Support Tip: ConfigMgr 2012 MP fails to complete health check and logs 0x80092023 error in MPcontrol.log

~ Jagat Singh Kathiar

Hi folks, Jagat Singh Kathiar here from the Configuration Manager team with another support tip for you. I came across this issue a while ago where a System Center 2012 Configuration Manager (ConfigMgr 2012) Management Point was configured for HTTPS and it was failing to do its health check. When we looked in MPcontrol.log we found the following:

Failed in CertStrToName(…) API: 0x80092023      SMS_MP_CONTROL_MANAGER              8/29/2014 10:07:29 AM  20132 (0x4EA4)

Failed in GetCertificate(…): 0x80092023 SMS_MP_CONTROL_MANAGER              8/29/2014 10:07:29 AM  20132 (0x4EA4)
Failed in GetCertificateBySelectionCriteria(…): 0x80092023          SMS_MP_CONTROL_MANAGER              8/29/2014 10:07:29 AM       20132 (0x4EA4)
Failed to retrieve client certificate. Error -2146885597      SMS_MP_CONTROL_MANAGER              8/29/2014 10:07:29 AM         20132 (0x4EA4)
Call to HttpSendRequestSync failed for port 443 with -2146885597 error code.    SMS_MP_CONTROL_MANAGER                8/29/2014 10:07:29 AM  20132 (0x4EA4)
 
Failed to retrieve client certificate. Error -2147467259      SMS_MP_CONTROL_MANAGER              8/29/2014 10:09:59 AM         20132 (0x4EA4)
Call to HttpSendRequestSync failed for port 443 with -2147467259 error code.    SMS_MP_CONTROL_MANAGER                8/29/2014 10:09:59 AM  20132 (0x4EA4
 
>>> Selected Certificate [Thumbprint 03a02d8e1a391b163ff5ce07cfe5990b296ecf5f] issued to ‘SCCM.contoso.com’ for HTTPS Client Authentication               SMS_MP_CONTROL_MANAGER              8/29/2014 10:41:42 AM       2884 (0x0B44)
Call to HttpSendRequestSync failed for port 443 with status code 500, text: Internal Server Error                SMS_MP_CONTROL_MANAGER              8/29/2014 10:41:42 AM  2884 (0x0B44)
Sent summary record of SMS Management Point on ["Display=\\Server.contoso.com\"]MSWNET:["SMS_SITE=Site1"]\\Server.contoso.local\ to \\ Server.contoso.local \SMS_PRI\inboxes\sitestat.box\file1.SUM, Availability 1, 142978044 KB total disk space , 98413112 KB free disk space, installation state 0. SMS_MP_CONTROL_MANAGER              8/29/2014 10:41:42 AM         2884 (0x0B44)
Http test request failed, status code is 500, 'Internal Server Error'.            SMS_MP_CONTROL_MANAGER                8/29/2014 10:41:42 AM  2884 (0x0B44)
STATMSG: ID=5436 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_MP_CONTROL_MANAGER" SYS=Server.contoso.com SITE=PRI PID=12820 TID=2884 GMTDATE=Fri Aug 29 14:41:42.456 2014 ISTR0="500" ISTR1="Internal Server Error" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0   SMS_MP_CONTROL_MANAGER              8/29/2014 10:41:42 AM  2884 (0x0B44)
StateTable::CState::Handle – (5436:3 2014-08-29 14:41:42.456+00:00) >> (5460:1 2014-08-29 14:14:51.802+00:00)                SMS_MP_CONTROL_MANAGER              8/29/2014 10:41:42 AM  2884 (0x0B44)

The Error 500 stated above is pretty generic, but if you look closely the log clearly states that it is failing in GetCertificateBySelectionCriteria. This means we probably have an issue with our certificate, so here’s how you can verify that:

Connect to the ConfigMgr console and go to Administration –> Site configuration –> Site properties and select the Client Computer Communication tab, then click on Modify and check the Clients Certificate Selection Settings. In this case, we found that the certificate selection criteria was set to use a certificate with a certain Subject name and SAN field although there were no matching certificates present in the personal computer store.

To resolve the problem, we set the client certificate selection criteria to the default which is Client authentication capability and chose the radio button for Select the certificate with the longest validity period as shown below.

[Screenshot: Client Certificate Selection Settings dialog showing the default settings]

IMPORTANT: Changing these settings will apply them to every single client assigned to your site which may result in unintended consequences. Please ensure that you are fully aware of how this change may impact your environment before implementing this solution.
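
The store check described above can also be run on the Management Point itself. This is an added example, not code from the original post or from ConfigMgr: it only approximates the selection criteria, `$SubjectMatch` is an assumed sample value that you replace with the string from your site properties, and "longest validity period" is interpreted here as the latest expiry date.

```powershell
# Added example: lists certificates in the computer's Personal store and reports
# which ones would satisfy the selection criteria. Run elevated on the MP.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$SubjectMatch  = 'SCCM.contoso.com'    # assumption: string expected in Subject or SAN

$now = Get-Date
$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Collect the EKU OIDs carried by this certificate (empty if no EKU extension)
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Subject Alternative Name extension (OID 2.5.29.17), rendered as text
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        InValidity = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        PrivateKey = $cert.HasPrivateKey
        ClientAuth = ($ekuOids -contains $ClientAuthOid)
        NameMatch  = ($cert.Subject -like "*$SubjectMatch*" -or $san -like "*$SubjectMatch*")
    }
}

$report | Sort-Object NotAfter -Descending |
    Format-Table Thumbprint, Subject, NotAfter, InValidity, PrivateKey, ClientAuth, NameMatch -AutoSize

# Certificates usable for client authentication at all
$usable = @($report | Where-Object { $_.InValidity -and $_.PrivateKey -and $_.ClientAuth })
# Subset that also satisfies the custom Subject/SAN criteria
$custom = @($usable | Where-Object { $_.NameMatch })

if ($custom.Count -eq 0) {
    Write-Warning "No usable certificate matches '$SubjectMatch' in Subject or SAN; custom criteria would select nothing."
}
if ($usable.Count -eq 0) {
    Write-Warning 'No valid client authentication certificate with a private key is present in the store.'
} else {
    $pick = $usable | Sort-Object NotAfter -Descending | Select-Object -First 1
    "Default criteria would pick: $($pick.Thumbprint) ($($pick.Subject)), expires $($pick.NotAfter)"
}
```

If the first warning appears while the last line still names a certificate, the store matches the situation in this post: a usable client authentication certificate exists, but the custom Subject/SAN criteria exclude it.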

Jagat Singh Kathiar | Sr. Technical Lead | Microsoft
