Common native mode client -> MP error messages and what to do about them


Basic communication problems between the client and the MP are common, and they can be hard to decipher from logging alone. The error class I'll concentrate on here is the "WINHTTP_STATUS_CALLBACK" errors that may appear in ccmexec.log on the client. These errors are bubbled up from WinHTTP, and the MSDN documentation can be found here. Only a few of them are relevant to ConfigMgr, and those are the ones I'll cover.

WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED

This error happens when CRL checking is enabled on the client but the CRL cannot be accessed. The CRL (certificate revocation list) is what the client downloads in order to verify that the certificate for the MP, DP, or other SSL-capable site role hasn't been revoked by the administrator. When the CRL isn't accessible, the client is blocked from communicating until it can download the list (a better-safe-than-sorry approach). The ways to fix this are: make the CRLs available to the client (this can be challenging for Internet clients); publish additional CRLs that the client can access (this will require issuing new certificates to the SSL site roles, since the CRL locations are stamped in the certificates themselves); or turn off CRL checking on clients. This is an infrastructure error.

WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA

This error means that the root or intermediate certificate of the CA that issued the certificate for the MP, DP, or other SSL-capable site role isn't in the client's Local Computer Trusted Root (or Intermediate) Certification Authorities store. The way to fix this is to import the root or intermediate certificate into the appropriate store for the local computer (not the user). This is a deployment error.

WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID

This means that the hostname the client is connecting to doesn't match the certificate's subject or subject alternative name. For example, the client is connecting to https://myhost.contoso.com, but the certificate's subject is myotherhost.contoso.com. The way to fix this is to change the FQDN the client uses in the ConfigMgr console or to create a new certificate with the correct subject name. This is a certificate error.

These are by far the most common errors you'll see with SSL communication on a native mode client. I hope this has provided some insight into what those errors mean and how to fix them!

Update: A "friendly" way to validate the certificate on the MP is to do what I call the browser test. That's to point your browser to https://yourmp and see if any certificate errors are returned. If your browser returns errors, the client most certainly will as well, but the browser provides a somewhat friendlier (and quicker) way to troubleshoot those issues. 
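A scripted version of that browser test, as an added example that is not part of the original post: it runs the same three checks described above (subject/SAN match, issuing CA trust, CRL reachability) against the MP certificate from the client's side and reports findings under the flag names you would see in ccmexec.log. It assumes `yourmp.contoso.com` is a placeholder for the FQDN the client actually uses for the MP, that the MP listens on port 443, that it is run on the affected client (so the Local Computer store and CRL reachability are the ones that client sees), and PowerShell 5.1 or later.

```powershell
using namespace System.Net.Security
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the original post. Performs the same checks the
# client's WinHTTP stack does (CN/SAN match, issuing CA trust, CRL fetch)
# against the MP certificate and labels the results with the flag names
# seen in ccmexec.log. Assumptions: 'yourmp.contoso.com' is a placeholder
# for the MP FQDN the client uses; the MP listens on 443; run on the
# affected client; PowerShell 5.1 or later.

function Test-MpCertificate {
    param(
        [string]$MpHost = 'yourmp.contoso.com',   # placeholder, use your MP FQDN
        [int]$Port = 443
    )

    $script:mpCert = $null
    $script:mpPolicyErrors = [SslPolicyErrors]::None

    # Accept the certificate so the handshake completes; it is inspected below.
    $callback = [RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:mpCert = [X509Certificate2]::new($cert)
        $script:mpPolicyErrors = $errors
        return $true
    }

    $tcp = [System.Net.Sockets.TcpClient]::new($MpHost, $Port)
    try {
        $ssl = [SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($MpHost)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }

    $cert = $script:mpCert
    $findings = @()

    # WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID: the name the client used is
    # neither the subject nor a subject alternative name of the certificate.
    if ($script:mpPolicyErrors.HasFlag([SslPolicyErrors]::RemoteCertificateNameMismatch)) {
        $findings += "CERT_CN_INVALID: '$MpHost' does not match subject '$($cert.Subject)' or its SANs"
    }

    # Rebuild the chain with online revocation checking, as a client with CRL
    # checking enabled does, then read each status code off the chain.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain
    $null = $chain.Build($cert)

    foreach ($status in $chain.ChainStatus) {
        $flags = $status.Status
        $info  = $status.StatusInformation.Trim()
        if ($flags.HasFlag([X509ChainStatusFlags]::UntrustedRoot) -or
            $flags.HasFlag([X509ChainStatusFlags]::PartialChain)) {
            # WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA: the issuing root or
            # intermediate is missing from the Local Computer store.
            $findings += "INVALID_CA: $info"
        } elseif ($flags.HasFlag([X509ChainStatusFlags]::RevocationStatusUnknown) -or
                  $flags.HasFlag([X509ChainStatusFlags]::OfflineRevocation)) {
            # WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED: the CRL could not be fetched.
            $findings += "CERT_REV_FAILED: $info"
        } elseif ($flags.HasFlag([X509ChainStatusFlags]::Revoked)) {
            $findings += "CERT_REVOKED: $info"
        } else {
            $findings += "OTHER ($flags): $info"
        }
    }

    if (-not $findings) { $findings += "OK: no certificate errors for '$MpHost'" }

    # The CRL locations are stamped into the certificate itself (CRL Distribution
    # Points, OID 2.5.29.31); list them so CRL reachability can be tested directly.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) { $findings += "CRL distribution points:`n$($cdp.Format($true))" }

    return $findings
}

Test-MpCertificate -MpHost 'yourmp.contoso.com'
```

Run it as the client would run: from the affected machine, in an elevated session, so the chain is built against the Local Computer store rather than a user's. A `CERT_REV_FAILED` finding paired with the listed CRL distribution points tells you exactly which URL the client must be able to reach; an `INVALID_CA` finding tells you which issuer to import.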
