AMT VPRO Enrollment Point Certificate Issue

Similar Messages

• Intel vPro AMT integration with SCCM 2012R2 - Issues with SCCM finding the "ConfigMgr AMT Web Server Certificate"

  Good evening all,
  I'm attempting to get Intel SCS integrated with SCCM 2012 R2 and I have both sides working, doing what they do best, however, I have issues when I try to mate the two. I started with a single server for the site and then tackled the Intel side with success,
  then I added another site server to run the Out of Band service point and Enrollment point. Up until this point I've had no issues with certificate templates, or issuance of those certs. 
  I have re-read the TechNet documents a few times regarding the PKI setup, some Intel documentation and three step by step articles and non of them seem to differ so I can't understand why I'm unable to choose my "ConfigMgr AMT Web Server Certificate"
  when configuring the Out of Band Management Component Properties page.  The "AMT web server certificate template:" dialog shows my CA FQDN and CA name, but the certificate template list is always blank.  I've tried this from both the remote
  and local ConfigMgr consoles.  The site servers have rights on the CA to manage and issue certs, is there something I'm missing that isn't in the documentation or buried somewhere that I missed?  Is there a Application policy that should be on the
  cert that isn't mentioned anywhere?
  Thanks in advance!
  Tesfaye

  Hi Joyce,
  Thanks for responding.  I pretty much have this error repeating in the log file and not much else:
  [28, PID:13388][05/21/2014 15:17:15] :System.DirectoryServices.DirectoryServicesCOMException\r\nThere is no such object on the server.
     at System.DirectoryServices.DirectoryEntry.Bind()
     at System.DirectoryServices.DirectoryEntry.get_AdsObject()
     at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
     at System.DirectoryServices.DirectorySearcher.FindAll()
     at Microsoft.ConfigurationManagement.AdminConsole.Common.ADUtils.EnumEnterpriseCACertificateTemplates(String domainEntryName, String certAuthorityFqdn, Boolean isServerAuthen)\r\n
  I will look into this, but another hint would be greatly appreciated!
  Thanks,
  Tesfaye

• OOB Enrollment Point service error

  We're beginning to migrate our SCCM 2007 clients to our new SCCM 2012 site. We're also getting new replacement systems that have AMT 7x on them. We realize we won't be able to provision the new systems until SCCM 2012 SP1 and that's not a problem.
  Looking at the amtopmgr.log we're seeing some errors we'd like to sort out in the meantime.
  ERROR: [EnrollmentWrapper]: Communicate to Enrollment service error. The service URL is
  https://SCCMServer.domain.com:443/EnrollmentService/AmtEnrollmentService.svc. Please check: 1. The service URL is correct and accessible. 2. Windows Communication Foundation (WCF) Activation is installed on the OOB service point and Enrollment points. 3.
  The OOB service point and the Enrollment point are mutual trusted, means each Site System Identification certificate is swapped to other's trusted people store.
  I tried browsing to the url to see if I could run the web service but it's not showing anything. Is there another way to find out what might be causing this error?
  Orange County District Attorney

  Any joy with this, Sandy? I am having the same output in amtopmgr.log
  I'm using PKI certs from an internal CA and have a feeling it might be related to this as the log shows the following:
  [EnrollmentWrapper]: SCCMCertCredentials - finding self signed sms cert by thumbprint~~  $$<SMS_AMT_OPERATION_MANAGER><08-16-2012 11:04:56.626-60><thread=6336 (0x18C0)>
  [EnrollmentWrapper]: FindCertificate - finding in LocalMachine, store Sms, find type FindByThumbprint, validOnly = False~~  $$<SMS_AMT_OPERATION_MANAGER><08-16-2012 11:04:56.632-60><thread=6336 (0x18C0)>
  [EnrollmentWrapper]: FindCertificate - there are 7 certs in the specified store~~  $$<SMS_AMT_OPERATION_MANAGER><08-16-2012 11:04:56.633-60><thread=6336 (0x18C0)>
  [EnrollmentWrapper]: FindCertificate - Found certs via FindByThumbprint, count = 1~~  $$<SMS_AMT_OPERATION_MANAGER><08-16-2012 11:04:56.634-60><thread=6336 (0x18C0)>
  [EnrollmentWrapper]: FindCertificate - cert[0].FriendlyName = Site System Identification Certificate~~  $$<SMS_AMT_OPERATION_MANAGER><08-16-2012 11:04:56.634-60><thread=6336 (0x18C0)>
  [EnrollmentWrapper]: FindCertificate - cert[0].Subject = CN=Site System Identification~~  $$<SMS_AMT_OPERATION_MANAGER><08-16-2012 11:04:56.634-60><thread=6336 (0x18C0)>
  [EnrollmentWrapper]: FindCertificate - cert[0].Issuer = CN=Site System Identification~~  $$<SMS_AMT_OPERATION_MANAGER><08-16-2012 11:04:56.635-60><thread=6336 (0x18C0)>
  ERROR: [EnrollmentWrapper]: Communicate to Enrollment service error. The service URL is https://SCCMserver.domain.com:443/EnrollmentService/AmtEnrollmentService.svc. Please check: 1. The service URL is correct and accessible. 2. Windows Communication Foundation
  (WCF) Activation is installed on the OOB service point and Enrollment points. 3. The OOB service point and the Enrollment point are mutual trusted, means each Site System Identification certificate is swapped to other's trusted people store.~~  $$<SMS_AMT_OPERATION_MANAGER><08-16-2012
  11:04:57.712-60><thread=6336 (0x18C0)>
  Error: Enroll AMT device failed  $$<SMS_AMT_OPERATION_MANAGER><08-16-2012 11:04:57.821-60><thread=6336 (0x18C0)>

• Reward certificate issue last year and never received

  I enrolled in the rewards program last year with a large purchase. This enrollment was in store at the time and I did not provide an email address. I logged in sometime after I enrolled and noticed that I had a $20 certificate issued a week or so after my purchase. I read that these are sent to the email address on file, but I did not have one enrolled. If it was mailed out I did not receive this either.
  A second part of this is, when I attempt to go to the email address section on my account it says, "We're sorry. Your email address is currently unavailable." 
  Is it possilbe to get the points back since I did not have an email address enrolled?
  Thanks!

