Problem managing DMZ servers

Hello all,

I've got an SCCM 2012 R2 deployment with which I successfully manage a whole bunch of servers in the internal LAN (all domain joined).

I'm now looking to also manage my DMZ servers with this same deployment.

To accomplish this, I've deployed an additional server (also on the internal LAN and domain joined) and installed the MP and DP roles on it.

I've configured these 2 roles to listen on HTTPS.

On my site settings, I've checked the box to use PKI client certificate when available and imported the Root CA from our AD DS Certificate server.

The firewall team has allowed communication from the DMZ range to the newly created site system over ports 80 and 443.

On my Certificate Server, I created a certificate with purpose of Server and Client authentication.
The properties that I've filled in on the certificate are Common Name and DNS name.

I then manually imported this certificate in the personal computer store of the server I want to manage and the CA certificate into the Trusted Root CA computer store.

Within the SCCM Console I also created a boundary group and corresponding boundary for the DMZ range.
I set the newly created site system as content server for that boundary group.

On the DMZ server, I also updated the hosts & LMHosts file with the proper entries to point to the newly created site system.

After that, I was ready to install the client, and I did so with the following command line:

ccmsetup /usePKICert /NOCRLCheck SMSSITECODE=CLD SMSMP=Sitesystem.domain.infra

The LocationServices log shows the following:

Assigning to site 'CLD' LocationServices 24/02/2014 7:44:36 2392 (0x0958)
LSIsSiteCompatible : Verifying Site Compatibility for <CLD>
Retrieved MP [Sitesystem.domain.infra] from Registry LocationServices 24/02/2014 7:44:36 2392 (0x0958)
Attempting to retrieve site information from lookup MP(s) via HTTPS LocationServices 24/02/2014 7:44:36 2392 (0x0958)
Failed to send site information Location Request Message to Sitesystem.domain.infra LocationServices 24/02/2014 7:44:36 2392 (0x0958)
LSIsSiteCompatible : Failed to get Site Version from all directories LocationServices 24/02/2014 7:44:36 2392 (0x0958)

The ClientIDManagerStartup log shows the following:
RegTask: Failed to refresh site code. Error: 0x8000ffff ClientIDManagerStartup 23/02/2014 21:20:00 2392 (0x0958)

The CcmMessaging.log shows the following:

Here is where I'm a bit surprised. Even though the client should try to connect over HTTPS, I see in this log that it only tries HTTP.

Successfully sent location services HTTP failure message. CcmMessaging 24/02/2014 7:27:13 444 (0x01BC)
Post to http://Sitesystem.domain.infra/ccm_system/request failed with 0x87d00231. CcmMessaging 24/02/2014 7:27:13 444 (0x01BC)
[CCMHTTP] ERROR: URL=http://sitesystem.domain.INFRA/ccm_system/request, Port=80, Options=448, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE CcmMessaging 24/02/2014 7:34:59 2392 (0x0958)
Raising event:
instance of CCM_CcmHttp_Status
{
 DateTime = "20140224063459.629000+000";
 HostName = "sitesystem.domain.INFRA";
 HRESULT = "0x87d0027e";
 ProcessID = 2432;
 StatusCode = 403;
 ThreadID = 2392;
};
 CcmMessaging 24/02/2014 7:34:59 2392 (0x0958)

When I go into Control Panel and open the Configuration Manager Applet, then it shows as follows:

http://1drv.ms/MnkXSh

I was expecting that it would say "Client certificate: PKI" there, as I installed the client with a command line that specifically instructs it to use the PKI certificate.

Can anyone help me on my way in finding out what I've missed?

Many thanks in advance!

Filip



February 24th, 2014 2:01am
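The log excerpts above are the most useful evidence in the post, so here is an added example (written for this page, not code from the thread or from Microsoft) that parses lines in the flattened layout shown above and reports which scheme, host and port each request actually used. It assumes the layout that CMTrace copies to the clipboard ("message Component dd/MM/yyyy H:mm:ss thread (0xthread)"); the raw .log files on disk use a different `<![LOG[...]LOG]!>` wrapper and are not handled here. The sample lines are constructed from the ones quoted in the post.

```powershell
# Added example, not part of the thread: parse ConfigMgr client log lines in the
# flattened layout pasted above and list the scheme/host/port of every request.
# Assumption: lines look like "message Component dd/MM/yyyy H:mm:ss thread (0xthread)",
# i.e. the CMTrace copy layout, not the raw <![LOG[...]LOG]!> file format.

# Constructed sample: the lines quoted in the post.
$sampleLines = @'
Attempting to retrieve site information from lookup MP(s) via HTTPS LocationServices 24/02/2014 7:44:36 2392 (0x0958)
Failed to send site information Location Request Message to Sitesystem.domain.infra LocationServices 24/02/2014 7:44:36 2392 (0x0958)
Post to http://Sitesystem.domain.infra/ccm_system/request failed with 0x87d00231. CcmMessaging 24/02/2014 7:27:13 444 (0x01BC)
[CCMHTTP] ERROR: URL=http://sitesystem.domain.INFRA/ccm_system/request, Port=80, Options=448, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE CcmMessaging 24/02/2014 7:34:59 2392 (0x0958)
'@ -split "`r?`n" | Where-Object { $_.Trim() }

# Trailer = component, date, time, decimal thread id, hex thread id.
$TrailerPattern = '^(?<Message>.*?)\s+(?<Component>\S+)\s+(?<Date>\d{1,2}/\d{1,2}/\d{4})\s+(?<Time>\d{1,2}:\d{2}:\d{2})\s+(?<Thread>\d+)\s+\((?<ThreadHex>0x[0-9A-Fa-f]+)\)\s*$'

function ConvertFrom-CcmLogLine {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ($Line -notmatch $TrailerPattern) { return }
        # Copy the captures before the next -match replaces $Matches.
        $message   = $Matches.Message
        $component = $Matches.Component
        $stamp     = '{0} {1}' -f $Matches.Date, $Matches.Time
        $thread    = [int]$Matches.Thread

        $scheme = $hostName = $port = $hresult = $null
        if ($message -match '(?<Scheme>https?)://(?<HostName>[^/\s,]+)') {
            $scheme   = $Matches.Scheme.ToLower()
            $hostName = $Matches.HostName.ToLower()
        }
        if ($message -match 'Port=(\d+)')             { $port    = [int]$Matches[1] }
        if ($message -match '\b(0x[0-9A-Fa-f]{8})\b') { $hresult = $Matches[1] }

        [pscustomobject]@{
            Timestamp = [datetime]::ParseExact($stamp, 'dd/MM/yyyy H:mm:ss', [cultureinfo]::InvariantCulture)
            Component = $component
            Thread    = $thread
            Scheme    = $scheme
            HostName  = $hostName
            Port      = $port
            HResult   = $hresult
            Message   = $message
        }
    }
}

function Get-PlaintextPosts {
    # Requests that went out as http:// are the first thing to explain when the
    # MP and DP roles were configured for HTTPS only, as in the post.
    param([object[]]$Entries)
    $Entries | Where-Object { $_.Scheme -eq 'http' }
}

$entries = $sampleLines | ConvertFrom-CcmLogLine
$entries | Format-Table Timestamp, Component, Scheme, HostName, Port, HResult -AutoSize
Get-PlaintextPosts -Entries $entries | ForEach-Object {
    'PLAINTEXT: {0} {1}://{2} hresult={3}' -f $_.Timestamp.ToString('s'), $_.Scheme, $_.HostName, $_.HResult
}
```

To run it against a real log, replace `$sampleLines` with `Get-Content` of a CMTrace-copied export; the two `Post to http://...` and `[CCMHTTP] ERROR: URL=http://...` lines are the ones that show the client falling back to port 80 despite the `/usePKICert` switch.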

You should find an error in the ccmsetup.log because of the certificate problem. Your screenshot clearly shows that there is a problem with the certificate.

Have you checked this:
http://technet.microsoft.com/en-us/library/gg699362.aspx

to see whether your certificate is valid for use with SCCM?

February 24th, 2014 3:11am

Hello Martin,

I've checked the ccmsetup.log, but no errors related to the certificate can be found in there.

The certificate template I've used to generate the certificates for the site server and client is based off my Operations Manager 2012 certificate template (for gateway servers).

It contains both client and server authentication as intended purpose and has the compatibility setting set to Windows Server 2003.

So in my opinion it should be compatible for use with SCCM, no?

Kind regards,

Filip

February 24th, 2014 3:39am

I've checked the certificate on the server and when I navigate to the details tab of the certificate, then it shows: Version: V3

The link which you placed in your post reads the following:

When you use an enterprise certification authority and certificate templates, do not use the version 3 templates. These certificate templates create certificates that are incompatible with Configuration Manager. Instead, use version 2 templates by using the following instructions:

  • For a CA on Windows Server 2012: On the Compatibility tab of the certificate template properties, specify Windows Server 2003 for the Certification Authority option, and Windows XP / Server 2003 for the Certificate recipient option.

I've double-checked my template and it is set up the way that article describes.

Why doesn't my certificate get deployed with a version number of 2 then?

Thanks!

Filip

February 24th, 2014 3:50am

When you duplicate a certificate template, you should be asked if you want to use Server 2000 (I don't recall the exact words) or to use the next-gen certificate (Server 2008). You have to choose Server 2000, not Server 2008, for your template.
February 24th, 2014 4:00am

Hello Martin,

Server 2000 is not an option in the list.

Server 2003 is the oldest version you can select.

In my current template I have selected 2003 and XP/2003 as outlined in the Microsoft documentation, and it still shows as v3.

February 24th, 2014 4:11am

Have you duplicated the "Computer" certificate template? If you have duplicated the Workstation one, that would be V3, but the Computer one is a V1 template.

You can look at the Version Number in the CA Template Manager.

February 24th, 2014 4:17am

Hello Martin,

I had previously duplicated the Workstation Authentication template, but have now used the Computer template as you suggested.

I've deployed a certificate from it, but it still shows as V3.

http://1drv.ms/MnEr9C

Is this maybe not the right place to check the version of the certificate?

February 24th, 2014 4:55am
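The thread ends on the question of where the template version should be checked, and the earlier reply asks whether the certificate is valid for SCCM at all. Both can be answered from the certificate itself, so here is an added example (editor's code, not from the thread or from Microsoft) that inspects every certificate in the computer's Personal store for the properties the setup in the first post needs (Client and Server Authentication EKU, the site system's FQDN in the SAN, a private key, a chain to a trusted root) and reads the template information. The `Version: V3` on the Details tab is the X.509 format version, which is V3 for every certificate an AD CS CA issues; the template schema version (1, 2 or 3) is the `msPKI-Template-Schema-Version` attribute of the template object in Active Directory, which the script looks up by the template OID or name found in the certificate. The FQDN is a placeholder taken from the thread, and the AD lookup uses ADSI, so that part only works on a domain-joined machine such as the CA, not on the DMZ host.

```powershell
# Added example, not part of the thread: check certificates in Cert:\LocalMachine\My
# against the ConfigMgr PKI requirements described in the post and show where the
# template version really lives. $ExpectedFqdn is a placeholder; the AD lookup
# needs a domain-joined machine (e.g. the CA), not the DMZ server.

$ExpectedFqdn = 'sitesystem.domain.infra'   # placeholder taken from the thread

$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'
$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'
$SanOid          = '2.5.29.17'
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

function Get-CertificateTemplateInfo {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $info   = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    $name   = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateNameOid }
    $result = [ordered]@{ TemplateOid = $null; TemplateName = $null; SchemaVersion = $null }

    if ($info) {
        # Format() renders "Template=<name>(<oid>), Major Version Number=..., Minor Version Number=..."
        # (the name part is omitted when Windows cannot resolve the OID locally).
        if ($info.Format($false) -match 'Template=(?:(?<Name>[^(,]+)\()?(?<Oid>[\d.]+)') {
            $result.TemplateOid  = $Matches.Oid
            $result.TemplateName = $Matches.Name
        }
    } elseif ($name) {
        $result.TemplateName = $name.Format($false).Trim()
    }

    # The schema version (1 = Win2000, 2 = Server 2003, 3 = Server 2008 templates) is an
    # attribute of the template object in the Configuration partition, not of the certificate.
    try {
        $rootDse  = [ADSI]'LDAP://RootDSE'
        $configNc = $rootDse.Properties['configurationNamingContext'][0]
        $root     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $filter = "(cn=$($result.TemplateName))"
        if ($result.TemplateOid) { $filter = "(msPKI-Cert-Template-OID=$($result.TemplateOid))" }
        $searcher.Filter = $filter
        $found = $searcher.FindOne()
        if ($found) {
            $result.SchemaVersion = [int]$found.Properties['mspki-template-schema-version'][0]
            if (-not $result.TemplateName) { $result.TemplateName = [string]$found.Properties['cn'][0] }
        }
    } catch {
        $result.SchemaVersion = "lookup failed: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

function Test-CMClientCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Fqdn
    )
    process {
        $eku     = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object Value })
        $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        $sanText = if ($san) { $san.Format($false) } else { '' }

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # same effect as /NOCRLCheck on ccmsetup
        $chainOk = $chain.Build($Cert)

        [pscustomobject]@{
            Subject       = $Cert.Subject
            Thumbprint    = $Cert.Thumbprint
            X509Version   = $Cert.Version                 # the "V3" shown on the Details tab
            HasPrivateKey = $Cert.HasPrivateKey
            ClientAuthEku = $ekuOids -contains $ClientAuthOid
            ServerAuthEku = $ekuOids -contains $ServerAuthOid
            SanHasFqdn    = [bool]($sanText -match [regex]::Escape($Fqdn))
            ChainTrusted  = $chainOk
            ChainStatus   = (@($chain.ChainStatus | ForEach-Object Status) -join ', ')
            Template      = Get-CertificateTemplateInfo -Cert $Cert
        }
    }
}

Get-ChildItem Cert:\LocalMachine\My | Test-CMClientCertificate -Fqdn $ExpectedFqdn | Format-List
```

Run it on the server that holds the certificate to verify the EKU, SAN and chain, and on a domain member to resolve the schema version; a certificate that reports `X509Version : 3` but `SchemaVersion : 2` is exactly what the TechNet guidance quoted earlier in the thread asks for.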
