SCCM Plugin will Not install

bassic
New Contributor III

Hi Guys

Does anyone have any experience with the SCCM plugin?

We have followed the guides to install it in our environment, but the installer keeps failing. It seems to fail at downloading the CA certificate from our cloud based JSS instance-

Calling custom action Jamf.ProxyService.InstallUtilities!Jamf.ProxyService.InstallUtilities.CustomActions.InstallCaCertificate
JSP (c) (52:01) [13:10:09:188]: Downloading and installing the CA certificate from 'https://
.jamfcloud.com'
JSP (c) (52:01) [13:10:09:286]: There was an unexpected error downloading and installing the CA certificate.
JSP (c) (52:01) [13:10:09:290]: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream. at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
*

Thanks!

30 REPLIES 30

drhoten
Contributor II

Hello @bassic. were you able to get this error resolved? If not, have you tried installing it while also clearing the option "Download and trust the CA certificate" on the Jamf Pro Server Settings step of the installer?

This option enables the installer to download and install the Jamf Pro CA certificate into Certificates (Local Machine) > Trusted Root Certificate Authorities > Certificates and allows for trusted HTTPS communication between the proxy service and the Jamf Pro Customer API.

Clearing this checkbox will allow it to use untrusted HTTPS, but can be turned back on in the settings.xml after manually download the CA certificate and installing it the same location.

bassic
New Contributor III

Hi @drhoten

Thanks for your post- no I have not managed to get it resolved... I am kind of a man in the middle here between our Infrastructure team who manage the SCCM server and Jamf support, who have not been that responsive... but thanks for this advice, I'll give that a try and let you know!

drhoten
Contributor II

Thanks for the update @bassic, I just looked up your case and will comment directly on it to make sure the right folks get involved.

bassic
New Contributor III

Your suggestion worked @drhoten so it looks like we're in business! Thanks again for your help!

drhoten
Contributor II

Outstanding & great to hear @bassic!

Next you will want to re-enable HTTPS communication between the proxy service and Jamf Pro by following these steps:
1. Manually download the CA from your Jamf Pro. instance. Log in to your instance and go to Settings > Global Management > PKI Certificates. 2. Click on the "Download CA Certificate" button and copy that certificate to server where the proxy service is installed.
3. On the server where the proxy service is installed, open the Certificates console and import the CA certificate into Certificates (Local Machine) > Trusted Root Certificate Authorities > Certificates
4. In settings.xml change the value of <trust_ca_certificate> from false to true.
5. Stop the Windows service Jamf SCCM Proxy Service, and use the helper to test out the connection to Jamf Pro by retrieving the XML for a device or two

Let me know if there's anything else I can help out with.

Updated on 2019-04-25 to clarify the steps.

wsliao
New Contributor

Hi,

I followed your suggestion. It worked on the first part, unchecked the box. But the URL for the second part is not working.
Can you please verify that URL is working? Thank you.

drhoten
Contributor II

Hi @wsliao I just updated the steps to make it a bit clearer, let me know if that helps.

bassic
New Contributor III

Unfortunately we still have not managed to get this to work properly. We solved the certificate issue, and got it connected, but it is not passing the inventory over to SCCM. With debugging anabled, we are getting the following from the logs-

I noticed several occurrences of the following error message in the logs:

2019-04-29 10:01:20,192 [ 7] ERROR Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - There was an unexpected error sending the device to SCCM.
System.InvalidOperationException: Invalid registration state: Error. Cannot continue. at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(ConfigMgrRegistrationRequestBase baseRequestMessage, IMessageSender sender, TimeSpan timeout) at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(IMessageSender sender, TimeSpan timeout) at Jamf.ProxyService.Plugins.SCCM.SccmDevice.RegisterDevice(MessageCertificateX509 certificate, HttpSender sender) at Jamf.ProxyService.Plugins.SCCM.SccmDevice.SendToSccm() at Jamf.ProxyService.Plugins.SCCM.SccmDevice.Send()

As well as these (which I’ve not seen previously):

2019-04-29 10:03:01,758 [ 9] ERROR Jamf.ProxyService.Plugins.API.REST.MobileDeviceGroups - There was an unexpected error requesting the URL 'JSSResource/computers/subset/basic'.
System.Security.Cryptography.CryptographicException: Object already exists.

