-02-18T03:58:08.24+00:00

    Jason,

    Can you provide further instructions? I am not an expert with certificates. How can I confirm they can access the CRL? I assumed it was the URL to the CA...

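One way to check the two points raised in this thread from a Domain B client (whether the machine actually holds a valid client-authentication certificate, and whether the CRL distribution points embedded in that certificate are reachable). This is an added example, not code from the thread or from Microsoft; it assumes the client certificate lives in Cert:\LocalMachine\My and that the CDP extension contains HTTP URLs (LDAP CDPs are not tested).

```powershell
# Added example: validate client-auth cert presence and CRL reachability on a client.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ClientAuthCerts {
    # Only certs with a private key, not expired, carrying the Client Authentication EKU
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    }
}

function Get-CrlUrls([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    # CRL Distribution Points extension (OID 2.5.29.31); pull the http(s) URLs out of its text form
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'https?://\S+') | ForEach-Object { $_.Value.TrimEnd(')') }
}

function Test-CrlAccess([string]$url) {
    # Plain HTTP GET of the CRL; a 401/403/timeout here means the CRL check on the MP side will fail too
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $url; Reachable = $true;  Status = $r.StatusCode; Bytes = $r.RawContentLength }
    } catch {
        [pscustomobject]@{ Url = $url; Reachable = $false; Status = $_.Exception.Message; Bytes = 0 }
    }
}

$certs = @(Get-ClientAuthCerts)
if ($certs.Count -eq 0) {
    Write-Warning 'No valid client-auth certificate with a private key in LocalMachine\My (consistent with CCM_E_NO_CLIENT_PKI_CERT).'
}
foreach ($c in $certs) {
    "Cert: $($c.Subject)  Issuer: $($c.Issuer)  Expires: $($c.NotAfter)"
    # Building the chain with online revocation checking exercises the same CRL lookup the client relies on
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $ok = $chain.Build($c)
    "  Chain valid (with online revocation check): $ok"
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { "    $($_.Status): $($_.StatusInformation.Trim())" }
    }
    foreach ($u in (Get-CrlUrls $c)) { Test-CrlAccess $u | Format-Table -AutoSize }
}
```

Run it in an elevated PowerShell session on the failing Domain B client; if no certificate is listed, the problem is enrollment from the Domain A CA, and if the chain fails with a revocation status, the problem is CRL access.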