  Hello kjeldoran2015,
  Welcome to the Best Buy forum!
  While an email should be sent out each time points are converted into a certificate, we cannot guarantee the delivery of any emails.  There are times where outside factors beyond our control may prevent an email from being delivered.  Either way, you would not have needed to receive an email in-order to redeem the $20 certificate because we can look up active certificates in any of our store registers and apply them to a purchase.
  As you may read on the forum, a certificate will expire 60 days after it was issued unless noted otherwise on the actual certificate.  The $20 certificate in-question cannot be reissued if it has officially expired, per the Program Terms.  I am going to send you a private message so that I can go over your account with you to ensure everything is up-to-date.  To check your private messages, you will want to login to the forum and click on the yellow envelope at the top.
  I hope you have a great day, and thank you for being a My Best Buy™ member.
  Derek|Social Media Specialist | Best Buy® Corporate
   Private Message

• Unable to enroll Computer certificates on Server 2008 R2 and older

  I've found a strange issue with our CA setup, and it didn't used to be a problem.  While renewing some internal certificates a couple of months ago I discovered that systems of the Windows 7/Server 2008 R2 and older families cannot enroll for a Computer
  certificate or for a custom template I built for web servers.  Systems of the Windows 8/Server 2012 and newer families can enroll using the exact same user and process without any trouble.  Direct IIS "domain certificate" enrollment still
  works.
  I'm enrolling with the Certificates MMC snap-in to allow use of the enhanced security template I built.  I open MMC, add the local computer certificates snap-in, and then attempt to request a certificate with Personal > Certificates > All Tasks
  > Request New Certificate.  I choose the Active Directory Enrollment Policy but then get the "Certificate types are not available" error message and a blank selection screen.  If I check the box to show all templates the certificates
  I want are listed with:
  "The permissions on this certification authority do not allow the current user to enroll for certificates. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA doesn't' support this
  operation, or the CA is not trusted."
  I've checked Event Viewer on both the CA and the clients, along with the CA request logs, but there's nothing visibly wrong.  The error message seems to say it all but since Windows 8/2012 clients and newer work I know the CA is functional and that
  the Administrator account can request certificates.  I've searched the web but can't find anything like this specific issue.
  Any ideas?
  Thank you!

  Hi Amy.
  Domain Admins and Enterprise Admins have Read/Write/Enroll.  Authenticated Users have Read.
  I also created a copy of an existing certificate (Web Server) but am unable to see it when I go to New > Certificate Template to Issue.  Our domain has had plenty of time to replicate the copied template.
  I don't recall making any changes that would have affected a computer's ability to enroll.  There has been some Group Policy work done and a new certificate template was created and marked to issue, but this problem was picked up by accident when I
  went to generate internal certificates back in October.  All administrative work is done as the domain Administrator account.
  We didn't have issues with this CA when it was first built, so something did change.  We don't have a large PKI environment, just some internal web sites, so if it comes to it I may just start over with everything.  When we moved to Server 2012
  on this system it was an upgrade from a Server 2003 CA that was never properly used or maintained.  It may be better just to clean everything and get one consistent root certificate again.
  Alan

• Checklist for Exchange Certificate issues

  Checklist for Exchange Certificate issues
  1. 
  Why certificate is important for Exchange and What are Certificates used for
  Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to
  securing web services, it has also incorporated Transport Layer Security (TLS) for session based authentication and encryption.
  Certificates are used for several things on Exchange Server. Most customers also use certificates
  on more than one Exchange server. In general, the fewer certificates you have, the easier certificate management becomes.
  IIS (OWA, ECP, EWS, EAS, OA, Autodiscover, OAB, UM)
  POP/IMAP
  SMTP
   2. 
  Common symptoms for
  certificate issue
  Here we can see three different types of the certificate warning, mainly from the Outlook
  side.
  a.
  Certificate mismatch issue
  b.
  Certificate trust issue
  c.
  Certificate expiration issue
  3. 
  Checklists
  In this section, checklists will be provided according to the three different scenarios:
  Certificate Mismatch Issue
  [Analysis]:
  This issue mainly occurs because the URL of the web services Outlook tries
  to connect does not match the host name in the certificate.
  [Checklist]:
  Firstly make sure how many host name in your certificate the certificate. Run “Get-ExchangeCertificate | select certificatedomain”.
  Secondly, check the web services URLs which Outlook are trying to connect to. Run “Test Email AutoConfiguration”
  In this scenario, you need to check the host name for the following services:
  Autodiscover
  EWS
  OAB
  ECP
  UM
  If any of the urls above does not match the one in the certificate, refer to the following article to change
  it via EMS:
  http://support.microsoft.com/kb/940726
   1.
  Do not forget to restart the IIS service after applying the changes above.
   2. Make sure a valid certificate is enabled on the IIS service.
  Certificate Trust Issue
  [Analysis]:
  For the self-signed and PKI-based (Enterprise)
  certificates, they are not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. On the other hand, Third-party or commercial
  certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates
  greatly simplifies deployment.
  [Checklist]:
  If it’s an Enterprise CA certificate, manually install the root certificate to the “Trusted Root Certification Authorities” folder:
  If it is a 3^rd-party certificate, first remove and reinstall the certificate. Check whether the Windows Certificate Store on the local
  client is corrupted. If it still does not work, please contact the third-party CA support to verify the certificate.
  Certificate Expiration Issue
  [Checklist]:
  When a certificate is about to expired, we just need to renew it by referring the following article:
  Renew an Exchange Certificate
  http://technet.microsoft.com/en-us/library/ee332322(v=exchg.141).aspx
  To avoid any conflictions, it’s recommended to remove the expired certificate from the certificate store.
  [How to set a reminder to alert the administrator when a certificate is about to expired]:
  It’s easy to fix the certificate expire issue. But it should be more important to set a reminder before the
  certificate expiration. Or there can be a large user impacts.
  Generally, the Event ID “^(24|25)$” will appear in Application log when a certificate is about to expire.
  If it’s not quite visible, we can refer to the following solution:
  http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx
  OWA certificate revoked issue
  [Analysis]:
  IE
  includes support for server certificate revocation which verifies that an issuing
  CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions
  are present. If the URL for the revocation information is unresponsive, IE cancels the connection.
  [Solution or workaround]:
  1. Contact CA provider and check whether the questioned certificate is in the Revoked List.
  2. If not, check whether the certificate has a private key.
  3. Remove the old certificate and import the new one.
  Workaround:
  IE Internet Options -> Advanced tab -> Clear the "Check for server certificate revocation"
  checkbox.
  4. 
  More References
  Digital Certificates and SSL
  http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
  More on Exchange 2007 and certificates - with real world scenario
  http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx

