Forums on Intune, SCCM, and Windows 11


PENDING 2 Domains: Client doesn't have PKI issued Cert

  • Thread starter: ands04
  • Replies: 2
  • Views: 2K

ands04

Hello,
After I have already solved so many problems using this forum, this time I have a question of my own, so I finally registered here. We have the following situation:

We have 2 domains which are connected with a 2-way trust.
In Domain A we have the SCCM MP and 1000 clients which work fine. Domain A also has a PKI CA which generates certificates for the clients of Domain A.
In Domain B we have an SCCM DP and also its own PKI CA which generates certificates for the clients of Domain B.
In SCCM we have set both Root CAs as Trusted Root Certification Authorities.

The clients of Domain B will fail to install the SCCM Agent with the following errors:
[Attached image: SCCM.png]
If I create a PKI cert for a client of Domain B from the CA of Domain A, everything works fine. But we need to get this to work with the PKI certs of Domain B.
Any ideas?

Regards,
ands04
 
Hello again :)
I have the following findings:
The problem is with the IIS CRL check. If we disable the IIS CRL check, SCCM works correctly on a client in Domain B with a cert from Domain B. But disabling the CRL check is not an option.

If the CRL check is enabled, we get the following error in the IIS log:
ccmhttp 403 13 2148081683 1423 62

The CRL from the PKI of Domain B is published via HTTP. I can access and download it from the SCCM MP server. But when the client connects, the CRL check of IIS fails.

Any ideas?
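
The three numbers after `ccmhttp` in the IIS log line quoted above are the HTTP status, substatus and Win32 status, and they can be decoded offline. The following is an added example, not part of the original posts or of any Microsoft tooling; the lookup tables are a small, non-exhaustive selection and the second sample line is constructed.

```python
import re

# Well-known values only; neither table is exhaustive.
IIS_403_SUBSTATUS = {
    7: "Client certificate required",
    13: "Client certificate revoked",
    16: "Client certificate is untrusted or invalid",
    17: "Client certificate has expired or is not yet valid",
}
HRESULT_NAMES = {
    0x00000000: "S_OK",
    0x80092010: "CRYPT_E_REVOKED",
    0x80092012: "CRYPT_E_NO_REVOCATION_CHECK",
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE",
}
# Codes meaning the revocation status could not be determined at all.
CHECK_FAILED = {0x80092012, 0x80092013}

# sc-status, sc-substatus and sc-win32-status: three adjacent integers.
TRIPLE = re.compile(r"(?:^|\s)([1-5]\d{2})\s(\d{1,3})\s(\d+)(?=\s|$)")


def decode_iis_status(line):
    """Decode the status triple of one IIS log line; None if absent."""
    m = TRIPLE.search(line)
    if m is None:
        return None
    status, sub, code = (int(g) for g in m.groups())
    if (status, sub) != (403, 13):
        verdict = "not a revocation rejection"
    elif code in CHECK_FAILED:
        verdict = "revocation check could not complete"
    elif code == 0x80092010:
        verdict = "certificate reported revoked"
    else:
        verdict = "403.13 with an unlisted code"
    return {
        "http": f"{status}.{sub}",
        "substatus_text": IIS_403_SUBSTATUS.get(sub) if status == 403 else None,
        "hresult": f"0x{code:08X}",
        "hresult_name": HRESULT_NAMES.get(code, "unknown"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # First line is the fragment quoted in the post; second is constructed.
    for sample in ("ccmhttp 403 13 2148081683 1423 62", "ccmhttp 200 0 0 512 15"):
        print(decode_iis_status(sample))
```

For the quoted line this yields 0x80092013 (CRYPT_E_REVOCATION_OFFLINE): revocation information could not be retrieved while the client certificate was being validated, which is a different condition from the certificate appearing on the CRL.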
 