Wednesday, March 30, 2016

SCCM WSUS WCM.log - System.Net.WebException: The request failed with HTTP status 404

System.Net.WebException: The request failed with HTTP status 404: Not Found.
   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)


I was recently working with a customer who was receiving an HTTP 404 error in the WCM.log when the site server tried to connect to the WSUS server. The following had already been verified:

  • Confirmed the following ports are open: 80, 443, 135, 445, 8530, 8531
  • The WSUS site is reachable by URL over HTTP
  • Boundaries and boundary groups for content and site assignment are configured correctly for the DEV domain
  • Distribution Point and Management Point roles are fully functional
  • WSUS was manually synchronized from the Internet
  • Remote Registry and remote WMI tested successfully

Lab environment, expected behaviour:

In my lab environment I have two forests/domains, "Contoso.local" and "DEV20.local", with no trust between them and the Windows firewall on with default values.

  • I have added the Site System server role (SUP) to Dev20.local with a "WSUS Server Connection Account" (DEV20\LabAdmin).
  • In the WCM.log (Fig1) you can see the successful connection to the dev2 server. Once this connection is made the WSUS installation is configured as a downstream server and the site will synchronize.
  • Wireshark (Fig2) reveals the connection address, source and destination ports, the authentication negotiation between the domains and, importantly, a successful connection.
  • I have not been able to recreate the "System.Net.WebException: The request failed with HTTP status 404: Not Found" error within my lab, most likely because of the specific infrastructure setup at the client site (proxy, firewall rules).

Fig 1

Fig 2
Test: remove the proxy configuration from both the Site Server and the Site System. While the proxy is removed the site will not synchronize with Microsoft Update, but the Site Server can still connect to the Site System. Restart the SMS_Executive service and review the WCM.log.

This proved that the issue at the client site was proxy related. It appears that the proxy bypass rules configured in Internet Explorer do not apply to the SCCM proxy configuration: dev.local lookups should have bypassed the proxy but did not.
Actions for the client: check for rules on the proxy that intercept traffic bound for ports other than 80/443 and forward it (external sites on random ports), and have the proxy intercept the dev.local traffic and forward it from the DMZ back into dev.local.
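The three checks below reproduce, from the site server, what WCM does when it connects to the WSUS server: raw TCP reachability, the proxy that a .NET client on this machine would use for the WSUS URL (this is the question raised above, whether the bypass list is honoured), and the same WSUS administration API call that appears in the stack trace. This is an added diagnostic, not code from the original post; the server name, port and SSL flag are placeholders to replace with your own, and the WSUS console (the Microsoft.UpdateServices.Administration assembly) must be installed on the machine running it.

```powershell
# Added diagnostic (not from the original post). $WsusServer, $Port and
# $UseSSL are assumed values for illustration.
param(
    [string]$WsusServer = 'wsus.dev20.local',   # assumed name of the site system running WSUS
    [int]$Port = 8530,                          # 8531 when $UseSSL is $true
    [bool]$UseSSL = $false
)

# 1. Raw TCP reachability of the WSUS port, independent of any proxy.
$tcp = Test-NetConnection -ComputerName $WsusServer -Port $Port -WarningAction SilentlyContinue
"TCP {0}:{1} reachable: {2}" -f $WsusServer, $Port, $tcp.TcpTestSucceeded

# 2. Would the .NET default proxy route this URL through a proxy?
#    The WSUS admin API is a .NET client, so this is the proxy it would use.
#    The result depends on the account running this script (see note below).
$scheme = if ($UseSSL) { 'https' } else { 'http' }
$uri    = [Uri]("{0}://{1}:{2}/" -f $scheme, $WsusServer, $Port)
$proxy  = [System.Net.WebRequest]::DefaultWebProxy
$routed = -not $proxy.IsBypassed($uri)
"URL {0} goes via proxy: {1}" -f $uri, $routed
if ($routed) { "Proxy that would be used: {0}" -f $proxy.GetProxy($uri) }

# 3. The same call WCM makes (AdminProxy -> ConnectToWSUSServer in the trace above).
try {
    Add-Type -AssemblyName 'Microsoft.UpdateServices.Administration'
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSSL, $Port)
    "Connected to WSUS {0}, version {1}" -f $wsus.Name, $wsus.Version
} catch {
    "WSUS API connection failed: $($_.Exception.Message)"
}
```

Run it once as the logged-on administrator and once as the account the connection actually uses: WCM runs inside SMS_Executive (LocalSystem, or the configured WSUS Server Connection Account), and the default proxy and its bypass list are per-user settings, so a bypass that works in the admin's browser may not exist for that account. A SYSTEM shell for the second run can be opened with `psexec -s -i powershell.exe`. If check 2 reports the WSUS URL going via the proxy while check 1 succeeds, the 404 is coming back from the proxy, which matches the finding above.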

Wednesday, March 16, 2016

SCCM - Create Client Authentication Certificate for Workgroup machine

Content of ConfigMgrClientCertificateWorkgroup.inf

[NewRequest]
Subject = "CN=WorkgroupServerName"
MachineKeySet = True
Exportable = TRUE
KeyLength = 2048

[RequestAttributes]
CertificateTemplate = ConfigMgrClientCertificateWorkgroup

certreq -new ConfigMgrClientCertificateWorkgroup.inf ConfigMgrClientCertificateWorkgroup.req

certreq -submit ConfigMgrClientCertificateWorkgroup.req ConfigMgrClientCertificateWorkgroup.cer
In the Select Certification Authority dialog, choose the issuing CA (DomainControllerName in this example)

certreq -accept ConfigMgrClientCertificateWorkgroup.cer

Open the Certificates (Local Computer) MMC snap-in and export the certificate with its private key (PFX). Protect the PFX with a strong password and delete it once it has been imported on the workgroup machine; it contains the client's private key.

Import the new certificate into the workgroup system's Personal (machine) certificate store
Import the trusted root certificate (Local-CA) into the workgroup system's Trusted Root Certification Authorities store

Install CCMSetup with following command line


Open LocationServices.log and look for the following entry

LSUpdateInternetManagementPoints: Successfully refreshed internet MPs from MP
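The same procedure scripted end to end, as an added example that is not part of the original post. Part A runs on a domain-joined machine that can reach the issuing CA and does what the INF and the three certreq commands above do, then exports the PFX and removes the local copy of the key; Part B runs on the workgroup machine, imports the root and client certificates and checks LocationServices.log for the entry above. The CA config string, computer name, paths and template name are assumed placeholders.

```powershell
# Added example, not from the original post. CA config string, names and
# paths are assumed values for illustration.

# ---------- Part A: request, issue and export (domain-joined machine) ----------
function New-WorkgroupClientCert {
    param(
        [Parameter(Mandatory)][string]$ComputerName,                  # workgroup machine name, becomes the CN
        [string]$CAConfig = 'ca01.contoso.local\Contoso-Issuing-CA', # assumed "CAHost\CAName"
        [string]$Template = 'ConfigMgrClientCertificateWorkgroup',
        [string]$WorkDir  = "$env:TEMP\$ComputerName",
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir "$ComputerName.inf"
    $req = Join-Path $WorkDir "$ComputerName.req"
    $cer = Join-Path $WorkDir "$ComputerName.cer"
    $pfx = Join-Path $WorkDir "$ComputerName.pfx"

    # Same INF as in the post. Exportable is needed only because the key is
    # generated here and has to travel to the workgroup machine.
    @"
[NewRequest]
Subject = "CN=$ComputerName"
MachineKeySet = True
Exportable = TRUE
KeyLength = 2048
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

    certreq -new $inf $req | Out-Null
    # -config names the CA directly and skips the "Select Certification Authority" dialog
    certreq -submit -config $CAConfig $req $cer | Out-Null
    certreq -accept $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

    # Find the issued certificate in the machine store and export it with its key.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$ComputerName" -and $_.HasPrivateKey } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "Issued certificate for CN=$ComputerName not found in LocalMachine\My" }
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $PfxPassword | Out-Null

    # The requesting machine does not need a copy of the workgroup machine's private key.
    Remove-Item -Path $cert.PSPath -DeleteKey
    Remove-Item -Path $req, $cer -ErrorAction SilentlyContinue
    return $pfx
}

# ---------- Part B: install on the workgroup machine ----------
function Install-WorkgroupClientCert {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [Parameter(Mandatory)][string]$RootCaCerPath   # exported Local-CA root certificate
    )
    # Root first so the chain validates, then the client certificate. Import-PfxCertificate
    # marks the key non-exportable unless -Exportable is given, so it cannot be lifted
    # from this store as easily as the PFX itself.
    Import-Certificate -FilePath $RootCaCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword
    Remove-Item -Path $PfxPath -Force   # do not leave the PFX on disk
    return $cert.Thumbprint
}

function Test-InternetMpRefresh {
    # True when LocationServices.log contains the line the post looks for after ccmsetup.
    $log = Join-Path $env:windir 'CCM\Logs\LocationServices.log'
    return [bool](Select-String -Path $log -Pattern 'LSUpdateInternetManagementPoints: Successfully refreshed internet MPs' -Quiet -ErrorAction SilentlyContinue)
}

# Usage (assumed names):
#   domain machine:    $pfx = New-WorkgroupClientCert -ComputerName WKG01 -PfxPassword (Read-Host 'PFX password' -AsSecureString)
#   workgroup machine: Install-WorkgroupClientCert -PfxPath C:\Temp\WKG01.pfx -PfxPassword (Read-Host 'PFX password' -AsSecureString) -RootCaCerPath C:\Temp\Local-CA.cer
#                      then run ccmsetup and call Test-InternetMpRefresh
```

If the workgroup machine can reach the CA over the network, an alternative is to run the `certreq -new` step on the workgroup machine itself and carry only the .req and .cer files across; the private key then never leaves the machine that uses it and the INF no longer needs `Exportable = TRUE`.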

SCCM Client Certificate (PKI) Value is None


Symptoms: Are you seeing the following errors logged?

ClientIDManagerStartup.log - Error: 0x87d00231
[RegTask] - Client is not registered. Sending registration request for GUID:12345678...98C1AE ...
RegTask: Failed to send registration request message. Error: 0x87d00231 ClientIDManagerStartup
RegTask: Failed to send registration request. Error: 0x87d00231 ClientIDManagerStartup

Failed to send management point list Location Request Message to SiteServer.Domain.local
1 assigned MP errors in the last 10 minutes, threshold is 5.

Status Agent hasn't been initialized yet. Attempting to create pending event.
Successfully queued event on HTTP/HTTPS failure for server 'SiteServer.Domain.local'.
Post to https://SiteServer.Domain.local/ccm_system_windowsauth/request failed with 0x87d00231.
Failed to open to WMI namespace '\\.\root\ccm' (80041003)
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee2

Within the affected client's Windows registry you will find this value populated: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\DisableRenegoOnClient (DWORD) = 1

The issue explained:
SSL/TLS renegotiation has been disabled on the client. This was the result either of a manual change or of deploying the following Microsoft KB -

Within the KB you will find the following statement - Internet Information Services (IIS): In certain configurations, IIS using certificate client authentication, including certificate mapping scenarios, will be affected. Site-wide client certificate authentication will not be affected and will continue to function.

Here is how that affects the ConfigMgr client. The client connects to the Management Point's HTTPS virtual directory. That virtual directory requires a valid client certificate, so IIS responds by starting an SSL/TLS renegotiation to request it.

With renegotiation disabled, the client abandons the session immediately. The server can no longer find the abandoned session, which is why you receive the HTTP 500 error (The I/O operation has been aborted); on the client side the WinHttpSendRequest failure 0x2ee2 in the log above is ERROR_WINHTTP_TIMEOUT (12002), the client waiting on a session that will never complete.

To resolve:

Change the registry value (DisableRenegoOnClient) from 1 to 0 and restart the CCMExec service. Be aware that a value of 1 is the client-side hardening against the TLS renegotiation weakness (CVE-2009-3555) and applies to every Schannel client on the machine, not only the ConfigMgr agent, so agree the change with whoever deployed it (via the KB or group policy) before rolling it out.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" /v DisableRenegoOnClient /t REG_DWORD /d 0 /f

powershell -executionpolicy bypass -command restart-service ccmexec

PS. CCMCleaner.exe may go a long way towards clearing out an SCCM client installation issue.
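To find affected clients before fixing them one by one, the detector below combines the two symptoms described above: the registry value and the 0x87d00231 registration failures in ClientIDManagerStartup.log. It is an added example, not code from the original post; the sample log lines at the bottom are constructed to exercise it offline and are not real client output.

```powershell
# Added example, not from the original post. Paths and value names are the
# ones given in the post; the sample log lines are constructed.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$LogPath     = Join-Path $env:windir 'CCM\Logs\ClientIDManagerStartup.log'

function Get-RenegoBlockEvidence {
    # Returns the registry value, the number of registration failures in the log,
    # and whether both symptoms are present on this machine.
    param([string[]]$LogLines = (Get-Content -Path $LogPath -ErrorAction SilentlyContinue))
    $value = (Get-ItemProperty -Path $SchannelKey -Name DisableRenegoOnClient -ErrorAction SilentlyContinue).DisableRenegoOnClient
    $hits  = @($LogLines | Where-Object { $_ -match 'RegTask: Failed to send registration request.*0x87d00231' })
    [pscustomobject]@{
        DisableRenegoOnClient = $value            # $null when the value is absent (renegotiation allowed)
        RegistrationFailures  = $hits.Count
        Affected              = ($value -eq 1 -and $hits.Count -gt 0)
    }
}

function Repair-RenegoBlock {
    # The fix from the post: set the value back to 0 and restart the client agent.
    # Supports -WhatIf/-Confirm because this reverts a machine-wide TLS hardening setting.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($SchannelKey, 'Set DisableRenegoOnClient = 0 and restart CcmExec')) {
        Set-ItemProperty -Path $SchannelKey -Name DisableRenegoOnClient -Value 0 -Type DWord
        Restart-Service -Name CcmExec -Force
    }
}

# Constructed sample log lines (CMTrace format) to run the detector without a client:
$sample = @(
    '<![LOG[[RegTask] - Client is not registered. Sending registration request for GUID:...]LOG]!>',
    '<![LOG[RegTask: Failed to send registration request message. Error: 0x87d00231]LOG]!>',
    '<![LOG[RegTask: Failed to send registration request. Error: 0x87d00231]LOG]!>'
)
Get-RenegoBlockEvidence -LogLines $sample | Format-List
# Repair-RenegoBlock -WhatIf   # preview; drop -WhatIf to apply the fix
```

Run `Get-RenegoBlockEvidence` without arguments on a real client to read its own log; `Affected` is only true when the value is 1 and the log shows the failures, which avoids "fixing" machines that have the hardening but are registering fine (for example because they talk to an HTTP management point).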

SCCM Client Certificate (PKI) Value is None


Stop the WMI service
Stop CCMExec

sc delete each SCCM service (ccmexec, smstsmgr, cmecservice, ccmsetup)
Delete C:\Windows\ccm, C:\Windows\ccmsetup, C:\Windows\ccmcache and C:\Windows\SMSCFG.ini

Go into regedit and remove:


Then restart WMI and reinstall the client. You shouldn't need a reboot to complete this.

Once this has been done the client will install and pick up the cert.
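The service and file-system steps above scripted as one function, added here as an example and not part of the original post. The registry step is deliberately left out because the post does not list the keys to remove; do that part by hand. Every destructive step goes through ShouldProcess so the function can be previewed with -WhatIf.

```powershell
# Added example, not from the original post. Service and path names are the
# ones listed in the post; registry clean-up is not scripted (keys not given).
function Remove-CcmClientRemnants {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    $services = 'ccmexec', 'smstsmgr', 'cmecservice', 'ccmsetup'
    $paths    = "$env:windir\ccm", "$env:windir\ccmsetup", "$env:windir\ccmcache", "$env:windir\SMSCFG.ini"

    # Stop WMI and the client agent. -Force on winmgmt also stops services that depend on it.
    foreach ($svc in 'winmgmt', 'ccmexec') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            if ($PSCmdlet.ShouldProcess($svc, 'Stop-Service')) {
                Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            }
        }
    }

    # sc delete each SCCM service that still exists.
    foreach ($svc in $services) {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            if ($PSCmdlet.ShouldProcess($svc, 'sc.exe delete')) {
                sc.exe delete $svc | Out-Null
            }
        }
    }

    # Remove the install, bootstrap and cache directories plus SMSCFG.ini.
    foreach ($p in $paths) {
        if (Test-Path -Path $p) {
            if ($PSCmdlet.ShouldProcess($p, 'Remove-Item')) {
                Remove-Item -Path $p -Recurse -Force
            }
        }
    }

    # Bring WMI back. The client is reinstalled separately with ccmsetup.exe
    # once the registry entries have been removed by hand.
    if ($PSCmdlet.ShouldProcess('winmgmt', 'Start-Service')) {
        Start-Service -Name winmgmt
    }
}

# Remove-CcmClientRemnants -WhatIf   # preview every step
# Remove-CcmClientRemnants           # prompts before each destructive step
```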

Tuesday, March 15, 2016

SCCM Task Sequence with automated AD Computer naming Web Services

Maik Koster created a wonderful Deployment Web Service which can help an admin automate many AD, SCCM, and MDT tasks within a Task Sequence.  This blog entry is specifically around producing a Computer Name in Active directory and passing this staged computer name into the OSDComputerName TS variable.

1 Download the DWS from here and extract it to a directory on your web server
2 Open IIS Manager and expand Sites
3 Right-click Default Web Site and choose Add Application
4 Specify an alias and point the physical path to the extracted directory
5 Right-click Application Pools and choose "Add Application Pool"
6 Provide an application pool name
7 Click Application Pools
8 Right-click your application pool and select Advanced Settings
9 In the Process Model area click into the Identity field and then click the ... button
10 Choose Custom account and click Set...
11 Enter a valid username and password and click OK
12 Expand Default Web Site and select the new application created in step 3
13 Right-click and choose Manage Application > Advanced Settings
14 In the General area, in the Application Pool field, select the application pool name created in step 6
15 Expand Default Web Site and click the application added in step 4
16 Click Application Settings on the right and specify the appropriate accounts. See the "Configure Application Settings" section below.

CustomSettings.ini Example


Configure Application Settings:

By default, the web service uses the configured application pool user for authentication. It requires only a couple of Application Settings to be set:
RootServer - The SCCM Root Server
SLPServer - One SCCM Server with the SLP Role
RootSiteCode - The Root site code

For Access to the MDT Database you need to configure at least
MDTDBServer - The MDT Database server (with Instance if necessary)
MDTDBName - The MDT Database name
MDTDBIntegratedSecurity - Set to "True" if you want to use the application pool account for authentication. If set to "False" you need to supply the following two settings
MDTDBUser - Username to access the MDT Database
MDTDBPassword - Password to access the MDT Database

For Active Directory access, you can optionally configure the following Application Settings. This is only necessary if the application pool user account does not have enough permissions to execute the required functions, and/or if you need to access a different domain than the one the application pool user is a member of:
ADDomain - Domain to query (use either "" or "DC=Domain,DC=COM" format)
ADUsername - Username for authentication
ADPassword - Password for authentication
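Steps 1 to 16 and the Application Settings above, done with the WebAdministration module instead of the IIS Manager GUI. This is an added example, not code from the original post or from the Deployment Web Service; the site name, alias, physical path, pool name, service account and the server names in the usage call are assumed placeholders.

```powershell
# Added example, not from the original post or the Deployment Web Service.
# Site, alias, paths, account and server names are assumed placeholders.
Import-Module WebAdministration

function Install-DwsApplication {
    param(
        [string]$Site         = 'Default Web Site',
        [string]$Alias        = 'DWS',                 # step 4
        [string]$PhysicalPath = 'C:\inetpub\DWS',      # where the download was extracted (step 1)
        [string]$PoolName     = 'DWS-AppPool',         # step 6
        [Parameter(Mandatory)][pscredential]$PoolIdentity,   # step 11: the custom account
        [hashtable]$AppSettings = @{}                  # step 16
    )

    # Steps 5 to 11: a dedicated pool running as the supplied account (identityType 3 = SpecificUser).
    if (-not (Test-Path -Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }
    Set-ItemProperty -Path "IIS:\AppPools\$PoolName" -Name processModel -Value @{
        identityType = 3
        userName     = $PoolIdentity.UserName
        password     = $PoolIdentity.GetNetworkCredential().Password
    }

    # Steps 2 to 4 and 12 to 14: the application under the site, bound to that pool.
    if (-not (Get-WebApplication -Site $Site -Name $Alias)) {
        New-WebApplication -Site $Site -Name $Alias -PhysicalPath $PhysicalPath -ApplicationPool $PoolName | Out-Null
    } else {
        Set-ItemProperty -Path "IIS:\Sites\$Site\$Alias" -Name applicationPool -Value $PoolName
    }

    # Step 16: appSettings in the application's web.config, adding or updating each key.
    $psPath = "IIS:\Sites\$Site\$Alias"
    foreach ($key in $AppSettings.Keys) {
        $existing = Get-WebConfigurationProperty -PSPath $psPath -Filter "appSettings/add[@key='$key']" -Name value
        if ($null -eq $existing) {
            Add-WebConfigurationProperty -PSPath $psPath -Filter 'appSettings' -Name '.' -Value @{ key = $key; value = $AppSettings[$key] }
        } else {
            Set-WebConfigurationProperty -PSPath $psPath -Filter "appSettings/add[@key='$key']" -Name value -Value $AppSettings[$key]
        }
    }
}

# Usage with assumed names. MDTDBIntegratedSecurity = True keeps MDTDBUser/MDTDBPassword
# out of web.config; the pool account then needs the SCCM and MDT database rights itself.
Install-DwsApplication -PoolIdentity (Get-Credential -UserName 'CONTOSO\svc_dws' -Message 'Application pool account') -AppSettings @{
    RootServer              = 'cm01.contoso.local'
    SLPServer               = 'cm01.contoso.local'
    RootSiteCode            = 'P01'
    MDTDBServer             = 'sql01.contoso.local\MDT'
    MDTDBName               = 'MDT'
    MDTDBIntegratedSecurity = 'True'
}
```

Anything placed in appSettings (MDTDBPassword, ADPassword) is stored in clear text in the application's web.config, readable by anyone with file access to the web server. Prefer integrated security and the pool identity where you can; if a password setting is unavoidable, encrypt the section in place with `aspnet_regiis.exe -pe appSettings -app "/DWS" -site "Default Web Site"` from the .NET Framework directory, and give the pool account only the AD rights the task sequence actually needs (create and modify computer objects in the staging OU) rather than a broad admin role.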

Deployment Web service (v7.3)


Tuesday, March 1, 2016