Failed To Enumerate Sccm Certificate Keys In Registry Error 2
on March 18, 2013 by Rob P

While troubleshooting some inactive SCCM clients I found that they had bad SMS certs. Symptoms of this were found in LocationServices.log: "Failed to verify Certificate with error 0x80070057" was the error that pointed me to take a look at the SMS cert. Upon review I found that the certs were from a previous install of SCCM in my lab. These need to be deleted so the new install of SCCM can issue certs to the clients and establish a trust relationship. My long-term plan is to build a runbook to fix broken SCCM agents, and this is a good place to start.

Here is the quick script I put together:

$Computers = Get-Content C:\list.csv
foreach ($computer in $Computers) {
    $session = New-PSSession -ComputerName $computer
    Invoke-Command -Session $session -ScriptBlock {
        # Delete the stale SMS client certificates from the registry, then restart
        # the SCCM agent so it requests new certificates from the current site
        Remove-Item -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates\*' -Recurse -Force
        Restart-Service ccmexec
    }
    Remove-PSSession $session
}

Inside the scriptblock is the meat of the script: I delete the certificates via the registry and then restart the SCCM agent service; the client will connect to the site server and request new certificates to be issued. If this is the only problem on the machine, its status should become active in SCCM. This script is provided as is and should not be used in a production environment against all computers in your domain.
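A more cautious version of the same cleanup, written here as an added example and not the post author's script: it confirms the LocationServices.log symptom first, exports the SMS certificate keys to a .reg backup before deleting them, and reports the result per computer. The log path under %windir%\CCM\Logs, the backup location and the list file name are assumptions.

```powershell
# Added example (not the original post's script). Assumes C:\list.csv holds one
# computer name per line, as in the post; the log and backup paths are assumptions.
$Computers = Get-Content -Path 'C:\list.csv' | Where-Object { $_.Trim() }

$fix = {
    param([bool]$DryRun = $false)
    $smsKey  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates'
    $logPath = Join-Path $env:windir 'CCM\Logs\LocationServices.log'
    $result  = [ordered]@{ Computer = $env:COMPUTERNAME; SymptomFound = $false
                           CertsRemoved = 0; Backup = $null; Action = 'none' }

    # 1. Confirm the symptom from the post before touching anything.
    if (Test-Path $logPath) {
        $result.SymptomFound = [bool](Select-String -Path $logPath -SimpleMatch -Quiet `
            -Pattern 'Failed to verify Certificate with error 0x80070057')
    }
    if (-not $result.SymptomFound) { $result.Action = 'skipped: symptom absent'; return [pscustomobject]$result }

    $certs = @(Get-ChildItem -Path $smsKey -ErrorAction SilentlyContinue)
    if ($certs.Count -eq 0) { $result.Action = 'skipped: no SMS certs'; return [pscustomobject]$result }

    # 2. Export the key first so the old certificates can be restored if needed.
    $backup = Join-Path $env:TEMP ('SMSCerts-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKLM\SOFTWARE\Microsoft\SystemCertificates\SMS\Certificates' $backup /y | Out-Null
    $result.Backup = $backup
    if ($DryRun) { $result.Action = 'dry run'; return [pscustomobject]$result }

    # 3. The fix from the post: remove the stale certs and restart the agent, which
    #    makes the client request new certificates from the current site.
    $certs | Remove-Item -Recurse -Force
    $result.CertsRemoved = $certs.Count
    Restart-Service -Name ccmexec -Force
    $result.Action = 'removed certs and restarted ccmexec'
    [pscustomobject]$result
}

$report = foreach ($computer in $Computers) {
    $session = $null
    try {
        $session = New-PSSession -ComputerName $computer -ErrorAction Stop
        Invoke-Command -Session $session -ScriptBlock $fix -ArgumentList $false
    } catch {
        [pscustomobject]@{ Computer = $computer; Action = "error: $($_.Exception.Message)" }
    } finally {
        if ($session) { Remove-PSSession -Session $session }
    }
}
$report | Format-Table Computer, SymptomFound, CertsRemoved, Action, Backup -AutoSize
```

Pass `$true` in `-ArgumentList` for a dry run that only confirms the symptom and writes the backup without deleting anything.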
https://msscadmin.wordpress.com/2013/03/18/sccm-client-certificate-removal/

ConfigMgr 2012 R2 Internet facing MP on Windows Server 2012 R2, note to myself.
23/02/2014, Categories: ConfigMgr, by Peter Daalmans
http://configmgrblog.com/2014/02/23/configmgr-2012-r2-internet-facing-mp-windows-server-2012-r2-note/

A couple of weeks ago I was troubleshooting some SSL-related issues on an Internet Facing Management Point on a Windows Server 2012 R2 server; this blog post is a note/reminder for myself ;). The Internet-connected client was refused a connection with its certificate, with errors like 403.13 and 403.16 in the IIS log files. The IIS error 403.13 stands for Client Certificate Revoked, but since the CRL of the subordinate Certificate Authority was reachable and the certificate had just been enrolled, it should not have been reported as revoked. Error 403.16 means the client certificate is untrusted or invalid, which is related to the fact that IIS cannot process a complete certificate chain.
Also the MPControl.log on the Internet Facing Management Point was reporting the following error: "Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden". Seeing this error means that the Management Point is not able to authenticate itself when it checks its own availability against the local computer (the local Management Point). After some digging it seems that there are some issues with client certificate authentication and IIS 8.x in Windows Server 2012 (R2).

403.16 Forbidden: Client Certificate Untrusted or Invalid
It seems that IIS 8.x does not use the Certificate Trust List by default; without this list, client authentication via certificates fails with the 403.16 error and the certificate is considered untrusted. To work around this issue we need to configure the Windows Server 2012 operating system not t
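The two symptoms above (403.13/403.16 in the IIS log and the HttpSendRequestSync failure in MPControl.log) can be picked out of the logs automatically. The following is an added example, not code from the post; the IIS W3C log lines and the MPControl.log line are constructed samples, and the request URIs in them are illustrative.

```powershell
# Added example, not from the original post. Constructed IIS W3C log lines and an
# MPControl.log line carrying the two symptoms described above; not real captures.
$iisLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-02-20 09:15:02 10.0.0.5 CCM_POST /ccm_system/request - 443 - 203.0.113.7 - 403 16 0 31
2014-02-20 09:15:03 10.0.0.5 GET /SMS_MP/.sms_aut MPKEYINFORMATION 443 - 203.0.113.7 - 403 13 0 15
2014-02-20 09:15:04 10.0.0.5 GET /SMS_MP/.sms_aut MPLIST 443 - 203.0.113.7 - 200 0 0 12
'@ -split "`r?`n"

# Meaning of the two 403 sub-status codes discussed in the post.
$subStatus = @{ '13' = 'Client Certificate Revoked'; '16' = 'Client Certificate Untrusted or Invalid' }

function Get-ClientCertFailure {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields directive tells us which column is which; other # lines are comments.
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if (-not $fields -or $line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -eq '403' -and $subStatus.ContainsKey($row['sc-substatus'])) {
            [pscustomobject]@{
                Time    = "$($row['date']) $($row['time'])"
                Client  = $row['c-ip']
                Uri     = $row['cs-uri-stem']
                Status  = "403.$($row['sc-substatus'])"
                Meaning = $subStatus[$row['sc-substatus']]
            }
        }
    }
}

Get-ClientCertFailure -Lines $iisLog | Format-Table -AutoSize

# The MPControl.log symptom: the MP failing its own HTTPS availability check on port 443.
$mpControl = 'Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden'
if ($mpControl -match 'HttpSendRequestSync failed for port 443 with status code (\d+)') {
    "MPControl.log: MP self-check got HTTP $($Matches[1]); check client certificate trust (CTL) on the MP."
}
```

Point `Get-ClientCertFailure` at `Get-Content` of a real W3C log from the MP's site to list only the requests rejected for client certificate reasons.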
Troubleshooting SSL related issues (Server Certificate)
By Kaushal Kumar Panday, April 9, 2012
https://www.iis.net/learn/troubleshoot/security-issues/troubleshooting-ssl-related-issues-server-certificate
Tools used in this troubleshooter: SSLDiag, Network Monitor 3.4/Wireshark

This material is provided for informational purposes only. Microsoft makes no warranties, express or implied.

Overview
This document will help you in troubleshooting SSL issues related to IIS only. Client certificate troubleshooting will not be covered in this document. Server certificates are meant for server authentication, and we will be dealing only with server certificates in this document. If the Client Certificates section is set to "Require" and you then run into issues, please do not refer to this document; it is meant for troubleshooting SSL server certificate issues only.

It is important to know that every certificate comprises a public key (used for encryption) and a private key (used for decryption). The private key is known only to the server. The default port for https is 443. I am under the assumption that the reader is well-versed in the SSL handshake and the server authentication process during the SSL handshake.
Description of the Secure Sockets Layer (SSL) Handshake: http://support.microsoft.com/kb/257591
Description of the Server Authentication Process during the SSL Handshake: http://support.microsoft.com/kb/257587

Scenarios
The following error message is seen while browsing the website over https: The first thing that has to be checked is whether the website is accessible over http. If yes, then we proceed with our troubleshooting.
If not, then you need to have the website working on http first; that is a separate issue (not covered in this troubleshooter). Now let's assume the website is accessible over http and we get the above error when trying to browse over https. The problem is seen because the SSL handshake failed, hence the error message. There could be many reasons; we will follow a step-by-step approach to solve this problem.

Scenario 1
Check if the server certificate has the corresponding private key. Refer to the picture below: If the private key is missing, then you need to get a certificate containing the private key, which is essentially a .PFX file. There is a c
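The Scenario 1 check (does the server certificate carry its private key?) can be scripted instead of read off the MMC. This is an added example and not part of the IIS.net article; it also flags two neighbouring causes of a failed handshake that the article's overview touches on, a certificate without the Server Authentication purpose and an expired one. It assumes the binding certificate lives in the computer's personal store (Cert:\LocalMachine\My).

```powershell
# Added example, not from the IIS.net article. Inspects the computer's personal
# store and flags the Scenario 1 condition (no private key) plus two related checks.
$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-ServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Collect the Enhanced Key Usage OIDs; a cert with no EKU extension is valid for any purpose.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key (import the .PFX, not just the .CER)' }
    if ($ekus -and $ekus -notcontains $serverAuthEku) { $problems += 'no Server Authentication EKU' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        HasKey     = $Cert.HasPrivateKey
        Problems   = if ($problems) { $problems -join '; ' } else { 'OK for an HTTPS binding' }
    }
}

# Run against the store IIS normally binds server certificates from.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-ServerCertificate -Cert $_ } |
    Format-Table -AutoSize
```

Compare the Thumbprint column with the certificate hash shown for the 443 binding (for example in `netsh http show sslcert`) to find the row that matters for the failing site.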