at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) at System.Security.Cryptography.Utils._CreateCSP(CspParameters param, Boolean randomKeyContainer, SafeProvHandle& hProv) at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at Jamf.ProxyService.Plugins.API.REST.Utilities.Common.ReformatString(String stringToReormat) at Jamf.ProxyService.Plugins.API.REST.ComputerGroups.GetContent(String requestUrl)

2019-04-29 10:03:01,758 [ 9] ERROR Jamf.ProxyService.Plugins.SCCM.SccmAction - There was an unexpected error getting the computer group: 'Object already exists.
'
System.Security.Cryptography.CryptographicException: Object already exists.

at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr) at System.Security.Cryptography.Utils._CreateCSP(CspParameters param, Boolean randomKeyContainer, SafeProvHandle& hProv) at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize) at Jamf.ProxyService.Plugins.API.REST.Utilities.Common.ReformatString(String stringToReormat) at Jamf.ProxyService.Plugins.API.REST.ComputerGroups.GetContent(String requestUrl)

Any help would be gratefully received!

drhoten
Contributor II

Hello @bassic

It appears you have a couple of things going on, and the invalid registration state may be resolved by a new version we've been working on and testing with a few customers. Would you be interested in trying out a beta? If yes, I will arrange for someone to reach out with more details since we'll need to get you enrolled in our beta program.

The second issue around Object already exists may require a little manual clean up before reinstalling the existing version or upgrading to a new one, and can make sure those details are provided to you.

CFrian
New Contributor II

Hi, @drhoten.

We are also currently having the same issue of invalid registration state for the plug-in. We are already using the latest release of SCCM plug-in version 3.70.0. Do you have anything to provide for us to get through this error?

Thank you
de7ac44633734add954cd729295e4303

drhoten
Contributor II

Hello @CFrian

I see you already opened a support case, but the next steps would be to make sure both the SCCM Plug-in and SCCM are in debug mode before sending over a few test devices using the helper and collecting the various logs from both applications along with the Debug folder from the plug-in and the settings.xml.

The person helping you on this ticket will be able to guide you through this process and collect all the required information.

Once we have the info, we'll be able to take a closer look at what's going on and escalate it to the SCCM SDK team at Microsoft if necessary.

peterj
New Contributor II

Did anyone get a resolution for this issue? We've been trying to get this plugin working for months and keep running into the same error
ee38a0df30bc4e2a9acf5782d0249426

spalladino
New Contributor III

(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
2020-01-30 13:51:51,028 [ 9] INFO Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Preparing to lookup device 'Mac' GUID:9AEFE4AA-513C-59A6-B534-6219656CACC4 in 'test.local'.
2020-01-30 13:51:53,038 [ 9] ERROR Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - There was an unexpected error sending the device to SCCM.
System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it [::1]:443 at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)

Anyone have any ideas why this is happening?

RomanKruglov
New Contributor II

I think we are having the same issue, I have a support case opened, let's see where it goes

spalladino
New Contributor III

I have the same issue and been having it forever invalid registration state i was able to get sccm to pull the first one or 2 xml's in then everything past that get the error.... this is extremely frustrating...JAMF advised it was our cert i got our Cert guys to recreate it exactly as needed and same issue over and over again

2020-06-09 14:19:31,987 [ 9] ERROR Jamf.ProxyService.Plugins.SCCM.SccmReports - There was an unexpected error sending the device to SCCM.
System.InvalidOperationException: Invalid registration state: Error. Cannot continue. at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(ConfigMgrRegistrationRequestBase baseRequestMessage, IMessageSender sender, TimeSpan timeout) at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(IMessageSender sender, TimeSpan timeout) at Jamf.ProxyService.Plugins.SCCM.SccmDevice.RegisterDevice(MessageCertificateX509 certificate, HttpSender sender) at Jamf.ProxyService.Plugins.SCCM.SccmDevice.SendToSccm() at Jamf.ProxyService.Plugins.SCCM.SccmDevice.Send()
2020-06-09 14:19:31,988 [ 9] ERROR Jamf.ProxyService.Plugins.SCCM.SccmReports - Sending to SCCM failed!

drhoten
Contributor II

Hello @spalladino

Have you been able to get this resolved yet?