  (Reported previous post with link to SIS package to moderator)
  This is not the correct SIS package for the N73. The package shown is for S60 3.2 devices, but the N73 is not S60 3.2, I believe it is S60 3.0.
  Most features may work with this SIS, but if you experience strange problems, try using the S60 3.0 version.
  But there are no significant difference between 2.5.3 and 2.5.5 with regard to attachments. The only changes were with localization (languages).
  At this point, try 2.7.0 which is out now:
  http://businesssoftware.nokia.com/mail_for_exchange_downloads.php
  Make sure to pick the right phone on the drop down list. It does matter! There are 4 different packages. This list makes sure you get the right one.
  I have seen some issues with attachments not completing that seem to be carrier dependent. You can test this my using Wifi (if possible).
  Message Edited by m4e_team_k on 28-Sep-2008 12:25 AM

• How to fetch certificates issued in past

  Hi,
  I have a long list of templates issued in my Client's Issuing CA, some of them are not in use. If I try to export " Issued Certificates" list from CA, it hangs.
  I want to know how many certificates and last certificate issed from a specific template for fine-tuning and seggregation purpose. Please let me know how we can check that status.
  Thanks
  Neha Garg

  Hi Paul,
  I am getting the output like this :
  C:\Windows\system32>certutil -view -restrict "certificate template=<1.3.6.1.4.1.
  311.21.8.10269956.2688026.1196953.3333800.9810006.227.1092942.575204>"
  Schema:
    Column Name                   Localized Name                Type    MaxLength
    Request.RequestID             Request ID                    Long    4 -- Index
  ed
    Request.RawRequest            Binary Request                Binary  65536
    Request.RawArchivedKey        Archived Key                  Binary  65536
    Request.KeyRecoveryHashes     Key Recovery Agent Hashes     String  8192
    Request.RawOldCertificate     Old Certificate               Binary  16384
    Request.RequestAttributes     Request Attributes            String  32768
    Request.RequestType           Request Type                  Long    4
    Request.RequestFlags          Request Flags                 Long    4
    Request.StatusCode            Request Status Code           Long    4
    Request.Disposition           Request Disposition           Long    4 -- Index
  ed
    Request.DispositionMessage    Request Disposition Message   String  8192
    Request.SubmittedWhen         Request Submission Date       Date    8 -- Index
  ed
    Request.ResolvedWhen          Request Resolution Date       Date    8 -- Index
  ed
    Request.RevokedWhen           Revocation Date               Date    8
    Request.RevokedEffectiveWhen  Effective Revocation Date     Date    8 -- Index
  ed
    Request.RevokedReason         Revocation Reason             Long    4
    Request.RequesterName         Requester Name                String  2048 -- In
  dexed
    Request.CallerName            Caller Name                   String  2048 -- In
  dexed
    Request.SignerPolicies        Signer Policies               String  8192
    Request.SignerApplicationPolicies  Signer Application Policies   String  8192
    Request.Officer               Officer                       Long   
  4
    Request.DistinguishedName     Request Distinguished Name    String  8192
    Request.RawName               Request Binary Name           Binary  4096
    Request.Country               Request Country/Region        String  8192
    Request.Organization          Request Organization          String  8192
    Request.OrgUnit               Request Organization Unit     String  8192
    Request.CommonName            Request Common Name           String  8192
    Request.Locality              Request City                  String  8192
    Request.State                 Request State                 String  8192
    Request.Title                 Request Title                 String  8192
    Request.GivenName             Request First Name            String  8192
    Request.Initials              Request Initials              String  8192
    Request.SurName               Request Last Name             String  8192
    Request.DomainComponent       Request Domain Component      String  8192
    Request.EMail                 Request Email Address         String  8192
    Request.StreetAddress         Request Street Address        String  8192
    Request.UnstructuredName      Request Unstructured Name     String  8192
    Request.UnstructuredAddress   Request Unstructured Address  String  8192
    Request.DeviceSerialNumber    Request Device Serial Number  String  8192
    RequestID                     Issued Request ID             Long    4 -- Index
  ed
    RawCertificate                Binary Certificate            Binary  16384
    CertificateHash               Certificate Hash              String  128 -- Ind
  exed
    CertificateTemplate           Certificate Template          String  254 -- Ind
  exed
    EnrollmentFlags               Template Enrollment Flags     Long    4
    GeneralFlags                  Template General Flags        Long    4
    PrivatekeyFlags               Template Private Key Flags    Long    4
    SerialNumber                  Serial Number                 String  128 -- Ind
  exed
    IssuerNameID                  Issuer Name ID                Long    4
    NotBefore                     Certificate Effective Date    Date    8
    NotAfter                      Certificate Expiration Date   Date    8 -- Index
  ed
    SubjectKeyIdentifier          Issued Subject Key Identifier  String  128 -- In
  dexed
    RawPublicKey                  Binary Public Key             Binary  4096
    PublicKeyLength               Public Key Length             Long    4
    PublicKeyAlgorithm            Public Key Algorithm          String  254
    RawPublicKeyAlgorithmParameters  Public Key Algorithm Parameters  Binary  4096
    PublishExpiredCertInCRL       Publish Expired Certificate in CRL  Long    4
    UPN                           User Principal Name           String 
  2048 -- In
  dexed
    DistinguishedName             Issued Distinguished Name     String  8192
    RawName                       Issued Binary Name            Binary  4096
    Country                       Issued Country/Region         String  8192
    Organization                  Issued Organization           String  8192
    OrgUnit                       Issued Organization Unit      String  8192
    CommonName                    Issued Common Name            String  8192 -- In
  dexed
    Locality                      Issued City                  
  String  8192
    State                         Issued State                 
  String  8192
    Title                         Issued Title                 
  String  8192
    GivenName                     Issued First Name             String  8192
    Initials                      Issued Initials               String  8192
    SurName                       Issued Last Name              String  8192
    DomainComponent               Issued Domain Component       String  8192
    EMail                         Issued Email Address          String  8192
    StreetAddress                 Issued Street Address         String  8192
    UnstructuredName              Issued Unstructured Name      String  8192
    UnstructuredAddress           Issued Unstructured Address   String  8192
    DeviceSerialNumber            Issued Device Serial Number   String  8192
  Maximum Row Index: 0
  0 Rows
     0 Row Properties, Total Size = 0, Max Size = 0, Ave Size = 0
     0 Request Attributes, Total Size = 0, Max Size = 0, Ave Size = 0
     0 Certificate Extensions, Total Size = 0, Max Size = 0, Ave Size = 0
     0 Total Fields, Total Size = 0, Max Size = 0, Ave Size = 0
  CertUtil: -view command completed successfully.
  but it doesnt give me the output that I am looking for. I want to know details of last certificate issued by a given template and its validity status.
  Please let me know if I need to make any changes in command.
  Thanks
  Neha Garg

• Configure Windows Server Essentials (2012R2) "Identified problem": "Certificate Issuer is installed on this server" stops the configuration

