Greg's Systems Management Blog

Watch out for that Service! CNG Key Isolation

April 3, 2014 1 Comment

Probably just about anyone who may be reading this blog has probably also reviewed Microsoft’s Prerequisites for Windows Client Deployment in Config uration Manager, and many of you may have learned the hard way for dependencies like BITs, Task Scheduler, and maybe even Remote Differential Compression (RDC). I have a new one for you that we learned about it over the weekend-the CNG Key Isolation Serv ice (KeyISO).

The CNG Key Isolation service is hosted in the Local Security Authority (LSA) process as part of system cryptography support. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria.

The symptom: ConfigMgr client installed successfully (both client push, and manual client installation), but the client did not successfully register with its assigned site. Upon inspection, we noticed the following errors:

CertificateMaintenance.log

Creating Signing Certificate… CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)

Failed to create certificate 80090020 CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)

CCMDoCertificateMaintenance() failed (0x80090020). CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)

Raising pending event:

instance of CCM_ServiceHost_CertificateOperationsFailure

{

DateTime = “20140329065655.902000+000”;

HRESULT = “0x80090020”;

ProcessID = 6036;

ThreadID = 5944;

};

CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)

CCMDoCertificateMaintenance() raised CCM_ServiceHost_CertificateOperationsFailure status event. CertificateMaintenance 3/29/2014 12:56:55 AM 5944 (0x1738)

ClientIDManagerStartup.log

Client is set to use HTTPS when available. The current state is 224. ClientIDManagerStartup 3/29/2014 3:34:45 AM 5836 (0x16CC)

CCMCreateAuthHeadersEx failed (0x80004005). ClientIDManagerStartup 3/29/2014 3:34:46 AM 5836 (0x16CC)

PopulateRegistrationHint failed (0x80004005), expected upon first start of non-upgrade client. ClientIDManagerStartup 3/29/2014 3:34:46 AM 5836 (0x16CC)

[RegTask] – Executing registration task synchronously. ClientIDManagerStartup 3/29/2014 3:34:50 AM 788 (0x0314)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)

Read SMBIOS (encoded): 4800510050003100580051003100 ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)

Evaluated SMBIOS (encoded): 4800510050003100580051003100 ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)

No SMBIOS Changed ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)

SMBIOS unchanged ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)

SID unchanged ClientIDManagerStartup 3/29/2014 3:34:51 AM 788 (0x0314)

HWID unchanged ClientIDManagerStartup 3/29/2014 3:34:53 AM 788 (0x0314)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:34:55 AM 788 (0x0314)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:34:57 AM 788 (0x0314)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:01 AM 788 (0x0314)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:05 AM 788 (0x0314)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:11 AM 788 (0x0314)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:17 AM 788 (0x0314)

RegTask: Failed to get certificate. Error: 0x80004005 ClientIDManagerStartup 3/29/2014 3:35:25 AM 788 (0x0314)

We also noticed that each time we cycled the “SMS Agent Host” (ccmexec) service, we received an error in the system event log The CNG Key Isolation service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.

You guessed it, that was it. On a group of servers, someone had configured this service to logon as a domain account, instead of as the local system account. When a client is configured to use HTTP (instead of HTTPs, fka ‘native’), it generates a self-signed certificate during the client install (or at least shortly thereafter), and that process depends on the CNG Key Isolation service, which needs to be configured to use the local system account (and the service not be ‘disabled’ – ‘manual’ service start is fine).

The solution: Don’t modify that service configuration! Leave the default (manual, run as local system). If you MUST, it appears that you can change it back to your custom config after the ConfigMgr client is healthy. But in the long run, that will just cause you more problems when you need to re-install or repair the client.

Greg

Filed under ConfigMgr 2012, Troubleshooting Tagged with certificates, client install

How To: Initiate the “Validate” Action on all DPs for a Package in ConfigMgr 2012

April 19, 2013 2 Comments

ConfigMgr 2012 has a feature that allows you to validate content of a distribution point on a schedule, which works great for normal business. However, if you encounter an issue on a package and need to validate content immediately for each DP, it does require a bit of effort, as you have to go to the object in question, view the properties, then on the Content Locations tab, select a DP and click “Validate” – rinse and repeat–you must do this for each DP to validate content, as described in the documentation. This post will describe how to enable a right-click option on any content in the Monitoring tab of the admin console.