For the invalid registration state, we've often seen this caused by three different things.

1) Check to make sure you are using the correct cryptographic provider.

With the Jamf SCCM Proxy service in debug mode, stop the service and use the helper application to send over a device.

Check the jamf_proxy_service.log file for the following, you should see the following when signing and/or encrypting the messages

[Private Key]
  Key Store: Machine
  Provider Name: Microsoft Enhanced RSA and AES Cryptographic Provider
  Provider type: 24

While this is an older provider, one of the lead developers of the messaging SDK at Microsoft told us this is the only one they used when developing the SDK. Others could in theory work, but this is the only they tested.

2) Verify you are using the correct Signature Algorithm, particularly if your management point is using HTTPS or native mode.

Check the jamf_proxy_service.log file for the following

[Signature Algorithm]
  sha256RSA(1.2.840.113549.1.1.11)

3) Finally, verify the GUID assigned to the certificate you imported into SCCM is the same GUID used in the settings.xml of the proxy. The SDK uses a combination of both this GUID assigned to the certificate in SCCM with the certificate itself to sign all messages sent to SCCM. Whether it's used for signing or signing and encrypting depended on whether your management point is running in HTTP or HTTPS mode.

For additional troubleshooting, you can put SCCM into debug mode and then after trying to send a device over check the MP_Registration.log file for the GUID (or SMSID) of the device to see what part of the registration process failed.

I hope this helps, and be sure to check the steps required for your SCCM configuration outlined in https://www.jamf.com/jamf-nation/articles/371/configuring-the-certificates-for-the-jamf-sccm-plug-in....

Doug

spalladino
New Contributor III

hello @drhoten

Still fighting i have a ticket with MS here is the logs showing the error from the MP

<![LOG[Processing Registration request from Client 'GUID:CFBC4105-3CD1-5027-A0DD-F71D6F2DA021']LOG]!><time="14:34:39.620+240" date="06-22-2020" component="MP_RegistrationManager" context="Registration" type="1" thread="51392" file="regtask.cpp:1098">

<![LOG[MP Reg: Successfully created context from the raw signing certificate.]LOG]!><time="14:34:39.620+240" date="06-22-2020" component="MP_RegistrationManager" context="Registration" type="0" thread="51392" file="regtask.cpp:1193">

<![LOG[Begin validation of Certificate [Thumbprint B1B907ABDA2E306A13429E34B118812C101DD2C8] issued to 'sccmjamfproxyv2']LOG]!><time="14:34:39.620+240" date="06-22-2020" component="MP_RegistrationManager" context="Registration" type="1" thread="51392" file="CcmCert.cpp:1769">

<![LOG[Completed validation of Certificate [Thumbprint B1B907ABDA2E306A13429E34B118812C101DD2C8] issued to 'sccmjamfproxyv2']LOG]!><time="14:34:39.667+240" date="06-22-2020" component="MP_RegistrationManager" context="Registration" type="1" thread="51392" file="CcmCert.cpp:1946">

<![LOG[MP Reg: Encryption certificate was not supplied.]LOG]!><time="14:34:39.667+240" date="06-22-2020" component="MP_RegistrationManager" context="Registration" type="0" thread="51392" file="regtask.cpp:1296">

<![LOG[VerifyRegistrationXML(), HRESULT=80004005 (regtask.cpp,1855)]LOG]!><time="14:34:39.668+240" date="06-22-2020" component="MP_RegistrationManager" context="Registration" type="0" thread="51392" file="regtask.cpp:1855">

<![LOG[MP Reg: Registration failed.]LOG]!><time="14:34:39.668+240" date="06-22-2020" component="MP_RegistrationManager" context="Registration" type="2" thread="51392" file="regtask.cpp:168">

So the TL;DR is that it did get the GUID for the Mac in question and it did get and use the right type 24 ISV, but if failed with HRESULT=80004005 in MP_Reg and then stoped dead in its tracks. Any idea what HRESULT=80004005 is?

