SOLVED OSD broken after HTTPs setup

[TRichards]

Hello All!

I have hunted the internet over and have not been able to find a solution to my issues, so I was hoping someone here might guide me in the right direction. Our SCCM environment is setup with two servers. One for the DB, and the other for all the management roles. The environment was built as http, however, we recently changed our SCCM environment over to HTTPS for the MP/DP/SUP. Everything worked fine before the switch. Now everything is running correctly as HTTPS except for the PXE/OSD portion. When a machine PXE boots, the machine connects, gets an ip, gets to the password prompt screen, you enter the password and then it does the "Retrieving policy for this computer..." before throwing an error(8004005). There are no errors in the SMSPXE.log. The smsts.log shows the message below five times before it jumps to the finish page and shows the bottom message in the smsts.log. I know that it has something to do with the certificate, but my searching has not yet found the solution. I appreciate the help!

Thanks,
Tanner

 

[Sam Banford]

Is your PKI configuration good on the site?

Deploy PKI Certificates for SCCM Step by Step Guide

Deploy PKI Certificates for SCCM 2012 R2,Step by Step Guide to Deploy PKI Certificates for SCCM 2012 R2, Step by Step Guide SCCM 2012 R2 PKI

www.prajwaldesai.com

Might want to try disabling CRL checks, and it could also (but unlikely) be a time sync issue.

 

[TRichards]

Thanks for the response. I followed guides from here and a few other sites when building all the certs and making the switch over to https, so it should all be correct. I have the client check CRL unchecked, so I don't think that should be the issue either. Time on the SCCM server reflects time we are seeing on the DC's and clients, so that shouldn't be the issue either. I'll keep looking, but thanks for the reply!

 

[Edy]

post your smsts.log. cant really tell from your screenshot as the second line is already saying exiting TS.

 

[Edy]

i also remember there is a pxe setting where you can specify http, https or http and https. maybe try http and https?

have you tried pxe boot successfully on this computer? sometime the pxe failed because there is no network driver in the boot image to retrieve the policy.

 

[Sam Banford]

I'm kind of giving the stink eye to "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA"...

 

[Greg Shafer]

I just went through this myself. I could PXE boot and enter my imaging password but crashed and burned when trying to load the available task sequences.

Most definitely take a look at the link that Sam Banford posted at the top. You will need to make sure that both your DP and IIS cert has been assigned to the DP (check certlm.msc). Make sure that you have the IIS cert assigned in IIS as well on the DP. I had to manually add https to the default website on the DP. Lastly, export the DP pfx and specify that PFX under the communication tab for the DP. Once I went through these steps, I was able to load task sequences and image.