Category Archives: Uncategorized

[Tutorial] Gathering trace/event logs in ADFS v2.0 and v3.0

Problem:

Gathering trace/event logs in ADFS is not a trivial task.  The following article will show you how to gather these logs to further help investigate relying party trust issues or issues with end users authenticating to the service.  This tutorial will be leveraging ADFS v3.0 on Server 2012 R2.  The same steps should apply for v2.0 on Server 2008 R2.  This process does change slighting in ADFS on Server 2016 as the logging engine was rewritten.  Depending on demand, a second article will be released for ADFS on Server 2016.

Caviets:

Before beginning, as a side note, debugging in ADFS v2-3 is honestly a total PITA (pain in the… butt).  The problem with ADFS logging is logs are stored on the machines serving the requests, not centrally.  In this case, you will likely have to enable tracing on each ADFS server, or configure your load balancer/host file to temporarly route requests to a specific machine so you know which server to hunt down for the logs.  Likewise, as you will find at the end of the tutorial, the logs gathered from ADFS are very verbose.  Take some time to familiarize yourself with the logs of a working request vs a failure to get used to what logs are actually meaningful.

Tutorial:

Enable list of events/audits to be logged

  1. Login to one of your ADFS servers that you believe will be authenticating the end users
  2. Open Server Manager

  3. In Server Manager, select Tools -> AD FS Management
  4. In AD FS Management, select AD FS in the top left and select Edit Federation Service Properties…
  5. Click on the Events tab and check all the items you wish to log and click OK

Enable tracing

  1. Open Server Manager
  2. Select Tools -> Event Viewer
  3. In Event Viewer, select View in the top menu, and select Show Analytic and Debug Logs
  4. Expand Applications and Services Logs, expand AD FS Tracing, and select Debug
    1. Note: In ADFS v2, the AD FS Tracing folder will be called AD FS 2.0 Tracing
  5. When you are ready to begin collecting logs, right click on Debug and select Enable Log
  6. Click OK when prompted to write over the existing event logs
    1. Note: Each time you enable/disable AD FS Tracing, Event Viewer will purge your last results.  I highly recommend you export your logs if you need them for comparison at a later time.
  7. At this point, recreate the issue, error, or login to the relying party you want to debug.
  8. Once you have recreated the error or logged in, go back to Event Viewer, right click on Debug and select Disable Log
  9. At this point, you should have some events captured to further analyse 🙂
  10. Optional Step: Right click on Debug and select Save All Events As…  This will export to a evtx file, in which this can be sent to another team for analysis or you can reference the logs at a later time.
    1. Note: If you are sending the events over to another team for analysis, zip the logs as it will greatly decrease the file size 🙂

Common error when enabling Debug logging

One error I typically see is the following:

AD FS Debug – The requested operation cannot be performed over an enabled direct channel.  The channel must first be disabled before performing the requested operation

This error is caused by a misconfiguration on the logging properties of the Debug log.  Please verify that you have not manually enabled the debug log nor have the maximum log file size set to Overwrite events as needed.

To fix, right click on Debug and select Properties

Typically, the screenshot below is an example of the incorrect settings used; make sure that Enable Logging is unchecked and is Do not overwrite events ( Clear logs manually ) is checked

Here is a picture of the correct settings for the AD FS Tracing Debug Logs; at which point, once the settings are applied, you should no longer receive this error when conducting your debug/trace logging.

[Tutorial] Using Fiddler to debug SAML tokens on Mobile Devices (Android)

Use Case:

This guide will go over configuring Fiddler to intercept traffic from mobile devices for debugging purposes.  This scenario can be beneficial in tracing/debugging SAML tokens issued from your IdP for a mobile application to consume.  We will be able to validate all traffic flowing in/from the Android device.

Configuring/Setting up Fiddler:

  1. Grab the latest copy of Fiddler from their website for Windows (it is a free download)
    1. https://www.telerik.com/download/fiddlerDownload Fiddler
  2. Install Fiddler on your local machine
    1. Double click fiddlersetup.exe
      Run fiddlersetup
    2. Agree to the End User License Agreement
      Fiddler Install - Accept EULA
    3. Set the installation directory and click Install
      Fiddler Install - Destination Folder
    4. Close the setup wizard
      Fiddler Install - Close Installation
  3. Launch Fiddler
    Launch Fiddler - Windows 10
  4. Click Cancel if prompted about AppContainers
    Fiddler - AppContainer Configuration - Cancel
  5. With Fiddler open click on Tools -> Telerik Fiddler Options…
    Fiddler - Tools - Telerik Fiddler Options
  6. Click on the Connections tab and check Allow remote computers to connect

  7. You will receive a dialog box saying it will need to restart.  Click OK and close out of Fiddler
  8. Once you relaunch Fiddler, click on the down arrow (if shown) and hover over the Online icon

At this point, Fiddler is configured properly, let’s shift over to your mobile device. We’ll shift gears to configuring the Android device to push traffic to Fiddler.

Configuring an Android device
(Android v6.0.1 at the time of writing)

  1. Slide down the notifications drawer from the top of the screen and hit the Settings (gear) icon in the top right
  2. Select Wi-Fi under the Wireless and networks section
  3. Select the wireless network you are connected to and click Edit

  4. Scroll down and check Show advanced options

  5. Select the drop-down for Proxy and choose Manual

  6. Type in the IP address gathered from Fiddler for the Proxy host name and set the Proxy Port to 8888 and click Save
    1. Note: 8888 is the default port for Fiddler, the port can be found under Fiddler -> Telerik Fiddler Options -> Connections tab
  7. Next, open up your web browser and navigate to http://ipv4.fiddler:8888
    1. Note: This is a small webpage served by the Fiddler application to validate the proxy settings are correct.  Likewise, we will use this page in the next step for SSL decryption
  8. On the Fiddler Echo Service page, click on the You can download the FiddlerRoot Certificate link
    1. Note: This download Fiddler’s root certificate to allow us to intercept SSL traffic for debugging purposes
  9. Once the certificate has downloaded, type Fiddler as the Certificate name and click OK

  10. Optional step: Open up your web browser and navigate to a website using SSL (I did https://google.com)
    1. Note: Here you can validate that the SSL certificate used is Fiddler’s root certificate.  This is a good sign that we are intercepting the traffic

Turn off Fiddler from intercepting SSL traffic

Remove the proxy settings

  1. Slide down the notifications drawer from the top of the screen and hit the Settings (gear) icon in the top right
  2. Select Wi-Fi under the Wireless and networks section
  3. Select the wireless network you are connected to and click Edit

  4. Scroll down and check Show advanced options (you should see your old proxy settings unlike my screenshot below)

  5. Select the drop-down for Proxy and choose None

  6. Select Save
  7. At this point, you should be able to capture the traffic through the Fiddler application on your Windows machine; see the screenshot below showing traffic from the android device
    1. NOTE/TIP: If you turn off capturing, you will turn off capturing on Windows, but not for the mobile device.  This can help cut down on the “noise” in getting your sample/debug logs.

