Failed to retrieve AMP for site code

    Question

  • My Internet Based Client Management is not working.

    I tested this on a laptop on the DMZ, which was already added to the domain with the following install switches:

    ccmsetup.exe /native CCMALWAYS=1 CCMALWAYSINF=1 CCMHOSTNAME="domain.com" SMSSITECODE=PSC SMSSLP="domain.com"

    This worked fine, and correctly registered with the SCCM.


    I then did this on a Workgroup PC on the Perimeter network with the same install switches. It installed fine, and I added the Certificate with the san:upn=client$@domain.com attribute as described here:

    http://technet.microsoft.com/en-us/library/cc707697.aspx

    I get nothing... nada... zilch.

    The logs give no useful information that I can see. The CcmExec ends with:

    <![LOG[Error registering hosted class '{E67DBF56-96CA-4e11-83A5-5DEC8BD02EA8}'. Code 0x80040154]LOG]!><time="18:22:30.334+000" date="01-15-2009" component="CCMEXEC" context="" type="3" thread="1732" file="wmisettings.cpp:84">
    <![LOG[Allowing activation requests on class objects.]LOG]!><time="18:22:30.349+000" date="01-15-2009" component="CCMEXEC" context="" type="1" thread="1732" file="init.cpp:1001">
    <![LOG[Registering endpoint notifications.]LOG]!><time="18:22:30.365+000" date="01-15-2009" component="CCMEXEC" context="" type="1" thread="1732" file="init.cpp:1010">
    <![LOG[Registering for Logon/Logoff notifications.]LOG]!><time="18:22:30.584+000" date="01-15-2009" component="CCMEXEC" context="" type="1" thread="1732" file="init.cpp:1013">
    <![LOG[Cached user 'S-1-5-21-1416671254-3956371416-1825718665-500' is logged on to session 2 during RegisterForLogon.]LOG]!><time="18:22:30.630+000" date="01-15-2009" component="CCMEXEC" context="" type="1" thread="1732" file="senslog.cpp:1569">
    <![LOG[Invoking task to monitor cached logged on user every 600 seconds.]LOG]!><time="18:22:30.630+000" date="01-15-2009" component="CCMEXEC" context="" type="1" thread="1732" file="senslog.cpp:1626">
    <![LOG[Starting system task processor.]LOG]!><time="18:22:30.630+000" date="01-15-2009" component="CCMEXEC" context="" type="1" thread="1732" file="init.cpp:1018">
    <![LOG[BEGIN ExecuteSystemTasks('PreStartup')]LOG]!><time="18:22:30.630+000" date="01-15-2009" component="CcmExec" context="" type="1" thread="3336" file="systemtask.cpp:556">
    <![LOG[Invoking system task 'StatusAgentInitialization' via ICcmSystemTask2 interface.]LOG]!><time="18:22:30.646+000" date="01-15-2009" component="CcmExec" context="" type="1" thread="2772" file="systemtask.cpp:157">
    <![LOG[Invoking system task 'ClientRegistrationStartup' via ICcmSystemTask2 interface.]LOG]!><time="18:22:30.927+000" date="01-15-2009" component="CcmExec" context="" type="1" thread="2772" file="systemtask.cpp:157">
    <![LOG[Notifying endpoint 'SrcUpdateMgr' of __InstanceModificationEvent settings change on object SMS_LocalMP=@ for user 'S-1-5-18'.]LOG]!><time="18:22:31.021+000" date="01-15-2009" component="CCMEXEC" context="" type="1" thread="2672" file="wmisettings.cpp:204">


    This seems to just end, without any information. The only log that seems to have some information is LocationServices:



    <![LOG[LSGetManagementPointForSite: Client is always on Internet - skipping AD look up.]LOG]!><time="18:22:30.959+000" date="01-15-2009" component="LocationServices" context="" type="1" thread="2772" file="lsad.cpp:2531">
    <![LOG[Failed to retrieve AMP for site code 'PSC' with error (0x80004005). Nulling existing entry in WMI]LOG]!><time="18:22:30.959+000" date="01-15-2009" component="LocationServices" context="" type="1" thread="2772" file="lsad.cpp:3855">
    <![LOG[Persisted Default Management Point Location locally]LOG]!><time="18:22:30.959+000" date="01-15-2009" component="LocationServices" context="" type="1" thread="2772" file="lsad.cpp:3863">
    <![LOG[No security settings update detected.]LOG]!><time="18:22:30.974+000" date="01-15-2009" component="LocationServices" context="" type="1" thread="2772" file="lssecurity.cpp:4350">



    I can't find any documentation on this error anywhere.


    Anyone care to shed some light? Am I missing something? Have I set this thing up completely wrong?

    Regards,
    Thursday, January 15, 2009 18:31


All replies

  • ccmsetup.exe /native CCMALWAYS=1 CCMALWAYSINF=1 CCMHOSTNAME="domain.com" SMSSITECODE=PSC SMSSLP="domain.com"

    The first thing I'd do is clean up the installation so you can eliminate this as a potential cause:

    • Delete the CCMALWAYS=1 because this is just a typo and the correct property is CCMALWAYSINF=1.  I know the log says it's Internet-only but my experience is that CCMSetup isn't always very smart at handling incorrect properties and the results might be inconsistent.
    • I'm assuming that by "domain.com" for CCMHOSTNAME you're specifying the Internet FQDN of the Internet-based management point, and not just the domain name?
    • Delete the SMSSLP= because it's not used when the client is Internet-only.  This shouldn't stop anything from working, but this property was not designed to be used with CCMALWAYSINF.
    • Try adding CCMFIRSTCERT=1 in case the client has more than 1 valid certificate.

    If still a problem, have you run the Native Mode Readiness tool on the client to check the certificate if you think this is what's different from your working client?

    - Carol

    This posting is provided “AS IS” with no warranties and confers no rights.




    Friday, January 16, 2009 00:37
  • Thanks for the reply.

    As suggested, I have removed the SMSSLP and CCMALWAYS properties, and added CCMFIRSTCERT, and I seem to be getting additional errors that seem to make a bit more sense at least!

    My apologies, by "domain.com", I did mean the Internet FQDN.

    I think this is a problem with the certificate because, although the Readiness tool is now shown as "Ready", I am getting some certificate errors in the other logs. See below:


    SCCMNativeModeReadiness.log

    <![LOG[Initializing ModeReadiness tool.]LOG]!><time="10:11:29.771+000" date="01-16-2009" component="ModeReadiness" context="" type="1" thread="3780" file="modereadiness.cpp:389">
    <![LOG[Setting default logging component for process.]LOG]!><time="10:11:29.771+000" date="01-16-2009" component="ModeReadiness" context="" type="1" thread="3780" file="modereadiness.cpp:43">
    <![LOG[The 'Certificate Store' is empty in the registry, using default store name 'MY'.]LOG]!><time="10:11:29.771+000" date="01-16-2009" component="ModeReadiness" context="" type="1" thread="3780" file="ccmcert.cpp:204">
    <![LOG[Failed to load default certificate selection criteria. (0x80004005)]LOG]!><time="10:11:29.771+000" date="01-16-2009" component="ModeReadiness" context="" type="2" thread="3780" file="modereadiness.cpp:84">
    <![LOG[ModeReadiness initializiation succeeded.]LOG]!><time="10:11:29.771+000" date="01-16-2009" component="ModeReadiness" context="" type="1" thread="3780" file="modereadiness.cpp:401">
    <![LOG[Client SSL is enabled. The current state is 0x31.]LOG]!><time="10:11:29.771+000" date="01-16-2009" component="ModeReadiness" context="" type="1" thread="3780" file="ccmutillib.cpp:171">
    <![LOG[Client is ready for native mode.]LOG]!><time="10:11:29.802+000" date="01-16-2009" component="ModeReadiness" context="" type="1" thread="3780" file="modereadiness.cpp:341">
    <![LOG[Certificate subject name is: SERVERNAME]LOG]!><time="10:11:29.802+000" date="01-16-2009" component="ModeReadiness" context="" type="1" thread="3780" file="modereadiness.cpp:348">
    <![LOG[Sending state message.]LOG]!><time="10:11:29.802+000" date="01-16-2009" component="ModeReadiness" context="" type="1" thread="3780" file="modereadiness.cpp:351">


    ClientIDManagerStartup.log

    <![LOG[Initializing native mode registration renewal.]LOG]!><time="10:07:57.896+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="regtask.cpp:475">
    <![LOG[The 'Certificate Store' is empty in the registry, using default store name 'MY'.]LOG]!><time="10:07:57.896+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="ccmcert.cpp:204">
    <![LOG[Succesfully intialized registration renewal.]LOG]!><time="10:07:57.896+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="regtask.cpp:518">
    <![LOG[RegTask - Executing registration task synchronously.]LOG]!><time="10:07:57.896+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="regtask.cpp:779">
    <![LOG[The 'Certificate Store' is empty in the registry, using default store name 'MY'.]LOG]!><time="10:07:57.896+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="ccmcert.cpp:204">
    <![LOG[Certificate issued to 'SERVERNAME' doesn't have private key.]LOG]!><time="10:07:57.896+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="3" thread="3520" file="ccmcert.cpp:1045">
    <![LOG[Raising event:

    instance of CCM_ServiceHost_CertRetrieval_Status
    {
     DateTime = "20090116100757.912000+000";
     HRESULT = "0x80040283";
     ProcessID = 628;
     ThreadID = 3520;
    };
    ]LOG]!><time="10:07:57.912+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="event.cpp:525">
    <![LOG[The 'Certificate Store' is empty in the registry, using default store name 'MY'.]LOG]!><time="10:07:57.959+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="ccmcert.cpp:204">
    <![LOG[Certificate issued to 'SERVERNAME' doesn't have private key.]LOG]!><time="10:07:57.959+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="3" thread="3520" file="ccmcert.cpp:1045">
    <![LOG[Raising event:

    instance of CCM_ServiceHost_CertRetrieval_Status
    {
     DateTime = "20090116100757.959000+000";
     HRESULT = "0x80040283";
     ProcessID = 628;
     ThreadID = 3520;
    };
    ]LOG]!><time="10:07:57.959+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="event.cpp:525">
    <![LOG[RegTask: Failed to get certificate. Error: 0x80040283]LOG]!><time="10:07:57.959+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="3" thread="3520" file="regtask.cpp:326">
    <![LOG[RegTask: Initial backoff interval: 1 minutes]LOG]!><time="10:07:58.974+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="regtask.cpp:1830">
    <![LOG[RegTask: Reset backoff interval: 257 minutes]LOG]!><time="10:07:58.974+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="regtask.cpp:1831">
    <![LOG[The 'Certificate Store' is empty in the registry, using default store name 'MY'.]LOG]!><time="10:07:58.974+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="ccmcert.cpp:204">
    <![LOG[Certificate issued to 'SERVERNAME' doesn't have private key.]LOG]!><time="10:07:58.974+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="3" thread="3520" file="ccmcert.cpp:1045">
    <![LOG[Raising event:

    instance of CCM_ServiceHost_CertRetrieval_Status
    {
     DateTime = "20090116100758.974000+000";
     HRESULT = "0x80040283";
     ProcessID = 628;
     ThreadID = 3520;
    };
    ]LOG]!><time="10:07:58.974+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="event.cpp:525">
    <![LOG[Already refreshed within the last 10 minutes, Sleeping for the next 9 minutes before reattempt.]LOG]!><time="10:07:58.974+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="regtask.cpp:146">




    Note that LocationServices.log still shows the Failed to retrieve AMP for site code error, but I am assuming that the errors in the ClientIDManagerStartup.log are related.

    Any ideas?

     

     

    P.S. This is a Workgroup computer; does the AD have to be published in WINS, or is there a way to get around this?

    Friday, January 16, 2009 10:17
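
A triage helper for the log format quoted in this thread, added here as an example (it is not part of any poster's reply and not Microsoft code). It reads the `type` attribute as severity (1 information, 2 warning, 3 error) and also keeps type 1 entries that mention a failure or carry an HRESULT-style code, because the `Failed to retrieve AMP` line is logged as type 1. `Get-CcmLogFinding` is a hypothetical name and the sample entries are constructed in the shape of the logs shown above.

```powershell
# Constructed sample: four entries in the shape of the client logs quoted in this thread.
$sample = @'
<![LOG[Starting system task processor.]LOG]!><time="18:22:30.630+000" date="01-15-2009" component="CCMEXEC" context="" type="1" thread="1732" file="init.cpp:1018">
<![LOG[Failed to retrieve AMP for site code 'PSC' with error (0x80004005). Nulling existing entry in WMI]LOG]!><time="18:22:30.959+000" date="01-15-2009" component="LocationServices" context="" type="1" thread="2772" file="lsad.cpp:3855">
<![LOG[Certificate issued to 'SERVERNAME' doesn't have private key.]LOG]!><time="10:07:57.896+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="3" thread="3520" file="ccmcert.cpp:1045">
<![LOG[Raising event:

instance of CCM_ServiceHost_CertRetrieval_Status
{
 HRESULT = "0x80040283";
};
]LOG]!><time="10:07:57.912+000" date="01-16-2009" component="ClientIDManagerStartup" context="" type="1" thread="3520" file="event.cpp:525">
'@

function Get-CcmLogFinding {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Text)

    # (?s) lets the message span several lines, as the "Raising event" entries do.
    $entry = [regex]('(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" ' +
        'component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)" thread="\d+" file="(?<file>[^"]*)">')
    $hresult  = [regex]'0x[0-9A-Fa-f]{8}'
    $severity = @{ 1 = 'Info'; 2 = 'Warning'; 3 = 'Error' }

    foreach ($m in $entry.Matches($Text)) {
        $msg   = $m.Groups['msg'].Value.Trim()
        $type  = [int]$m.Groups['type'].Value
        $codes = @($hresult.Matches($msg) | ForEach-Object { $_.Value } | Select-Object -Unique)

        # Keep warnings and errors, plus "informational" entries that mention a
        # failure or carry an HRESULT-style code.
        if ($type -ge 2 -or $codes.Count -gt 0 -or $msg -match '\bfail') {
            [pscustomobject]@{
                Date      = $m.Groups['date'].Value
                Time      = $m.Groups['time'].Value
                Component = $m.Groups['comp'].Value
                Severity  = $severity[$type]
                Codes     = $codes -join ','
                Source    = $m.Groups['file'].Value
                Message   = ($msg -split "`r?`n")[0]
            }
        }
    }
}

Get-CcmLogFinding -Text $sample | Format-Table -AutoSize -Wrap
```

To run it on a real log, pass the file's contents as a single string, for example the output of `Get-Content -Raw`.
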
  • I managed to fix the problem.

    For those with similar issues, it was caused by a combination of 2 things:

    1. I was using the wrong certificate template for the Client Authentication certificates. I re-created the template on the Enterprise CA as described in http://technet.microsoft.com/en-us/library/cc707697.aspx under the section Deploying an Internet-based Client Certificate with a UPN SAN by using an Enterprise CA.

    My request used the following values as normal:

    Name: COMPUTERNAME   (no need for workgroup name on workgroup PCs. Untrusted domain PCs must use FQDN)
    Attributes: san:upn=[computername]$@[domainname]


    2. I didn't have the Root and Subordinate certificates installed in Trusted store! Doh. We are using an internal Root CA, as we do not yet have an externally signed certificate. The laptop which was already part of the domain already had these certificates installed automatically, so it had no problem.

    You can tell this is the case by seeing the following error when viewing the Client Authentication certificate (created above):

    'Windows does not have enough information to verify this certificate'


    Thanks for the help.
    • Marked as answer by James Winterburn Friday, January 16, 2009 12:17
    Friday, January 16, 2009 12:17
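
The certificate conditions this thread turned on (a private key, a Client Authentication purpose, the UPN SAN, and a chain that ends in a trusted root), checked for every certificate in the computer's Personal store. This is an added example, not part of the accepted answer; it assumes the client certificate is in `Cert:\LocalMachine\My` (the default store name 'MY' that the logs report) and it does not check revocation.

```powershell
# Added example. Run in an elevated PowerShell session on the client.
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID
$x509       = 'System.Security.Cryptography.X509Certificates'

# Assumption: the client certificate is in the Local Computer Personal store.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # 1. Private key: ClientIDManagerStartup.log reported "doesn't have private key".
    $hasKey = $cert.HasPrivateKey

    # 2. Purpose: no EKU extension means all purposes; otherwise the
    #    Client Authentication OID must be listed.
    $eku     = @($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' })
    $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    $clientAuthOk = ($eku.Count -eq 0) -or ($ekuOids -contains $clientAuth)

    # 3. Subject Alternative Name as Windows renders it (the san:upn=... request attribute).
    $san = @($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
        ForEach-Object { $_.Format($false) }) -join '; '

    # 4. Trust: build the chain in machine context so only the computer's stores
    #    count. A missing root or subordinate CA certificate shows up in ChainStatus.
    $chain = New-Object "$x509.X509Chain" -ArgumentList $true
    # Assumption: revocation is skipped so an unreachable CRL does not mask the
    # trust result; this check says nothing about revocation.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted  = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $hasKey
        ClientAuthEku = $clientAuthOk
        SAN           = $san
        ChainTrusted  = $trusted
        ChainStatus   = $problems
    }
} | Format-List
```
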
  • Pleased to see you've got it working!

    - Carol
    Friday, January 16, 2009 14:47