In the case of no client certificate on a ConfigMgr client
Even when you run a ConfigMgr infrastructure in non-HTTPS mode, each and every client still has a certificate that it uses when it talks to a Management Point. In an HTTP environment the client will create a self-signed certificate if it doesn’t find a working one in the machine’s certificate store. If that doesn’t happen for any reason, the agent will not be able to register with the ConfigMgr MP/Site.
This happened to one of my customers the other day and it took some time troubleshooting it. Here is what we did.
We could see that there was no client certificate on the client, actions were missing and components were just installed and not enabled.
A typical log file to look in at this point is the ClientIDManagerStartup.log file. We can see that the client could talk to the Site Server since it is listed on the General tab.
At the same time we can see in ClientAuth.log that the client tries to send messages to the Management Point but fails to do so since the client doesn’t have a certificate.
We can see that the problem really is related to the missing certificate. Let’s take a dive into the CertificateMaintenance log file.
Finally some good info.
Crypt acquire context failed with 0x8009000f
After “some” digging, this turns out to be a permissions issue on a file that is used during the creation of the certificate.
The file is placed in C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys and its name starts with “19c5cf9c7b5dc9de3e548adb70398402_”. You need to change the permissions on the file; simply removing it does not help. In addition to Local Service, which already has permissions, as you can see, you need to give System and Administrators full control of the file. Once that is done, simply restart the SMS Agent Host service and everything should work perfectly.
When I did this, I stopped the SMS Agent Host service first. Not sure if you need to do that.
/Tim
EDIT: Found a TechNet article about this, but it only applies to SMS 2003…
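The permission check and fix described above, as a script. This is an added example, not part of the original post: the service name CcmExec (the SMS Agent Host service), the well-known SIDs used for System and Administrators, and the backup file location are assumptions not stated in the post, and it assumes an elevated session that is allowed to read and change the file's ACL.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
$keyDir = 'C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys'  # folder named in the post
$prefix = '19c5cf9c7b5dc9de3e548adb70398402_'                    # file name prefix from the post
$svc    = 'CcmExec'                                              # assumption: service name of "SMS Agent Host"
$backup = Join-Path $env:TEMP 'machinekey-acl.bak'               # assumption: where the old ACL is saved

# Well-known SIDs instead of names, so the check works on any OS display language.
$required = [ordered]@{ 'S-1-5-18' = 'SYSTEM'; 'S-1-5-32-544' = 'Administrators' }
$full = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Test-FullControl($Acl, [string]$Sid) {
    # True when an Allow entry for $Sid carries every FullControl bit.
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $Sid -and
            $r.AccessControlType -eq 'Allow' -and
            (([int]$r.FileSystemRights) -band $full) -eq $full) { return $true }
    }
    return $false
}

# -Force in case the key file is hidden or a system file.
$files = @(Get-ChildItem -LiteralPath $keyDir -Filter "$prefix*" -File -Force -ErrorAction Stop)
if ($files.Count -ne 1) { throw "Expected exactly one key file, found $($files.Count)." }
$path = $files[0].FullName

$acl = Get-Acl -LiteralPath $path
$missing = @($required.Keys | Where-Object { -not (Test-FullControl $acl $_) })
if ($missing.Count -eq 0) {
    Write-Output 'SYSTEM and Administrators already have Full Control; the ACL is not the problem.'
    return
}

Stop-Service -Name $svc -Force          # the post's author stopped the agent first
icacls $path /save $backup | Out-Null   # keep the previous ACL for rollback
foreach ($sid in $missing) {
    icacls $path /grant "*${sid}:(F)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls could not grant Full Control to $($required[$sid])." }
}
Start-Service -Name $svc

# Re-read the ACL and report the result for both principals.
$acl = Get-Acl -LiteralPath $path
foreach ($sid in $required.Keys) {
    '{0,-15} FullControl = {1}' -f $required[$sid], (Test-FullControl $acl $sid)
}
```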