I am dead in my tracks until MS can get somone that can tell me why the MP is doing this... the crazy thing is it let the first 2 systems through into SCCM and then stops and everything from that point forward is a fail...

Thank you

MTFIDjamf
Contributor II

For us, we saw multiple issues with the plugin. Various messages in logs, no clear reason why.
What ended up fixing it was to completely delete the user that we had created in jamf for the plugin access (it had the rights as described in their guide) and recreate the same user with full jamf rights, everything checked.
Once we started using the full rights user in the plugin on the SCCM server, all issues went away. Devices began populating in SCCM within 24 hours.
Our jamf instance is on-prem.

drhoten
Contributor II

Hello @spalladino

Looking at your log, here's the line that jumps out at me.

<![LOG[MP Reg: Encryption certificate was not supplied.]LOG]!><time="14:34:39.667+240" date="06-22-2020" component="MP_RegistrationManager" context="Registration" type="0" thread="51392" file="regtask.cpp:1296">

This error message implies your management point is running in HTTPS mode and is expecting an encryption certificate in addition to the signing certificate, but your SCCM proxy service is running in HTTP mode which is only using the ISV certificate to sign the messages.

On the server where the proxy service is installed, check the settings.xml file in the application directory to ensure the mp_uses_https is set to true.

<mp_uses_https>true</mp_uses_https>

HTTPS mode requires the messages to be signed and encrypted by the ISV certificate.

spalladino
New Contributor III

@drhoten
Fails either way HTTP or HTTPS

below is with it set to true

2020-07-17 13:12:31,648 [ 4] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Sending the lookup request to SCCM.
2020-07-17 13:12:31,715 [ 4] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Saving the 'ConfigMgrRegistrationRequest' inventory report to 'C:Program Files (x86)JamfJamf SCCM Plug-inDebug est-mac-2020-07-17-131231714-ConfigMgrRegistrationRequest.xml'.
2020-07-17 13:12:31,766 [ 4] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Saving the 'RawData' inventory report to 'C:Program Files (x86)JamfJamf SCCM Plug-inDebug est-Mac-2020-07-17-131231765-RawData.txt'.
2020-07-17 13:12:31,791 [ 4] ERROR Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - There was an unexpected error sending the device to SCCM.
System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) --- End of inner exception stack trace --- at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result) at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size) at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size) at System.Net.ConnectStream.WriteHeaders(Boolean async)
2020-07-17 13:12:31,797 [ 4] ERROR Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Sending to SCCM failed!

With it set to False

2020-07-17 13:31:18,451 [ 5] INFO Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Validating message.
2020-07-17 13:31:18,452 [ 5] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Registering device 'PA1-N5KHTD5-Mac' GUID:2ACBEE9B-FB1D-5C80-BDA2-2F27519F8D91 with test.com with 'test.com'.
2020-07-17 13:31:18,465 [ 5] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Saving the 'ConfigMgrRegistrationRequest' inventory report to 'C:Program Files (x86)JamfJamf SCCM Plug-inDebugPA1-N5KHTD5-Mac-2020-07-17-133118465-ConfigMgrRegistrationRequest.xml'.
2020-07-17 13:31:18,469 [ 5] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Saving the 'RawData' inventory report to 'C:Program Files (x86)JamfJamf SCCM Plug-inDebugPA1-N5KHTD5-Mac-2020-07-17-133118469-RawData.txt'.
2020-07-17 13:31:18,539 [ 5] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Received response from 'nc2pwcm101.us.ad.lfg.com'.
2020-07-17 13:31:18,539 [ 5] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Parsing the response received from 'test.com'.
2020-07-17 13:31:18,539 [ 5] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Raw ConfigMgrRegistrationReply '<ClientRegistrationResponse ResponseType="Registration" TimeStamp="2020-07-17T17:31:18Z" Status="3" ApprovalStatus="-1"/> '.
2020-07-17 13:31:18,545 [ 5] ERROR Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - There was an unexpected error sending the device to SCCM.
System.InvalidOperationException: Invalid registration state: Error. Cannot continue. at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(ConfigMgrRegistrationRequestBase baseRequestMessage, IMessageSender sender, TimeSpan timeout) at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(IMessageSender sender, TimeSpan timeout) at Jamf.ProxyService.Plugins.SCCM.SccmDevice.RegisterDevice(MessageCertificateX509 certificate, HttpSender sender) at Jamf.ProxyService.Plugins.SCCM.SccmDevice.SendToSccm() at Jamf.ProxyService.Plugins.SCCM.SccmDevice.Send()
2020-07-17 13:31:18,551 [ 5] ERROR Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates - Sending to SCCM failed!

drhoten
Contributor II

Hi @spalladino

The error you receive when mp_uses_https is set to true when your management point is using HTTP is what I would expect to see.

