SMP SerializedSMPKey not being signed by site server
This one has me stumped.
I need some help debugging the signing process of a newly installed SMP's SerializedSMPKey. This works flawlessly in the lab, but nothing I do will work in production. I even let it bake over a weekend to see if it would fix itself, no luck.
Since the production environment is pretty tightly locked down, I suspect a GPO.
All other site roles are functional: MP, DP, SUP, PXE, OSD; clients are happy.
SMP installs fine, I see the three certs in the computer's SMS cert store (SMS signing, encryption and SMP Encrypt certs). The registry looks correct (HKLM\software\Wow6432Node\Microsoft\SMS\SMP\Statestore): the SerializedSMPKey is populated, but the SignedSerializedSMPKey is empty.
Mixed mode, SCCM 2007 R2 SP2 installed on x64 Server '08
The SMP is on its own x64 Server '08.
Does anyone know the process for the SerializedSMPKey to be signed and how can I determine where the process is failing?
November 26th, 2010 3:39pm
I would check the following logs:
SmpMSI.log
Smpmgr.log
Both located in:
<ConfigMgrInstallationPath>\Logs
I would also look at the status messages for the State Migration Point Role. As a test, I probably would try installing the SMP on the Primary Site Server.
November 27th, 2010 4:08am
This issue is mostly caused by the SCCM client certificates on the client PC not being correct. This is usually caused when moving a client from one site to another site, or when pushing the SCCM client from one site and then immediately moving and assigning the PC to a new site.
There are two ways to resolve the problem:
1) Repush the SCCM client to affected PCs from the new site. This will cause the SCCM client certificate to update to the new site's certificates.
2) When pushing the SCCM client from an old site with the intention of immediately moving and assigning it to a new site, add the option
RESETKEYINFORMATION=TRUE
to the installation properties of the SCCM client installation. This will force the SCCM client to update its certificates to those of the new site as part of the installation.
For more information, consult the following links:
About Configuration Manager Client Installation Properties
http://technet.microsoft.com/en-us/library/bb680980.aspx
Appendix B: SMS Certificate Infrastructure
http://technet.microsoft.com/tr-tr/library/cc179731(en-us).aspx
Hope it helps. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 29th, 2010 1:08am
Will, thanks for the reply.
Good idea to install on the site server, but it is exhibiting the same behavior, which would rule out a transport issue between the site server and the SMP.
SMP installed fine (no errors in logs); the SMP self-creates a certificate (visible in the computer's SMS certificate store).
smpmgr.log looks good.
The SMP is able to create the share (smpisapi.log happily creating the test directory and returning 200)
Things go awry when a client requests a State store:
From the smpisapi.log:
========== BEGIN: HttpExtensionProc ========== 11/29/2010 8:38:40 AM 16760 (0x4178)
Query string to parse: 'op=KeyInfo'. 11/29/2010 8:38:40 AM 16760 (0x4178)
SMP SignedSerializedKey is empty 11/29/2010 8:38:40 AM 16760 (0x4178)
StatusRequest::HandleMessage failed with errorcode (0x80040067) 11/29/2010 8:38:40 AM 16760 (0x4178)
Failed to process KEYINFO request for client 11/29/2010 8:38:40 AM 16760 (0x4178)
SMPRequestHandler::HandleMessage for StoreOp KEYINFO failed with server errorcode 103 11/29/2010 8:38:40 AM 16760 (0x4178)
Returning status "500 Internal Server Error" 11/29/2010 8:38:40 AM 16760 (0x4178)
========== END: HttpExtensionProc ========== 11/29/2010 8:38:40 AM 16760 (0x4178)
From the client smsts.log:
SMP request to "sccm01" failed with error: E_SMPERROR_ENCRYPTKEY_EMPTY (103) 11/29/2010 8:39:11 AM 4220 (0x107C)
The Component Status in the AdminUI reports the error:
SMS State Migration Point failed to read the SignedSerializedSMPKey from the registry on computer SCCM01. Possible reasons are SMP certificate is not yet signed by Site Server.
I checked the registry on the newly installed SMP (HKLM\Machine\Software\Wow6432Node\Microsoft\SMS\SMP\Statestore) and only the SignedSerializedSMPKey is empty.
I did some research, and this site was recovered and I'm wondering if the restore munged something which may be interfering with the signing process.
November 29th, 2010 8:57am
Thanks for the info. I am still investigating.
The clients seem to be ok, I have installed new clients to test the idea that the certs were old, but no luck.
It appears that the SMP's self generated certificate is not being signed by the central site.
I am looking into the SMS Certificate Infrastructure angle right now and this question may need to be moved from the OSD to the Setup/install forum.
November 29th, 2010 11:41am
As a test on my own test server, I noticed that the SignedSerializedSMPKey stays blank for exactly 5 minutes after the SMP finishes installing, then suddenly gets populated.
If you watch the smpmgr.log file after you install the SMP, you will see 3 lines together that say:
Set health check timer to 300 seconds
Set deletion timer to 86400 seconds
Set cleanup timer to 3600 seconds
300 seconds later (or 5 minutes), you should see something similar to the following:
HandleSMPRegistryChanges: RegQueryInfoKey succeeded. Number of SMP stores=1
RegOpenKeyEx succeeded for regkeypath SOFTWARE\MICROSOFT\SMS\SMP\STATESTORE\SMPSTOREH_B1665DA5
Directory H:\SMStore\SMPSTOREH_B1665DA5$ exists.
Creating share SMPSTOREH_B1665DA5$ succeeded
AllowSMPIsapiAccess succeeded for share H:\SMStore\SMPSTOREH_B1665DA5$.
SMPPeriodicActivityInterval = 1440 minutes
Handling SMP registry Changes succeeded.
Call to HttpSendRequestSync succeeded for port 80 with status code 200, text: OK
Health check operation succeeded
Also, you can see in the hman.log where it processes the certificates just below a line that reads:
Starting processing MP Certificates.
Below that you can actually read the certificates for the MP and then the SMP. I would expect an error there in your case. Such bad grammar for a log file!
If you think something internal to SCCM isn't working correctly, you might try a Site Reset:
How to Perform a Site Reset
http://technet.microsoft.com/en-us/library/bb694286.aspx
November 29th, 2010 11:46am
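An added diagnostic script (not from this thread or from Microsoft) that automates the checks the posts above walk through: the two Statestore registry values, the health-check timer lines in smpmgr.log, the certificate-processing entries in hman.log (only present when the SMP is on the site server, as in the test above), and the empty-key failures in smpisapi.log. The log directory is an assumption standing in for <ConfigMgrInstallationPath>\Logs.

```powershell
# Added example, not from the thread: run on the SMP server to check the symptoms
# discussed above (empty SignedSerializedSMPKey, health-check timer, hman.log signing).
# Assumption: $LogDir below is <ConfigMgrInstallationPath>\Logs on your server.
$RegPath = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SMS\SMP\Statestore'
$LogDir  = 'C:\Program Files (x86)\Microsoft Configuration Manager\Logs'

# 1. Registry: SerializedSMPKey must be populated and SignedSerializedSMPKey must not be empty.
$props = Get-ItemProperty -Path $RegPath -ErrorAction Stop
foreach ($name in 'SerializedSMPKey', 'SignedSerializedSMPKey') {
    $value  = $props.$name
    $length = if ($value -is [byte[]]) { $value.Length }
              elseif ($null -ne $value) { ([string]$value).Length }
              else { 0 }
    $state  = if ($length -gt 0) { 'populated' } else { 'EMPTY' }
    Write-Host ("{0,-24} {1} (length {2})" -f $name, $state, $length)
}

# 2. smpmgr.log: the health-check timer fires 300 s after install; the signed key
#    should be present by the first "Health check operation succeeded".
$smpmgr = Join-Path $LogDir 'smpmgr.log'
if (Test-Path $smpmgr) {
    Select-String -Path $smpmgr -Pattern 'Set health check timer', 'Health check operation succeeded', 'Handling SMP registry Changes' |
        Select-Object -Last 5 | ForEach-Object { $_.Line }
}

# 3. hman.log (site server only): "Signed MP Cert" should follow
#    "Starting processing MP Certificates" when signing works.
$hman = Join-Path $LogDir 'hman.log'
if (Test-Path $hman) {
    Select-String -Path $hman -Pattern 'Starting processing MP Certificates', 'Signed MP Cert' |
        Select-Object -Last 5 | ForEach-Object { $_.Line }
}

# 4. smpisapi.log: how often clients hit the empty-key failure (server error 103 / 0x80040067).
$isapi = Join-Path $LogDir 'smpisapi.log'
if (Test-Path $isapi) {
    $hits = @(Select-String -Path $isapi -Pattern 'SignedSerializedKey is empty', 'errorcode 103').Count
    Write-Host "smpisapi.log: $hits empty-key / error 103 entries"
}
```

If step 1 reports SignedSerializedSMPKey as EMPTY more than five minutes after install while step 2 shows the health check succeeding, the problem is upstream in the signing path rather than on the SMP itself.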
Will,
We are on the same page.
Since the SMP on the SS failed to be signed, I began to focus on the actual signing process.
Using the data supplied by Robinson Zhang:
Appendix B: SMS Certificate Infrastructure
http://technet.microsoft.com/tr-tr/library/cc179731(en-us).aspx
I zeroed in on how the Parent/Child relationship affects signing.
I detached the site from its parent and both SMPs signed within 2 minutes. It appears that the site is functioning properly when on its own. Something is broken with the Central Site signing process when the child is reporting to a parent.
I deleted the old Parent Site's cert from hman.box\pubkey and re-attached. I am now waiting to see if everything will continue to work once all the data is replicated up to the parent.
November 29th, 2010 4:03pm
Figured it out. The empty reg key was a symptom not the root cause.
The issue was the process that signs the SMP certificate was broken.
I detached from the parent, then re-attached and waited for everything to settle down. Something still wasn't right, so we did a manual public key exchange between the parent and child.
Everything appears to be functioning again. I was able to create another SMP and have its key signed.
Thanks for the help.
Bob
December 1st, 2010 7:26am
I experienced the same problem with a broken certificate from higher levels down the hierarchy. It seems that doing a manual removal of the parent on the properties tab of the primary site system solves the problem. All roles relying on signed certificates, like Multicasting, will get populated immediately with a signed certificate! It is definitely not a client problem.
If you re-enable the connection to the primary site, the SignedSerializedXXXKey gets populated again with the key of the parent! Just have a look at the hman.log when setting the Parent Site setting on/off! You do not need to deinstall the keys or cancel the jobs using preinst.exe!
You will see an entry "Signed MP Cert xxxxxxxx" directly after "Starting processing MP Certificates". All site systems which are currently registered and in use will be informed that there is a new certificate!
I couldn't find any log entry why that happened!
Tarkan Koemuercue
May 3rd, 2011 11:32am