  On a server 2012R2 Essentials when trying to install the essentials experience the first install works ok but the configuration allways stops with the message "Certificate Issuer is installed on this server" and no way to continue the configuration.
  Windows/Logs/CBS/
  2014-07-24 21:10:04, Info                  CBS    TI: --- Initializing Trusted Installer ---
  2014-07-24 21:10:04, Info                  CBS    TI: Last boot time: 2014-07-24 18:36:03.489
  2014-07-24 21:10:04, Info                  CBS    Starting TrustedInstaller initialization.
  2014-07-24 21:10:04, Info                  CBS    Ending TrustedInstaller initialization.
  2014-07-24 21:10:04, Info                  CBS    Starting the TrustedInstaller main loop.
  2014-07-24 21:10:04, Info                  CBS    TrustedInstaller service starts successfully.
  2014-07-24 21:10:04, Info                  CBS    No startup processing required, TrustedInstaller service was not set as autostart
  2014-07-24 21:10:04, Info                  CBS    Startup processing thread terminated normally
  2014-07-24 21:10:04, Info                  CBS    Starting TiWorker initialization.
  2014-07-24 21:10:04, Info                  CBS    Ending TiWorker initialization.
  2014-07-24 21:10:04, Info                  CBS    Starting the TiWorker main loop.
  2014-07-24 21:10:04, Info                  CBS    TiWorker starts successfully.
  2014-07-24 21:10:04, Info                  CBS    Universal Time is: 2014-07-24 19:10:04.379
  2014-07-24 21:10:04, Info                  CBS    Loaded Servicing Stack v6.3.9600.17200 with Core: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17200_none_fa7026dd9b04586e\cbscore.dll
  2014-07-24 21:10:04, Info                  CSI    00000001@2014/7/24:19:10:04.379 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7ffd2cb360e5 @0x7ffd2de92e53 @0x7ffd2de924ac @0x7ff60b37d2df @0x7ff60b37d9e4
  @0x7ffd588d2385)
  2014-07-24 21:10:04, Info                  CBS    Could not load SrClient DLL from path: SrClient.dll.  Continuing without system restore points.
  2014-07-24 21:10:04, Info                  CBS    SQM: Initializing online with Windows opt-in: True
  2014-07-24 21:10:04, Info                  CBS    SQM: Cleaning up report files older than 10 days.
  2014-07-24 21:10:04, Info                  CBS    SQM: Requesting upload of all unsent reports.
  2014-07-24 21:10:04, Info                  CBS    SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_std.sqm, flags: 0x2
  2014-07-24 21:10:04, Info                  CBS    SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_all.sqm, flags: 0x6
  2014-07-24 21:10:04, Info                  CBS    NonStart: Set pending store consistency check.
  2014-07-24 21:10:04, Info                  CBS    Session: 30386034_3758808251 initialized by client WinMgmt.
  2014-07-24 21:10:04, Info                  CBS    Enumerating Foundation package: Microsoft-Windows-ServerCore-Package~31bf3856ad364e35~amd64~~6.3.9600.16384, this could be slow
  2014-07-24 21:10:05, Info                  CSI    00000002 IAdvancedInstallerAwareStore_ResolvePendingTransactions (call 1) (flags = 00000004, progress = NULL, phase = 0, pdwDisposition = @0x172dbed940
  2014-07-24 21:10:05, Info                  CSI    00000003 Creating NT transaction (seq 1), objectname [6]"(null)"
  2014-07-24 21:10:05, Info                  CSI    00000004 Created NT transaction (seq 1) result 0x00000000, handle @0x25c
  2014-07-24 21:10:08, Info                  CSI    00000005 Poqexec successfully registered in [ml:26{13},l:24{12}]"SetupExecute"
  2014-07-24 21:10:08, Info                  CSI    00000006@2014/7/24:19:10:08.151 Beginning NT transaction commit...
  2014-07-24 21:10:08, Info                  CSI    00000007@2014/7/24:19:10:08.182 CSI perf trace:
  CSIPERF:TXCOMMIT;32854
  2014-07-24 21:10:08, Info                  CSI    00000008 CSI Store 99552754976 (0x000000172dce7d20) initialized
  2014-07-24 21:10:08, Info                  CSI    00000009@2014/7/24:19:10:08.182 CSI Transaction @0x172e9bcaa0 initialized for deployment engine {d16d444c-56d8-11d5-882d-0080c847b195} with flags 00000002
  and client id [26]"TI5.30386034_3758808251:1/"
  2014-07-24 21:10:08, Info                  CSI    0000000a@2014/7/24:19:10:08.182 CSI Transaction @0x172e9bcaa0 destroyed
  2014-07-24 21:10:19, Info                  CBS    Session: 30386012_3156824848 initialized by client DISM Package Manager Provider.
  2014-07-24 21:12:19, Info                  CBS    Trusted Installer is shutting down because: SHUTDOWN_REASON_AUTOSTOP
  2014-07-24 21:12:19, Info                  CBS    TiWorker signaled for shutdown, going to exit.
  2014-07-24 21:12:19, Info                  CBS    Ending the TiWorker main loop.
  2014-07-24 21:12:19, Info                  CBS    Starting TiWorker finalization.
  2014-07-24 21:12:19, Info                  CBS    Ending the TrustedInstaller main loop.
  2014-07-24 21:12:19, Info                  CBS    Starting TrustedInstaller finalization.
  2014-07-24 21:12:19, Info                  CBS    Ending TrustedInstaller finalization.
  2014-07-24 21:12:20, Info                  CBS    Ending TiWorker finalization.
  Any ideas?
  //Christer

