Govt PKI Certificates

Are there any known issues of using portal with Govt generated PKI Certificates? I get the following error when I try to access my homepage.
[31/08/2001 10:24:32:687 EDT] page/JNI: Exception when trying to connect in 0.
[31/08/2001 10:24:32:687 EDT] page/ContentFetcher Exception, name=content-fetcher2
javax.net.ssl.SSLException: SSL handshake failed: X509CertChainIncompleteErr
When I access the portal with URLs that don't use /pls/portal30, they work just fine.
Thanks,
Robert Gann

Robert,
We had the same problem at our site. It turns out that the instructions provided by the certificate authority for the chain certificate did not work for Apache and the certificate was not chained correctly.
To fix the problem we went back to the issuing authority's website and selected the option to display the entire chain certificate. We then copied the entire text including comments, and pasted into the certificate chain on our server.
Apparently, the method given in the authority's instructions was not including the original certificate in the chain.
This may be clear as mud since it has been a while, so let me know if you need further clarification and I will go back to the site and retrace my steps.
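An added example, not part of the original posts and not code from Oracle or the certificate authority: a standard-library check that the certificates pasted into a server chain file link by name from the leaf up to a root the client trusts, which is the condition behind a chain-incomplete handshake error. The certificate skeletons are constructed and unsigned, every helper name is an assumption made for illustration, and only issuer/subject name chaining is checked, not signatures.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, content_start, end) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: next N bytes hold the length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names of one X.509 certificate."""
    _, cert_start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(der, cert_start)    # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(der, pos)
        fields.append((tag, der[pos:end]))
        pos = end
    if fields and fields[0][0] == 0xA0:            # optional [0] version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def split_pem(text):
    """DER certificates from a PEM bundle; text between blocks is ignored."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def check_chain(pem_text, trusted_subjects):
    """Return a list of problems; an empty list means leaf -> trusted root links by name.

    Names are compared byte for byte, a simplification of RFC 5280 name matching.
    """
    certs = [issuer_and_subject(d) for d in split_pem(pem_text)]
    if not certs:
        return ["no certificates found"]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:
            problems.append(f"cert {i}: issuer is not the subject of cert {i + 1}")
    if certs[-1][0] not in trusted_subjects:
        problems.append("issuer of the last cert is neither in the file nor trusted")
    return problems

# ---- constructed sample data: unsigned skeletons, structure only ----
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def name(cn):
    """Name holding a single commonName (OID 2.5.4.3) attribute."""
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def dummy_cert_pem(subject_cn, issuer_cn):
    alg = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"250101000000Z") + tlv(0x17, b"260101000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00"))     # placeholder key
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))  # placeholder signature
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def demo():
    leaf = dummy_cert_pem("portal.example.test", "Constructed Issuing CA")
    inter = dummy_cert_pem("Constructed Issuing CA", "Constructed Root CA")
    trusted = {name("Constructed Root CA")}
    return {
        "leaf + intermediate": check_chain(leaf + "# issuing CA follows\n" + inter, trusted),
        "leaf only": check_chain(leaf, trusted),
        "wrong order": check_chain(inter + leaf, trusted),
    }

if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "ok")
```

Running the same check against the real chain file before restarting the web server shows which link is missing; signature and validity checks still need a full X.509 library.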

Similar Messages

  • Accessing User Name in a JAVA application from a PKI certificate

    Our JAVA application needs to verify the username from a PKI certificate. Is there any way to access this information. We are developing using Oracle JDeveloper, Oracle App Server and db.
    Thanks,

    I don't know if it is possible to run the main method from another Java app by simply calling it...
    But you could just copy and paste the stuff from your main method into a new static method called something like runDBQuery and have all the execution run from there.
    How does that sound? Is it possible?
    What I'm suggesting is:
    Original:
    public class DBQuery {
        public static void methodA() {
        }
        public static void doQuery() {
            methodA();
        }
        public static void main(String[] args) {
            // Your method calls
            // Your initializing
            doQuery();
        }
    }
    Revised:
    public class DBQuery {
        public static void methodA() {
        }
        public static void doQuery() {
            methodA();
        }
        public static void doMyQuery() {
            // Your method calls
            // Your initializing
            doQuery();
        }
        // No main needed!!
        //public static void main(String[] args){
        // Your method calls
        //doQuery();
        //}
    }

  • Using PKI Certificate Logon

    Currently our users need a valid PKI certificate to access our
    site, but we need to find a way to validate them and log them in
    based purely on their PKI certificate without using a login name
    and password? Does anyone know a way to identify a user in
    coldfusion with just his submitted certificate, or is there a 3rd
    party solution that would work?
    Thanks

    Hi I am also facing the same problem.
    If you get any feasible solution using only Java, please provide it here.
    Thanks,
    Msr.

  • HT1679 How do you add a PKI certificate to "My Certificates?"

    I read the Apple KB article about getting certain individual certificate-requiring websites connected with PKI certificates, but it assumes the necessary certificates are already visible in the "My Certificates" category of the Keychain Access app.  What if I have a certificate from my work computer that shows up in the "Certificates" category but not the "My Certificates" category?  Is there any way to get them transferred into the "My Certificates" category so that Safari will recognize them?
    Brian Green

    I think it's the same process as adding an iTunes card: just go to redeem and type in the code.

  • PKI Certificates

    Hi, we are working to get PKI security with our web services and I am wondering where to look for information regarding what we're trying to do. We have gotten PKI to work in a general sense where we generate certificates based on a root certificate and share this with a partner app so they're able to send the proper certificate that we validate against the certificate in our Oracle Wallet. However, we would like to take this a step further and have a certificate be generated that is specifically assigned to a web service we're exposing so that when we share this with a partner application we can certify that they are sending a trusted certificate related to this specific web service.
    I've looked at examples at otn, but the ones I've seen are all at a general level; I haven't seen one that gets into more specific service security. Can someone point me in the right direction to research this?
    Thanks,
    Mark

    firie
    I dunno, but try it over SSL... I'm sure there's no X509 in plain HTTP.
    and you've got a typo:
    String userDN = "";
    userDn = certs[0].getSubjectDN().getName();

  • PKI Certificates on smart cards.

    Hi techies,
    I am a Smart card operating system developer.
    I'm working on a PKI OS project,
    and I'm stuck while implementing the verify certificate command.
    Currently the issue I'm facing is how to store certificates on the smart card:
    I mean which file to use, which format to use (maybe X.509), and which document is relevant from an implementation point of view.
    Could anybody help me out?
    Regards,
    Rishabh Agarwal

    Hi Polat,
    Thanks for the reply, as I thought I wouldn't get any.
    Well, I am talking about a native card, not a Java Card, but I think it doesn't make any difference, as at the application level both are the same (different at the implementation level, not the application level).
    So here I got some clue after searching material and brainstorming... we need to read the following documents:
    1) PKCS#1 v2.1
    2) PKCS#15
    3) PKCS#7 (maybe, as I haven't gone through it yet)
    I am almost ready with my OS for the native card and have tested some of its features except those related to certificates...
    Now I want to test it with some CSP application; I don't know how it will go... I'm trying to get some demo CSP code which I can change, and test my card by integrating it into some Windows applications.
    If you have any clue about the above, then please let me know,
    and please ask if you need any help from my side.
    Regards
    Rishabh Agarwal

  • Monitor pki certificate status via snmp

    I recently discovered that a number of our remote sites could not connect to each other via dmvpn due to various certificate problems.
    They could all connect to our hubs due to pre shared keys, so the problem was never discovered before a colleague discovered MM_KEY_EXCH states on some of the routers.
    I therefore want to monitor the state of the certificates, preferably via snmp.
    I found a nice looking mib,CISCO-PKI-PARTICIPATION-MIB, on http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.505
    but none of our routers seem to support it, and when you click on "view supporting images", it also specifies: "There is no supporting images available for
    CISCO-PKI-PARTICIPATION-MIB"
    Do you have any experience on how to monitor certificate status on your Cisco routers?

    No real solution. I found that they all needed to connect to one specific router, so I fire off "show crypto isakmp sa | inc MM_KEY_EXCH" on that specific router via our management platform, and receive a mail with the output on a daily basis.

  • SCUP 2011 for SCCM 2007 - SUP, WSUS plus MS PKI certificates (not self-signed ones)

    I am installing System Center Updates Publisher 2011 for our SCCM 2007 R2 system.
    Our SCCM 2007 R2 system runs in mixed mode. We have a dedicated server for SUP/WSUS and OSD/PXE functions.
    Shall I install SCUP 2011 on the dedicated server? I have installed it on my Windows 7 computer. What is the best practice configuration? SCUP should be equivalent WSUS role for Microsoft Partners software updates. Am I right? In this case, I should install SCUP on the SUP/WSUS server in my opinion.
    We have used the SUP/WSUS to apply Microsoft updates without any problems so far.
    When I am investigating the certificate requirement for SCUP 2011 code signing, I have found out that our SUP/WSUS server has some self-signed certificates for SMS and WSUS.
    All our SCCM 2007 servers except one have self-signed SMS Encryption Certificate and SMS Signing Certificate - those certificates are issued to SMS by SMS. The SUP/WSUS server also has an extra self-signed certificate WSUS Publishers Self-signed for code signing.
    We do have our own Microsoft Active Directory Certificate Services internal PKI service which has been trusted by our AD domain. Therefore, I would like to use a certificate from the PKI service for SCUP 2011 server such that all our SCCM 2007 clients will trust the certificate for non Microsoft software updates.
    What should I do re the self-signed SMS or WSUS certificates on the SUP/WSUS server?
    I just want to add SCUP to our SCCM 2007 system without causing problems to Microsoft updates deployment via SUP/WSUS.
    Thanks,
    SJJ123

    Personally I have used the self signed certificate and used the AD Group policy to distribute the certificate. I think it would be possible to import a certificate from your PKI into SCUP. Have you tried this?
    Louis

  • How does JRE handle PKI certificates?

    I've got a bunch of Macs, all running OS X 10.10.2 and JRE 8u31  Most, no problems.  But I've got two on which Java complains about the certificates of at least one web site.  In the browser, the cert is just fine.  Trusted, etc.  Java doesn't think it's trusted.  I didn't have to do anything with keystores or truststores on any of them... install java and it "just works".  So I have no idea what or how Java is handling certs differently than the OS.

    ANOKNUSA wrote:
    Leonid.I wrote:OK, I got it. The problem is indeed related to uninstalling: /media disappeared after removal of hal <snip>
    Several folk had the same problem after upgrading to KDE 4.6; no one seemed sure precisely what the culprit is.  I'm gonna try and reproduce this and check for/file a bug report.  You may have maimed two birds with one stone, Leonid.I
    If you mean hal, then at some point, it creates a data file /media/.hal-mtab, which on old installations (that went through a lot of ext media mounts), saves the dir, even if hal is removed. Of course, a separate question is why does hal contain /media. But otherwise, Allan is right: there is no natural good way of fixing this pacman behavior.
    Last edited by Leonid.I (2011-03-01 19:04:43)

  • CGI.Client_Cert_Encoded Variable Problem / PKI Certificates

    Hello,
    I have a developer on my team who has been tasked with
    upgrading our ColdFusion Server from 5.0 to 7.0. The problem we are
    having is that the client_cert_encoded cgi variable is not showing
    up or getting set even though we have a valid client certificate.
    The cert_issuer and cert_subject variables are being set and I can
    display them fine.
    Does anyone have any ideas or solutions to this problem?
    Sincerely,
    Robert Eberhart

    It appears Adobe has dropped support for that variable.
    Take a look at the comments at the bottom:
    http://livedocs.adobe.com/coldfusion/6/CFML_Reference/Expressions5.htm

  • PKI Certificate validation API

    Hi,
    I'm looking at the different methods that verify the validity of a digital certificate (cert chain...).
    I would like to know where I can read about the *"best practice"* of the above, meaning, which parameters (CN, Subject, etc) do I have to check in order to be confident that the dig cert is valid.
    THANKS.

    800414 wrote:
    Another question,
    can't the subject\CN be from a different entity? a situation I would like to deal with.
    The subject's certificate can be for anyone, whether they are from inside the company you work in, or not. However, the trust you have in the subject's certificate is derived, NOT from the subject's certificate itself, but from the Root Certification Authority (CA) to which the subject's certificate is chained. The JVM has chosen to establish trust in a number of third-party CA's for you. But this doesn't mean that you should automatically trust every certificate issued by every one of those CAs.
    I would begin studying these topics with this "Introduction to Public Key Cryptography" (http://docs.sun.com/source/816-6154-10/index.html) and go onto "Secure Electronic Commerce" by Warwick Ford and Michael S. Baum (PTR). The book covers many technical and legal issues associated with using certificates and establishing trust for e-commerce.
    Arshad Noor
    StrongAuth, Inc.

  • I have a working sample of UIX using PKI certificate for Authentication

    If you are interested please email me at [email protected] The working version uses the X509 certificate and the dynamic JDBC authentication in JDeveloper 9.0.5.2.
    I'm planning to post a zip file to a blog where it can be downloaded. Since I don't have a blog of my own (nor do I have the time to maintain one), I'm looking for someone to host it for me.
    See ya,
    Connie Adams

    Hi,
    Long shot, but...
    Open Audio Midi Setup in Applications>Utilities, see the input & output options & KHz setting there, some things will change it for their own use, then not set it back.

  • PKI, certificate and keychain.app experts needed!

    Hi all!
    I have the following problem. To verify e-mails signed (qualified in the sense of German signature-laws) the highest German CA-certificate is needed. So I imported this CA-Root-Certificate into the x.509 keychain in keychain.app. There it is 1) not recognized as a CA-Root-Certificate and 2) it can't be verified.
    Some research discovered that the main difference between this cert and all the other pre-installed certs is that it uses the RIPEMD-160 hash-algorithm and not SHA1.
    My question is: Can anybody confirm that RIPEMD-160 is not supported in Mac OS X or does anybody have an idea what is going wrong?
    If anybody needs the German root-ca-cert I can e-mail it!
    Thanks for any help in advance!
    Tom
      Mac OS X (10.4.8)  

    The following are up to date and seem to be connected to the keyboard buffer in some way:  (I had airdisplay, but that is no longer on the drive - I think ML kicked it off the disk when I installed ML).
    TextExpander
    Keyboard Maestro
    Clipboard History
    I've closed them down.  The problem continues.
    I also use Path Finder in which the sticky problem occurs.  If I force quit it once the problem begins, that fixes it, but if I then try dragging in just Finder, the problem returns.  So it's both in Finder and Path Finder that the issue occurs.  I've even relaunched Finder, but that doesn't fix the problem when it has begun.  I also discovered that any kind of drag causes the problem now - every time.  For example, in some app that displayed a table, if I try widening a column by dragging the column heading left or right, then the widening/shrinking continues when I let go of the left mouse hold and then just move the mouse, even if it's off the app's window.

  • Certificate [Thumbprint SOME THUMBPRINT] issued to 'CLientMachineName' doesn't have private key or caller doesn't have access to private key.

    Hi,    We are trying to get a client to communicate with the primary Config Manager Site System(MP/DP).
    We have a Config Manager Client Template that was setup using this guide. 
    http://technet.microsoft.com/en-us/library/gg682023.aspx
    We have a Client Cert on the primary site system server (primary config manager server)  based on this template and it meets the requirements specified in this document
    http://technet.microsoft.com/en-us/library/gg699362.aspx
        Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).
        Client computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.
        SHA-1 and SHA-2 hash algorithms are supported.
        Maximum supported key length is 2048 bits.
    The Cert that we generated for the client meets the same requirements and shows the exact same template id but has a different subject name and alternate name (which is the client's machine name).
    With this setup, we still get the following error
    Certificate [Thumbprint  SOME THUMBPRINT] issued to 'CLientMachineName' doesn't have private key or caller doesn't have access to private key.
    Both the site system and client have the same trusted root cert installed.
    What are we missing or what can we check?    Does the cert check process only need the client certs on both the site system and the client to be from the same template?
    Here is a snippet of the clientidmanagerstartup.log
    <![LOG[HTTPS is enforced for Client. The current state is 63.]LOG]!><time="15:02:32.057+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="ccmutillib.cpp:395">
    <![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time="15:02:32.058+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="ccmcert.cpp:3833">
    <![LOG[Certificate Issuer 1 [CN=THE_NAME_OFTHE_CA; DC=DOMAIN; DC=LOCAL]]LOG]!><time="15:02:32.058+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="ccmcert.cpp:3849">
    <![LOG[Based on Certificate Issuer 'THE_NAME_OFTHE_CA' found Certificate [Thumbprint SOMETHUMBPRINT_1] issued to 'CLIENTMACHINENAME']LOG]!><time="15:02:32.082+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="ccmcert.cpp:3931">
    <![LOG[Begin validation of Certificate [Thumbprint SOMETHUMBPRINT_1] issued to 'CLIENTMACHINENAME']LOG]!><time="15:02:32.082+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="ccmcert.cpp:1245">
    <![LOG[Completed validation of Certificate [Thumbprint SOMETHUMBPRINT_1] issued to 'CLIENTMACHINENAME']LOG]!><time="15:02:32.085+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="ccmcert.cpp:1386">
    <![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time="15:02:32.085+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="ccmcert.cpp:3992">
    <![LOG[Begin to select client certificate]LOG]!><time="15:02:32.085+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="ccmcert.cpp:4073">
    <![LOG[Begin validation of Certificate [Thumbprint SOMETHUMBPRINT_1] issued to 'CLIENTMACHINENAME']LOG]!><time="15:02:32.085+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="ccmcert.cpp:1245">
    <![LOG[Certificate [Thumbprint SOMETHUMBPRINT_1] issued to 'CLIENTMACHINENAME' doesn't have private key or caller doesn't have access to private key.]LOG]!><time="15:02:32.086+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="2" thread="716" file="ccmcert.cpp:1372">
    <![LOG[Completed validation of Certificate [Thumbprint SOMETHUMBPRINT_1] issued to 'CLIENTMACHINENAME']LOG]!><time="15:02:32.086+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="ccmcert.cpp:1386">
    <![LOG[Raising event:
    instance of CCM_ServiceHost_CertRetrieval_Status
        ClientID = "GUID:GUID";
        DateTime = "20140312200232.090000+000";
        HRESULT = "0x87d00283";
        ProcessID = 6380;
        ThreadID = 716;
    ]LOG]!><time="15:02:32.090+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="event.cpp:706">
    <![LOG[Failed to submit event to the Status Agent. Attempting to create pending event.]LOG]!><time="15:02:32.092+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="2" thread="716" file="event.cpp:728">
    <![LOG[Raising pending event:
    instance of CCM_ServiceHost_CertRetrieval_Status
        ClientID = "GUID:GUID";
        DateTime = "20140312200232.090000+000";
        HRESULT = "0x87d00283";
        ProcessID = 6380;
        ThreadID = 716;
    ]LOG]!><time="15:02:32.092+300" date="03-12-2014" component="ClientIDManagerStartup" context="" type="1" thread="716" file="event.cpp:761">
    <![LOG[Unable to find PKI Certificate matching SCCM certificate selection criteria. 0x87d00283]
    Thanks Lance

    Hi,
    It seems that there is something wrong with your PKI system.
    Here are some steps for your reference.
    SCCM 2012: Part II – Certificate Configuration
    http://gabrielbeaver.me/2012/08/sccm-2012-part-ii-certificate-configuration/
    Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

  • PKI Client starts to initialize, then 7 minutes later client agents go back to disabled for upwards of an hour

    Starting a new thread on this as I have done much digging and no longer believe it's a conflicting record issue.
    I am SCCM 2012 SP1 on Server 2008 R2/SQL 2012 CU2.  My "Lan" based management point is HTTP and I also have an Internet Management point that is HTTPS.  All scenarios discussed in this thread are installing the 2012 SP1 client while connected to the Lan.  We have a fully functional PKI infrastructure with auto enrol enabled.
    The issue at hand:
    Whether I install the client during OSD, or manually install the client I get the same result.  This is that the client agent upon successful install begins communicating with the HTTP management point and starts retrieving policy.  If I open the ConfigMgr applet in Control Panel I see the client shows "Client Certificate: PKI", "Connection Type: Currently Intranet".  If I view actions I see all actions with the exception of Discovery Data Collection Cycle and Hardware Inventory Cycle.
    I have watched the client logs; the only thing that seems to stick out is in the CcmNotificationAgent.log, which shows the bgb client agent actions.  It repeats the following approx. every 5 minutes:
    bgb client agent is starting...
    bgb client agent is disabled
    TCP Listener is disabled
    bgbController main thread us started with settings: [bgb enable = 0], {tcp enable = 0} and {http enable = 0}.
    Wait 3600 seconds for even notification
    The ClientIDManagerStartup.log files shows:
    PopulateRegistrationHint: Using the Certificate selected by the current version of SCCM to set the hint. ClientIDManagerStartup 1/23/2013 5:00:51 PM 2100 (0x0834)
    CCMCreateAuthHeadersEx failed (0x80004005). ClientIDManagerStartup 1/23/2013 5:00:52 PM 2100 (0x0834)
    PopulateRegistrationHint failed (0x80004005), expected upon first start of non-upgrade client. ClientIDManagerStartup 1/23/2013 5:00:52 PM 2100 (0x0834)
    Begin searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 5:00:52 PM 2100 (0x0834)
    Certificate Issuer 1 [CN=myrootca; DC=mydomain; DC=com] ClientIDManagerStartup 1/23/2013 5:00:52 PM 2100 (0x0834)
    Finding certificate by issuer chain returned error 80092004 ClientIDManagerStartup 1/23/2013 5:00:52 PM 2100 (0x0834)
    Completed searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 5:00:52 PM 2100 (0x0834)
    Unable to find any Certificate based on Certificate Issuers ClientIDManagerStartup 1/23/2013 5:00:52 PM 2100 (0x0834)
    Raising event:
    instance of CCM_ServiceHost_CertRetrieval_Status
     ClientID = "GUID:b4aacc70-6de3-4829-88e0-498777c49379";
     DateTime = "20130123230052.204000+000";
     HRESULT = "0x87d00215";
     ProcessID = 2352;
     ThreadID = 2100;
     ClientIDManagerStartup 1/23/2013 5:00:52 PM 2100 (0x0834)
    Failed to submit event to the Status Agent. Attempting to create pending event. ClientIDManagerStartup 1/23/2013 5:00:52 PM 2100 (0x0834)
    Raising pending event:
    instance of CCM_ServiceHost_CertRetrieval_Status
     ClientID = "GUID:b4aacc70-6de3-4829-88e0-498777c49379";
     DateTime = "20130123230052.204000+000";
     HRESULT = "0x87d00215";
     ProcessID = 2352;
     ThreadID = 2100;
     ClientIDManagerStartup 1/23/2013 5:00:52 PM 2100 (0x0834)
    PKI Client Certificate matching SCCM certificate selection criteria is not available. ClientIDManagerStartup 1/23/2013 5:00:52 PM 2100 (0x0834)
    Generated a new Signing certificate ClientIDManagerStartup 1/23/2013 5:00:54 PM 2100 (0x0834)
    Generated a new Encryption certificate ClientIDManagerStartup 1/23/2013 5:00:54 PM 2100 (0x0834)
    Initializing registration renewal for potential PKI issued certificate changes. ClientIDManagerStartup 1/23/2013 5:00:56 PM 2348 (0x092C)
    Succesfully intialized registration renewal. ClientIDManagerStartup 1/23/2013 5:00:56 PM 2348 (0x092C)
    [RegTask] - Executing registration task synchronously. ClientIDManagerStartup 1/23/2013 5:00:56 PM 2348 (0x092C)
    Read SMBIOS (encoded): 32003100350039002D0039003900320037002D0032003500360036002D0038003300320035002D0037003500340032002D0035003200370031002D0033003900 ClientIDManagerStartup 1/23/2013 5:00:56 PM 2348 (0x092C)
    Evaluated SMBIOS (encoded): 32003100350039002D0039003900320037002D0032003500360036002D0038003300320035002D0037003500340032002D0035003200370031002D0033003900 ClientIDManagerStartup 1/23/2013 5:00:56 PM 2348 (0x092C)
    No SMBIOS Changed ClientIDManagerStartup 1/23/2013 5:00:56 PM 2348 (0x092C)
    SMBIOS unchanged ClientIDManagerStartup 1/23/2013 5:00:56 PM 2348 (0x092C)
    SID unchanged ClientIDManagerStartup 1/23/2013 5:00:56 PM 2348 (0x092C)
    HWID unchanged ClientIDManagerStartup 1/23/2013 5:00:57 PM 2348 (0x092C)
    Windows To Go requires a minimum operating system of Windows 8 ClientIDManagerStartup 1/23/2013 5:00:59 PM 2348 (0x092C)
    GetSystemEnclosureChassisInfo: IsFixed=TRUE, IsLaptop=FALSE ClientIDManagerStartup 1/23/2013 5:00:59 PM 2348 (0x092C)
    Windows To Go requires a minimum operating system of Windows 8 ClientIDManagerStartup 1/23/2013 5:00:59 PM 2348 (0x092C)
    Computed HardwareID=2:9C8C08C4B3E16249A2F1457998D16528B656DE30
     Win32_SystemEnclosure.SerialNumber=2159-9927-2566-8325-7542-5271-39
     Win32_SystemEnclosure.SMBIOSAssetTag=9344-3677-7824-5579-3797-0729-37
     Win32_BaseBoard.SerialNumber=2159-9927-2566-8325-7542-5271-39
     Win32_BIOS.SerialNumber=2159-9927-2566-8325-7542-5271-39
     Win32_NetworkAdapterConfiguration.MACAddress=00:15:5D:0B:78:20 ClientIDManagerStartup 1/23/2013 5:00:59 PM 2348 (0x092C)
    [RegTask] - Client is not registered. Sending registration request for GUID:b4aacc70-6de3-4829-88e0-498777c49379 ... ClientIDManagerStartup 1/23/2013 5:00:59 PM 2348 (0x092C)
    [RegTask] - Client registration is pending. Server assigned ClientID is GUID:b4aacc70-6de3-4829-88e0-498777c49379 ClientIDManagerStartup 1/23/2013 5:01:00 PM 2348 (0x092C)
    [RegTask] - Sleeping for 60 seconds ... ClientIDManagerStartup 1/23/2013 5:01:00 PM 2348 (0x092C)
    RenewalTask: Executing renewal task. ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Begin searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Certificate Issuer 1 [CN=myrootca; DC=mydomain; DC=com] ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Based on Certificate Issuer 'MyrootCA' found Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Begin validation of Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Completed validation of Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Completed searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Begin to select client certificate ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Begin validation of Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Completed validation of Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    >>> Client selected the PKI Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Raising event:
    instance of CCM_ServiceHost_CertRetrieval_Status
     ClientID = "GUID:b4aacc70-6de3-4829-88e0-498777c49379";
     DateTime = "20130123230143.106000+000";
     HRESULT = "0x00000000";
     ProcessID = 2352;
     ThreadID = 2620;
     ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Client PKI cert is available. ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    RenewalTask: Certificate has changed, initiating a renewal. ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Aborting any pending registration. ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    Re-registration/renewal initiated. Restarting the service. ClientIDManagerStartup 1/23/2013 5:01:43 PM 2620 (0x0A3C)
    [----- SHUTDOWN -----] ClientIDManagerStartup 1/23/2013 5:01:44 PM 2100 (0x0834)
    [----- STARTUP -----] ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Machine: W21599927256 ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    OS Version: 6.1 Service Pack 1 ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    SCCM Client Version: 5.00.7804.1000 ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Client is set to use HTTPS when available. The current state is 448. ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Begin searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Certificate Issuer 1 [CN=myrootca; DC=mydomain; DC=com] ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Based on Certificate Issuer 'MyrootCA' found Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Begin validation of Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Completed validation of Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Completed searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Begin to select client certificate ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Begin validation of Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Completed validation of Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    >>> Client selected the PKI Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Raising event:
    instance of CCM_ServiceHost_CertRetrieval_Status
     ClientID = "GUID:b4aacc70-6de3-4829-88e0-498777c49379";
     DateTime = "20130123230145.722000+000";
     HRESULT = "0x00000000";
     ProcessID = 3612;
     ThreadID = 3888;
     ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Failed to submit event to the Status Agent. Attempting to create pending event. ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Raising pending event:
    instance of CCM_ServiceHost_CertRetrieval_Status
     ClientID = "GUID:b4aacc70-6de3-4829-88e0-498777c49379";
     DateTime = "20130123230145.722000+000";
     HRESULT = "0x00000000";
     ProcessID = 3612;
     ThreadID = 3888;
     ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    'RDV' Identity store does not support backup. ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    CCM Identity is in sync with Identity stores ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Begin searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Certificate Issuer 1 [CN=myrootca; DC=mydomain; DC=com] ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Based on Certificate Issuer 'MyrootCA' found Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Begin validation of Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Completed validation of Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Completed searching client certificates based on Certificate Issuers ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Begin to select client certificate ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Begin validation of Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Completed validation of Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    >>> Client selected the PKI Certificate [Thumbprint 52BFCF407B7071512CE65F8868D66578244ABDD9] issued to 'myclient.mydomain.com' ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Raising event:
    instance of CCM_ServiceHost_CertRetrieval_Status
     ClientID = "GUID:b4aacc70-6de3-4829-88e0-498777c49379";
     DateTime = "20130123230145.752000+000";
     HRESULT = "0x00000000";
     ProcessID = 3612;
     ThreadID = 3888;
     ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Failed to submit event to the Status Agent. Attempting to create pending event. ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Raising pending event:
    instance of CCM_ServiceHost_CertRetrieval_Status
     ClientID = "GUID:b4aacc70-6de3-4829-88e0-498777c49379";
     DateTime = "20130123230145.752000+000";
     HRESULT = "0x00000000";
     ProcessID = 3612;
     ThreadID = 3888;
     ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Client PKI cert is available. ClientIDManagerStartup 1/23/2013 5:01:45 PM 3888 (0x0F30)
    Initializing registration renewal for potential PKI issued certificate changes. ClientIDManagerStartup 1/23/2013 5:01:48 PM 3928 (0x0F58)
    Succesfully intialized registration renewal. ClientIDManagerStartup 1/23/2013 5:01:48 PM 3928 (0x0F58)
    [RegTask] - Executing registration task synchronously. ClientIDManagerStartup 1/23/2013 5:01:48 PM 3928 (0x0F58)
    Read SMBIOS (encoded): 32003100350039002D0039003900320037002D0032003500360036002D0038003300320035002D0037003500340032002D0035003200370031002D0033003900 ClientIDManagerStartup 1/23/2013 5:01:48 PM 3928 (0x0F58)
    Evaluated SMBIOS (encoded): 32003100350039002D0039003900320037002D0032003500360036002D0038003300320035002D0037003500340032002D0035003200370031002D0033003900 ClientIDManagerStartup 1/23/2013 5:01:48 PM 3928 (0x0F58)
    No SMBIOS Changed ClientIDManagerStartup 1/23/2013 5:01:48 PM 3928 (0x0F58)
    SMBIOS unchanged ClientIDManagerStartup 1/23/2013 5:01:48 PM 3928 (0x0F58)
    SID unchanged ClientIDManagerStartup 1/23/2013 5:01:48 PM 3928 (0x0F58)
    HWID unchanged ClientIDManagerStartup 1/23/2013 5:01:49 PM 3928 (0x0F58)
    Windows To Go requires a minimum operating system of Windows 8 ClientIDManagerStartup 1/23/2013 5:01:53 PM 3928 (0x0F58)
    GetSystemEnclosureChassisInfo: IsFixed=TRUE, IsLaptop=FALSE ClientIDManagerStartup 1/23/2013 5:01:53 PM 3928 (0x0F58)
    Windows To Go requires a minimum operating system of Windows 8 ClientIDManagerStartup 1/23/2013 5:01:53 PM 3928 (0x0F58)
    Computed HardwareID=2:9C8C08C4B3E16249A2F1457998D16528B656DE30
     Win32_SystemEnclosure.SerialNumber=2159-9927-2566-8325-7542-5271-39
     Win32_SystemEnclosure.SMBIOSAssetTag=9344-3677-7824-5579-3797-0729-37
     Win32_BaseBoard.SerialNumber=2159-9927-2566-8325-7542-5271-39
     Win32_BIOS.SerialNumber=2159-9927-2566-8325-7542-5271-39
     Win32_NetworkAdapterConfiguration.MACAddress=00:15:5D:0B:78:20 ClientIDManagerStartup 1/23/2013 5:01:53 PM 3928 (0x0F58)
    [RegTask] - Client is not registered. Sending registration request for GUID:b4aacc70-6de3-4829-88e0-498777c49379 ... ClientIDManagerStartup 1/23/2013 5:01:53 PM 3928 (0x0F58)
    [RegTask] - Client registration is pending. Server assigned ClientID is GUID:b4aacc70-6de3-4829-88e0-498777c49379 ClientIDManagerStartup 1/23/2013 5:01:54 PM 3928 (0x0F58)
    [RegTask] - Sleeping for 60 seconds ... ClientIDManagerStartup 1/23/2013 5:01:54 PM 3928 (0x0F58)
    [RegTask] - Client registration is pending. Sending confirmation request for GUID:b4aacc70-6de3-4829-88e0-498777c49379 ... ClientIDManagerStartup 1/23/2013 5:02:54 PM 3928 (0x0F58)
    [RegTask] - Client is registered. Server assigned ClientID is GUID:b4aacc70-6de3-4829-88e0-498777c49379. Approval status 2 ClientIDManagerStartup 1/23/2013 5:02:54 PM 3928 (0x0F58)
    After almost exactly 7 minutes, all the client agent actions besides Machine Policy Retrieval and UserPolicy Retrieval disappear (as if client policy was Reset).
    If I let the client sit for 45 minutes to an hour, everything starts working again and works fine from there on out. (Neither cycling the SMS Agent service nor rebooting the machine makes it recover until the 45 minutes to an hour pass.)
    The command line I am using to install the client is:
    ccmsetup.exe /mp:MYLANBASEDMP /UsePKICert /NOCRLCheck CCMHOSTNAME="myinternetmp.mydomain.com" SMSSITECODE=P10 SMSCACHESIZE=7000 FSP=MYLANBASEDMP CCMLOGMAXSIZE=1000000
    If I take out the /UsePKICert, /NOCRLCheck and CCMHOSTNAME entries, the client installs and continues to function without issue.
    Does anyone have any other ideas on where to troubleshoot this issue? It would make more sense if the client NEVER worked after install. I'm tearing my hair out trying to figure out why it starts to initialize, then reverts, then comes back online and works fine.
    This happens at both my primary site MP as well as my secondary site/MP. It happens on my standard Win7 image as well as Windows 8 test machines, so I don't believe it's a client OS issue.

    Good news! (and potentially bad news)
    Good news: I received an email from the new support tech stating that indeed this issue was NOT fixed in CU3; however, there is a workaround:
    At present we have a workaround for the issue by setting the following registry
    HKLM\Software\Microsoft\CCM\UserPolicyReRequestDelay (REG_DWORD) value: 6,000,000 (decimal).
    Please add a step in your Task Sequence to add this registry value.
    If you are also facing the issue while trying to install the client manually then please follow these steps
    1. Install the client manually
    2. Immediately disable and stop the CCMExec service (SMS Agent Host)
    3. Set the following registry HKLM\Software\Microsoft\CCM\UserPolicyReRequestDelay (REG_DWORD) value: 6,000,000 (decimal)
    4. Enable and set the CCMExec service to automatic
    5. Start the CCMExec service
    I have tested when doing a manual client install and it works perfectly, IF you make sure to stop CCMEXEC directly after the client finishes installing as denoted in step 2 above. I have every reason to believe that it will also work during a Task Sequence based on these results. I'll be testing that soon.
    The bad news: If you are using Client Push, this workaround would not work since there isn't a way to wrap a script around the installer to perform the steps above. Maybe you could add this value to all machines prior to client push using GPP's or a startup script?
    I don't currently use Client Push so it's not a huge issue for me. I will just need to adjust my machine startup script to perform the steps, but I can see how this will still be an issue for others.
    Either way, it's a step in the right direction. It certainly tells me they have identified the issue and will hopefully be including a true fix in an upcoming hotfix or update.
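
Steps 2 to 5 of the manual-install workaround in the reply above, scripted in PowerShell as an added example (not part of the original post and not Microsoft's own script). It assumes an elevated 64-bit session started right after ccmsetup.exe finishes, and uses only the service name, registry path and value given in the post; the 120-second timeouts are arbitrary.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the UserPolicyReRequestDelay workaround after a manual client install.
# Run from 64-bit PowerShell; a 32-bit host on a 64-bit OS is redirected to Wow6432Node
# and would write the value to the wrong key.

$ErrorActionPreference = 'Stop'

$ServiceName = 'CcmExec'                        # SMS Agent Host
$KeyPath     = 'HKLM:\Software\Microsoft\CCM'   # key from the post
$ValueName   = 'UserPolicyReRequestDelay'       # REG_DWORD
$ValueData   = 6000000                          # decimal, as given in the post
$Timeout     = [TimeSpan]::FromSeconds(120)     # assumption: arbitrary wait limit

# Step 2: disable the service so nothing restarts it, then stop it.
$svc = Get-Service -Name $ServiceName
Set-Service -Name $ServiceName -StartupType Disabled
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Stopped', $Timeout)
}

try {
    # Step 3: write the value. The key is created by the client install,
    # so a missing key means step 1 has not completed.
    if (-not (Test-Path -Path $KeyPath)) {
        throw "Registry key $KeyPath not found; install the client first."
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $ValueData -Force | Out-Null

    # Read the value back before letting the agent start with it.
    $actual = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
    if ($actual -ne $ValueData) {
        throw "$ValueName is $actual, expected $ValueData."
    }
}
finally {
    # Steps 4 and 5: always restore automatic start and bring the agent back,
    # even if the registry write failed, so the client is not left disabled.
    Set-Service -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName
    (Get-Service -Name $ServiceName).WaitForStatus('Running', $Timeout)
}

Write-Output "$ValueName set to $ValueData; $ServiceName is running."
```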