Remove the Fiddler SSL certificate

  1. Slide down the notifications drawer from the top of the screen and hit the Settings (gear) icon in the top right
  2. Select Security

  3. Select Trusted credentials

  4. Select the User tab on the Trusted credentials window
  5. Scroll down through the certificate information and towards the bottom you will see a Remove button; press the REMOVE button.
    1. Note: You have to scroll the text, there is no scrollbar until you start the scrolling gesture

 

List of time zones consumed by Azure

When creating Azure Automation scripts, you may have to reference time zones by name.  Below is a table of acceptable values you may use in your scripts to denote the proper time zone.

Name of Time Zone Time
Dateline Standard Time (UTC-12:00) International Date Line West
UTC-11 (UTC-11:00) Coordinated Universal Time-11
Hawaiian Standard Time (UTC-10:00) Hawaii
Alaskan Standard Time (UTC-09:00) Alaska
Pacific Standard Time (Mexico) (UTC-08:00) Baja California
Pacific Standard Time (UTC-08:00) Pacific Time (US & Canada)
US Mountain Standard Time (UTC-07:00) Arizona
Mountain Standard Time (Mexico) (UTC-07:00) Chihuahua, La Paz, Mazatlan
Mountain Standard Time (UTC-07:00) Mountain Time (US & Canada)
Central America Standard Time (UTC-06:00) Central America
Central Standard Time (UTC-06:00) Central Time (US & Canada)
Central Standard Time (Mexico) (UTC-06:00) Guadalajara, Mexico City, Monterrey
Canada Central Standard Time (UTC-06:00) Saskatchewan
SA Pacific Standard Time (UTC-05:00) Bogota, Lima, Quito, Rio Branco
Eastern Standard Time (Mexico) (UTC-05:00) Chetumal
Eastern Standard Time (UTC-05:00) Eastern Time (US & Canada)
US Eastern Standard Time (UTC-05:00) Indiana (East)
Venezuela Standard Time (UTC-04:30) Caracas
Paraguay Standard Time (UTC-04:00) Asuncion
Atlantic Standard Time (UTC-04:00) Atlantic Time (Canada)
Central Brazilian Standard Time (UTC-04:00) Cuiaba
SA Western Standard Time (UTC-04:00) Georgetown, La Paz, Manaus, San Juan
Newfoundland Standard Time (UTC-03:30) Newfoundland
E. South America Standard Time (UTC-03:00) Brasilia
SA Eastern Standard Time (UTC-03:00) Cayenne, Fortaleza
Argentina Standard Time (UTC-03:00) City of Buenos Aires
Greenland Standard Time (UTC-03:00) Greenland
Montevideo Standard Time (UTC-03:00) Montevideo
Bahia Standard Time (UTC-03:00) Salvador
Pacific SA Standard Time (UTC-03:00) Santiago
UTC-02 (UTC-02:00) Coordinated Universal Time-02
Azores Standard Time (UTC-01:00) Azores
Cape Verde Standard Time (UTC-01:00) Cabo Verde Is.
Morocco Standard Time (UTC) Casablanca
UTC (UTC) Coordinated Universal Time
GMT Standard Time (UTC) Dublin, Edinburgh, Lisbon, London
Greenwich Standard Time (UTC) Monrovia, Reykjavik
W. Europe Standard Time (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Central Europe Standard Time (UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
Romance Standard Time (UTC+01:00) Brussels, Copenhagen, Madrid, Paris
Central European Standard Time (UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb
W. Central Africa Standard Time (UTC+01:00) West Central Africa
Namibia Standard Time (UTC+01:00) Windhoek
Jordan Standard Time (UTC+02:00) Amman
GTB Standard Time (UTC+02:00) Athens, Bucharest
Middle East Standard Time (UTC+02:00) Beirut
Egypt Standard Time (UTC+02:00) Cairo
Syria Standard Time (UTC+02:00) Damascus
E. Europe Standard Time (UTC+02:00) E. Europe
South Africa Standard Time (UTC+02:00) Harare, Pretoria
FLE Standard Time (UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius
Turkey Standard Time (UTC+02:00) Istanbul
Israel Standard Time (UTC+02:00) Jerusalem
Kaliningrad Standard Time (UTC+02:00) Kaliningrad (RTZ 1)
Libya Standard Time (UTC+02:00) Tripoli
Arabic Standard Time (UTC+03:00) Baghdad
Arab Standard Time (UTC+03:00) Kuwait, Riyadh
Belarus Standard Time (UTC+03:00) Minsk
Russian Standard Time (UTC+03:00) Moscow, St. Petersburg, Volgograd (RTZ 2)
E. Africa Standard Time (UTC+03:00) Nairobi
Iran Standard Time (UTC+03:30) Tehran
Arabian Standard Time (UTC+04:00) Abu Dhabi, Muscat
Azerbaijan Standard Time (UTC+04:00) Baku
Russia Time Zone 3 (UTC+04:00) Izhevsk, Samara (RTZ 3)
Mauritius Standard Time (UTC+04:00) Port Louis
Georgian Standard Time (UTC+04:00) Tbilisi
Caucasus Standard Time (UTC+04:00) Yerevan
Afghanistan Standard Time (UTC+04:30) Kabul
West Asia Standard Time (UTC+05:00) Ashgabat, Tashkent
Ekaterinburg Standard Time (UTC+05:00) Ekaterinburg (RTZ 4)
Pakistan Standard Time (UTC+05:00) Islamabad, Karachi
India Standard Time (UTC+05:30) Chennai, Kolkata, Mumbai, New Delhi
Sri Lanka Standard Time (UTC+05:30) Sri Jayawardenepura
Nepal Standard Time (UTC+05:45) Kathmandu
Central Asia Standard Time (UTC+06:00) Astana
Bangladesh Standard Time (UTC+06:00) Dhaka
N. Central Asia Standard Time (UTC+06:00) Novosibirsk (RTZ 5)
Myanmar Standard Time (UTC+06:30) Yangon (Rangoon)
SE Asia Standard Time (UTC+07:00) Bangkok, Hanoi, Jakarta
North Asia Standard Time (UTC+07:00) Krasnoyarsk (RTZ 6)
China Standard Time (UTC+08:00) Beijing, Chongqing, Hong Kong, Urumqi
North Asia East Standard Time (UTC+08:00) Irkutsk (RTZ 7)
Singapore Standard Time (UTC+08:00) Kuala Lumpur, Singapore
W. Australia Standard Time (UTC+08:00) Perth
Taipei Standard Time (UTC+08:00) Taipei
Ulaanbaatar Standard Time (UTC+08:00) Ulaanbaatar
Tokyo Standard Time (UTC+09:00) Osaka, Sapporo, Tokyo
Korea Standard Time (UTC+09:00) Seoul
Yakutsk Standard Time (UTC+09:00) Yakutsk (RTZ 8)
Cen. Australia Standard Time (UTC+09:30) Adelaide
AUS Central Standard Time (UTC+09:30) Darwin
E. Australia Standard Time (UTC+10:00) Brisbane
AUS Eastern Standard Time (UTC+10:00) Canberra, Melbourne, Sydney
West Pacific Standard Time (UTC+10:00) Guam, Port Moresby
Tasmania Standard Time (UTC+10:00) Hobart
Magadan Standard Time (UTC+10:00) Magadan
Vladivostok Standard Time (UTC+10:00) Vladivostok, Magadan (RTZ 9)
Russia Time Zone 10 (UTC+11:00) Chokurdakh (RTZ 10)
Central Pacific Standard Time (UTC+11:00) Solomon Is., New Caledonia
Russia Time Zone 11 (UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky (RTZ 11)
New Zealand Standard Time (UTC+12:00) Auckland, Wellington
UTC+12 (UTC+12:00) Coordinated Universal Time+12
Fiji Standard Time (UTC+12:00) Fiji
Tonga Standard Time (UTC+13:00) Nuku’alofa
Samoa Standard Time (UTC+13:00) Samoa
Line Islands Standard Time (UTC+14:00) Kiritimati Island

