Forums on Intune, SCCM, and Windows 11


PENDING Client communication problems after upgrade 2103 to 2107/2111/2203

  • Thread starter: Manuel8899
  • Replies: 3
  • Views: 9K

Manuel8899

Hello everybody,
Our Configuration Manager was on version 2010. Because of end of support we tried to upgrade to 2203. The upgrade was successful but the clients did not communicate with the server anymore. In the device overview we see only a grey X for all the clients. Sometimes the icon is green but only for some minutes.
After 2203 we tested this with all the other available releases (reverted to backup first, everything is working again): With version 2103 the clients are working, but with version 2107 and newer the clients stop working. We are now on the last working version 2103 and are trying to upgrade. The SCCM upgrade itself is completely successful, all upgrade steps succeed and all site components are reporting "OK".

We have only a single standalone site on one server using Windows Server 2016 and SQL Server 2016. The communication setting is HTTPS/HTTP mode with configuration manager self-signed certificates (no PKI).

In CcmNotificationAgent.log we see these logs:
Connecting to server with IP: xxx.xxx.110.59 Port: 10123
Handshake was successful
Error: Server certificate retrieved in TLS is not an exact match of the current MP encryption certificate.
Error: 0x80090322 authenticating server credentials!
Failed to signin bgb client with error = 80090322.

Connecting to server with IP: xxx.xxx.110.59 Port: 10123
Handshake was successful
Error: Server certificate retrieved in TLS is not an exact match of the current MP encryption certificate.
Error: 0x80090322 authenticating server credentials!
Failed to signin bgb client with error = 80090322.

Fallback to HTTP connection.
Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:CAC20C74-6478-4B08-B192-1F4915F99E42";
DateTime = "20220628071649.264000+000";
HostName = "SANDBOA.xxxxxxxxxxxxxx";
HRESULT = "0x00000000";
ProcessID = 4404;
StatusCode = 0;
ThreadID = 8532;
};
Message validation failure with error = 80090006.
Failed to signin bgb client with error = 80090006.


Can somebody give us a hint to fix this problem?

Thank you in advance,
Manuel
 
I have not seen this error before. Can you go to the Monitoring workspace and confirm whether the components are all up (green)? Are you sure the upgrade was successful?
 
Hello Prajwal,
Thanks for your answer. I don't like to be the first with an error ;-)
Yes, all 69 components are green with Status "OK".
The upgrade was successful, both the major upgrade and the Hotfix Rollup. "Turning on Features" has not started yet, but in other tests it was completed too. I just restarted the server to trigger this step again.
The Precheck warning is because of missing .NET Framework 4.8. We tried to stay on 4.6.2 for the test but it makes no difference.

Our last idea was that it may be a problem with TLS 1.2, but we followed the Microsoft Guide https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client and set the registry keys for server and client as described.

Best,
Manuel
 
In our case the issue was with the Server authentication certificate bound to the IIS sites on the MP/Primary Site. The issue was that when the certificate was installed, the Friendly name was just set to the hostname (XYZSERVER), whereas the certificate was issued to the FQDN and the client was trying to communicate with the FQDN. Once the Friendly name was changed to the FQDN and the web sites were restarted, communication was fixed.
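
The check described in the reply above, as an added example that is not part of the original thread or of Configuration Manager itself: it lists every IIS HTTPS binding on the management point and compares the bound certificate's Friendly name and DNS names with the server's FQDN. It assumes the WebAdministration module is installed and that the local name resolves in DNS to the FQDN that clients use.

```powershell
# Added example: compare each IIS HTTPS binding's certificate with this server's FQDN.
# Run in an elevated PowerShell session on the management point / primary site server.
Import-Module WebAdministration

# Assumption: resolving the local computer name returns the FQDN that clients connect to.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

foreach ($binding in Get-WebBinding -Protocol https) {
    $thumb = $binding.certificateHash
    $store = $binding.certificateStoreName

    if (-not $thumb) {
        Write-Warning "Binding $($binding.bindingInformation) has no certificate assigned"
        continue
    }
    if (-not $store) { $store = 'My' }   # default to the Personal store

    $cert = Get-Item -Path "Cert:\LocalMachine\$store\$thumb" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "Certificate $thumb is bound in IIS but missing from LocalMachine\$store"
        continue
    }

    # Names the certificate is valid for (subject CN plus subject alternative names).
    # Wildcard entries are listed but will not count as an exact FQDN match below.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

    [pscustomobject]@{
        Binding        = $binding.bindingInformation
        Thumbprint     = $cert.Thumbprint
        FriendlyName   = $cert.FriendlyName
        Subject        = $cert.Subject
        DnsNames       = $names -join ', '
        NotAfter       = $cert.NotAfter
        FqdnInCert     = $names -contains $fqdn          # certificate issued to the FQDN?
        FriendlyIsFqdn = $cert.FriendlyName -eq $fqdn    # the mismatch the reply describes
    }
}
```

A row with `FqdnInCert` true and `FriendlyIsFqdn` false corresponds to the situation in that reply: a certificate issued to the FQDN whose Friendly name is only the short hostname.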
 
