SCCM Plugin pulling from Jamf failing to send to SCCM

RachelS
New Contributor

I've gone through the guides and troubleshooting information for setting up Jamf SCCM plug-in version 3.6 and all seems to be going well until it reaches the send to SCCM part. I can see it pull from jss. I can also verify that the data in the XML file is correct. When using the helper tool, I receive a successful Sent to SCCM message.

According to the logs, during the send to SCCM, there seems to be a check that fails everytime. The error on the log is as follows: 2018-03-15 13:48:52,678 [ 7] INFO Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - The registration status of the device 'Computername' SMSID: XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX in XXXX.XXXX.XXX' is 'Error', 2018-03-15 13:48:52,678 [ 7] ERROR Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - There was an error looking up the device Computername' SMSID: XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX in XXXX.XXXX.XXX' because either the client certificate is blocked or the registration message was incorrect.

The cert isn't blocked and followed the certificate creation/import instructions to the letter.

Has anyone dealt with this, or a similar error? Maybe something that can push me in the right direction?

9 REPLIES 9

bvrooman
Valued Contributor

What version of SCCM are you using, and is your ISV proxy cert SHA-1 or SHA-2? We had trouble with SCCM 1602 and SHA-2 certificates, and Microsoft ended up admitting that it wasn't yet supported. We haven't tried again since then.

Slawford
New Contributor III

Have been on and off trying to get this working for the past couple of months , SCCM is 1802 and our isv cert is SHA 1 for this . Jamf support has been helping trouble shoot but not getting far . Be keen to hear if anyone has successfully got this working

vlkm
New Contributor

I have the same problem, Is there a solution? SCCM version 1802. Thanks

CFrian
New Contributor II

Like wise folks. We also have SCCM current branch 1802 and this is the error I'm always getting:

2018-08-30 10:05:24,681 [  5] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - Raw ConfigMgrRegistrationReply '<ClientRegistrationResponse ResponseType="Registration" TimeStamp="2018-08-30T08:05:23Z" Status="3" ApprovalStatus="-1"/> '.
2018-08-30 10:05:24,682 [  5] ERROR Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - There was an unexpected error sending the device to SCCM.
System.InvalidOperationException: Invalid registration state: Error. Cannot continue.
   at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(ConfigMgrRegistrationRequestBase baseRequestMessage, IMessageSender sender, TimeSpan timeout)
   at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(IMessageSender sender, TimeSpan timeout)
   at Jamf.ProxyService.Plugins.SCCM.SccmDevice.RegisterDevice(MessageCertificateX509 certificate, HttpSender sender)
   at Jamf.ProxyService.Plugins.SCCM.SccmDevice.SendToSccm()
   at Jamf.ProxyService.Plugins.SCCM.SccmDevice.Send()
2018-08-30 10:05:24,684 [  5] ERROR Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - Sending to SCCM failed!

Is it the same with you too?

drhoten
Contributor II

Hi @RachelS, I was able replicate your error message this morning after using a Management Point configured for HTTP, but then set mp_uses_https = true in settings.xml. I was using version 1802 (site version 5.0.8634.1000).

2018-09-15 10:41:01,517 [ 13] INFO  Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - The registration status of the device 'Computer-Name' SMSID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX in fqdn.of.configmanger.mp is 'Error',
2018-09-15 10:41:01,517 [ 13] ERROR Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - There was an error looking up the device 'Computer-Name' SMSID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX in 'fqdn.of.configmanger.mp' because either the client certificate is blocked or the registration message was incorrect.
2018-09-15 10:41:01,517 [ 13] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - Exiting SccmDevice.Send()
2018-09-15 10:41:01,532 [ 13] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - The file was sent to SCCM.

Blocking the certificate in AdministrationOverviewSecurityCertificates in ConfigManager on the other hand, resulted in the same error @CFrian is seeing.

2018-09-15 12:11:45,705 [ 14] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - Registering device 'Computer-Name' SMSID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX with fqdn.of.configmanger.mp with 'fqdn.of.configmanger.mp'.
2018-09-15 12:11:45,737 [ 14] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - Saving the 'ConfigMgrRegistrationRequest' inventory report to 'C:Projectssccm2012ProxyServicesrcSCCMProxyService	argetDebugComputer-Name-2018-09-15-121145-ConfigMgrRegistrationRequest.xml'.
2018-09-15 12:11:45,799 [ 14] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - Received response from 'fqdn.of.configmanger.mp'.
2018-09-15 12:11:45,799 [ 14] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - Parsing the response received from 'fqdn.of.configmanger.mp'.
2018-09-15 12:11:45,799 [ 14] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - Raw ConfigMgrRegistrationReply '<ClientRegistrationResponse ResponseType="Registration" TimeStamp="2018-09-15T17:11:45Z" Status="3" ApprovalStatus="-1"/> '.
2018-09-15 12:11:45,830 [ 14] ERROR Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - There was an unexpected error sending the device to SCCM.

