Configuration Manager Client fails to assign to site

Posted: September 1, 2013 in Configuration Manager, Solved, System Center, TMG2010

Installing Configuration Manager 2012 clients on all my servers was fairly easy and straightforward, with one exception: my TMG2010 server running Server 2008 R2.
For some reason, the client would install but would never assign itself to my site or download policies. The firewall rules allowed it to talk to the ConfigMgr server, and monitoring the traffic showed nothing was being blocked at all.
After much digging in TechNet and elsewhere I found various mentions relating to certificates. This put me on the right track and got me 80% of the way there, but not quite.

There was not a lot of indication of what was going wrong. Most of the logs just weren’t reporting anything, let alone an error. The one log that was showing something was ClientIDManagerStartup.log, with repeating entries of:

RegTask: Failed to get certificate. Error: 0x80004005

This was the only place I could find an indication of what was wrong.

Various articles say to delete all the files in the MachineKeys certificates folder. That is VERY BAD, DO NOT DO THAT!

While they are misguided, they do point to the correct resolution. Some suggest deleting one specific file, which is the SMS certificate. At first, permissions blocked me from doing this, but even after deleting it, the problem would repeat.

SOLUTION

It turns out that for some reason the permissions being applied to the certificate are wrong. Deleting and recreating just put the wrong permissions on again.

On a working machine, this is what you see:

[Screenshot: good_client]

But on the machine that doesn’t work, it looks like this:

[Screenshot: bad_client]

For some reason, the Network Service account is being given the permissions instead. The SMS Agent service runs as the Local System account, which explains why it works on the good machine. Perhaps this is due to some “hardening” permissions that TMG has applied to the certificates folder.

  1. Browse to the directory with the certificate files – C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys
  2. Right click the file name starting with “19c5cf9c7b5dc9….” and open properties
  3. Click the Security Tab
  4. Click Edit
  5. Click “Locations” and change to the local computer
  6. Add – SYSTEM – Full Control
  7. Add – Administrators – Leave the default “Read” permissions
  8. Click OK, and OK again to close the file properties
  9. Open Services and restart the “SMS Agent” Service
  10. Watch the C:\Windows\CCM\Logs\ClientIDManagerStartup.log file
  11. You should also see the client assignment working in the “ClientLocation.log” file

[Screenshot: fixed_client]

Give it a few minutes, and it should all appear in the ConfigMgr console.
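The same check and repair as the steps above, scripted so it can be audited and repeated across servers. This is an added example, not part of the original post: it assumes the key file prefix quoted above, the MachineKeys path from step 1, and that the SMS Agent Host service is named CcmExec.

```powershell
# Added example: audit the ACL on the ConfigMgr client's key container and
# apply the fix from the post (SYSTEM: Full Control, Administrators: Read).
# Assumptions: file prefix "19c5cf9c7b5dc9" as quoted in the post; the
# service name 'CcmExec' (display name "SMS Agent Host"). Run elevated.
$keyDir = 'C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys'
$prefix = '19c5cf9c7b5dc9'
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-SmsKeyAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # SYSTEM must hold an Allow ACE that covers every FullControl bit.
    $system = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    # Presence of NETWORK SERVICE is the symptom seen on the broken TMG box.
    $netsvc = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\NETWORK SERVICE'
    }
    [pscustomobject]@{
        Path              = $Path
        SystemFullControl = [bool]$system
        NetworkServiceAce = [bool]$netsvc
    }
}

function Repair-SmsKeyAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\SYSTEM', 'FullControl', 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Administrators', 'Read', 'Allow')
    )
    foreach ($r in $rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}

# Key container files are hidden, so -Force is required to list them.
$keyFile = Get-ChildItem -Path $keyDir -Force |
    Where-Object { $_.Name -like "$prefix*" } | Select-Object -First 1
if (-not $keyFile) { throw "No key container starting with $prefix in $keyDir" }

$before = Test-SmsKeyAcl -Path $keyFile.FullName
$before | Format-List
if (-not $before.SystemFullControl) {
    Repair-SmsKeyAcl -Path $keyFile.FullName
    Restart-Service -Name CcmExec      # step 9: restart the SMS Agent service
    Test-SmsKeyAcl -Path $keyFile.FullName | Format-List
}
```

If Get-Acl or Set-Acl is denied even from an elevated prompt, the file's ACL does not grant Administrators WRITE_DAC and ownership has to be taken first, which matches the permission block described in the post.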

Comments
  1. Joe says:

    Thank you for this! Was definitely an annoying issue and this did the trick.

  2. Basel says:

    Thank you so much!

  3. suresh says:

    Thanks for your excellent analysis, it saved me a lot of time.