  Hi Justin!
  nltest /server:"servername" /sc_reset:"domaninname" returns: "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN" 
  Dcdiag /q returns : An error occurred. EventID: 0xC0001B77
  The text log was not small enough to post here..
  Regards.
  Christer
  Can not find anything directly related in windows-logs but here is the latest log from CBS folder.. 
  2014-07-28 11:04:25, Info                  CSI    00000888 [DIRSD OWNER WARNING] Directory [ml:520{260},l:118{59}]"\??\C:\Windows\Inf\Windows Workflow Foundation 3.0.0.0\041D" is not owned but specifies
  SDDL in component Microsoft-Windows-WWFCoreComp.Resources, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"sv-se", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
  2014-07-28 11:04:25, Info                  CSI    00000889 [DIRSD OWNER WARNING] Directory [ml:128{64},l:126{63}]"\??\C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\en" is not owned but specifies
  SDDL in component Microsoft.Dtc.PowerShell.Non_msil.Resources, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
  2014-07-28 11:04:28, Info                  CSI    0000088a [DIRSD OWNER WARNING] Directory [ml:134{67},l:132{66}]"\??\C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\en-US" is not owned but specifies
  SDDL in component Microsoft.Dtc.PowerShell.Scripts.Resources, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
  2014-07-28 11:04:28, Info                  CSI    0000088b [DIRSD OWNER WARNING] Directory [ml:520{260},l:134{67}]"\??\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework" is not owned but specifies
  SDDL in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
  2014-07-28 11:04:28, Info                  CSI    0000088c [DIRSD OWNER WARNING] Directory [ml:520{260},l:118{59}]"\??\C:\Windows\Inf\Windows Workflow Foundation 3.0.0.0\0000" is not owned but specifies
  SDDL in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
  2014-07-28 11:04:28, Info                  CSI    0000088d [DIRSD OWNER WARNING] Directory [ml:520{260},l:114{57}]"\??\C:\Program Files (x86)\Reference Assemblies\Microsoft" is not owned but specifies SDDL
  in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
  2014-07-28 11:04:28, Info                  CSI    0000088e [DIRSD OWNER WARNING] Directory [ml:520{260},l:144{72}]"\??\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0" is not owned
  but specifies SDDL in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
  2014-07-28 11:04:28, Info                  CSI    0000088f [DIRSD OWNER WARNING] Directory [ml:520{260},l:94{47}]"\??\C:\Program Files (x86)\Reference Assemblies" is not owned but specifies SDDL in component
  Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
  2014-07-28 11:04:30, Info                  CSI    00000890 Ignoring duplicate ownership for directory [l:72{36}]"\??\C:\Windows\microsoft.net\authman" in component Microsoft.Interop.Security.AzRoles, Version
  = 6.3.9600.16384, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
  2014-07-28 11:04:31, Info                  CSI    00000891 [SR] Verify complete
  2014-07-28 11:04:31, Info                  CSI    00000892 [SR] Verifying 100 (0x0000000000000064) components
  2014-07-28 11:04:31, Info                  CSI    00000893 [SR] Beginning Verify and Repair transaction
  2014-07-28 11:04:36, Info                  CSI    00000894 [SR] Verify complete
  2014-07-28 11:04:36, Info                  CSI    00000895 [SR] Verifying 100 (0x0000000000000064) components
  2014-07-28 11:04:36, Info                  CSI    00000896 [SR] Beginning Verify and Repair transaction
  2014-07-28 11:04:40, Info                  CSI    00000897 [DIRSD OWNER WARNING] Directory [ml:520{260},l:120{60}]"\??\C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList" is not owned but specifies
  SDDL in component NetFx-ASSEMBLYLIST_XML, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope neutral, PublicKeyToken = {l:8 b:b03f5f7f11d50a3a}, Type neutral, TypeName neutral, PublicKey neutral
  2014-07-28 11:04:42, Info                  CSI    00000898 [SR] Verify complete
  2014-07-28 11:04:42, Info                  CSI    00000899 [SR] Verifying 100 (0x0000000000000064) components
  2014-07-28 11:04:42, Info                  CSI    0000089a [SR] Beginning Verify and Repair transaction
  2014-07-28 11:04:46, Info                  CSI    0000089b [SR] Verify complete
