Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

System Center Configuration Manager 2007 clients may be unable to retrieve policy from a Management Point in Native Mode after installing KB977377


Symptoms

After you install KB977377, System Center Configuration Manager 2007 clients may all be unable to download policies from a Management Point in Native Mode. All of the affected machines in the collection will also show the client status as “No”.

You may also see some or all of the following log entries:

MP Control Manager:

Error Milestone CRP <date - time>  SMS_MP_CONTROL_MANAGER 5438 MP Control Manager detected MP is not responding to HTTP requests. The http error is 12152.
Possible cause: MP service is not started or not responding.
Solution: Manually restart the SMS Agent Host service on the MP.
Possible cause: IIS service is not responding.
Solution: Manually restart the W3SVC service on the MP.
For more information, refer to Microsoft Knowledge Base article 838891.

IIS Logs:

2010-03-29 14:26:27 W3SVC1 <addr> CCM_POST /ccm_system/request - 443 - 192.168.32.161 ccmhttp 403 7 64
2010-03-29 14:26:27 W3SVC1 <addr> CCM_POST /ccm_system/request - 443 - 10.1.91.100 ccmhttp 403 7 64
2010-03-29 14:26:29 W3SVC1 <addr> CCM_POST /ccm_system/request - 443 - 10.1.91.11 ccmhttp 403 7 64
2010-03-29 14:26:29 W3SVC1 <addr> CCM_POST /ccm_system/request - 443 - 10.1.91.35 ccmhttp 403 7 64
2010-03-29 14:26:30 W3SVC1 <addr> CCM_POST /ccm_system/request - 443 - 10.1.91.1 ccmhttp 403 7 64

Mpcontrol.log:

Machine name is <name>. SMS_MP_CONTROL_MANAGER <date - time> 4952 (0x1358)
CryptVerifyCertificateSignatureEx returned error 0x80090006. SMS_MP_CONTROL_MANAGER <date - time> 4952 (0x1358)
Certificate has "SSL Client Authentication" capability. SMS_MP_CONTROL_MANAGER <date - time> 4952 (0x1358)
CryptVerifyCertificateSignatureEx returned error 0x80090006. SMS_MP_CONTROL_MANAGER <date - time> 4952 (0x1358)
Certificate doesn't have "SSL Client Authentication" capabilities. SMS_MP_CONTROL_MANAGER <date - time> 4952 (0x1358)
Skipping certificate that is not valid for ConfigMgr usage. SMS_MP_CONTROL_MANAGER <date - time> 4952 (0x1358)
Call to HttpSendRequestSync failed for port 443 with an error code. SMS_MP_CONTROL_MANAGER <date - time> 4952 (0x1358)
Http test request failed, error code is 12152. SMS_MP_CONTROL_MANAGER <date - time> 4952 (0x1358)
Successfully performed Management Point availability check against local computer. SMS_MP_CONTROL_MANAGER <date - time> 4952 (0x1358)
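
The following PowerShell is an added example, not part of the original KB article: it parses IIS log lines in the layout shown above and lists the clients whose policy requests to /ccm_system/request were rejected with 403.7, the IIS substatus for "client certificate required". The 14-field order is assumed from the excerpt, the sample lines are constructed, and 192.0.2.10 stands in for the redacted <addr> field.

```powershell
# Constructed sample in the layout of the IIS log excerpt above.
$sample = @'
#Fields: header lines starting with # are skipped
2010-03-29 14:26:27 W3SVC1 192.0.2.10 CCM_POST /ccm_system/request - 443 - 192.168.32.161 ccmhttp 403 7 64
2010-03-29 14:26:27 W3SVC1 192.0.2.10 CCM_POST /ccm_system/request - 443 - 10.1.91.100 ccmhttp 403 7 64
2010-03-29 14:26:31 W3SVC1 192.0.2.10 CCM_POST /ccm_system/request - 443 - 10.1.91.100 ccmhttp 403 7 64
2010-03-29 14:26:40 W3SVC1 192.0.2.10 CCM_POST /ccm_system/request - 443 - 10.1.91.11 ccmhttp 200 0 0
'@ -split "`r?`n"

function ConvertFrom-MpIisLine {
    param([string[]]$Line)
    foreach ($l in $Line) {
        if ($l -match '^\s*(#|$)') { continue }   # skip header and blank lines
        $f = $l.Trim() -split '\s+'
        if ($f.Count -lt 14) { continue }         # not the 14-field layout assumed here
        New-Object PSObject -Property @{
            Time      = "$($f[0]) $($f[1])"
            Method    = $f[4]
            Uri       = $f[5]
            ClientIp  = $f[9]
            Status    = [int]$f[11]
            SubStatus = [int]$f[12]
            Win32     = [int]$f[13]
        }
    }
}

function Get-MpCertRejection {
    param([string[]]$Line)
    # Keep only policy requests rejected with 403.7, then summarise per client.
    ConvertFrom-MpIisLine $Line |
        Where-Object { $_.Uri -eq '/ccm_system/request' -and
                       $_.Status -eq 403 -and $_.SubStatus -eq 7 } |
        Group-Object ClientIp |
        Sort-Object Count -Descending |
        Select-Object @{n = 'ClientIp';  e = { $_.Name }}, Count,
                      @{n = 'FirstSeen'; e = { ($_.Group | Sort-Object Time |
                                                Select-Object -First 1).Time }}
}

# On the sample: 10.1.91.100 (2 rejections) and 192.168.32.161 (1); 10.1.91.11 is not listed.
Get-MpCertRejection $sample | Format-Table -AutoSize
```

To run it against a real log, pass the file contents instead of the sample: `Get-MpCertRejection (Get-Content <path to the W3SVC1 log file>)`.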



Cause

This can occur after you install the update described in the following Knowledge Base article:

977377 - Microsoft Security Advisory: Vulnerability in TLS/SSL could allow spoofing

This update deploys a workaround that disables Transport Layer Security (TLS) and Secure Sockets Layer (SSL) renegotiation support on affected systems to help protect clients that connect to such servers from exploitation of this vulnerability. In certain configurations, IIS using client certificate authentication, including certificate mapping scenarios, will be affected.



Resolution

To resolve this issue, follow the steps mentioned in the same article (KB977377) on setting the DisableRenegoOnClient and the DisableRenegoOnServer registry entries to a value of 0 on the affected Management Point:

Important:  This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 - How to back up and restore the registry in Windows

Note: The instructions below describe disabling the previously mentioned security workaround. Be sure you've read and fully understand the following security bulletin before proceeding:

Microsoft Security Advisory (977377) - Vulnerability in TLS/SSL Could Allow Spoofing: http://www.microsoft.com/technet/security/advisory/977377.mspx

To configure the DisableRenegoOnClient and DisableRenegoOnServer registry entries, follow these steps:

1.  Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list. If you are prompted for an administrator password or confirmation, type your password or click Continue.

2.  Click Start, click Run, type regedit in the Open box, and then click OK.

3.  Locate and then click the following subkey in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

4.  Right-click DisableRenegoOnClient, and then click Modify.

5.  In the Value data box, type 0, and then click OK.

6.  Right-click DisableRenegoOnServer, and then click Modify.

7.  In the Value data box, type 0, and then click OK.

8.  Exit Registry Editor, and then restart the computer.
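
The same steps as a PowerShell script, as an added example that is not part of the original KB article: it reports the current values, exports the SCHANNEL key as a backup, and then sets both entries to 0. The `-Apply` switch, the function names and the backup file name are assumptions of this example; values that do not already exist are left untouched, because the steps above only modify existing values.

```powershell
# Added example. Run from an elevated prompt on the affected Management Point.
param([switch]$Apply)   # without -Apply the script only reports the current values

$regPath = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$names   = 'DisableRenegoOnClient', 'DisableRenegoOnServer'

function Get-RenegoValue([string]$Name) {
    # Returns the value data, or $null when the value (or the key) does not exist.
    $p = Get-ItemProperty -Path "Registry::$regPath" -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$Name
}

function Show-RenegoState([string]$Label) {
    foreach ($n in $names) {
        $v = Get-RenegoValue $n
        if ($null -eq $v) { $v = '<not present>' }
        Write-Output ("{0,-7} {1} = {2}" -f $Label, $n, $v)
    }
}

Show-RenegoState 'Before:'
if (-not $Apply) { return }

# Back up the key first (hypothetical file name; timestamped so nothing is overwritten).
$backup = Join-Path $env:TEMP ('schannel-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $regPath $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no changes were made.' }
Write-Output "Backup written to $backup"

foreach ($n in $names) {
    if ($null -eq (Get-RenegoValue $n)) {
        Write-Warning "$n is not present; leaving it untouched."
        continue
    }
    & reg.exe add $regPath /v $n /t REG_DWORD /d 0 /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to set $n." }
}

Show-RenegoState 'After:'
Write-Output 'Restart the computer for the change to take effect.'
```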


Article Info
Article ID : 2022502
Revision : 1
Created on : 1/8/2017
Published on : 11/29/2010