In the case of no client certificate on a ConfigMgr client

Even when you run a ConfigMgr infrastructure in non-HTTPS mode, each and every client still has a certificate that it uses when it talks to a Management Point. In an HTTP environment the client will create a self-signed certificate if it doesn’t find a working one in the machine’s certificate store. If that doesn’t happen for any reason, the agent will not be able to register with the ConfigMgr MP/Site.

This happened to one of my customers the other day and it took some time troubleshooting it. Here is what we did.

CM Client Components are Installed, not Enabled

CM Client Actions are missing

No Client Certificate listed in the CM Client Control Panel Applet

We could see that there was no client certificate on the client, actions were missing, and components were only installed, not enabled.

A typical log file to look in at this point is ClientIDManagerStartup.log. We can see that the client could talk to the Site Server, since it is listed on the General tab.

ClientIDManagerStartup.log is unable to get a certificate


At the same time we can see in ClientAuth.log that the client tries to send messages to the Management Point but fails to do so, since it doesn’t have a certificate.

ClientAuth.log also shows us that it is unable to send messages to the Management Point


We can see that the problem really is related to the missing certificate. Let’s take a dive into the CertificateMaintenance.log file.

CertificateMaintenance.log is the first log that gives us any good info


Finally some good info.

Crypt acquire context failed with 0x8009000f

After some digging, this turned out to be caused by a file permissions problem on a file that is used during the creation of the certificate.

The file that starts with 19c5cf9c7b5dc9de3e548adb70398402_ in C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys only has Local Service security permissions


The file is located in C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys and its name starts with “19c5cf9c7b5dc9de3e548adb70398402_”. You need to actually change the permissions on the file; simply removing it does not help you. Local Service already has permissions, as the screenshot shows, and in addition you need to give System and Administrators full control of the file. Once that is done, simply restart the SMS Agent Host service and everything should work perfectly.

When I did this, I stopped the SMS Agent Host service first. Not sure if you need to do that.
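An added example (not from the original post) that performs the fix described above from an elevated PowerShell session on the affected client: it finds the key container file named in the post, grants SYSTEM and Administrators Full Control, and restarts the SMS Agent Host. It assumes the %ProgramData% path, which is the same directory as C:\Users\All Users (a junction), and takes ownership first only if the existing ACL cannot even be read.

```powershell
# Added example, not from the original post: inspect and repair the ACL on the
# CryptoAPI machine key container the ConfigMgr client tried to use, then
# restart the SMS Agent Host so it retries certificate creation.
# Run from an elevated PowerShell session on the affected client.

# File name prefix named in the post; C:\Users\All Users is a junction to %ProgramData%
$keyPrefix = '19c5cf9c7b5dc9de3e548adb70398402_'
$keyDir    = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

$keyFile = Get-ChildItem -Path $keyDir -Filter "$keyPrefix*" -Force | Select-Object -First 1
if (-not $keyFile) { throw "No key container starting with $keyPrefix found in $keyDir" }

# With only LOCAL SERVICE on the DACL even an administrator may be unable to read
# the ACL, so take ownership (Administrators group) first if Get-Acl is denied.
try {
    $acl = Get-Acl -Path $keyFile.FullName -ErrorAction Stop
} catch {
    & takeown.exe /F $keyFile.FullName /A | Out-Null
    $acl = Get-Acl -Path $keyFile.FullName -ErrorAction Stop
}

Write-Host "Current ACL on $($keyFile.Name):"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Grant SYSTEM and Administrators Full Control, as the post describes,
# skipping principals that already have it
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $hasFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $principal -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    if (-not $hasFull) {
        Write-Host "Granting Full Control on $($keyFile.Name) to $principal"
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, $full, 'Allow')
        $acl.AddAccessRule($rule)
    }
}
Set-Acl -Path $keyFile.FullName -AclObject $acl

# Restart the SMS Agent Host (service name CcmExec); CertificateMaintenance.log
# should then show a fresh, successful certificate creation attempt
Restart-Service -Name CcmExec -Force
```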

/Tim

EDIT: Found a TechNet article about this, but it only applies to SMS 2003…


About The Author

Tim Nilimaa is a consultant with Lumagate in Sweden. He has been working with Configuration Manager for 8 years and has been selected as a speaker at many events, among them Microsoft Management Summit.