  2014-07-28 11:04:46, Info                  CSI    0000089c [SR] Verifying 100 (0x0000000000000064) components
  2014-07-28 11:04:46, Info                  CSI    0000089d [SR] Beginning Verify and Repair transaction
  2014-07-28 11:04:52, Info                  CSI    0000089e [SR] Verify complete
  2014-07-28 11:04:52, Info                  CSI    0000089f [SR] Verifying 100 (0x0000000000000064) components
  2014-07-28 11:04:52, Info                  CSI    000008a0 [SR] Beginning Verify and Repair transaction
  2014-07-28 11:04:58, Info                  CSI    000008a1 [SR] Verify complete
  2014-07-28 11:04:58, Info                  CSI    000008a2 [SR] Verifying 100 (0x0000000000000064) components
  2014-07-28 11:04:58, Info                  CSI    000008a3 [SR] Beginning Verify and Repair transaction
  2014-07-28 11:05:02, Info                  CSI    000008a4 [SR] Verify complete
  2014-07-28 11:05:02, Info                  CSI    000008a5 [SR] Verifying 100 (0x0000000000000064) components
  2014-07-28 11:05:02, Info                  CSI    000008a6 [SR] Beginning Verify and Repair transaction
  2014-07-28 11:05:08, Info                  CSI    000008a7 [SR] Verify complete
  2014-07-28 11:05:08, Info                  CSI    000008a8 [SR] Verifying 52 (0x0000000000000034) components
  2014-07-28 11:05:08, Info                  CSI    000008a9 [SR] Beginning Verify and Repair transaction
  2014-07-28 11:05:09, Info                  CSI    000008aa [DIRSD OWNER WARNING] Directory [ml:520{260},l:56{28}]"\??\C:\Windows\system\Speech" is not owned but specifies SDDL in component Windows-Media-SpeechSynthesis-WinRT,
  pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
  2014-07-28 11:05:09, Info                  CSI    000008ab Ignoring duplicate ownership for directory [l:56{28}]"\??\C:\Windows\system\Speech" in component Windows-Media-SpeechSynthesis-WinRT, Version =
  6.3.9600.16384, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
  2014-07-28 11:05:09, Info                  CSI    000008ac [SR] Verify complete
  2014-07-28 11:05:09, Info                  CSI    000008ad [SR] Repairing 1 components
  2014-07-28 11:05:09, Info                  CSI    000008ae [SR] Beginning Verify and Repair transaction
  2014-07-28 11:05:09, Info                  CSI    000008af Hashes for file member \??\C:\Program Files\Windows Server\Bin\WebApps\RemoteAccess\Web.config do not match actual file [l:20{10}]"Web.config"
    Found: {l:32 b:jiP+IRWGZxsG0nX6il5MCZofFThiSfytb8Ih27r5EPk=} Expected: {l:32 b:KR7DbPqdCKMwdiZI2XDSr42o4ujtpZlzfX9ud+ODKRM=}
  2014-07-28 11:05:09, Info                  CSI    000008b0 [SR] Repairing corrupted file [ml:520{260},l:120{60}]"\??\C:\Program Files\Windows Server\Bin\WebApps\RemoteAccess"\[l:20{10}]"Web.config" from
  store
  2014-07-28 11:05:09, Info                  CSI    000008b1 [SR] Repair complete
  2014-07-28 11:05:09, Info                  CSI    000008b2 [SR] Committing transaction
  2014-07-28 11:05:09, Info                  CSI    000008b3 Creating NT transaction (seq 2), objectname [6]"(null)"
  2014-07-28 11:05:09, Info                  CSI    000008b4 Created NT transaction (seq 2) result 0x00000000, handle @0xba4
  2014-07-28 11:05:11, Info                  CSI    000008b5@2014/7/28:09:05:11.308 Beginning NT transaction commit...
  2014-07-28 11:05:11, Info                  CSI    000008b6@2014/7/28:09:05:11.470 CSI perf trace:
  CSIPERF:TXCOMMIT;163479
  2014-07-28 11:05:11, Info                  CSI    000008b7 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction  have been successfully repaired
  2014-07-28 11:07:13, Info                  CBS    Trusted Installer is shutting down because: SHUTDOWN_REASON_AUTOSTOP
  2014-07-28 11:07:13, Info                  CBS    TiWorker signaled for shutdown, going to exit.
  2014-07-28 11:07:13, Info                  CBS    Ending the TiWorker main loop.
  2014-07-28 11:07:13, Info                  CBS    Starting TiWorker finalization.
  2014-07-28 11:07:13, Info                  CBS    Ending the TrustedInstaller main loop.
  2014-07-28 11:07:13, Info                  CBS    Starting TrustedInstaller finalization.
  2014-07-28 11:07:13, Info                  CBS    Ending TrustedInstaller finalization.
  2014-07-28 11:07:13, Info                  CBS    Ending TiWorker finalization.
  Regards. Christer

