~ Jagat Singh Kathiar
Image may be NSFW.
Clik here to view.
Hi folks, Jagat Singh Kathiar here from the Configuration Manager team with another support tip for you. I came across this issue a while ago where a System Center 2012 Configuration Manager (ConfigMgr 2012) Management Point was configured for HTTPS and it was failing to do its health check. When we look in MPcontrol.log we found the following:
Failed in CertStrToName(...) API: 0x80092023 SMS_MP_CONTROL_MANAGER 8/29/2014 10:07:29 AM 20132 (0x4EA4)
The Error 500 stated above is pretty generic but if you look closely it is clearly stating that it is failing in GetCertificateBySelectingCriteria. This means we probably have an issue with our certificate so here’s how you can verify that:
Connect to the ConfigMgr console and go to Administration –> Site configuration –> Site properties and select the Client Computer Communication tab, then click on Modify and check the Clients Certificate Selection Settings. In this case, we found that the certificate selection criteria was set to use a certificate with a certain Subject name and SAN field although there were no matching certificates present in the personal computer store.
To resolve the problem, we set the client certificate selection criteria to the default which is Client authentication capability and chose the radio button for Select the certificate with the longest validity period as shown below.
Image may be NSFW.
Clik here to view.
Default settings are shown above
IMPORTANT Changing these settings will apply them to every single client assigned to your site which may result in unintended consequences. Please ensure that you are fully aware of how this change may impact your environment before implementing this solution.
Jagat Singh Kathiar| Sr. Technical Lead | Microsoft
Get the latest System Center news onFacebookandTwitter:
Image may be NSFW.
Clik here to view.
Image may be NSFW.
Clik here to view.
System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Clik here to view.