[Tutorial] Using Fiddler to debug SAML tokens issued from ADFS

Problem:

Many applications want to federate with leverage certain attributes like nameid (nameidentifier), but the problem is the format is wildly different from one application to another.  In this case, one application might use a unique value like an employee ID, another UPN, another email address, and so on.  Or maybe it isn’t an attribute, but you are leveraging SHA1 as your signature hashing algorithm and the application is looking for MD5.

In this case, sometimes you may not be sure what you are sending to the application and are looking to the vendor to help you understand what you need to change in ADFS or if you are working on a custom application, need help debugging your claims rules to integrate into that application.  In this case, I will show you how to leverage Fiddler to acquire the SAML Tokens issued by ADFS to validate what attributes/values you are passing to the federate application.

Tutorial:

  1. Grab the latest copy of Fiddler from their website (it is a free download)
    1. https://www.telerik.com/download/fiddlerDownload Fiddler
  2. Install Fiddler on your local machine
    1. Double click fiddlersetup.exe
      Run fiddlersetup
    2. Agree to the End User License Agreement
      Fiddler Install - Accept EULA
    3. Set the installation directory and click Install
      Fiddler Install - Destination Folder
    4. Close the setup wizard
      Fiddler Install - Close Installation
  3. Launch Fiddler
    Launch Fiddler - Windows 10
  4. Click Cancel if prompted about AppContainers
    Fiddler - AppContainer Configuration - Cancel
  5. With Fiddler open click on Tools -> Telerik Fiddler Options…
    Fiddler - Tools - Telerik Fiddler Options
  6. Click on the HTTPS tab and check Decrypt HTTPS traffic and click OK
    1. Note: you may be prompted to trust a certificate.  You must trust the certificate so Fiddler can intercept your encrypted traffic and decrypt it.  Fiddler will not permanently capture traffic when the application is closed.
      Fiddler - Tools - Telerik Fiddler Options - HTTPS - Decrypt HTTPS traffic
  7. Close out of Fiddler
    Fiddler - Close
  8. Open Fiddler
    Launch Fiddler - Windows 10
  9. Open up Internet Explorer in one window and Fiddler side-by-side.  Drag the Crosshair icon onto Internet Explorer.  This will target only traffic in this process (browser window) to help filter down intercepted traffic.
    Fiddler - Process Selector - Drag Drop
  10. Select the X icon with a dropdown and click Remove all to clear your trace
    Fiddler - X - Remove All
  11. Go to the url of the federated application and login.  In this case, I am going to use https://outlook.com/owa/jackstromberg.com; once you have logged into the application or received the error to your application upon login, click FileCapture Traffic to stop the logs
    Fiddler - File - Capture Traffic - ADFS
  12. Within your logs, look for the last 200 response from your ADFS server before being redirected to your application (which will not show up as a 302, since we are posting to the new URL)
    Fiddler - HTTPS 200 - ADFS - SAML Post
  13. Click on the Inspectors tab, and select the Raw tab at the bottom and copy the value from the hidden input tag with the name of wresult
    Fiddler - Inspectors - Raw - wresult - encoded html
  14. Paste the encoded HTML into my HTML Encoder/Decoder in the Encoded text box and click Decode.
    1. Note: The encoder/decoder is all JavaScript based that functions client/side, so no data will leave your network.
      JackStromberg - HTML Encoder - Decoder - SAML
  15. Copy the Decoded HTML and paste it into an XML formatter of your choice.  Here I am using Bing:
    Bing - XML Formatter - SAML Token
  16. Copy the result into Notepad and you can now read the information
    Notepad - SAML Decoded - Formatted XML

Going into the claim and how it works is outside the scope of this tutorial, but as you can see in the last screenshot above we have the raw SAML token we will send to the relying party trust to consume.  At this point, the vendor can be involved to help troubleshoot any values or attributes that are in an incorrect format.

Creating self-signed certificates with makecert

If you are even in a bind and need a quick self-signed SSL cert and have the Windows SDK installed on your machine, there’s a chance you may have the makecert utility and can generate a quick self-signed SSL cert.

