Category Archives: Client Enrollment

IIS 8.5 – Certificate Rebind

Heya! It has been a while, but the sun is out so I thought I’d share a gem of a find!

One of the longest running logistical headaches with certificates has been renewing them, and subsequently binding them in IIS. Client certificates aren’t a problem; a wee sprinkle of Group Policy, and all your certificates just automagically renew. However, when you throw server authentication coupled with Subject Alternative Names into the mix, you lose the truly luxurious option of automatic renewal.

Missing Certificates and Config Manager Client Woe!

I do occasionally take the time to monitor the FSP logs, specifically for client deployment failures. I came across this little beauty of a problem:

FSP goodness.

Of course the error “Client deployment is waiting for client installation content from distributions points.” is erroneous. It’s a symptom of the problem, and can be ignored. I dug deeper, and looked at the ccmsetup.log. It was a sea of red, as per below:

Follow the White Rabbit.

…but now we’re starting to get somewhere. It’s not a “Distribution Points” issue at all; the client is complaining about certificate problems. Specifically: “Finding certificate by issuer chain returned error 80092004”, and if you read further down:

“There are no certificates in the ‘MY’ store”

Bingo! I checked the Personal Store on the affected PC, and it was empty. So now this isn’t a Config Manager issue per se; the machine isn’t even automatically enrolling. I tried to do this manually, and it too failed with the error:

Helpful. Thanks for that.

I checked the enrollment properties and found:

On the trail!

No policy ID! So the PC isn’t even talking to the enrollment point. I checked logs, nothing.

So I am a bit stuck. I suppose these things do happen! I have posted on TechNet and I’ll come back to this post later(tm)!
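The ccmsetup.log triage described above can be scripted so the certificate root cause stands out from the rest of the red. This is an added example, not part of the original post: it assumes the CMTrace-style entry layout, matches only the two messages quoted in the post, and runs over constructed sample lines.

```python
import re

# CMTrace-style entry: <![LOG[message]LOG]!><time="..." ... type="N" ...>
# type 1 = info, 2 = warning, 3 = error (shown in red by the log viewer).
ENTRY_RE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

# The two messages quoted in the post, mapped to what they mean.
# 80092004 is CRYPT_E_NOT_FOUND: no matching object was found in the store.
ROOT_CAUSES = [
    (re.compile(r"no certificates in the ['‘]?MY['’]? store", re.I),
     "machine Personal (MY) store is empty"),
    (re.compile(r"returned error 80092004", re.I),
     "certificate lookup failed with CRYPT_E_NOT_FOUND"),
]

def parse(text):
    """Yield (severity, message) for every well-formed log entry."""
    for m in ENTRY_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        yield int(attrs.get("type", "1")), m.group("msg").strip()

def triage(text):
    """Split error entries into known certificate root causes and the rest."""
    causes, unclassified = [], []
    for severity, msg in parse(text):
        if severity < 3:          # skip info and warning entries
            continue
        labels = [label for rx, label in ROOT_CAUSES if rx.search(msg)]
        causes.extend(l for l in labels if l not in causes)
        if not labels:
            unclassified.append(msg)
    return {"root_causes": causes, "unclassified": unclassified}

# Constructed sample: attribute values and the first/last messages are made up.
ATTRS = ('time="00:00:0{}.000+000" date="01-01-2000" component="ccmsetup" '
         'context="" type="{}" thread="1" file="constructed.cpp:1"')
SAMPLE = "\n".join(
    "<![LOG[{}]LOG]!><{}>".format(msg, ATTRS.format(i, sev))
    for i, (sev, msg) in enumerate([
        (1, "Constructed informational entry"),
        (3, "Finding certificate by issuer chain returned error 80092004"),
        (3, "There are no certificates in the 'MY' store."),
        (3, "Constructed unrelated error entry"),
    ])
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```
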