An existing connection was forcibly closed by the remote host.

When mp_uses_https is set to false, then you'll need to review the log files on your management point - which is exactly what you showed in your earlier post.

I am not familiar with the exception 80004005, and it appears to be related to unspecified errors.

Digging around this morning, I found a number of posts suggesting it might be related to the server time being out of sync, and others the permissions needed to read certificates. Have you tried searching the other log files on your management point for that error number? Specifically, I'd be interested in seeing if there are any corresponding log entries in ClientAuth.log or other log files when you have SCCM running in debug mode.

Finally what version of Configuration Manager are you running?

Late yesterday I reached out to some folks in support, and we're working on getting them in touch with you about this.

spalladino
New Contributor III

Hello @drhoten

I am happy to send over any logs for review i did update the engineers with what they asked for on friday evening

We are on version 1906 we will soon be moving to 2002 early august

I am happy to set up a webex meeting with JAMF and our Microsoft engineers as well to try and get this figured out its been months, once we got the cert to type 24 I thought that would be the final fix.... no such luck

The strangest thing is every-time i got our cert guys to build me a new cert it always allows the first 2 systems i try manually to go through no errors and then fails on the third and everyone going forward.

completely lost on this one....

Thank you

Thank you

spalladino
New Contributor III

Hello @drhoten

Ran through the process just now and same result removed the isv cert from sccm added the isv cert back into sccm made sure guid matched in the settings log first 2 systems i tried worked no issues went right up to sccm 3rd system failed and 4th failed and now any system i try fails i sent the jamf log with the successes and failures over just now to jamf and MS

thank you

drhoten
Contributor II

Hi @spalladino

Thanks for the update and I was able to get the logs from support and took a look at them first thing this morning.

In these examples, I left the timestamp the same but changed the other data in order to post it here.

I found the first device registered ok. Note the GUID sent to SCCM is the same one it returns as the SmsClientId which indicates the device was not found in SCCM and was successfully registered as a device using the requested GUID.

2020-06-10 16:39:31,809 [  4] INFO  Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - Successfully registered the device 'Mac-1' GUID:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA with 'company.com' and the SmsClientId is 'GUID:AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA'

And then the next device has something I've never seen before. The SmsClientId returned is the GUID of your ISV certificate.

2020-06-10 16:40:11,024 [  5] INFO  Jamf.ProxyService.Plugins.SCCM.SccmReports                   - Successfully registered the device 'Mac-2' GUID:BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB with 'company.com' and the SmsClientId is 'GUID:ZZZZZZZZ-ZZZZ-ZZZZ-ZZZZ-ZZZZZZZZZZZZ'
2020-06-22 14:34:39,411 [  9] DEBUG Jamf.ProxyService.Plugins.SCCM.Utilities.Certificates        - ISV : zzzzzzzz-zzzz-zzzz-zzzz-zzzzzzzzzzzz

The next few devicess the plug-in sent over to SCCM did not appear in MP_RegistrationManager.log so I jumped to the end of the proxy log file, and the last few devices sent are failing in the proxy log with invalid registration state and on the SCCM side with

<![LOG[MP Reg: Encryption certificate was not supplied.]LOG]!><time="14:34:39.667+240" date="06-22-2020" component="MP_RegistrationManager" context="Registration" type="0" thread="51392" file="regtask.cpp:1296">

This is an error I'd expect to see if the MP was running in HTTPS mode and you were trying to send over devices with the plug-in configured for HTTP but am not convinced this is what is going on in your case.

