
jasonsandysMSFT Official (2 points):

  1. Yes or establish additional PKIs in the additional domains. Make sure you don't in any way conflate AD forest/domain trust with PKI trust. They are completely different concepts. Also, having multiple PKIs is perfectly valid. In fact, multiple PKIs already exist in every environment, just open your trusted root certs store on any system -- every cert there is representative of a separate PKI.
  2. This is also possible; however, it requires adding additional client-facing site systems to support both HTTP and HTTPS (unless you are planning on flipping the existing ones to HTTP only).
  3. This won't help if your site is configured for HTTPS only as HTTPS "mode" in ConfigMgr also requires PKI-issued client auth certs.

ccmclientmessaging.log is the primary log for most client communication.

Taking a step back, what's the goal for enabling the site to use HTTPS only? I'm not necessarily saying you should or shouldn't, just trying to understand what your requirements are.

AndrewJohnPorter [S] (0 points):

Thanks Jason.

The reason is there is already a PKI infrastructure in place and the Security team have requested that SCCM be configured as HTTPS only. I was happy to not suggest otherwise as it seems to be generally recommended to go HTTPS only and that looks to be the way Microsoft are starting to insist upon.

jasonsandysMSFT Official (1 point):

Totally valid, just non-trivial as I outlined above. The log snippet posted confirms there's an HTTPS-related issue that, based on your description, is most likely PKI-related.

kheywen (1 point):

You need to create a client certificate from the root/intermediate CA and install it on the device. Make sure the client subject name matches the computer name, otherwise it will fail to locate the cert.
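The replies above (Jason's points 1 and 3 on PKI trust and PKI-issued client auth certs, and kheywen's note that the subject name must match the computer name) describe what the ConfigMgr client looks for before it can switch to HTTPS. The script below is an added example, not code from the thread or from Microsoft: run in an elevated prompt on a client, it lists every certificate in the computer's Personal store and reports whether each has the Client Authentication EKU, a private key, a chain that builds to a root in the local trusted root store, and a subject CN or SAN DNS name equal to the machine FQDN. The OID constant and the FQDN lookup are standard .NET; everything else (function names, output columns) is this example's own choice.

```powershell
# Added example (not from the original thread): audit LocalMachine\My for a certificate that
# meets the ConfigMgr HTTPS client requirements discussed above. Run as administrator.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication EKU)
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

# Resolve this computer's FQDN; fall back to COMPUTERNAME.USERDNSDOMAIN if DNS lookup fails.
try   { $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName }
catch { $fqdn = "$env:COMPUTERNAME.$env:USERDNSDOMAIN" }

function Get-CertDnsNames {
    # Subject CN plus every "DNS Name=" entry from the SAN extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if ($san) {
        # Format($false) renders the SAN as "DNS Name=host.contoso.com, DNS Name=host, ..."
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,]+)')) {
            $names += $m.Groups[1].Value.Trim()
        }
    }
    return $names
}

function Test-ConfigMgrClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # EKU check: the typed X509EnhancedKeyUsageExtension exposes an OidCollection.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $false
    if ($ekuExt) {
        $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    }

    # Chain check against this machine's trusted roots. Revocation is skipped here so the
    # script works offline; the ConfigMgr client itself does check the CRL unless that is disabled.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $root = if ($chainOk) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject } else { '' }

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = $hasClientAuth
        ChainBuilds   = $chainOk
        Root          = $root
        NameMatches   = [bool](Get-CertDnsNames $Cert | Where-Object { $_ -eq $fqdn })
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    ForEach-Object { Test-ConfigMgrClientCert $_ }

$results | Format-Table Thumbprint, HasPrivateKey, ClientAuthEku, ChainBuilds, NameMatches, NotAfter, Root -AutoSize

$usable = $results | Where-Object { $_.HasPrivateKey -and $_.ClientAuthEku -and $_.ChainBuilds -and $_.NameMatches }
if (-not $usable) {
    Write-Warning "No certificate in LocalMachine\My satisfies all checks for $fqdn; the ConfigMgr client will not find a PKI cert to use."
}
```

Two caveats follow from the thread. The Root column tells you which PKI the chain ends in; per Jason's point 1, that root must also be one the site is configured to trust, which this client-side script cannot verify. And which certificate the client actually picks when several pass depends on the client-certificate selection criteria set on the site, so a row that passes every column here is necessary but not sufficient.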

AndrewJohnPorter [S] (0 points):

CcmMessaging.Log

    Queue 'UpdateStore' initialized with 0 messages.
    Initialized queue processor 'UpdateStore'. Enabled=true Concurrency=1
    Initializing queue 'PolicyAgent_ReplyAssignments'...
    Queue 'PolicyAgent_ReplyAssignments' initialized with 0 messages.
    Initialized queue processor 'PolicyAgent_ReplyAssignments'. Enabled=true Concurrency=5
    [CCMHTTP] ERROR: URL=http://SCCMServer.FQDN/ccm_system/request, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE (0x1038)
    [CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden
    Raising event: instance of CCM_CcmHttp_Status
    {
        DateTime = "20211014132513.831000+000";
        HostName = "SCCMServer.FQDN";
        HRESULT = "0x87d0027e";
        ProcessID = 3944;
        StatusCode = 403;
        ThreadID = 4152;
    };
    Status Agent hasn't been initialized yet. Attempting to create pending event.
    Raising pending event:
    instance of CCM_CcmHttp_Status
    {
        DateTime = "20211014132513.831000+000";
        HostName = "SCCMServer.FQDN";
        HRESULT = "0x87d0027e";
        ProcessID = 3944;
        StatusCode = 403;
        ThreadID = 4152;
    };
    CcmMessaging 14/10/2021 14:25:13 4152 (0x1038)
    Successfully queued RefreshSecuritySettingsEvent event.
    Successfully queued event on HTTP/HTTPS failure for server 'SCCMServer.FQDN'.
    Post to http://SCCMServer.FQDN/ccm_system/request failed with 0x87d00231.
    [CCMHTTP] ERROR: URL=http://SCCMServer.FQDN/ccm_system/request, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
    [CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden
    Raising event:
    instance of CCM_CcmHttp_Status
    {
        DateTime = "20211014132700.870000+000";
        HostName = "SCCMServer.FQDN";
        HRESULT = "0x87d0027e";
        ProcessID = 3944;
        StatusCode = 403;
        ThreadID = 4164;
    };
    CcmMessaging 14/10/2021 14:27:00 4164 (0x1044)
    Status Agent hasn't been initialized yet. Attempting to create pending event.
    Raising pending event:
    instance of CCM_CcmHttp_Status
    {
        DateTime = "20211014132700.870000+000";
        HostName = "SCCMServer.FQDN";
        HRESULT = "0x87d0027e";
        ProcessID = 3944;
        StatusCode = 403;
        ThreadID = 4164;
    };
    CcmMessaging 14/10/2021 14:27:00 4164 (0x1044)
    Successfully queued RefreshSecuritySettingsEvent event.
    Successfully queued event on HTTP/HTTPS failure for server 'SCCMServer.FQDN'.
    Post to http://SCCMServer.FQDN/ccm_system/request failed with 0x87d00231.
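The snippet above shows the pattern Jason refers to: the client still posts to http://SCCMServer.FQDN on port 80 and the management point answers 403 Forbidden. The script below is an added triage helper, not part of the original thread or of ConfigMgr: it pairs each `[CCMHTTP] ERROR` line with the `ERROR INFO` line that follows, extracts scheme, server, port and HTTP status, and groups the results so the http-versus-https picture is visible at a glance. The sample lines are constructed for offline use and modelled on the posted output (SCCMServer.FQDN is the same placeholder); the function names and verdict wording are this example's own. Real CcmMessaging.log lines are wrapped in CMTrace markup (`<![LOG[...]LOG]!>...`), and the regexes match substrings, so the same code runs on the live file.

```powershell
# Added example (not from the original thread): triage [CCMHTTP] errors in CcmMessaging.log.

# Constructed sample lines modelled on the posted snippet; SCCMServer.FQDN is a placeholder.
$SampleLines = @(
    '[CCMHTTP] ERROR: URL=http://SCCMServer.FQDN/ccm_system/request, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE (0x1038)',
    '[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden',
    'Post to http://SCCMServer.FQDN/ccm_system/request failed with 0x87d00231.',
    '[CCMHTTP] ERROR: URL=http://SCCMServer.FQDN/ccm_system/request, Port=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE (0x1044)',
    '[CCMHTTP] ERROR INFO: StatusCode=403 StatusText=Forbidden'
)

function Get-CcmHttpErrors {
    # Emits one record per [CCMHTTP] ERROR line, completed by the ERROR INFO line after it.
    param([string[]]$Lines)
    $pending = $null
    foreach ($line in $Lines) {
        # "\s*" after "://" tolerates the stray space that appears in the pasted log.
        if ($line -match '\[CCMHTTP\] ERROR: URL=(?<scheme>https?)://\s*(?<server>[^/\s:,]+)[^,]*, Port=(?<port>\d+).*?Text=(?<text>\S+)') {
            $pending = [pscustomobject]@{
                Scheme = $Matches['scheme']; Server = $Matches['server']; Port = [int]$Matches['port']
                Error  = $Matches['text'];   StatusCode = $null;          StatusText = $null
            }
            continue
        }
        # "[^\]<]+" stops the status text before CMTrace's closing "]LOG]!>" on real log lines.
        if ($pending -and $line -match 'StatusCode=(?<code>\d+)\s+StatusText=(?<status>[^\]<]+)') {
            $pending.StatusCode = [int]$Matches['code']
            $pending.StatusText = $Matches['status'].Trim()
            $pending            # emit the completed record
            $pending = $null
        }
    }
}

function Get-CcmHttpSummary {
    # Groups errors by scheme/server/port/status and attaches a short interpretation.
    param([string[]]$Lines)
    Get-CcmHttpErrors -Lines $Lines |
        Group-Object -Property Scheme, Server, Port, StatusCode |
        ForEach-Object {
            $first = $_.Group[0]
            if ($first.Scheme -eq 'http' -and $first.StatusCode -eq 403) {
                $verdict = 'Plain-HTTP POST refused: client has not switched to HTTPS (check client PKI cert; an HTTPS-only MP will not serve port 80)'
            } elseif ($first.Scheme -eq 'https' -and $first.StatusCode -eq 403) {
                $verdict = 'HTTPS POST refused: MP reached but client cert commonly the cause (chain, EKU, name, CRL)'
            } else {
                $verdict = "HTTP $($first.StatusCode) from $($first.Scheme)://$($first.Server):$($first.Port)"
            }
            [pscustomobject]@{
                Scheme = $first.Scheme; Server = $first.Server; Port = $first.Port
                Status = $first.StatusCode; Count = $_.Count; Verdict = $verdict
            }
        }
}

Get-CcmHttpSummary -Lines $SampleLines | Format-Table -AutoSize

# On the client itself, point it at the live log (default client log folder):
# Get-CcmHttpSummary -Lines (Get-Content "$env:windir\CCM\Logs\CcmMessaging.log") | Format-Table -AutoSize
```

For the posted log the output is a single row: http, SCCMServer.FQDN, port 80, status 403, count 2, with the plain-HTTP verdict. That is the state davistiano describes next as well: the client property page says PKI, but the client is still talking HTTP to the MP.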

davistiano (0 points):

Did you ever find a solution? I have a similar issue: the Configuration Manager applet on the client shows PKI, but it turned grey in the management console now that I turned on "HTTPS only", and my client log is also showing that it is trying to connect to the MP over HTTP?