The command is as follows:

makecert -r -pe -n “CN=SelfSigned SSL” -a sha1 -ss My -len 2048 -sy 24 -b 01/01/2015 -e 01/01/2050

A complete list of each of the switches can be found here:
https://msdn.microsoft.com/library/windows/desktop/aa386968.aspx

Additionally, a nice MSDN article has been posted on this subject as well: https://msdn.microsoft.com/en-us/library/ff699202.aspx

MakeCert is available as part of the Windows SDK, which you can download from http://go.microsoft.com/fwlink/p/?linkid=84091

[Tutorial] How to install IIS on Server 2012 and Server 2012 R2

Here is a tutorial on how to install IIS on Server 2012 and Server 2012 R2.  The installation process for this is very straight forward and does not differ much from Server 2008 R2.  This guide will only go over the basic install, additional configuration of IIS is outside the scope of this tutorial.  Before beginning, you can choose to install IIS via PowerShell or the GUI.  Either option will result with the exact same configuration.

PowerShell

  1. Open an elevated PowerShell console
    Server 2012 - PowerShell - Run as Administrator
  2. Execute the following command
    1. Install-WindowsFeature -Name Web-Server, Web-Mgmt-Tools
      PowerShell - Install-WindowsFeature -Name Web-Server Web-Mgmt-Tools

      1. Note: Web-Mgmt-Tools is optional, but in most instances added to get the Internet Information Services (IIS) Manager GUI snap-in to manage IIS

GUI

  1. Open Server Manager
    Server Manager
  2. Click on ManageAdd Roles and Features
    Server 2012 - Manage - Add Roles and Features
  3. Click Next > on the Before You Begin screen
    Add Roles and Features Wizard - Before you begin
  4. Click Next > on the Installation Type screen
    Add Roles and Features Wizard - Select installation type
  5. Click Next > on the Server Selection screen
    Add Roles and Features Wizard - Confirm installation selections - Restart the destination server automatically if required
  6. Select Web Server (IIS) from the list on Server Roles and click on the Add Features button once prompted.  Click Next >
    Add Roles and Features Wizard - Add features that are required for web server iis
    Add Roles and Features Wizard - Server Roles - Web Server IIS
  7. Click Next > on the Features screen
    Add Roles and Features Wizard - Features - Default
  8. Click Next > on the Web Server Role (IIS) screen
    Add Roles and Features Wizard - Web Server Role IIS
  9. Click Next > on the Role Services screen
    Add Roles and Features Wizard - Web Server Role IIS - Role Services
  10. Click Install on the Confirmation screen
    Add Roles and Features Wizard - Web Sever Role - Confirmation

[Tutorial] How to change the asset tag on a Surface Pro 3

Scenario: When logging into the UEFI BIOS, you can see the asset tag’s current value set as 0, but are unable to change it.

Solution: To change the asset tag on a Surface Pro 3, you must download a utility by Microsoft.

  1. Download a copy of the Surface Pro 3 Asset Tag CLI Utility
    http://www.microsoft.com/en-us/download/details.aspx?id=44076
  2. Extract the files from the zipped folder
  3. Open up an elevated command prompt
    Elevated Command Prompt
  4. Navigate to the folder you extracted the Surface Pro 3 Asset Tag CLI utility to
    Surface pro 3 AssetTag Directory
  5. Execute the following command
    1. AssetTag.exe -s ENTERYOURASSETTAGHERE
      AssetTag set Surface Pro 3

      1. Note: The asset tag can be up to 36 characters long. Valid characters include A-Z, a-z, 0-9, period and hyphen.
  6. Reboot the machine for the changes to take effect

 

About the tool

The utility comes with a readme on additional functionality.  This is copied directly from the Surface Pro 3 Asset Tag README.txt file for convience:

This tool gets or sets the proposed Asset Tag, which will be applied on next reboot.

The current Asset Tag is an SMBIOS setting which can be queried via WMI:
(Get-WmiObject -query “Select * from Win32_SystemEnclosure”).SMBiosAssetTag

Get proposed asset tag:
AssetTag -g

Clear proposed asset tag:
AssetTag -s

Set proposed asset tag:
AssetTag -s ABc-45.67

Valid values:
The asset tag can be up to 36 characters long.
Valid characters include A-Z, a-z, 0-9, period and hyphen.

PowerShell script demonstrating way to get proposed value and interpret errors.
Note that stout contains the Asset Tag and stderr contains error messages.

AssetTag -g > $asset_tag 2> $error_message
$asset_tag_return_code = $LASTEXITCODE
$asset_tag = $asset_tag.Trim(“`r`n”)

if ($asset_tag_return_code -eq 0) {
Write-Output (“Good Tag = ” + $asset_tag)
} else {
Write-Output (
“Failure: Code = ” + $asset_tag_return_code +
“Tag = ” + $asset_tag +
“Message = ” + $error_message)
}

Cisco AnyConnect – Windows 8 – The VPN client driver encountered an error. Please restart your computer or device, then try again error

Symptom: You receive the following error when trying to establish a connection with the Cisco AnyConnect client on Windows 8 x64.

Cisco AnyConnect VPN Client - The VPN client driver encountered an error.  Please restart your computer or device then try again error

Solution:

Option 1: PowerShell Method

  1. Go to the Windows 8 Start screen, search for PowerShell, Run as an Administrator
    Windows 8 - Search - powershell - run as administrator
  2. Execute the following powershell command
    1. Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\vpnva -Name DisplayName -Value ‘Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64‘
      PowerShell-Set-vpnva-DisplayName-Cisco-AnyConnect-VPN
  3. Exit and reopen the Cisco AnyConnect Program

Option 2: Registry Editor GUI Method

  1. Go to the Windows 8 Start screen, search for regedit, right click Run as administrator
    Windows 8 - Search - regedit - Run as administrator
  2. Navigate to the following registry key
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vpnva
    HKEY_LOCAL_MACHINE-System-CurrentControlSet-Services-vpnva
  3. Double cick on the DisplayName value and replace the value with Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
    HKEY_LOCAL_MACHINE-System-CurrentControlSet-Services-vpnva - DisplayName - Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
    HKEY_LOCAL_MACHINE-System-CurrentControlSet-Services-vpnva - DisplayName - Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64 - regedit
  4. Exit and reopen the Cisco AnyConnect VPN client

System Center 2012 R2 Configuration Manager – CcmSetup failed with error code 0x87d00280

Symptom: When trying to install the System Center 2012 R2 Configuration Manager client manually, the client seems to never finish the install.  When opening the install log in C:\Windows\ccmsetup\Logs\ccmsetup.log, you will notice the following behavior, pointing mostly to client HTTPS/certificate errors.