• Points / Certificate question

  I preordered Destiny and used (what I thought) was a combination of available certificates and gift cards. I have been unable to access my points history, but it is saying that I have $5 in certificates to use. I have two questions,
  1) Looking at the order history, I see the gift cards were used, but the points do not seem to be. Can this be confirmed for me?
  2) Can the existing certificate be applied to an existing order? I am concerned with cancelling and replacing the same order as it is for a high demand product and I do not want to lose my ability to get the item.
  3) Since the points history has not been accessible for me, as it seems to be the case with others, will Best Buy make an exception to the policy of reissuing rewards certificates based on this issue?
  4) I have my rewards certificates set to issue at $20. Is there a way to see when I changed this versus when the last two certificates were issued?
  I understand the policy of reissuing, so if that is the final answer, you do not need to send me to the fine print link. I am just hoping the interest of customer service some sort of resolution can be found. If not, I'll chalk it up as lost money to a confusing and broken system.
  Also, if this is Derek answering, you have helped me multiple times with other issues. This is not intended to criticize any individuals. Thanks!

  Good morning ToxicLogics,
  I am more than happy to see if I can help answer your questions!
  Based on your pre-order, it does not appear that any My Best Buy certificates were redeemed.
  If you want to apply any active My Best Buy certificates to your pre-order, then you would need to cancel the existing pre-order and place a new pre-order.
  Are you trying to view your points history by logging into BestBuy.com?  If you want to view the details of your account and access your points/certificates , then you are going to wan to login to MyBestBuy.com.  Your My Best Buy and BestBuy.com accounts appear to be linked.
  I am unable to see when you changed your certificate preference
  I would like to go over your My Best Buy account with you to ensure it is up-to-date and that your certificate preference is correct, so I will be sending you a private message.  You can check your private messages by logging into the forum and clicking on the little yellow envelope at the top of the page.
  Thank you for posting to the forum!
  Derek|Social Media Specialist | Best Buy® Corporate
   Private Message

• Deploy iPads AC 1.5 + PM 3 enrollment profile install-issues

  I'm having a hard time in deploying iPads the OTA-way using Profile Manager 3 and Apple Configurator 1.5.
  Under Profile Manager (OS X Mavericks) I have a valid trust certificate and a created enrollment profile (for the iPads).
  Under Apple Configurator 1.5 I prepare an iPad using Supervised mode and added the trust certificate and a WiFi-setting. In the Supervise-tab I add the enrollment profile (created in Profile Manager). Everything works nice until the enrollment profile needs to be installed. Every time I get an error stating the profile could not be installed... AC 1.5 has a new feature on the Prepare-tab: anchor profiles. Is it possible this has something to do with the error I get? I can't find any info on that new feature...
  Extra info: I'm using the same Profile Manger to deploy iMacs and this works without problems. So the trust certificate is valid.
  I've been watching so many video's demonstrating the deployment-process of iPads using AC and PM. Those installments all work. Very frustrating... I can't get it to work... I've to state that all those video's use AC 1.4.x and the iPads have versions prior to iOS7.1.
  I even have tried to enroll the iPads on a manual basis but I always end up with the same error.
  Can anyone help me or give some tips in order to get my iPads enrolled?

  Same issues here.
  Buggy as ****..
  Also after some time, the Profile Manager PAne doesn't even fill in Server.app.....stays at Loading...
  Nevertheless, the service itself works with the bug you outlined, plus enroll is impossible for me (check my post here: Can't enroll devices with Profile Manager - invalid key  )
  I hope all these get fixed in 10.7.1   !!!

• How do i deal with 'security certificate' issues on my iPad2? I'm unable to answer the security questions that pop up when Im trying to download an app because the pop up does not load properly...

  Basically my Ipad2 stopped allowing me to go to sites such as Tumblr a little while ago. It wouldn't display the page properly because of 'security certificate' issues. This in itself would not have been such a problem, but when I went to the App store to try and download the Tumblr App, a pop up appeared asking me to answer some security questions before I could successfully install the App. However, the pop up would not display correctly because of 'security certificate' issues and as a result I can't download any apps from the App Store. Can anyone help with this??

