Hi everyone, Arvind Kr. Rana here with another Configuration Manager support tip for you. I’ve run across this a couple times and thought it would be worth mentioning here in case you happen to run into the same issue.
What happens is that we try to install the Configuration Manager client using the following command line, where “SIGNCERT.cer” is the document signing certificate:
ccmsetup.exe /native:Fallback SMSSIGNCERT="c:\SIGNCERT.cer" SMSSLP=serverName.domain.com SMSSITECODE=<siteCode>
The client was getting installed; however, there were failures with the registration process with the Management Point. Looking in CCMExec.log we found the following:
[CCMHTTP] HTTP ERROR: URL=http://<Site Server Name>/ccm_system/request, Port=80, Protocol=http, SSLOptions=0, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE CCMEXEC
Raising event:
instance of CCM_CcmHttp_Status
{
DateTime = "20121212220939.655000+000";
HostName = "<Site Server Name>";
HRESULT = "0x8004027e";
ProcessID = 4000;
StatusCode = 403;
ThreadID = 3024;
};
Successfully sent security settings refresh message.
HandleRemoteSyncSend failed (0x80040231).
CForwarder_Sync::Send failed (0x80040231).
CForwarder_Base::Send failed (0x80040231).
What we did to resolve the issue was create a new client certificate on the Certificate Authority (CA) and exported it along with the private key, then imported it on the client machine and placed it in the personal store. Once we did this the client installed successfully, but we now found that it was rejecting the policy download with the following errors:
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:A6CFDA97-D7FF-4620-B889-625C09CA8C17";
DateTime = "20121218161801.931000+000";
HostName = "<Site Server Name>";
HRESULT = "0x00000000";
ProcessID = 2636;
StatusCode = 0;
ThreadID = 3004;
};
The certificate chain processed correctly but terminated in a root certificate not trusted per ConfigMgr CTL
Rejected the new site signing certificate...
Name : The site code of this site server is <Site Code>
Sha1 Hash : 6FA85535F1D57B118451EB211776187BE53747F2
Valid From: 2012-05-31, 16:05
Valid To : 2014-05-31, 16:15
Raising event:
instance of CCM_LocationServices_SiteSigning_AuthFailure_Trust
{
ClientID = "GUID:A6CFDA97-D7FF-4620-B889-625C09CA8C17";
DateTime = "20121218161801.947000+000";
HRESULT = "0x800b0109";
ProcessID = 2636;
ThreadID = 3004;
};
Failed to set site signing certificate (0x800b0109).
Failed to update Signing Certificate over HTTP with error 0x800b0109.
We did some more investigating and found that the document signing certificate specified in the command line was issued from a decommissioned CA. We exported the working certificate from the site server, imported it on the client machine and corrected the command line. After doing so, we ran the command again and the client installed and registered as expected.
The takeaway here is that while there can be multiple causes that may prevent client installation and registration from completing, we need to make sure that a valid client authentication certificate and a valid document signing certificate are present on the target machine in order to successfully install the client.
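A pre-flight check for both certificates, as an added example that is not part of the original post: it builds each chain against the machine's Windows trust store, which is not the same list ConfigMgr itself trusts, so a failure here is conclusive but a pass is not. `$SignCertPath` and `Test-CertChain` are hypothetical names, `Cert:\LocalMachine\My` assumes "the personal store" means the computer's store, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: check the signing and client-auth certificates before ccmsetup.
# $SignCertPath is a hypothetical parameter; the default is the path from the post.
param([string]$SignCertPath = 'c:\SIGNCERT.cer')

function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Check revocation for every element; a retired issuing CA may surface
    # as an untrusted root or as a CRL that can no longer be fetched.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $valid = $chain.Build($Cert)
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        ChainValid = $valid
        Problems   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# 1. Document signing certificate that will be passed as SMSSIGNCERT.
$signCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SignCertPath
Test-CertChain $signCert

# 2. Client authentication certificates in the computer's Personal store
#    (assumption: this is the store the post refers to).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
} | ForEach-Object {
    # The client needs the private key as well as a valid chain.
    Test-CertChain $_ |
        Add-Member -NotePropertyName HasPrivateKey -NotePropertyValue $_.HasPrivateKey -PassThru
}
```

Compare the `Issuer` reported for the signing certificate with the CAs still in service; a `ChainValid` of `False` with `UntrustedRoot` in `Problems` corresponds to the 0x800b0109 failure in the log above.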
Special thanks to Prabhat Joshi and Ashish Kumar for their work on troubleshooting this issue.
Arvind Kumar Rana | Senior Engineer | System Center Team