<![LOG[==========[ ccmsetup started in process 2576 ]==========]LOG]!><time=”16:00:01.707+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:9437″>
<![LOG[Running on platform X64]LOG]!><time=”16:00:01.817+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”util.cpp:1837″>
<![LOG[Launch from folder \\SCCM01\Manual Client Install\]LOG]!><time=”16:00:01.817+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:721″>
<![LOG[CcmSetup version: 5.0.7958.1000]LOG]!><time=”16:00:01.817+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:727″>
<![LOG[Running on ‘Microsoft Windows 7 Professional ‘ (6.1.7601). Service Pack (1.0). SuiteMask = 272. Product Type = 18]LOG]!><time=”16:00:01.895+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”util.cpp:1919″>
<![LOG[Ccmsetup command line: “\\SCCM01\Manual Client Install\ccmsetup.exe” ]LOG]!><time=”16:00:01.895+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:3590″>
<![LOG[Local Machine is joined to an AD domain]LOG]!><time=”16:00:01.895+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:714″>
<![LOG[Current AD forest name is mydomain.local, domain name is mydomain.local]LOG]!><time=”16:00:02.035+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:842″>
<![LOG[Domain joined client is in Intranet]LOG]!><time=”16:00:02.035+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:1047″>
<![LOG[DhcpGetOriginalSubnetMask entry point is supported.]LOG]!><time=”16:00:02.035+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:117″>
<![LOG[Begin checking Alternate Network Configuration]LOG]!><time=”16:00:02.035+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:1095″>
<![LOG[Finished checking Alternate Network Configuration]LOG]!><time=”16:00:02.035+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:1172″>
<![LOG[Adapter {39CB0535-CE77-4ED9-9807-2DB558378C86} is DHCP enabled. Checking quarantine status.]LOG]!><time=”16:00:02.051+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:436″>
<![LOG[Current AD site of machine is SomewhereOverTheRainbow]LOG]!><time=”16:00:02.066+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:770″>
<![LOG[Attempting to query AD for assigned site code]LOG]!><time=”16:00:02.066+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:2071″>
<![LOG[Performing AD query: ‘(&(ObjectCategory=MSSMSRoamingBoundaryRange)(|(&(MSSMSRangedIPLow<=3232279113)(MSSMSRangedIPHigh>=3232279113))))’]LOG]!><time=”16:00:02.456+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:656″>
<![LOG[Performing AD query: ‘(&(ObjectCategory=mSSMSSite)(|(mSSMSRoamingBoundaries=192.168.1.0)(mSSMSRoamingBoundaries=SomewhereOverTheRainbox)(mSSMSSiteCode=001)))’]LOG]!><time=”16:00:02.924+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:656″>
<![LOG[LSIsSiteCompatible : Verifying Site Compatibility for <001>]LOG]!><time=”16:00:02.924+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:5419″>
<![LOG[Current AD forest name is mydomain.local, domain name is mydomain.local]LOG]!><time=”16:00:02.924+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:842″>
<![LOG[Domain joined client is in Intranet]LOG]!><time=”16:00:02.924+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:1047″>
<![LOG[LSGetSiteVersionFromAD : Attempting to query AD for MPs for site ‘001’]LOG]!><time=”16:00:02.924+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:5248″>
<![LOG[Performing AD query: ‘(&(ObjectCategory=mSSMSManagementPoint)(mSSMSSiteCode=001))’]LOG]!><time=”16:00:02.924+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:656″>
<![LOG[LSGetSiteVersionFromAD : Successfully retrieved version ‘5.00.7958.1000’ for site ‘001’]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:5317″>
<![LOG[LSIsSiteCompatible : Site Version = ‘5.00.7958.1000’ Site Capabilities = <Capabilities SchemaVersion=”1.0″><Property Name=”SSL” Version=”1″/><Property Name=”SSLState” Value=”63″/></Capabilities>]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:5474″>
<![LOG[LSIsSiteVersionCompatible : Site Version ‘5.00.7958.1000’ is compatible.]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:5385″>
<![LOG[LSIsSiteCompatible : Site <001> Version ‘5.00.7958.1000’ is compatible.]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:5486″>
<![LOG[LSGetAssignedSiteFromAD : Trying to Assign to the Site <001>]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:2192″>
<![LOG[Got site code ‘001’ from AD.]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:266″>
<![LOG[Performing AD query: ‘(&(ObjectCategory=mSSMSManagementPoint)(mSSMSDefaultMP=TRUE)(mSSMSSiteCode=001))’]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsad.cpp:656″>
<![LOG[OperationalXml ‘<ClientOperationalSettings><Version>5.00.7958.1000</Version><SecurityConfiguration><SecurityModeMask>63</SecurityModeMask><SecurityModeMaskEx>63</SecurityModeMaskEx><HTTPPort>80</HTTPPort><HTTPSPort>443</HTTPSPort><CertificateStoreName></CertificateStoreName><CertificateIssuers>CN=My Domain Root CA; OU=IT; O=My Domain; C=US</CertificateIssuers><CertificateSelectionCriteria></CertificateSelectionCriteria><CertificateSelectFirstFlag>1</CertificateSelectFirstFlag><SiteSigningCert>CertificateInfoRemoved</SiteSigningCert></SecurityConfiguration><RootSiteCode>001</RootSiteCode><CCM> <CommandLine>SMSSITECODE=001</CommandLine> </CCM><FSP> <FSPServer></FSPServer> </FSP><Capabilities SchemaVersion =”1.0″><Property Name=”SSL” Version=”1″ /><Property Name=”SSLState” Value=”63″ /></Capabilities><Domain Value=”mydomain.local” /><Forest Value=”mydomain.local” /></ClientOperationalSettings>’]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsadcache.cpp:236″>
<![LOG[Unable to open Registry key Software\Microsoft\CCM. Return Code [80070002]. Client HTTPS state is Unknown.]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmutillib.cpp:373″>
<![LOG[The MP name retrieved is ‘SCCM01.mydomain.local’ with version ‘7958’ and capabilities ‘<Capabilities SchemaVersion=”1.0″><Property Name=”SSL” Version=”1″/><Property Name=”SSLState” Value=”63″/></Capabilities>’]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsadcache.cpp:334″>
<![LOG[MP ‘SCCM01.mydomain.local’ is compatible]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsadcache.cpp:339″>
<![LOG[Retrieved 1 MP records from AD for site ‘001’]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsadcache.cpp:287″>
<![LOG[FromAD: command line = SMSSITECODE=001]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:288″>
<![LOG[Current AD forest name is mydomain.local, domain name is mydomain.local]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:842″>
<![LOG[Domain joined client is in Intranet]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:1047″>
<![LOG[CMPInfoFromADCache requests are throttled for 01:07:09]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”lsadcache.cpp:173″>
<![LOG[Found MP https://SCCM01.mydomain.local from AD]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:6197″>
<![LOG[SslState value: 255]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:4425″>
<![LOG[Ccmsetup was run without any user parameters specified. Running without registering ccmsetup as a service.]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4490″>
<![LOG[Detected sitecode ‘001’ from AD.]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4500″>
<![LOG[CCMHTTPPORT: 80]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8617″>
<![LOG[CCMHTTPSPORT: 443]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8632″>
<![LOG[CCMHTTPSSTATE: 255]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8650″>
<![LOG[CCMHTTPSCERTNAME: ]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8668″>
<![LOG[FSP: ]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8720″>
<![LOG[CCMCERTISSUERS: CN=My Domain Root CA; OU=IT; O=My Domain; C=US]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8746″>
<![LOG[CCMFIRSTCERT: 1]LOG]!><time=”16:00:02.940+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:8778″>
<![LOG[Config file: ]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4539″>
<![LOG[Retry time: 10 minute(s)]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4540″>
<![LOG[MSI log file: C:\Windows\ccmsetup\Logs\client.msi.log]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4541″>
<![LOG[MSI properties: SMSSITECODE=”001″ CCMHTTPPORT=”80″ CCMHTTPSPORT=”443″ CCMHTTPSSTATE=”255″ CCMCERTISSUERS=”CN=My Domain Root CA; OU=IT; O=My Domain; C=US” CCMFIRSTCERT=”1″]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4542″>
<![LOG[Source List:]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4550″>
<![LOG[MPs:]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4569″>
