PXE Boot Fails In System Center 2012 Configuration Manager If The MP Is In HTTPS Mode But The DP Is In HTTP Mode


Symptoms

In System Center 2012 Configuration Manager RTM, if the Management Point is in HTTPS mode but the Distribution Point hosting the PXE server is in HTTP mode, the PXE boot may fail. Examining the SMSPXE.log may reveal the following errors:

ProcessMessage: Context:0015B270  dTime:0 SMSPXE
!sTempString.empty(), HRESULT=80070057 (e:\nts_sccm_release\sms\framework\core\ccmcore\string.cpp,1023) SMSPXE
MAC=<MAC_Address> SMBIOS GUID=<SMBIOS_GUID> > DHCP Discover received. SMSPXE
Set enterpirse certificate in transport SMSPXE
Set media certificate in transport SMSPXE
Set authenticator in transport SMSPXE
CLibSMSMessageWinHttpTransport::Send: URL: <ConfigMgr_MP_Server>:443  GET /SMS_MP_AltAuth/.sms_aut?MPKEYINFORMATION SMSPXE
In SSL, but with no client cert SMSPXE
Request was succesful. SMSPXE
Set authenticator in transport SMSPXE
Setting message signatures. SMSPXE
Setting the authenticator. SMSPXE
CLibSMSMessageWinHttpTransport::Send: URL: <ConfigMgr_MP_Server>:443  CCM_POST /ccm_system_AltAuth/request SMSPXE
In SSL, but with no client cert SMSPXE
Request was succesful. SMSPXE
pNext != NULL, HRESULT=80004005 (e:\nts_sccm_release\sms\framework\osdmessaging\libsmsmessaging.cpp,1967) SMSPXE
reply has no message header marker SMSPXE
DoRequest (sReply, true), HRESULT=80004005 (e:\nts_sccm_release\sms\framework\osdmessaging\libsmsmessaging.cpp,6202) SMSPXE
SMSClientLookup.RequestLookup(smbiosGUID, macAddress, dwItemKey, bUnknown), HRESULT=80004005 (e:\nts_sccm_release\sms\server\pxe\smspxe\database.cpp,221) SMSPXE
PXE::DB_LookupDevice failed; 0x80004005 SMSPXE
Set enterpirse certificate in transport SMSPXE
Set media certificate in transport SMSPXE
Set authenticator in transport SMSPXE
CLibSMSMessageWinHttpTransport::Send: URL: <ConfigMgr_MP_Server>:443  GET /SMS_MP_AltAuth/.sms_aut?MPKEYINFORMATION SMSPXE
In SSL, but with no client cert SMSPXE
Request was succesful. SMSPXE
Set authenticator in transport SMSPXE
Sending StatusMessage SMSPXE
Setting message signatures. SMSPXE
Setting the authenticator. SMSPXE
CLibSMSMessageWinHttpTransport::Send: URL: <ConfigMgr_MP_Server>:443  CCM_POST /ccm_system_AltAuth/request SMSPXE
In SSL, but with no client cert SMSPXE
Request was succesful. SMSPXE
pNext != NULL, HRESULT=80004005 (e:\nts_sccm_release\sms\framework\osdmessaging\libsmsmessaging.cpp,1967) SMSPXE
reply has no message header marker SMSPXE
DoRequest (sReply, false), HRESULT=80004005 (e:\nts_sccm_release\sms\framework\osdmessaging\libsmsmessaging.cpp,4045) SMSPXE
Failed to send status message (80004005) SMSPXE
smStatusMessage.Send(), HRESULT=80004005 (e:\nts_sccm_release\sms\server\pxe\smspxe\database.cpp,444) SMSPXE
Failed to send the status message SMSPXE
PXE::DB_ReportStatus failed; 0x80004005 SMSPXE
GetOrCreateDeviceFromPacket(pRequest, deviceInfo, 1, 1), HRESULT=80004005 (e:\nts_sccm_release\sms\server\pxe\smspxe\pxehandler.cpp,1475) SMSPXE
PXE Provider failed to process message.
Unspecified error (Error: 80004005; Source: Windows) SMSPXE
Rejecting PXE request SMSPXE
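
The following triage script is an added example, not part of the original article or of Configuration Manager. It scans an SMSPXE.log for the failure sequence shown in the excerpt above and reports the MAC address of each affected request. It goes beyond the excerpt by also accepting raw CMTrace-format lines, and it assumes that requests are not interleaved in the log; the sample MAC address and the server name `mp.example.test` are constructed placeholders.

```python
import re

# Markers copied from the SMSPXE.log excerpt above, in the order they occur.
SIGNATURE = [
    "In SSL, but with no client cert",
    "reply has no message header marker",
    "PXE::DB_LookupDevice failed; 0x80004005",
    "Rejecting PXE request",
]
CMTRACE = re.compile(r"<!\[LOG\[(.*?)\]LOG\]!>")  # raw CMTrace line wrapper
MAC = re.compile(r"MAC=(\S+)")

# Constructed sample: abbreviated from the excerpt; MAC and server are placeholders.
SAMPLE = """\
MAC=00:11:22:33:44:55 SMBIOS GUID=<SMBIOS_GUID> > DHCP Discover received. SMSPXE
CLibSMSMessageWinHttpTransport::Send: URL: mp.example.test:443  CCM_POST /ccm_system_AltAuth/request SMSPXE
In SSL, but with no client cert SMSPXE
Request was succesful. SMSPXE
reply has no message header marker SMSPXE
PXE::DB_LookupDevice failed; 0x80004005 SMSPXE
Rejecting PXE request SMSPXE
""".splitlines()

def message(line):
    """Return the message text of a CMTrace-format or plain-text log line."""
    m = CMTRACE.search(line)
    text = m.group(1) if m else line
    return re.sub(r"\s*SMSPXE\s*$", "", text).strip()

def find_failed_requests(lines):
    """Return MACs of requests showing every marker, in order, after an HTTPS send."""
    hits, req = [], None
    for line in lines:
        msg = message(line)
        if "DHCP Discover received" in msg:  # a new PXE request starts here
            mac = MAC.search(msg)
            req = {"mac": mac.group(1) if mac else "unknown", "step": 0, "https": False}
        elif req is not None:
            if "WinHttpTransport::Send" in msg and ":443" in msg:
                req["https"] = True
            if req["https"] and SIGNATURE[req["step"]] in msg:
                req["step"] += 1
            if req["step"] == len(SIGNATURE):  # full signature seen
                hits.append(req["mac"])
                req = None
    return hits

if __name__ == "__main__":
    for mac in find_failed_requests(SAMPLE):
        print(f"{mac}: matches; review the certificate set in the DP properties")
```

A request is reported only when all four markers follow an HTTPS send to the MP, so a PXE request rejected for another reason is not flagged.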

 

Cause

This problem occurs when a self-signed certificate is specified in the properties of the Distribution Point.

During a PXE boot, clients use the certificate specified in the "Distribution Point Properties" window to talk to both the MP and the DP. If the MP is in HTTPS mode, the client needs a PKI certificate to talk to the MP. However, if a self-signed certificate has been specified in the "Distribution Point Properties" window, the client uses that self-signed certificate instead of a PKI certificate when it tries to talk to the MP, and the communication fails.

A PKI certificate can be used for the Distribution Point in HTTP mode.

Please note that this issue affects only the RTM version of ConfigMgr 2012. It has been fixed in subsequent versions of ConfigMgr 2012.

 

Resolution

To resolve the problem, configure the Distribution Point properties to use a PKI certificate instead of a self-signed certificate. For more information about creating a PKI certificate for use in the Distribution Point, see the section "Boot images for deploying operating systems" under "PKI Certificates for Clients" at the link below:

PKI Certificate Requirements for Configuration Manager
http://technet.microsoft.com/en-us/library/gg699362.aspx

Frank Rojas
Senior Support Escalation Engineer


Comments (10)

  1. Anonymous says:

    This was one of the most useful articles on this Topic. Thank you very much!

  2. Henrik_Dahl says:

    Thanks, great information!

  3. Anonymous says:

    What else could be the problem? The PKI certificate is listed in the properties of the DP, all roles work on HTTPS

  4. Anonymous says:

    These are the top Microsoft Support solutions to the most common issues experienced using System Center

  5. Anonymous says:

    These are the top Microsoft Support solutions for the most common issues experienced when using System

  6. Anonymous says:

    Top Microsoft Support solutions for the most common issues experienced when you use System Center 2012

  7. Anonymous says:

    Top Microsoft Support solutions for the most common issues experienced when you use System Center 2012

  8. anonymouscommenter says:

    Top Microsoft Support solutions for the most common issues experienced when you use System Center 2012

  9. anonymouscommenter says:

    Top Microsoft Support solutions for the most common issues experienced when you use System Center 2012

  10. Russ DiMartino says:

    Great Post! This turned out to be the exact reason why clients at the site where our Primary server was could not get the PXE point to respond. We had the DP at my site set up with the PKI certificate before I started working here so PXE was working great. When they wanted me to enable it on the remote DP I could not figure out why there was no response until I saw this article. Thanks so much!