I am going to need to give this some more thought and will sync up with the folks in support to determine our next steps and we'll be back in touch with you.

spalladino
New Contributor III

Hello

I wanted to post the fix we found for this to help anyone in the future as this definitely put us through the ringer 🙂

When the ISV cert is placed into the SCCM database it must go in with a Agent type of 4 for some reason we still are not sure ours would go in with a agent type of 8 and would only allow 2 systems into sccm and then fail on all subsequent systems.

to check your SCCM DB use select * from clientkeydata where SMSID = 'GUID:xxxxxxxxx-xxxx-xxx-xxx-xxxxxxx'

if you need to do the update from 8 to 4 use update clientkeydata set agenttype=4 where recordid='xxxxxxxxxxxxxxxxxx'
Select * from clientkeydata

I hope this saves someone time in the future

Thank you

drhoten
Contributor II

Thanks so much for the update @spalladino, great to hear you finally were able to get it resolved!

So the AgentType field of the record representing the ISV certificate in ClientKeyData needs to be set to a '4', while the AgentType of devices will be set to an '8' or ISV Client since this is a value controlled by the SCCM messaging SDK.

spalladino
New Contributor III

@drhoten Hello

just started to now have a issue where the plugin wont let some systems update but everything that has updated seems to be ok I am looking at the cert in the DB again it still shows agent type 4 so that looks ok but whats should the key type be it now looks to be set at 1 should it be 2? below is what i see on certain systems but on systems that are already in sccm they continue to work...

2020-08-17 12:43:51,749 [ 7] DEBUG Jamf.ProxyService.Plugins.SCCM.SccmReports - Raw ConfigMgrRegistrationReply '<ClientRegistrationResponse ResponseType="Registration" TimeStamp="2020-08-17T16:43:51Z" Status="3" ApprovalStatus="-1"/> '.
2020-08-17 12:43:51,749 [ 7] ERROR Jamf.ProxyService.Plugins.SCCM.SccmReports - There was an unexpected error sending the device to SCCM.
System.InvalidOperationException: Invalid registration state: Error. Cannot continue. at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(ConfigMgrRegistrationRequestBase baseRequestMessage, IMessageSender sender, TimeSpan timeout) at Microsoft.ConfigurationManagement.Messaging.Messages.ConfigMgrRegistrationRequestBase.RegisterClient(IMessageSender sender, TimeSpan timeout) at Jamf.ProxyService.Plugins.SCCM.SccmDevice.RegisterDevice(MessageCertificateX509 certificate, HttpSender sender) at Jamf.ProxyService.Plugins.SCCM.SccmDevice.SendToSccm() at Jamf.ProxyService.Plugins.SCCM.SccmDevice.Send()
2020-08-17 12:43:51,751 [ 7] ERROR Jamf.ProxyService.Plugins.SCCM.SccmReports - Sending to SCCM failed!

drhoten
Contributor II

Hi @spalladino

Have you been able to capture both plug-in and SCCM logs for any of the devices that are not updating? It would be great to see what's happening on the SCCM side too.

For the KeyType based on information we received directly from the developer at Microsoft working on the Messaging SDK, 1 is for Self-Signed certificates and 2 is for a PKI certificate (one issued from a certificate authority). From what I recall, you are using PKI so it should be a 2.

Let me know if you want us to re-open your previous case so we can help you dig into this some more.

spalladino
New Contributor III

@drhoten Hello

Might as well reopen the ticket not sure why all of a sudden certain systems wont update this is the error i see in the mp registration log.... to me it kind of seems the cert changed possibly... happy to do a webex with someone to look at it further
7d0706058049487e93e3a48cb2a69877

drhoten
Contributor II

Morning @spalladino

I'll let the folks in support know, and you can also reply to any email from that case and it will automatically re-open it.

Thinking about your case a bit more yesterday afternoon, assuming your configuration has not changed then other things I wonder about are:
1. Are there any Group Policy Object (GPO) that could be modifying certificates on the server where the proxy service is installed?
2. Have there been any Windows, SQL, or SCCM updates and/or hotfixes applied to either the SCCM server or proxy server? How soon after patch Tuesday did this behavior start up again?
3. Could there be any SCCM maintenance tasks that ran and triggered this behavior?