<![LOG[ https://SCCM01.mydomain.local]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:4584″>
<![LOG[No version of the client is currently detected.]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:2748″>
<![LOG[Folder ‘Microsoft\Configuration Manager’ not found. Task does not exist.]LOG]!><time=”16:00:03.018+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”wintask.cpp:622″>
<![LOG[Updated security on object C:\Windows\ccmsetup\.]LOG]!><time=”16:00:03.033+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9281″>
<![LOG[A Fallback Status Point has not been specified. Message with STATEID=’100′ will not be sent.]LOG]!><time=”16:00:03.033+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:9763″>
<![LOG[Downloading file \\SCCM01\Manual Client Install\ccmsetup.exe]LOG]!><time=”16:00:04.048+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:5685″>
<![LOG[Downloading \\SCCM01\Manual Client Install\ccmsetup.exe to C:\Windows\ccmsetup\ccmsetup.exe]LOG]!><time=”16:00:04.048+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:5769″>
<![LOG[File download 3% complete (61440 of 1614520 bytes).]LOG]!><time=”16:00:04.079+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 7% complete (122880 of 1614520 bytes).]LOG]!><time=”16:00:04.079+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 11% complete (184320 of 1614520 bytes).]LOG]!><time=”16:00:04.079+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 15% complete (245760 of 1614520 bytes).]LOG]!><time=”16:00:04.126+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 19% complete (307200 of 1614520 bytes).]LOG]!><time=”16:00:04.126+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 22% complete (368640 of 1614520 bytes).]LOG]!><time=”16:00:04.126+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 26% complete (430080 of 1614520 bytes).]LOG]!><time=”16:00:04.126+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 30% complete (491520 of 1614520 bytes).]LOG]!><time=”16:00:04.172+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 34% complete (552960 of 1614520 bytes).]LOG]!><time=”16:00:04.172+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 38% complete (614400 of 1614520 bytes).]LOG]!><time=”16:00:04.172+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 41% complete (675840 of 1614520 bytes).]LOG]!><time=”16:00:04.172+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 45% complete (737280 of 1614520 bytes).]LOG]!><time=”16:00:04.219+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 49% complete (798720 of 1614520 bytes).]LOG]!><time=”16:00:04.219+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 53% complete (860160 of 1614520 bytes).]LOG]!><time=”16:00:04.219+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 57% complete (921600 of 1614520 bytes).]LOG]!><time=”16:00:04.219+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 60% complete (983040 of 1614520 bytes).]LOG]!><time=”16:00:04.250+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 64% complete (1044480 of 1614520 bytes).]LOG]!><time=”16:00:04.250+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 68% complete (1105920 of 1614520 bytes).]LOG]!><time=”16:00:04.266+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 72% complete (1167360 of 1614520 bytes).]LOG]!><time=”16:00:04.266+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 76% complete (1228800 of 1614520 bytes).]LOG]!><time=”16:00:04.313+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 79% complete (1290240 of 1614520 bytes).]LOG]!><time=”16:00:04.313+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 83% complete (1351680 of 1614520 bytes).]LOG]!><time=”16:00:04.313+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 87% complete (1413120 of 1614520 bytes).]LOG]!><time=”16:00:04.313+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 91% complete (1474560 of 1614520 bytes).]LOG]!><time=”16:00:04.344+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 95% complete (1536000 of 1614520 bytes).]LOG]!><time=”16:00:04.344+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 98% complete (1597440 of 1614520 bytes).]LOG]!><time=”16:00:04.344+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[File download 100% complete (1614520 of 1614520 bytes).]LOG]!><time=”16:00:04.391+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:9185″>
<![LOG[Download complete.]LOG]!><time=”16:00:04.391+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:5867″>
<![LOG[Running as user “ej.admin”]LOG]!><time=”16:00:05.311+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:1995″>
<![LOG[Detected 223212 MB free disk space on system drive.]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”util.cpp:628″>
<![LOG[Checking Write Filter Status.]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:2024″>
<![LOG[This is not a supported write filter device. We are not in a write filter maintenance mode.]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:2051″>
<![LOG[SiteCode: 001]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:2076″>
<![LOG[SiteVersion: 5.00.7958.1000]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:2077″>
<![LOG[Only one MP https://SCCM01.mydomain.local is specified. Use it.]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:10080″>
<![LOG[Searching for DP locations from MP(s)…]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:11018″>
<![LOG[Current AD forest name is mydomain.local, domain name is mydomain.local]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:842″>
<![LOG[Domain joined client is in Intranet]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:1047″>
<![LOG[Current AD site of machine is SomewhereOverTheRainbow]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:770″>
<![LOG[DHCP entry points already initialized.]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:75″>
<![LOG[Begin checking Alternate Network Configuration]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:1095″>
<![LOG[Finished checking Alternate Network Configuration]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:1172″>
<![LOG[Adapter {39CB0535-CE77-4ED9-9807-2DB558378C86} is DHCP enabled. Checking quarantine status.]LOG]!><time=”16:00:05.327+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:436″>
<![LOG[Sending message body ‘<ContentLocationRequest SchemaVersion=”1.00″>
<AssignedSite SiteCode=”001″/>
<ClientPackage/>
<ClientLocationInfo LocationType=”SMSPACKAGE” DistributeOnDemand=”0″ UseProtected=”0″ AllowCaching=”0″ BranchDPFlags=”0″ AllowHTTP=”1″ AllowSMB=”0″ AllowMulticast=”0″ UseInternetDP=”0″>
<ADSite Name=”SomewhereOverTheRainbow”/>
<Forest Name=”mydomain.local”/>
<Domain Name=”mydomain.local”/>
<IPAddresses>
<IPAddress SubnetAddress=”192.168.1.0″ Address=”192.168.1.73″/>
</IPAddresses>
</ClientLocationInfo>
</ContentLocationRequest>
‘]LOG]!><time=”16:00:05.342+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”siteinfo.cpp:96″>
<![LOG[Sending message header ‘<Msg SchemaVersion=”1.1″><ID>{F41949F6-9FCA-4C08-AB45-AD13397E03E4}</ID><SourceHost>MACHINENAME</SourceHost><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:MACHINENAME:LS_ReplyLocations</ReplyTo><Priority>3</Priority><Timeout>600</Timeout><ReqVersion>5931</ReqVersion><TargetHost>https://SCCM01.mydomain.local</TargetHost><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><Protocol>http</Protocol><SentTime>2014-09-19T21:00:05Z</SentTime><Body Type=”ByteRange” Offset=”0″ Length=”1146″/><Hooks><Hook3 Name=”zlib-compress”/></Hooks><Payload Type=”inline”/></Msg>’]LOG]!><time=”16:00:05.342+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”siteinfo.cpp:177″>
<![LOG[CCM_POST ‘https://SCCM01.mydomain.local/ccm_system/request’]LOG]!><time=”16:00:05.342+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”httphelper.cpp:807″>
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time=”16:00:05.389+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4393″>
<![LOG[Certificate Issuer 1 [CN=My Domain Root CA; OU=IT; O=My Domain; C=US]]LOG]!><time=”16:00:05.389+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4409″>
<![LOG[Finding certificate by issuer chain returned error 80092004]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4516″>
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4550″>
<![LOG[Unable to find any Certificate based on Certificate Issuers]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4702″>
<![LOG[Locate client certificate bypassing Certificate Issuers restriction]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:6121″>
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4393″>
