System Center Configuration Manager Advanced Client Installation – Multiple SSL Certificates

I ran into an issue today on our Exchange client access servers while trying to install the System Center Configuration Manager client via command line. My original command syntax, which I’ve used on every other server, looks like the following:

\\SMBServer1\TechShare\Systems\SCCM_R2\SMSSETUP\CLIENT\ccmsetup.exe /native /mp:SCCMSERVER.MYDOMAIN.LOCAL SMSSITECODE=AUTO

As you can see, I’m calling the ccmsetup.exe program from a UNC path, not locally. After running the command, I would see two entries in the system event log:

Log Name:      System
Source:        Service Control Manager
Date:          4/1/2010 3:36:26 PM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
Computer:      EXCHANGECAS1.MYDOMAIN.LOCAL
Description:
The ccmsetup service entered the running state.

followed by…

Log Name:      System
Source:        Service Control Manager
Date:          4/1/2010 3:36:26 PM
Event ID:      7036
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      EXCHANGECAS1.MYDOMAIN.LOCAL
Description:
The ccmsetup service entered the stopped state.

I’ve learned through several previous installations that it’s common to see an event log entry indicating an NT Service Pack has been installed, and several other entries, before the “The ccmsetup service entered the stopped state” entry. I immediately started digging through the installation log (C:\Windows\ccmsetup\ccmsetup.log), which left me with little helpful information. The following lines are the last of the log file before the installer quits:

<![LOG[Waiting for existing instances of ccmsetup to exit.]LOG]!>
<![LOG[All other instances of ccmsetup have completed.]LOG]!>
<![LOG[BITS version check will not be run on Vista.]LOG]!><time="15:21:57.463+240" date="04-05-2010" component="ccmsetup" context="" type="1" thread="2728" file="ccmsetup.cpp:6699">
<![LOG[The 'Certificate Store' is empty in the registry, using default store name 'MY'.]LOG]!><time="15:21:57.479+240" date="04-05-2010" component="ccmsetup" context="" type="1" thread="2728" file="ccmcert.cpp:204">
<![LOG[The 'Certificate Selection Criteria' was not specified, counting number of certificates present in 'MY' store of 'Local Computer'.]LOG]!><time="15:21:57.479+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:3480">
<![LOG[2 certificate(s) found in the 'MY' certificate store.]LOG]!><time="15:21:57.479+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:3509">
<![LOG[The 'MY' of 'Local Computer' store has 2 certificate(s).
Using custom selection criteria based on the machine name.]LOG]!><time="15:21:57.479+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:3548">
<![LOG[Machine name is 'server1.mydomain.local'.]LOG]!><time="15:21:57.479+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:1919">
<![LOG[There are no certificate(s) that meet the criteria.]LOG]!><time="15:21:57.479+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:1748">
<![LOG[Performing search that includes SAN2 extensions...]LOG]!>
<![LOG[Found a certificate with subject name as 'mypubliccert.mypublicdomain.com', but will continue to look for the certificate with subject name as 'server1.mydomain.local'.]LOG]!><time="15:21:57.479+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:1284">
<![LOG[Found a certificate with subject name as 'mypubliccert.mypublicdomain.com', but will continue to look for the certificate with subject name as 'server1.mydomain.local'.]LOG]!><time="15:21:57.479+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:1284">
<![LOG[Found a certificate with subject name as 'server2.mydomain.local', but will continue to look for the certificate with subject name as 'server1.mydomain.local'.]LOG]!><time="15:21:57.479+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:1284">
<![LOG[Found a certificate with subject name as 'server3.mydomain.local', but will continue to look for the certificate with subject name as 'server1.mydomain.local'.]LOG]!><time="15:21:57.479+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:1284">
<![LOG[Checking if certificate issued to 'server1.mydomain.local' is valid for ConfigMgr usage.]LOG]!>
<![LOG[SSL Registry key Software\Microsoft\CCM not found, assuming Client SSL is disabled.]LOG]!><time="15:21:57.479+240" date="04-05-2010" component="ccmsetup" context="" type="2" thread="2728" file="ccmutillib.cpp:134">
<![LOG[The certificate issued to 'mypubliccert.mypublicdomain.com' has 'Client Authentication' capability.]LOG]!><time="15:21:57.541+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:432">
<![LOG[Checking if certificate issued to 'server1.mydomain.local' is valid for ConfigMgr usage.]LOG]!>
<![LOG[The certificate issued to 'server1.mydomain.local' has 'Client Authentication' capability.]LOG]!><time="15:21:57.541+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:432">
<![LOG[More than one certificate found that is valid for ConfigMgr usage.]LOG]!>
<![LOG[Using custom selection criteria based on the machine NetBIOS name.]LOG]!><time="15:21:57.541+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:3568">
<![LOG[Machine name is 'SERVER1'.]LOG]!>
<![LOG[There are no certificate(s) that meet the criteria.]LOG]!><time="15:21:57.541+240" date="04-05-2010" component="ccmsetup" context="" type="0" thread="2728" file="ccmcert.cpp:1748">
<![LOG[A Fallback Status Point has not been specified. Message with STATEID='315' will not be sent.]LOG]!><time="15:21:57.541+240" date="04-05-2010" component="ccmsetup" context="" type="1" thread="2728" file="ccmsetup.cpp:9169">

I spent days trying different combinations of the manual installation command without success.  I finally found the secret combination of things that made this work:

  1. Upgrade the site to Service Pack 2. This resolves an issue where the CCMFIRSTCERT=1 option did not pick the certificate with the longest validity period.
  2. Modify the client certificate template on the Issuing CA so that the new client certificate expires later than the other certificates on the host. I reissued the cert with the new expiration.
  3. Configure the site settings to “Select any certificate that matches” when multiple certificates matching the criteria are found. You can do this by opening the console, right-clicking the site name under Site Management, and choosing Properties.
  4. From the site properties, click the “Site Mode” tab and change the last option on the screen.
  5. After the SP2 upgrade, the new client version needs to be deployed from the Software Update Point. You can do this by drilling down from Site Management, “Site Name”, Site Settings, Client Installation Methods. Double-click “Software Update Point Client Installation” and you will be prompted to update the client version being published.
  6. The last piece of the puzzle was the manual installation command format. I needed to use the new ccmsetup.exe from the SP2 installation media together with the CCMFIRSTCERT=1 option. The command is:

     \\mysmbserver.mydomain.local\TechShare\Systems\SCCM_2007SP2\SMSSETUP\CLIENT\ccmsetup.exe /native /mp:mysccmserver.mydomain.local SMSSITECODE=AUTO CCMFIRSTCERT=1
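As an added diagnostic (my own script, not code from the post, from ccmsetup, or from Microsoft), the PowerShell below walks the Local Computer ‘MY’ store in the same order the log above does: count the certificates, match the machine FQDN against the subject CN and SAN entries, require the ‘Client Authentication’ EKU, fall back to the NetBIOS name when more than one remains, and finally show which certificate the longest-validity rule behind CCMFIRSTCERT=1 would prefer. It approximates ccmsetup’s selection to help you see why a host with several certificates ends up at “no certificate(s) that meet the criteria”; the function names and the exact ordering are my assumptions, not ccmsetup’s internals.

```powershell
# Added diagnostic: approximates the certificate walk seen in ccmsetup.log.
# Not ccmsetup's own logic; step order and function names are assumptions.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$Fqdn    = ([System.Net.Dns]::GetHostEntry([string]$env:COMPUTERNAME)).HostName.ToLower()
$NetBios = $env:COMPUTERNAME.ToLower()

function Get-CertDnsNames {
    # Subject CN plus every 'DNS Name=' entry of the SAN extension (OID 2.5.29.17)
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { $_ -replace '^DNS Name=', '' }
    }
    $names | ForEach-Object { $_.Trim().ToLower() } | Select-Object -Unique
}

function Test-ClientAuthEku {
    # True when the EKU extension (OID 2.5.29.37) lists Client Authentication
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $false }
    $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

$store = @(Get-ChildItem Cert:\LocalMachine\My)
"{0} certificate(s) in 'MY' store of 'Local Computer'; machine name is '{1}' (NetBIOS '{2}')" -f $store.Count, $Fqdn, $NetBios

$rows = foreach ($c in $store) {
    $names = Get-CertDnsNames $c
    [pscustomobject]@{
        Thumbprint     = $c.Thumbprint
        Subject        = $c.GetNameInfo('SimpleName', $false)
        MatchesFqdn    = ($names -contains $Fqdn)
        MatchesNetBios = ($names -contains $NetBios)
        ClientAuth     = Test-ClientAuthEku $c
        NotAfter       = $c.NotAfter
    }
}
$rows | Format-Table -AutoSize

# Narrow the way the log does: FQDN match, then EKU, then NetBIOS, then longest validity
$valid = @($rows | Where-Object { $_.MatchesFqdn -and $_.ClientAuth })
if ($valid.Count -gt 1) {
    $byNetBios = @($valid | Where-Object { $_.MatchesNetBios })
    if ($byNetBios.Count -eq 1) { $valid = $byNetBios }
}
if ($valid.Count -eq 0) { 'There are no certificate(s) that meet the criteria.' }
elseif ($valid.Count -eq 1) { 'Single usable certificate:'; $valid[0] }
else { 'More than one usable certificate; CCMFIRSTCERT=1 prefers the longest validity:'; $valid | Sort-Object NotAfter -Descending | Select-Object -First 1 }
```

Run it in an elevated PowerShell on the affected host before installing the client; a public certificate that carries the host FQDN in its SAN will show up as MatchesFqdn alongside the intended machine certificate, which is exactly the ambiguity the SP2 upgrade and the longer-lived client certificate resolve.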

Upon reboot, the client authenticated using the correct SSL certificate and everything started working properly!  What a relief after days of futzing around with this client…  As a side note, I came across this great script to determine the SSL certificate being used by Configuration Manager: http://blogs.msdn.com/gabeb/archive/2009/12/14/getting-sccm-client-certificate-hash.aspx
