SCCM Setup: CAS with 2 primary sites running ConfigMgr 1610
Primary Site System - under the Client Computer Communication tab, site system settings is set to HTTPS or HTTP. Use PKI certificates is checked; Trusted Root Certificate Authorities has both the old root CA and the new root CA.
MP & DP are set up to use HTTPS only.
Setup: Domain A has a two-way trust with Domain B.
Will try to make a long story short. The old root CA expires next month, so we are in the process of updating all the intermediate certs, client certs, MP certs, DP certs, etc. One year ago we set up a new PKI infrastructure, generated a new root CA cert and started deploying that. It has been working fine.
A week ago we generated new management point certificates and bound them in IIS. Everything in Domain A works fine, but all the machines in Domain B (the trusted domain) are now throwing errors.
Client Logs:
LocationServices.log:
CCMVerifyMsgSignature failed. LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
Failed to verify received message 0x80090006 LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
CCMVerify failed with 0x80090006 LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
Failed to verify message. Could not retrieve certificate from MPCERT. LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
MPCERT requests are throttled for 00:04:54 LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
Failed to verify message. Sending MP [HCS084SCCMxxx] not in cached MPLIST. LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
MPLIST requests are throttled for 00:59:54 LocationServices 2/7/2017 10:14:43 PM 8668 (0x21DC)
ClientIDManagerStartup.log:
RegTask: Failed to send registration request message. Error: 0x87d00231 ClientIDManagerStartup 2/8/2017 2:29:55 AM 8668 (0x21DC)
RegTask: Failed to send registration request. Error: 0x87d00231 ClientIDManagerStartup 2/8/2017 2:29:55 AM 8668 (0x21DC)
CertificateMaintenance.log:
Failed to verify signature of message received from MP using name 'HCS084SCCMxxxx.fqdn'
Management Point Logs:
Processing Registration request from Client 'GUID:D56FFACE-0966-48D3-ADCF-68EB4A64F746' MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
Begin validation of Certificate [Thumbprint 8379EDA0CDA8E46DFA0913E40037543D4AC08CA4] issued to 'T6000F4P6NX1.fqdn.' MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
Completed validation of Certificate [Thumbprint 8379EDA0CDA8E46DFA0913E40037543D4AC08CA4] issued to 'T6000F4P6NX1'certif MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
Verifying message signature for client 'GUID:D56FFACE-0966-48D3-ADCF-68EB4A64F746' failed with 0x80090006. MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
CCMValidateAuthHeaders failed (0x80090006) to validate headers for client 'GUID:D56FFACE-0966-48D3-ADCF-68EB4A64F746'. MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
MP Reg: Failed to verify RegistrationHint, 0x80090006, Registration Hint was not signed with the associated private key whose public key was registered with the SMSID (GUID:D56FFACE-0966-48D3-ADCF-68EB4A64F746). MP_RegistrationManager 2/7/2017 3:17:19 PM 16016 (0x3E90)
We have double-checked the MP certificate and even recreated it, but can't seem to get the machines in Domain B to stop throwing errors. If we bind the old MP cert in IIS, the machines in Domain B start working again. Do these errors point to an MP cert issue, or is it possibly higher up the chain? In addition to the client errors, if a machine needs software it will create a folder under ccmcache like aj.work but not download any content.
The MP cert is SHA-256 with a subject alternative name using both the short name and the FQDN.
Any help would be greatly appreciated.
Thanks,
Renae Mead
DTMB IS OA Enterprise Services
[email protected]
(517) 636-0761 Office
(517) 388-2737 Mobile
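An added diagnostic for separating "MP cert issue" from "something higher up the chain", not part of the original post and not a ConfigMgr tool: this PowerShell script, run on an affected client in Domain B, pulls the certificate IIS presents on the MP's HTTPS binding, builds its chain against that client's own certificate stores, and reports whether the top of the chain is actually present in LocalMachine\Root. It then lists which root each of the client's own private-key certificates chains to, since the MP log shows the client certificate validating but the message signature (0x80090006, NTE_BAD_SIGNATURE) failing. The MP name is the masked one from the post and is a placeholder; port 443 is an assumption.

```powershell
<#
  Added diagnostic, not from the original post or from ConfigMgr.
  Run in an elevated PowerShell on a Domain B client that logs the errors.
  $MpFqdn is the masked name from the post (placeholder); 443 assumes the default HTTPS binding.
#>
param(
    [string]$MpFqdn = 'HCS084SCCMxxxx.fqdn',
    [int]$Port = 443
)

# Step 1: fetch the certificate the MP's IIS binding presents.
# The callback accepts anything so the cert can be inspected even when this
# client does not trust it; the real trust check is done in step 2.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($MpFqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($MpFqdn)
    $mpCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

"MP certificate: {0}" -f $mpCert.Subject
"  thumbprint {0}, valid until {1}" -f $mpCert.Thumbprint, $mpCert.NotAfter
"  issued by {0}" -f $mpCert.Issuer
$san = $mpCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
"  SAN: {0}" -f $(if ($san) { $san.Format($false) } else { '(none)' })

# Step 2: build the chain using this machine's stores, which is what the
# ConfigMgr client relies on. An untrusted or missing root shows up as
# UntrustedRoot / PartialChain on the last element.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($mpCert)
"Chain builds cleanly on this client: $chainOk"
foreach ($element in $chain.ChainElements) {
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    "  {0} [{1}] {2}" -f $element.Certificate.Subject, $element.Certificate.Thumbprint, $status
}

# Step 3: is the top of the chain present in LocalMachine\Root here?
# Root CA certificates are normally distributed per domain (for example by GPO),
# so this is the value to compare between a Domain A and a Domain B client.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint })
"Top of MP chain '{0}' present in LocalMachine\Root: {1}" -f $top.Subject, $inRootStore

# Step 4: which root does each client certificate with a private key chain to?
# Compare these against the MP's root to see whether client and MP certs
# were issued under the same PKI on this machine.
"Client certificates with private keys:"
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$c.Build($_)
    $clientTop = $c.ChainElements[$c.ChainElements.Count - 1].Certificate
    "  {0} [{1}] chains to '{2}'" -f $_.Subject, $_.Thumbprint, $clientTop.Subject
}
```

Running the same script on a working Domain A client and diffing the two outputs answers the question in the post directly: if the chain builds and the root is present on the Domain A client but not on the Domain B client, the difference is in root or intermediate CA distribution between the two domains rather than in the MP certificate itself, which is consistent with the old MP cert (issued under a root both domains already trust) working when rebound.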