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4550″>
<![LOG[Begin to select client certificate]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4706″>
<![LOG[The ‘Certificate Selection Criteria’ was not specified, counting number of certificates present in ‘MY’ store of ‘Local Computer’.]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmcert.cpp:4742″>
<![LOG[There are no certificates in the ‘MY’ store.]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4764″>
<![LOG[GetSSLCertificateContext failed with error 0x87d00280]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”ccmsetup.cpp:6141″>
<![LOG[A Fallback Status Point has not been specified. Message with STATEID=’315′ will not be sent.]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:9763″>
<![LOG[GetHttpRequestObjects failed for verb: ‘CCM_POST’, url: ‘https://SCCM01.mydomain.local/ccm_system/request’]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”httphelper.cpp:947″>
<![LOG[GetDPLocations failed with error 0x87d00280]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”siteinfo.cpp:532″>
<![LOG[Failed to get DP locations as the expected version from MP ‘https://SCCM01.mydomain.local’. Error 0x87d00280]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmsetup.cpp:11261″>
<![LOG[A Fallback Status Point has not been specified. Message with STATEID=’101′ will not be sent.]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:9763″>
<![LOG[Next retry in 10 minute(s)…]LOG]!><time=”16:00:05.436+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmsetup.cpp:8835″>
<![LOG[Current AD forest name is mydomain.local, domain name is mydomain.local]LOG]!><time=”16:10:09.190+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:842″>
<![LOG[Domain joined client is in Intranet]LOG]!><time=”16:10:09.190+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:1047″>
<![LOG[Current AD site of machine is SomewhereOverTheRainbow]LOG]!><time=”16:10:09.299+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”1″ thread=”2624″ file=”lsad.cpp:770″>
<![LOG[DHCP entry points already initialized.]LOG]!><time=”16:10:09.299+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:75″>
<![LOG[Begin checking Alternate Network Configuration]LOG]!><time=”16:10:09.299+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:1095″>
<![LOG[Finished checking Alternate Network Configuration]LOG]!><time=”16:10:09.299+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:1172″>
<![LOG[Adapter {39CB0535-CE77-4ED9-9807-2DB558378C86} is DHCP enabled. Checking quarantine status.]LOG]!><time=”16:10:09.299+300″ date=”09-19-2014″ component=”LocationServices” context=”” type=”0″ thread=”2624″ file=”ccmiputil.cpp:436″>
<![LOG[Sending message body ‘<ContentLocationRequest SchemaVersion=”1.00″>
<AssignedSite SiteCode=”001″/>
<ClientPackage/>
<ClientLocationInfo LocationType=”SMSPACKAGE” DistributeOnDemand=”0″ UseProtected=”0″ AllowCaching=”0″ BranchDPFlags=”0″ AllowHTTP=”1″ AllowSMB=”0″ AllowMulticast=”0″ UseInternetDP=”0″>
<ADSite Name=”SomewhereOverTheRainbow”/>
<Forest Name=”mydomain.local”/>
<Domain Name=”mydomain.local”/>
<IPAddresses>
<IPAddress SubnetAddress=”192.168.1.0″ Address=”192.168.170.73″/>
</IPAddresses>
</ClientLocationInfo>
</ContentLocationRequest>
‘]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”siteinfo.cpp:96″>
<![LOG[Sending message header ‘<Msg SchemaVersion=”1.1″><ID>{6DCC55BE-D180-41DC-ACF9-2B909F186F1A}</ID><SourceHost>MACHINENAME</SourceHost><TargetAddress>mp:[http]MP_LocationManager</TargetAddress><ReplyTo>direct:MACHINENAME:LS_ReplyLocations</ReplyTo><Priority>3</Priority><Timeout>600</Timeout><ReqVersion>5931</ReqVersion><TargetHost>https://SCCM01.mydomain.local</TargetHost><TargetEndpoint>MP_LocationManager</TargetEndpoint><ReplyMode>Sync</ReplyMode><Protocol>http</Protocol><SentTime>2014-09-19T21:10:09Z</SentTime><Body Type=”ByteRange” Offset=”0″ Length=”1146″/><Hooks><Hook3 Name=”zlib-compress”/></Hooks><Payload Type=”inline”/></Msg>’]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”siteinfo.cpp:177″>
<![LOG[CCM_POST ‘https://SCCM01.mydomain.local/ccm_system/request’]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”httphelper.cpp:807″>
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4393″>
<![LOG[Certificate Issuer 1 [CN=My Domain Root CA; OU=IT; O=My Domain; C=US]]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4409″>
<![LOG[Finding certificate by issuer chain returned error 80092004]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4516″>
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4550″>
<![LOG[Unable to find any Certificate based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4702″>
<![LOG[Locate client certificate bypassing Certificate Issuers restriction]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:6121″>
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4393″>
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4550″>
<![LOG[Begin to select client certificate]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4706″>
<![LOG[The ‘Certificate Selection Criteria’ was not specified, counting number of certificates present in ‘MY’ store of ‘Local Computer’.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmcert.cpp:4742″>
<![LOG[There are no certificates in the ‘MY’ store.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4764″>
<![LOG[GetSSLCertificateContext failed with error 0x87d00280]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”ccmsetup.cpp:6141″>
<![LOG[GetHttpRequestObjects failed for verb: ‘CCM_POST’, url: ‘https://SCCM01.mydomain.local/ccm_system/request’]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”httphelper.cpp:947″>
<![LOG[GetDPLocations failed with error 0x87d00280]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”siteinfo.cpp:532″>
<![LOG[Failed to get DP locations as the expected version from MP ‘https://SCCM01.mydomain.local’. Error 0x87d00280]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmsetup.cpp:11261″>
<![LOG[Failed to find DP locations from MP ‘https://SCCM01.mydomain.local’ with error 0x87d00280, status code 200. Check next MP.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmsetup.cpp:11117″>
<![LOG[Only one MP https://SCCM01.mydomain.local is specified. Use it.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:10080″>
<![LOG[Have already tried all MPs. Couldn’t find DP locations.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”ccmsetup.cpp:11146″>
<![LOG[GET ‘https://SCCM01.mydomain.local/CCM_Client/ccmsetup.cab’]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”httphelper.cpp:807″>
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4393″>
<![LOG[Certificate Issuer 1 [CN=My Domain Root CA; OU=IT; O=My Domain; C=US]]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4409″>
<![LOG[Finding certificate by issuer chain returned error 80092004]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4516″>
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4550″>
<![LOG[Unable to find any Certificate based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”2″ thread=”2624″ file=”ccmcert.cpp:4702″>
<![LOG[Locate client certificate bypassing Certificate Issuers restriction]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:6121″>
<![LOG[Begin searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4393″>
<![LOG[Completed searching client certificates based on Certificate Issuers]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4550″>
<![LOG[Begin to select client certificate]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4706″>
<![LOG[The ‘Certificate Selection Criteria’ was not specified, counting number of certificates present in ‘MY’ store of ‘Local Computer’.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”0″ thread=”2624″ file=”ccmcert.cpp:4742″>
<![LOG[There are no certificates in the ‘MY’ store.]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmcert.cpp:4764″>
<![LOG[GetSSLCertificateContext failed with error 0x87d00280]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”ccmsetup.cpp:6141″>
<![LOG[GetHttpRequestObjects failed for verb: ‘GET’, url: ‘https://SCCM01.mydomain.local/CCM_Client/ccmsetup.cab’]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”httphelper.cpp:947″>
<![LOG[DownloadFileByWinHTTP failed with error 0x87d00280]LOG]!><time=”16:10:09.315+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”3″ thread=”2624″ file=”httphelper.cpp:1081″>
<![LOG[CcmSetup failed with error code 0x87d00280]LOG]!><time=”16:10:09.331+300″ date=”09-19-2014″ component=”ccmsetup” context=”” type=”1″ thread=”2624″ file=”ccmsetup.cpp:10879″>

