ConfigMgr 2007: Clients fail to connect to a Management Point after moving from Mixed to Native mode

Here's another issue hot off the presses.  If you start seeing client problems after moving from Mixed to Native mode, this may be what you're running into:

========

Problem:  After migrating a site from mixed mode to native mode, clients may not trust the management point (MP), causing policy download failures (either the policy fails to download, or it downloads but is rejected) and registration failures.  Clients still assign successfully, and their communication mode switches to native mode (provided they can read site information from Active Directory Domain Services), but in the Configuration Manager console they show Yes in the Assigned column with the correct site code and No in the Client column.

Errors similar to the following may be logged in CertificateMaintenance.log:

CCM::LocationServices::CcmVerifyMessage(pStreamData, szSenderMachine, szSignature, szMPSiteCode, bLocalSiteOK), HRESULT=80040309 (e:\nts_sms_fre\sms\framework\security\msgauth\ccmauthmessagehook\ccmcertutil.cpp,251)
CCMVerify(pPayloadSrc, sSignature, false, sMPSiteCode, saTokens[2]), HRESULT=80040309 (e:\nts_sms_fre\sms\framework\security\msgauth\ccmauthmessagehook\hookimpl.cpp,334)
Failed to verify signature for assigned MP.

You may also see the following errors in the LocationServices.log:

Failed to refresh trusted key info with error '0x80040304'.
Failed to validate the certificate <hexadecimal form of cert> from management point 'computerName.domain.com'
Raising event:instance of CCM_LocationServices_ManagementPointCertificate_CrossVerificationFailure

…and after some time:

Failed to validate thumbprint with error 0x80070057.
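The errors above are the client-side fingerprint of this problem. The script below is an added example (not part of the original post) that scans a client's CertificateMaintenance.log and LocationServices.log for exactly those messages and codes. The log directory is an assumption and may need adjusting for your client; the sample lines are constructed from the excerpts above so the script also runs where no logs are present.

```powershell
# Added example; not part of the original post. Scans a ConfigMgr 2007 client's
# CertificateMaintenance.log and LocationServices.log for the MP-trust failures
# quoted in the post. $LogDir is an assumption (adjust for your client); the
# sample lines below are constructed so the script also runs with no logs present.
param(
    [string]$LogDir = "$env:SystemRoot\System32\CCM\Logs"
)

# Error strings and codes quoted in the post, mapped to what each one means.
$signatures = @{
    'HRESULT=80040309'                                                          = 'CcmVerifyMessage failed: MP message signature not trusted'
    'Failed to verify signature for assigned MP'                                = 'Client rejects policy signed by the assigned MP'
    "Failed to refresh trusted key info with error '0x80040304'"                = 'Trusted key refresh from the MP failed'
    'CCM_LocationServices_ManagementPointCertificate_CrossVerificationFailure'  = 'MP certificate cross-verification failed'
    'Failed to validate thumbprint with error 0x80070057'                       = 'Thumbprint validation failed (appears after some time)'
}

function Find-MpTrustFailures {
    param([string]$LogName, [string[]]$Lines)
    $n = 0
    foreach ($line in $Lines) {
        $n++
        foreach ($sig in $signatures.Keys) {
            if ($line.IndexOf($sig) -ge 0) {
                New-Object PSObject -Property @{
                    Log = $LogName; LineNo = $n; Signature = $sig; Meaning = $signatures[$sig]
                }
            }
        }
    }
}

# Constructed sample lines (the post's messages, not captured client output).
$sample = @{
    'CertificateMaintenance.log' = @(
        'CCMVerify(pPayloadSrc, sSignature, false, sMPSiteCode, saTokens[2]), HRESULT=80040309 (e:\nts_sms_fre\sms\framework\security\msgauth\ccmauthmessagehook\hookimpl.cpp,334)',
        'Failed to verify signature for assigned MP.'
    )
    'LocationServices.log' = @(
        "Failed to refresh trusted key info with error '0x80040304'.",
        'Raising event:instance of CCM_LocationServices_ManagementPointCertificate_CrossVerificationFailure',
        'Failed to validate thumbprint with error 0x80070057.'
    )
}

$results = foreach ($name in $sample.Keys) {
    $path = Join-Path $LogDir $name
    if (Test-Path $path) {
        Find-MpTrustFailures -LogName $name -Lines (Get-Content $path)
    } else {
        Write-Warning "$path not found; using constructed sample lines for $name"
        Find-MpTrustFailures -LogName $name -Lines $sample[$name]
    }
}

if ($results) {
    $results | Sort-Object Log, LineNo | Format-Table Log, LineNo, Signature, Meaning -AutoSize
    Write-Host 'Client shows the MP-trust failure pattern; check the certificate values under HKLM\Software\Microsoft\SMS\MP on the MP next.'
} else {
    Write-Host 'No MP-trust failure signatures found.'
}
```

A hit on the 80040309 or CrossVerificationFailure lines alone does not prove the registry is the cause; it tells you the client is rejecting what the MP signs, which is the cue to move to the MP-side check.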

Cause: After the site is migrated to native mode, several values under HKLM\Software\Microsoft\SMS\MP may be missing their certificate-related data.  The one that is almost always missing is the site signing certificate's signature (SiteSigningCertificate).  The mode switch redeploys the management point, but for reasons not yet identified it fails to fully populate one or more of the certificate-related values.  The same thing can happen, though less often, when a site is installed in native mode from the start.

Resolution:  Restart SMS_SITE_COMPONENT_MANAGER to re-populate the MP registry values.  This usually resolves the issue, but we have seen cases where it does not.  If it does not work for you, the best recourse is to uninstall and reinstall the management point.  Once you do, clients recover automatically, but it can take anywhere from 60 minutes to 25 hours.  If you would rather not wait, reinstall the clients via client push or Group Policy.
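Putting the cause and the resolution together, here is an added example (not from the original post) to run elevated on the site server that hosts the MP. It lists the certificate-related values under HKLM\Software\Microsoft\SMS\MP, flags any that are missing or empty, and with -Restart restarts SMS_SITE_COMPONENT_MANAGER and re-checks afterwards. SiteSigningCertificate is the value the post names; selecting the other values by a 'Cert' substring in their name, and the two-minute settle time, are assumptions.

```powershell
# Added example; not part of the original post. Run elevated on the ConfigMgr 2007
# site server hosting the management point. Checks HKLM\Software\Microsoft\SMS\MP for
# certificate-related values that are missing or empty (SiteSigningCertificate is the
# one the post names; the 'Cert' name filter for the rest is an assumption) and, with
# -Restart, bounces SMS_SITE_COMPONENT_MANAGER so the MP component is redeployed.
param(
    [switch]$Restart,
    [int]$SettleSeconds = 120   # assumption: time to allow for the MP redeploy
)

$mpKey = 'HKLM:\SOFTWARE\Microsoft\SMS\MP'

function Get-MpCertValueState {
    param([string]$Key)
    if (-not (Test-Path $Key)) { throw "$Key not found. Is this the MP server?" }
    $regKey = Get-Item -Path $Key
    # Always report the value the post says is almost always missing, plus any
    # other value whose name mentions a certificate.
    $others = @($regKey.GetValueNames() | Where-Object { $_ -match 'Cert' -and $_ -ne 'SiteSigningCertificate' })
    $names = @('SiteSigningCertificate') + $others
    foreach ($name in $names) {
        $value = $regKey.GetValue($name)
        $empty = ($null -eq $value) -or
                 (($value -is [byte[]]) -and $value.Length -eq 0) -or
                 (($value -is [string]) -and $value.Trim().Length -eq 0)
        $kind = ''
        if ($null -ne $value) { $kind = $regKey.GetValueKind($name).ToString() }
        New-Object PSObject -Property @{
            Name    = $name
            Present = ($null -ne $value)
            Empty   = $empty
            Kind    = $kind
        }
    }
}

function Show-State {
    param($State, [string]$Title)
    Write-Host $Title
    $State | Format-Table Name, Present, Empty, Kind -AutoSize | Out-String | Write-Host
}

function Get-Names {
    param($Items)
    ($Items | ForEach-Object { $_.Name }) -join ', '
}

$before = @(Get-MpCertValueState -Key $mpKey)
Show-State -State $before -Title "Certificate-related values under $mpKey"
$broken = @($before | Where-Object { $_.Empty })

if ($broken.Count -eq 0) {
    Write-Host 'No missing or empty certificate values; look elsewhere for the trust failure.'
} elseif (-not $Restart) {
    Write-Host ("Missing/empty: {0}. Re-run with -Restart to restart SMS_SITE_COMPONENT_MANAGER." -f (Get-Names $broken))
} else {
    Restart-Service -Name SMS_SITE_COMPONENT_MANAGER -Force
    Write-Host "Restarted SMS_SITE_COMPONENT_MANAGER; waiting $SettleSeconds s for the MP component to redeploy."
    Start-Sleep -Seconds $SettleSeconds
    $after = @(Get-MpCertValueState -Key $mpKey)
    Show-State -State $after -Title 'After restart'
    $stillBroken = @($after | Where-Object { $_.Empty })
    if ($stillBroken.Count -gt 0) {
        Write-Warning ("Still missing/empty: {0}. Uninstall and reinstall the management point." -f (Get-Names $stillBroken))
    } else {
        Write-Host 'All certificate values populated; clients should recover on their own (60 minutes to 25 hours), or reinstall them to speed this up.'
    }
}
```

Run it once without -Restart to see the state before touching anything; the restart affects every site component, so schedule it as you would any site server maintenance.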

We're investigating this issue and will post further information as it becomes available.

J.C. Hornbeck | Manageability Knowledge Engineer