The ClientRegistrationResponse.Status of 3 indicates an error and the ClientRegistrationApprovalStatus is 'Unknown'. While not documented in the KB, the values for the ApprovalStatus are: Unknown = -1, Pending = 0, Approved = 1 and NotApplicable = 2.

@CFrian is the lookup message also failing? In the proxy log file search for 'ClientRegistrationResponse ResponseType="Confirmation"' (without the single quotes).

Have you also worked with support after turning on debug mode in SCCM? There are some additional log files such as MP_CliReg.log and MP_RegistrationManager.log that would be helpful to look at while ConfigManager is in debug mode since they may include messages similar to "VALIDATING CLIENT CERTIFICATE". If you need the steps let me know, and I can post them here.

dlin0002
New Contributor

Has anyone gotten this resolved? I've been working with someone from JAMF on this error for severals weeks now and we haven't been able to figure it out.

2019-04-09 10:29:14,864 [ 7] INFO Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Preparing to lookup device ... 2019-04-09 10:29:14,896 [ 7] INFO Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - The registration status of the device ... is 'Pending', 2019-04-09 10:29:14,896 [ 7] INFO Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Validating message. 2019-04-09 10:30:15,324 [ 7] ERROR Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - There was an unexpected error sending the device to SCCM. System.TimeoutException: Client did not register with management point before timeout period expired. Timeout: 00:01:00 at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(ConfigMgrRegistrationRequestBase baseRequestMessage, IMessageSender sender, TimeSpan timeout) at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(IMessageSender sender, TimeSpan timeout) at Jamf.ProxyService.Plugins.SCCM.SccmDevice.RegisterDevice(MessageCertificateX509 certificate, HttpSender sender) at Jamf.ProxyService.Plugins.SCCM.SccmDevice.SendToSccm() at Jamf.ProxyService.Plugins.SCCM.SccmDevice.Send()

Currently, we have SCCM version 1802 and using SHA-2.
JAMF SCCM Plug-in version 3.60

drhoten
Contributor II

Hello @dlin0002, your message seems to indicate a different issue where the proxy service cannot communicate with the Management Point (MP) endpoint.

You could try increasing the value of registration_request_timeout in settings.xml, but I am not aware of any customers who have needed to use that before.

Assuming your proxy service is installed on a different server than where the SCCM MP is installed, you should also verify there are no network rules or firewalls blocking traffic between the proxy and the MP endpoint. Since SCCM hosts the endpoint in IIS, you could also check the IIS logs to see if the calls are even making it that far. If they are, then you'll need to review the SCCM log files MP_CliReg.log and MP_RegistrationManager.log. But I suspect if you are getting the timeout, then there is something outside of SCCM that is preventing the call from being completed.

spalladino
New Contributor III

I have the same issue and been having it forever invalid registration state i was able to get sccm to pull the first one or 2 xml's in then everything past that get the error.... this is extremely frustrating...JAMF advised it was our cert i got our Cert guys to recreate it exactly as needed and same issue over and over again

2020-06-09 14:19:31,987 [ 9] ERROR Jamf.ProxyService.Plugins.SCCM.SccmReports - There was an unexpected error sending the device to SCCM.
System.InvalidOperationException: Invalid registration state: Error. Cannot continue. at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(ConfigMgrRegistrationRequestBase baseRequestMessage, IMessageSender sender, TimeSpan timeout) at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(IMessageSender sender, TimeSpan timeout) at Jamf.ProxyService.Plugins.SCCM.SccmDevice.RegisterDevice(MessageCertificateX509 certificate, HttpSender sender) at Jamf.ProxyService.Plugins.SCCM.SccmDevice.SendToSccm() at Jamf.ProxyService.Plugins.SCCM.SccmDevice.Send()
2020-06-09 14:19:31,988 [ 9] ERROR Jamf.ProxyService.Plugins.SCCM.SccmReports - Sending to SCCM failed!

BLEU-C
New Contributor

Had this same issue, ended up being a problem of the plug-in helper inserting an additional HTTPS:// on top of the one we were already typing into the Sccm server address field. Left that to true in the settings.xml file and then removed the extra prefix from the address text field. Now everything is syncing well once more!