Resolution: This behavior is 100% caused by an invalid configuration using HTTPS.  In this particular case, machines were not autoenrolling in machine based certificates, thus, System Center could not authenticate the client and would not allow setup to complete.

Here are some things to try to point you in the general direction of where something may have gone wrong in your deployment:

  1. If you are not using HTTPS (do not have a PKI environment), make sure you have turned off HTTPS configurations for your site.
  2. Ensure your clients are properly configured for autoenrollment
  3. Ensure your clients are actually receiving a machine certificate from autoenrollment
  4. Ensure your certificate authority’s certificate and CRL lists are not expired

System Center 2012 R2 – The user account running the Configuration Manager console has insufficient permissions to read information from the Configuration Manager site database

Symptom: When any user account, other than the individual who originally configured SCCM, tries to manage System Center Configuration Manager (SCCM), they are presented with the following error:

The user account running the Configuration Manager console has insufficient permissions to read information from the Configuration Manager site database.  The account must belong to a security role in Configuration Manager.  The account must also have the Windows Server Distributed Componenet Object Model (DCOM) Remote Activation permission for the computer running the Configuration Manager site server and the SMS Provider. Configuration Manager cannot connect to the site - System Center 2012 R2 Configuration Manager

Solution: We need to provide a list of users/groups to have access to System Center through the configuration console.  Follow the steps below on how to grant access.

  1.  Open up the System Center Configuration Manager Console System Center 2012 R2 Configuration Manager Console - Task Bar
  2. Select Administration
    System Center 2012 R2 Configuration Manager - Administration
  3. Expand Security, select Administrative Users, and select Add User or Group at the top
    System Center 2012 R2 - Administration - Security - Administrative Users - Add User or Group
  4. Click the Browse button to add security group or user you wish to add for the User or group name
    1. Note about Domain Admins: the first group you might try to add is Domain Admins, however if you add that group you will notice that users in this group will still be unable to open the console.  This is due to the behavior of user context logged in.  If UAC is enabled on the machine, you won’t have access to the SCCM you login to the machine with a domain admin account, unless you right click on the console and run it is Administrator.  If you want this to work as intended, you will need to create a new security group in Active Directory, add Domain Admins to it, and then specify that group in SCCM.
  5. Click the Add… button
    System Center 2012 R2 - Administration - Security - Administrative Users - Add User or Group - Add
  6. Check Full Administrator, and click OK
    System Center 2012 R2 - Administration - Security - Administrative Users - Add User or Group - Add - Add Security Role
  7. Click OK
    System Center 2012 R2 - Administration - Security - Administrative Users - Add User or Group - Group and Security Roles assigned
  8. The end result should now look like this.  At this point, any member or group inside of SCCM Admins should have access to manage SCCM now via the console.
    System Center 2012 R2 - Administration - Security - Administrative Users - Security Group and User