Forum Discussion
marc_goff
Aug 03, 2021 | Brass Contributor
Client on Management Point doesn't work after in place OS upgrade
Following the docs here https://docs.microsoft.com/en-us/mem/configmgr/core/servers/manage/upgrade-on-premises-infrastructure about in place OS upgrade for a CM 2010 install. The servers went from 2...
marc_goff
Aug 23, 2021 | Brass Contributor
Anyone have any ideas? I am seeing other computers that aren't Config Manager servers also showing similar problems in the dataTransfer.log file. They aren't sending in hardware inventory to the management point or they are having issues downloading BITS jobs from the management point.
This in-place server OS upgrade has not been a smooth process.
marc_goff
Aug 25, 2021 | Brass Contributor
I posted to Reddit as well and got some pointers saying you need to remove the MP role if you fully reinstall the client. No links to any specific docs, more just "I've heard" sort of thing.
I removed the MP role, but left the SUP role. This seemed to remove the client at the same time. At least it removed the Control Panel entry.
I then reinstalled the MP role and then installed the client. They both exited setup with error code 0, but the issue still remains.
I dug into the logs a bit more and it seems like it's something to do with the certs maybe.
Keep in mind this is all on the management point itself and we do require HTTPS via an internal ADCS PKI. If I look at one of the errors in the DataTransferService.log and grab the BITS job:
CDTSJob::HandleErrors: DTS Job '{F0AD54F5-7364-49BE-91C4-33BA0DED45DC}' BITS Job '{20FFFB81-7308-4187-832D-500312F8B7D6}' under user 'S-1-5-18' OldErrorCount 1397 NewErrorCount 1398 ErrorCode 0x80072EFE DataTransferService 8/25/2021 9:46:47 PM 1316 (0x0524)
Then checking the BITS job, I can get the URL (https://SERVER-FQDN:443/SMS_MP/.sms_pol?%7B33B321B6-72BD-4827-95FF-623A04B7CE53%7D.SHA256:52BC11A0A11362FDE7CF392B055993FE9E2BB81CF5A8BF4F69A19C5CE9D7E2DB)
=====================
bitsadmin /info '{20FFFB81-7308-4187-832D-500312F8B7D6}' /verbose
BITSADMIN version 3.0
BITS administration utility.
(C) Copyright Microsoft Corp.
GUID: {20FFFB81-7308-4187-832D-500312F8B7D6} DISPLAY: 'CCMDTS Job'
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: NT AUTHORITY\SYSTEM
PRIORITY: HIGH FILES: 0 / 1 BYTES: 0 / UNKNOWN
CREATION TIME: 8/20/2021 4:11:01 PM MODIFICATION TIME: 8/25/2021 9:30:13 PM
COMPLETION TIME: UNKNOWN ACL FLAGS:
NOTIFY INTERFACE: REGISTERED NOTIFICATION FLAGS: 11
RETRY DELAY: 60 NO PROGRESS TIMEOUT: 28800 ERROR COUNT: 1380
PROXY USAGE: NO_PROXY PROXY LIST: NULL PROXY BYPASS LIST: NULL
ERROR FILE: https://SERVER-FQDN:443/SMS_MP/.sms_pol?%7B33B321B6-72BD-4827-95FF-623A04B7CE53%7D.SHA256:52BC11A0A11362FDE7CF392B055993FE9E2BB81CF5A8BF4F69A19C5CE9D7E2DB -> D:\SMS_CCM\Staging\{33B321B6-72BD-4827-95FF-623A04B7CE53}.3.00.tmp
ERROR CODE: 0x80072efe - The connection with the server was terminated abnormally
ERROR CONTEXT: 0x00000005 - The error occurred while the remote file was being processed.
DESCRIPTION:
JOB FILES:
0 / UNKNOWN WORKING https://SERVER-FQDN:443/SMS_MP/.sms_pol?%7B33B321B6-72BD-4827-95FF-623A04B7CE53%7D.SHA256:52BC11A0A11362FDE7CF392B055993FE9E2BB81CF5A8BF4F69A19C5CE9D7E2DB -> D:\SMS_CCM\Staging\{33B321B6-72BD-4827-95FF-623A04B7CE53}.3.00.tmp
NOTIFICATION COMMAND LINE: none
owner MIC integrity level: SYSTEM
owner elevated ? true
This job is read-only to the current CMD window because the job's mandatory
integrity level of SYSTEM is higher than the window's level of HIGH.
Peercaching flags
Enable download from peers :true
Enable serving to peers :true
CUSTOM HEADERS: NULL
CLIENT CERTIFICATE INFORMATION:
Certificate Store Location : CERT_STORE_LOCATION_LOCAL_MACHINE
Certificate Store Name : MY
Certificate Hash : 41C2067A522B94550F626B1A136015C4C6FE46D9
Certificate Subject Name : NULL
HTTP security flags
Enable CRL Check :true
Ignore invalid common name in server certificate :false
Ignore invalid date in server certificate :false
Ignore invalid certificate authority in server certificate :false
Ignore invalid usage of certificate :false
URL redirection policy :Redirects will be automatically allowed.
Redirection from HTTPS to HTTP allowed :false
================
Finally, if I look in the IIS log for that URL, I see a 403.7 error, which from what I can tell indicates a mutual cert auth error.
============================
2021-08-26 01:46:47 10.10.28.120 HEAD /SMS_MP/.sms_pol %7B33B321B6-72BD-4827-95FF-623A04B7CE53%7D.SHA256:52BC11A0A11362FDE7CF392B055993FE9E2BB81CF5A8BF4F69A19C5CE9D7E2DB 443 - 10.10.28.120 Microsoft+BITS/7.8 - 403 7 64 1
================
In order to rule out every issue with certs, I deleted all the certs except one that is configured for both client and server auth and is the one set up for IIS. I verified in the ClientIDManagerStartup.log that it had selected that cert for the CM client. Going to the IIS server from the client browser shows no issues, and of course other machines can talk just fine to the MP.
Anyone have any other ideas or know how to get more detailed logging from BITS on IIS?
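Added example (not part of the original post and not Microsoft's code): a small Python filter that pulls 403.x client-certificate rejections for BITS requests out of an IIS W3C log, the same kind of entry as the 403.7 line quoted above. It assumes the default W3C field set in the `#Fields` header; the sample rows, addresses, GUID and hash are constructed placeholders.

```python
from urllib.parse import unquote

# IIS 403 sub-statuses that relate to client-certificate (mutual TLS) checks.
CERT_SUBSTATUS = {
    "7": "client certificate required",
    "13": "client certificate revoked",
    "16": "client certificate untrusted or invalid",
    "17": "client certificate expired or not yet valid",
}

def parse_w3c(lines):
    """Yield one dict per request, keyed by the log's own #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if fields and len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))

def client_cert_failures(lines, user_agent_prefix="Microsoft+BITS"):
    """Return 403.x client-certificate rejections for the given user agent."""
    hits = []
    for row in parse_w3c(lines):
        reason = CERT_SUBSTATUS.get(row.get("sc-substatus"))
        agent = row.get("cs(User-Agent)", "")
        if (row.get("sc-status") != "403" or reason is None
                or not agent.startswith(user_agent_prefix)):
            continue
        hits.append({
            "utc": f"{row['date']} {row['time']}",
            "client": row["c-ip"],
            "query": unquote(row["cs-uri-query"]),
            "status": f"403.{row['sc-substatus']}",
            "reason": reason,
            "win32": int(row["sc-win32-status"]),
        })
    return hits

# Constructed sample rows (addresses, GUID and hash are placeholders).
SAMPLE = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-26 01:46:47 192.0.2.10 HEAD /SMS_MP/.sms_pol %7B00000000-0000-0000-0000-000000000000%7D.SHA256:PLACEHOLDER 443 - 192.0.2.10 Microsoft+BITS/7.8 - 403 7 64 1
2021-08-26 01:46:52 192.0.2.10 HEAD /SMS_MP/.sms_pol %7B00000000-0000-0000-0000-000000000000%7D.SHA256:PLACEHOLDER 443 - 192.0.2.25 Microsoft+BITS/7.8 - 200 0 0 3
2021-08-26 01:47:10 192.0.2.10 GET /SMS_MP/.sms_pol - 443 - 192.0.2.30 Mozilla/5.0 - 403 7 0 2
""".splitlines()
for hit in client_cert_failures(SAMPLE): print(hit)
```

IIS writes W3C log times in UTC by default, so the `utc` value has to be shifted to local time before it is matched against a DataTransferService.log entry. A `win32` value of 64 is ERROR_NETNAME_DELETED ("The specified network name is no longer available").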