Thursday, February 14, 2008

SCCM Client Certificate Problems

Do you have a client that refuses to finish the install of the SCCM client because the certificate doesn't have a private key?

There are two different solutions. The easiest is to check the certificate store under Personal and see if there are any invalid certs; delete them and restart. The other is a more dangerous solution, but it will correct the problem.

I only recommend this solution if you see all of the following problems:
CCM Setup Log:
Client successfully installed
Application Event Log:

Automatic certificate enrollment for local system failed to enroll for one Computer certificate (0x80090016). Keyset does not exist

ClientIDManagerStartup:
Certificate issued to 'computer.domain.com' doesn't have private key.
RegTask: Failed to get certificate. Error: 0x80040280
RegTask: Failed to get certificate. Error: 0x80040281
Error initializing client registration (0x80040222).


Solution:
1. Stop the Crypto Service
2. Rename the folders under the Crypto folder:
   C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto
3. Restart the machine and watch the ClientIDManagerStartup log
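
The symptom check and the rename above, combined into one PowerShell script so the dangerous fix only runs when every listed symptom is present. This is an added example, not part of the original post. It assumes the "Crypto Service" is the Windows service named CryptSvc, that the two log paths are supplied by the caller, and that the ccmsetup success wording matches the post's paraphrase.

```powershell
# Added example (not from the original post). Applies the rename only when
# every symptom listed above is present. Run elevated; try -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$CcmSetupLog,   # caller-supplied path
    [Parameter(Mandatory = $true)][string]$ClientIdLog,   # caller-supplied path
    # Assumption: success wording as paraphrased in the post; adjust to your log.
    [string]$InstallOkText = 'successfully installed',
    [string]$CryptoRoot = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto'
)

# Symptom 1: ccmsetup reports success.
$installOk = [bool](Select-String -Path $CcmSetupLog -SimpleMatch -Pattern $InstallOkText -Quiet)

# Symptom 2: autoenrollment failed with 0x80090016 (Keyset does not exist).
$enrollFail = @(Get-EventLog -LogName Application -Newest 2000 |
    Where-Object { $_.Message -match '0x80090016' })

# Symptom 3: every ClientIDManagerStartup line quoted in the post is present.
$needles = "doesn't have private key", '0x80040280', '0x80040281', '0x80040222'
$missing = @($needles | Where-Object {
    -not (Select-String -Path $ClientIdLog -SimpleMatch -Pattern $_ -Quiet)
})

if (-not $installOk -or $enrollFail.Count -eq 0 -or $missing.Count -gt 0) {
    Write-Warning 'Not all symptoms are present; leaving the Crypto folder untouched.'
    if ($missing.Count -gt 0) { Write-Warning ('Missing in client log: ' + ($missing -join ', ')) }
    return
}

# Assumption: the post's "Crypto Service" is the Windows service CryptSvc.
$suffix = '.old-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
if ($PSCmdlet.ShouldProcess($CryptoRoot, 'Stop CryptSvc and rename subfolders')) {
    Stop-Service -Name CryptSvc -Force
    # Rename rather than delete, so the original key folders can be restored.
    Get-ChildItem -Path $CryptoRoot -Force |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Rename-Item -Path $_.FullName -NewName ($_.Name + $suffix) }
    Write-Output 'Folders renamed (originals kept). Restart and watch ClientIDManagerStartup.log.'
}
```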

See this other post on certificate issues:
http://sms-hints-tricks.blogspot.com/2009/03/native-machine-will-not-pull-down.html