  Well, I maged to delete some stuff, download the update...
  My Mac mail is still not ok. Still only displays today, yesterday and everything is the 16th of the month previous to this?
  All a bit strange to say the least any suggestons on how to resolve this.
  I now have a second issue in all my emails at the very top of each it describes in detail the full information of
            Delivered-To:  
            Received:  
            Received:  
            Received:  
            Received:  
            X-Received:  
            Return-Path:  
            Received-Spf:
            Authentication-Results:
            Content-Type:  
            Mime-Version:  
            X-Mailer:  
            X-Cloudmark-Analysis:  
  Surely this should not be displayed rather insecure I would think. Any suggestions on how to amend

• Certificates issued by communications server for client authentication

  Hi,
  we ran into problem with those certificates, that are being issued by the lync server itself.  In our enteprise we have CX600 and CX3000 phones, and i know that certificate authentication is required for the phones to work (both for registrar and webservice).
  However, now that users have lync installed, they have their communications server certificate assigned as well. The problem is when a user needs to sign a document with the certificate from our private CA, for most of the users, word or excel suggests to
  use a certificate issued by communications server, not our ent CA. Maybe there is a way for LYNC to trust private enteprise CA and not give out its own certificates and STILL use certificate authentication?
  Thanks!

  Facing almost the same issue, Lync (server) issues ClientAuth certs from "Communication Server", (btw
  is not trusted of course), and in turns forces users to make a selection of which VPN cert to use when dialing in, instead of only one ClientAuth cert installed, they now have 2 ClientAuth certs installed, which our internal CA's should care about and NOT
  the Lync (server).
  Don’t get how an MS product of this caliber can be built without proper PKI integration, how can it NOT utilize internally issued certs for client authentication???
  Not the first though, SCCM and OSD is another example....
  However, are you saying that Lync communication can’t be used without certificate authentication,
  without the user being spammed with credential prompts?
  Trying to get clarification on this…

• CF7 and JDK 1.4.2 - EV SSL Certificate Issue

  Let me start off by telling the group that we do not use CF for any of our applications.  We are a payments company that hosts a .NET API in IIS that 100's of thousands of customer use.  We have one particular customer using CF7 and JDK 1.4.2 who is currently unable to process against our API.  About a week ago we upgraded our SSL certificates to EV (Extended Validation) and since that time our once happy customer is now unhappy.  I have spent hours working with him, going through FAQs and walk throughs, knowledge bases and forums and have had no luck.  Here are the details:
  EV Certificate issued by DigiCert (4096-bit).
  Customer is on CF7 and JDK 1.4.2.
  When he attempts to process against our API with the new certificate he gets 'Connection Failure: Status code unavailable' message from his CF application.  He is using cfhttp to post his requests.  We found a work around that indicated that the only issue with JDK 1.4.2 was importing the high-bit certificates.  Our customer installed JDK 1.6, imported the certificate (and all intermediate certificates) successfully into the cacerts file, but when attempting to list using JDK 1.4.2 is returns an invalid certificate error and still will not work.
  Please help as we are currently in a work around state for this customer (not long term) and we have exhausted the resources we have access to for solving this issue.
  Thanks in advance to those gurus that reply.  I have attached a sample post from our customers logs with non-essential data removed.
  I can be reached by phone at 801-341-5620 if anyone feels like reaching out to talk.
  - Dave

  Dave,
  I am having a similar issue with CF7 and PayPal's Reporting API which also uses EV SSL.
  I can offer that in my testing, both CF 8 and CF 9 do seem to be able to work when using CFHTTP and EV SSL,
  so the only solution I can offer at this time is to make the suggestion to your customer that they need to upgrade
  to either CF 8 or CF 9 to get the issue quickly resolved.
  I'm still working to see if I can find a solution for CF7 and I've been asking around in the CF community for help, so
  if I do find a solution, I'll definitely post it there for you.
  Cheers

• Clean Access Agent 4.0.5 certificate issue

  Dear all,
  I ran into an issue that I hope you could help me resolve.
  We have NAC 4.0.5 and windows active directory domain.... the clients log on to the client to access the network with their domain credentials and they used to get the "Certificate is issued from an untrusted...." until I installed the www.perfigo.com certificate to the local certificate store...
  But as I'm a newbie... I seem to have done something on the NAC manager that messed up something, cause now the client considers the certificate issued from a trusted source, BUT a warning stating that the name on the certificate does not match the name (image attached)..
  What would be the possible solution to this??

  Hi,
  This can happen if you change IP address or hostname of the issued certificate...
  Have you done any of these?
  As side note, please beaware that 4.0.5 is End of Life since March 16th 2009... so you may want to consider upgrading your setup.
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/end_of_life_notice_c51-524732.html.
  HTH,
  Tiago

• When accessing Intranet sites that use SSL Certificates issued by our internal PKI, FF for Windows give an error of "improperly formatted DER-encoded message"

  When accessing Intranet sites with that have SSL Certificates issued by our internal PKI, FF for Windows gives an error messsage - An error occurred during a connection to myshaw. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
  Chrome and IE work fine. This is a new PKI using the SHA-2 signature algorithm.

  Hi Guigs2,
  From the other post you link too, I can confirm that both the Root and Subordinate CA have been commissioned with the:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
  registry key set. As can be seen above, the Signature algorithm on an issued certificate is RSASSA-PSS. This is been Microsoft suggested deployment IF you do not wish to support either XP or Windows 2003 machine and lower. In fact, I believe the option has been around since Windows 2008, however, there were of course, a lot more XP machines back then.
  The obvious answer is that we would like to maintain the updated algorithm, AND see support for it added for Firefox. I think you will see a LOT more posts like this as people deploy more 2012 PKI infrastructure supporting only Windows 7 and up. Heavens, we may well be forced to Chrome or even back to IE!!! Whilst I do not what to necessary open up other potential vulnerabilities, for the sake of testing, what do you mean by disabling mozilla:pkix?