Hello all,
I've got an SCCM 2012 R2 deployment with which I successfully manage a whole bunch of servers in the internal LAN (all domain joined).
I'm now looking to also manage my DMZ servers with this same deployment.
To accomplish this, I've deployed an additional server (also on the internal LAN and domain joined) and installed the MP and DP role on it.
I've configured these 2 roles to listen to HTTPS.
On my site settings, I've checked the box to use PKI client certificate when available and imported the Root CA from our AD DS Certificate server.
The firewall team has allowed communication from the DMZ range to the newly created site system over ports 80 and 443.
On my Certificate Server, I created a certificate with purpose of Server and Client authentication.
The properties that I've filled in on the certificate are Common Name and DNS name.
I then manually imported this certificate in the personal computer store of the server I want to manage and the CA certificate into the Trusted Root CA computer store.
Within the SCCM Console I also created a boundary group and corresponding boundary for the DMZ range.
I set the newly created site system as content server for that boundary group.
On the DMZ server, I also updated the hosts & LMHosts file with the proper entries to point to the newly created site system.
After that, I was ready to install the client and I did so with the following cmdline:
ccmsetup /usePKICert /NOCRLCheck SMSSITECODE=CLD SMSMP=Sitesystem.domain.infra
The locationservices log shows the following:
Assigning to site 'CLD' LocationServices 24/02/2014 7:44:36 2392 (0x0958)
LSIsSiteCompatible : Verifying Site Compatibility for <CLD>
Retrieved MP [Sitesystem.domain.infra] from Registry LocationServices 24/02/2014 7:44:36 2392 (0x0958)
Attempting to retrieve site information from lookup MP(s) via HTTPS LocationServices 24/02/2014 7:44:36 2392 (0x0958)
Failed to send site information Location Request Message to Sitesystem.domain.infra LocationServices 24/02/2014 7:44:36 2392 (0x0958)
LSIsSiteCompatible : Failed to get Site Version from all directories LocationServices 24/02/2014 7:44:36 2392 (0x0958)
The ClientIDManagerStartup log shows the following:
RegTask: Failed to refresh site code. Error: 0x8000ffff ClientIDManagerStartup 23/02/2014 21:20:00 2392 (0x0958)
The CCMMessaging.log shows the following:
Here is where I'm a bit surprised. Even though the client should try to connect over HTTPS, I see in this log that it only tries on HTTP.
Successfully sent location services HTTP failure message. CcmMessaging 24/02/2014 7:27:13 444 (0x01BC)
Post to http://Sitesystem.domain.infra/ccm_system/request failed with 0x87d00231. CcmMessaging 24/02/2014 7:27:13 444 (0x01BC)
[CCMHTTP] ERROR: URL=http://sitesystem.domain.INFRA/ccm_system/request, Port=80, Options=448, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE CcmMessaging 24/02/2014 7:34:59 2392 (0x0958)
Raising event:
instance of CCM_CcmHttp_Status
{
DateTime = "20140224063459.629000+000";
HostName = "sitesystem.domain.INFRA";
HRESULT = "0x87d0027e";
ProcessID = 2432;
StatusCode = 403;
ThreadID = 2392;
};
CcmMessaging 24/02/2014 7:34:59 2392 (0x0958)
When I go into Control Panel and open the Configuration Manager Applet, then it shows as follows:
I was expecting that there it would say: "Client certificate: PKI" as I installed the client with a commandline that specifically instructs it to use the PKI certificate.
Can anyone help me on my way in finding out what I've missed?
Many thanks in advance!
Filip
- Edited by Filip Theyssens 5 hours 20 minutes ago
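A way to check, from the DMZ server, whether any certificate in the computer's personal store actually meets the client's PKI selection criteria (private key, Client Authentication EKU, valid chain to the imported root), and then to probe the MP's HTTPS endpoint with it. This is an added PowerShell example, not part of Filip's post; the site system name is a placeholder taken from the post and the MP test URL is the standard mplist one.

```powershell
# Added example: find LocalMachine\My certificates the ConfigMgr client could
# select for PKI, report why the others fail, then probe the MP over HTTPS.
# $Mp is a placeholder; replace it with the real site system FQDN.
$Mp = 'Sitesystem.domain.infra'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-CcmClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reasons = @()
    if (-not $Cert.HasPrivateKey) { $reasons += 'no private key' }
    if (-not ($Cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })) {
        $reasons += 'missing Client Authentication EKU'
    }
    # Build the chain against the computer's Trusted Root store; the CA certificate
    # imported on the DMZ server must make this succeed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # mirrors ccmsetup /NOCRLCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $reasons += "chain invalid: $status"
    }
    [pscustomobject]@{
        Subject  = $Cert.Subject
        DnsNames = (($Cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ',')
        NotAfter = $Cert.NotAfter
        Usable   = ($reasons.Count -eq 0)
        Problems = ($reasons -join '; ')
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-CcmClientCert $_ }
$results | Format-Table -AutoSize

# Probe the MP with the first usable certificate. A TLS handshake failure points at
# trust on either side; an HTTP 403 with the certificate presented points at the
# MP/IIS configuration rather than at the client's certificate selection.
$good = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Test-CcmClientCert $_).Usable } | Select-Object -First 1
if ($good) {
    try {
        $r = Invoke-WebRequest -Uri "https://$Mp/sms_mp/.sms_aut?mplist" `
                               -Certificate $good -UseBasicParsing
        "MP list over HTTPS answered with HTTP {0}" -f $r.StatusCode
    } catch { "HTTPS probe failed: $($_.Exception.Message)" }
} else {
    'No certificate in LocalMachine\My satisfies the client selection criteria.'
}
```

Run it in an elevated PowerShell on the DMZ server; if no certificate is reported as usable, the client will fall back to HTTP exactly as CCMMessaging.log shows.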