Have a few questions, so I created my certs per the
http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_webserver2008_cm2012.
I guess my main concern is this:
1. Client cert is set to autoenroll
2. IIS Server for primary was published and then requested on the server
3. IIS has the correct thumbprint
4. The DP on the primary has the DP cert / password
The same process was executed on the secondaries
In the Status Manager, I'm seeing that my MP_Control_Manager is sending out
5480, 5436
If I test the mpcert / mplist / mplist1 I see a forbidden (403)
The bindings on the IIS show the proper thumbprint per each MP
Also in the BGBServer.log per each secondary:
ERROR: Client certificate error: RemoteCertificateChainErrors
SMS_NOTIFICATION_SERVER 9/5/2013 1:38:09 PM 13004 (0x32CC)
ERROR: Authentication failed - closing the connection. Exception: The remote
certificate is invalid according to the validation procedure..
SMS_NOTIFICATION_SERVER 9/5/2013 1:38:09 PM 13004 (0x32CC)
ERROR: Client certificate error: RemoteCertificateChainErrors
SMS_NOTIFICATION_SERVER 9/5/2013 1:39:21 PM 13004 (0x32CC)
ERROR: Authentication failed - closing the connection. Exception: The remote
certificate is invalid according to the validation procedure..
SMS_NOTIFICATION_SERVER 9/5/2013 1:39:21 PM 13004 (0x32CC)
ERROR: Client certificate error: RemoteCertificateChainErrors
SMS_NOTIFICATION_SERVER 9/5/2013 1:39:38 PM 3172 (0x0C64)
ERROR: Authentication failed - closing the connection. Exception: The remote
certificate is invalid according to the validation procedure..
SMS_NOTIFICATION_SERVER 9/5/2013 1:39:38 PM 3172 (0x0C64)
ERROR: Client certificate error: RemoteCertificateChainErrors
SMS_NOTIFICATION_SERVER 9/5/2013 1:40:21 PM 13004 (0x32CC)
ERROR: Authentication failed - closing the connection. Exception: The remote
certificate is invalid according to the validation procedure..
SMS_NOTIFICATION_SERVER 9/5/2013 1:40:21 PM 13004 (0x32CC)
ERROR: Client certificate error: RemoteCertificateChainErrors
SMS_NOTIFICATION_SERVER 9/5/2013 1:40:38 PM 13004 (0x32CC)
ERROR: Authentication failed - closing the connection. Exception: The remote
certificate is invalid according to the validation procedure..
SMS_NOTIFICATION_SERVER 9/5/2013 1:40:38 PM 13004 (0x32CC)
In the enrollment log for a Mac client, there are no issues. But in the
SMS_DM.log I'm seeing this: COMException : Exception from HRESULT: 0x87D00238
MP_Status.log is showing
Mp StatusForwarder FinalConstruct succeeded MP_StatusManager 9/4/2013
4:11:51 AM 35984 (0x8C90)
Mp Status: processing event: MpEvent_Repaired, for machine: "SERVER-PRIMARY"
MP_StatusManager 9/4/2013 4:11:51 AM 35984 (0x8C90)
MP Status: SVF file written successfully to "D:\Program Files\Microsoft
Configuration Manager\inboxes\statmgr.box\statmsgs\D7S0WFHM.SVF"
MP_StatusManager 9/4/2013 4:11:51 AM 35984 (0x8C90)
Mpcontrol.log shows:
Begin validation of Certificate [Thumbprint
4c3d14b1c7446533260db1a3c9b712ff1395e4a5] issued to 'SERVER'
SMS_MP_CONTROL_MANAGER 9/5/2013 1:45:41 PM 9576 (0x2568)
Certificate has "SSL Client Authentication" capability. SMS_MP_CONTROL_MANAGER
9/5/2013 1:45:41 PM 9576 (0x2568)
Completed validation of Certificate [Thumbprint
4c3d14b1c7446533260db1a3c9b712ff1395e4a5] issued to 'SERVER'
SMS_MP_CONTROL_MANAGER 9/5/2013 1:45:41 PM 9576 (0x2568)
>>> Selected Certificate [Thumbprint 4c3d14b1c7446533260db1a3c9b712ff1395e4a5]
>>> issued to 'SERVER' for HTTPS Client Authentication
>>> SMS_MP_CONTROL_MANAGER 9/5/2013 1:45:41 PM 9576 (0x2568)
Call to HttpSendRequestSync succeeded for port 443 with status code 200, text:
OK SMS_MP_CONTROL_MANAGER 9/5/2013 1:45:41 PM
9576 (0x2568)
STATMSG: ID=5462 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_MP_CONTROL_MANAGER"
SYS=SERVER SITE=ITX PID=4340 TID=9576 GMTDATE=Thu Sep 05 18:45:41.499 2013
ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7=""
ISTR8="" ISTR9="" NUMATTRS=0 SMS_MP_CONTROL_MANAGER
9/5/2013 1:45:41 PM 9576 (0x2568)
So I'm not quite sure what else I need to look for, and I'm not even sure I'm
having issues or just don't know what the HE!! I'm doing....
Thanks,
NON-PKI KNOWLEDGE