You can download the .zip file and follow the directions in the included ‘info.txt’ file for a fast deployment to your admin console. You can review additional details below.

First you must create the proper r-click context menu. Copy the following .xml, save it as “ValidateContent.xml”, and copy it to C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\XmlStorage\Extensions\Actions\14214306-59f0-46cf-b453-a649f2a249e1\ValidateContent.xml. (Adjust the path as appropriate to your ConfigMgr Admin Console installation path).

<ActionDescription DisplayName="Validate Content on All DPs" MnemonicDisplayName="Validate Content on All DPs" Description = "Validate Content on All DPs" RibbonDisplayType="TextAndSmallImage">
<ShowOn>
<string>ContextMenu</string>
<string>DefaultHomeTab</string>
</ShowOn>
<Executable>
<FilePath>PowerShell.exe</FilePath>
-ExecutionPolicy RemoteSigned -File C:\PowerShell\CM12RClickTools\ValidatePackage.ps1 "##SUB:__Server##" "##SUB:__Namespace##" "##SUB:PackageID##"
</Executable>
</ActionDescription>

Notice in the .xml we specify the -ExeuctionPolicy RemoteSigned parameter. Best practice would be to sign your scripts, but if that’s not something you can manage easily, you can use the parameter as shown to modify the execution policy for the specific instance you’re launching, instead of changing the execution policy for all script execution. Next, copy the PowerShell code below, and save it to C:\PowerShell\CM12RClickTools\ValidatePackage.ps1 (although it’s named ValidatePackage, it does work for all content–Application, OS Image, Package, etc).

#capturing arguments:
$SiteServer = $args[0]
$SiteNamespace = $args[1]
$SiteCode = ($args[1]).Substring(14)
$PackageID = $args[2]

"{0} {1} {2} {3}" -f $SiteServer, $SiteNamespace, $SiteCode, $PackageID

$myFilter = "PackageID='$PackageID'"

$dps = gwmi sms_distributionpoint -namespace $SiteNamespace -ComputerName $SiteServer -filter $myFilter

if (($dps | measure-object).Count -ge 1) {
$dps | % {
"Initiating 'Validate Content' on {0}..." -f $_.ServerNALPath
if ($env:Computername -eq $SiteServer) {  #if running directly on the site server, omit the -computername argument

invoke-cimmethod -ClassName sms_distributionPoint -namespace $SiteNamespace -methodname "VerifyPackage" -arguments @{ PackageID=$_.PackageID; Nalpath=$_.ServerNALPath}
}
else {
invoke-cimmethod -ClassName sms_distributionPoint -namespace $SiteNamespace -ComputerName $SiteServer -methodname "VerifyPackage" -arguments @{ PackageID=$_.PackageID; Nalpath=$_.ServerNALPath}
}
}
"Validation initiated - Review Content Status for more information."
Write-Host "Press any key to continue ..."
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

}
else {
"0 DPs found with this package. Content must be distributed in order to validate."
Write-Host "Press any key to continue ..."
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

}

Now re-launch your ConfigMgr Admin console to use the new r-click->Validate Content on All DPs feature. As you can see from the code, this scritpt uses WMI, as SP1 does not contain cmdlets to perform this action. We use the Get-WMIobject (gwmi) cmdlet for the SMS_DistributionPoint class, filtered to only receive DPs for the desired PackageID. We then execute the VerifyPackage method for each DP.

**Important note: As of ConfigMgr 2012 SP1, only content in the content library (single instance store) will be validated. There is currently no ability to verify content on a package share (e.g. \\mydp\smspkgd$\CAS00023\).

For more information about Content Validation:

My MVP colleague Kaido created a handy function Invoke-PackageVerification
Configuration Manager 2012: Content Monitoring and Validation
Operations and Maintenance for Content Management in Configuration Manager

Happy Scripting!

Greg
ramseyg@hotmail.com

Filed under ConfigMgr 2012, PowerShell Tagged with mms, validate content

← Older posts

Newer posts →

Greg's Systems Management Blog

Watch out for that Service! CNG Key Isolation

How To: Initiate the “Validate” Action on all DPs for a Package in ConfigMgr 2012

Follow Blog via Email

Follow me on Twitter

Search This Blog

Choose a Tag

Recent Posts

Meta

Blog Stats

Top Posts & Pages

Follow me on Twitter

Twitter Updates