PXE Boot issue after HTTPS only and PKI has been applied

  • Question

  • Main error: WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set. Screenshot attached.

    - 1910 environment, transferred to HTTPS only mode with PKI usage
    - Certs in use: Web Cert for PS, Workstation Cert with Private Key Export for DP, Workstation Cert for Clients
    - Clients on-field are transformed to PKI mode and are capable of installing Applications and Packages
    - Boot images are updated to DPs after PS and DP are transformed to use https only.


    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Thursday, December 5, 2019 8:58 AM

Answers

  • > WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA

    The CA that issued your certs is not trusted.

    At Site properties, Root CA is not specified.

    Without this, the PXE and media boot clients won't trust the CA that issued the certs which is your issue.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Saturday, December 7, 2019 11:38 PM

All replies

  • Did you also do the PKI client cert on the DP settings as well?
    One of the lines does mention something about "In SSL, but with no client certs".

    Website: www.walshamsolutions.com Technical Blog: https://www.walshamsolutions.com/technical-blog Personal Blog: https://www.walshamsolutions.com/personal-blog Twitter: Dwalshampro

    Thursday, December 5, 2019 10:26 AM
  • Like I wrote above, I added a wks cert for DP, which was exported with Private Key. I did it like this: https://www.windows-noob.com/forums/topic/16301-how-can-i-configure-system-center-configuration-manager-in-https-mode-pki-part-2/

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Thursday, December 5, 2019 10:47 AM
  • Is the root cert installed on the DP?

    Is the export to pfx done from the DP?

    Thursday, December 5, 2019 3:13 PM
  • Hi,

    Thanks for posting in TechNet. Please try the following actions:

    1. Please try to re-import your DP Client Cert on your PXE DP and check the CRL availability for the certificate you are using on the DP.
    2. Please make sure the date and time on the PXE booted system are correct.
    3. Please also go into the options of your PXE-enabled DP, look at the General tab and check whether the certificate has been imported and is valid.

    Here is a similar thread for your reference: PXE boot fails when DP is on HTTPS mode

    Thanks for your time.

    Best regards,
    Simon

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 6, 2019 1:53 AM
  • Thanks for help, let me answer more…

    • Only one server, PS, DP, MP, SUP are all on the same server.
    • This server now has 3 certs enrolled: web cert, DP cert, client cert.
    • Cert for DP is imported, exported Private key and imported into DP properties. This cert is visible fine in DP properties. This procedure is also repeated, no help. Cert to DP is created from Workstation Auth template.
    • Date and time are correct on PXE client.
    • At Site properties, Root CA is not specified. Clients to check CRL is enabled. 
    • Also, WDS died after transform to https only and I started to use native SCCM PXE. If needed, I can re-install WDS and turn it back again.

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Friday, December 6, 2019 9:34 AM
  • What I stumbled upon was that our Template was set to 4096bit and only 2048bit is supported, and also the private key has to be exportable....

    More Info: https://docs.microsoft.com/en-us/configmgr/core/plan-design/network/pki-certificate-requirements

    -> Site systems that have a distribution point installed


    Friday, December 6, 2019 10:35 AM
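The two checks raised in this thread, the root CA trust point in Jason's answer and the 2048-bit/exportable-key tip above, combined into one script. This is an added PowerShell example, not code from the thread or from Microsoft; it assumes Windows PowerShell 5.1 with .NET Framework 4.6 or later running on the DP itself, the site's root CA exported as a Base-64 .cer file, and a placeholder thumbprint and path.

```powershell
# Added example, not from the thread or from Microsoft: checks a ConfigMgr DP certificate
# against the points raised above (RSA 2048-bit key, exportable private key, chain to the
# root CA the site trusts, CRL reachable). Assumes Windows PowerShell 5.1 with .NET 4.6+
# on the DP, and that the root CA was exported as a Base-64 .cer; the thumbprint and
# path below are placeholders.
param(
    [string]$DpCertThumbprint = '<DP-CERT-THUMBPRINT>',  # placeholder
    [string]$RootCaPath       = 'C:\Temp\SiteRootCA.cer' # placeholder
)
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $DpCertThumbprint
if (-not $cert) { throw "Certificate $DpCertThumbprint not found in LocalMachine\My" }

# Key requirements from the docs page linked in the thread (DP site system section).
$rsa        = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keySizeOk  = ($rsa.KeySize -eq 2048)
$exportable = $null   # only determinable for legacy CSP keys; CNG keys leave this $null
try {
    $csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
    if ($csp) { $exportable = $csp.CspKeyContainerInfo.Exportable }
} catch { }

# A PXE/media boot client trusts only the root CA specified in site properties, so build
# the chain against that file instead of relying on the DP's own Trusted Root store.
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'Online'                           # CRL must be reachable
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority' # allow a file-based root anchor
[void]$chain.ChainPolicy.ExtraStore.Add($root)
$built     = $chain.Build($cert)
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
# UntrustedRoot is expected when the anchor comes from a file; anything else (for example
# RevocationStatusUnknown when the CRL cannot be fetched) is a real problem.
$problems  = $chain.ChainStatus | Where-Object { $_.Status -notin 'NoError', 'UntrustedRoot' }

[pscustomobject]@{
    Subject              = $cert.Subject
    Expired              = ($cert.NotAfter -lt (Get-Date))
    KeySize2048          = $keySizeOk
    HasPrivateKey        = $cert.HasPrivateKey
    PrivateKeyExportable = $exportable
    ChainsToSiteRootCA   = ($built -and $chainRoot.Thumbprint -eq $root.Thumbprint)
    ChainProblems        = (($problems | ForEach-Object { $_.Status }) -join ', ')
}
```

If ChainsToSiteRootCA is false while the DP's own store trusts the cert, the root CA configured in site properties is not the one that issued the DP cert, which is exactly the mismatch the boot client reports as INVALID_CA.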
  • > What I stumbled upon was that our Template was set to 4096bit and only 2048bit is supported, and also the private key has to be exportable....
    >
    > More Info: https://docs.microsoft.com/en-us/configmgr/core/plan-design/network/pki-certificate-requirements
    >
    > -> Site systems that have a distribution point installed

    Thanks for the tip, did check, all are 2048 :)

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Friday, December 6, 2019 11:32 AM
  • This is interesting. I was using Native PXE instead of WDS after the https only transfer, because WDS died. Now I decided to re-install MP and DP roles and get back to WDS. WDS does load the boot image (client), but I see: (this is something new to me).


    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Friday, December 6, 2019 1:10 PM
  • Warnings are safe to ignore, but the failure to pull policy on the client is worrying. I have the same issue (as you know) in one of my 1910 labs, and I will troubleshoot it some more and if nothing positive happens, I'll raise it to the PG.

    cheers

    niall


    Irishman living in Sweden. I blog about Microsoft Endpoint Manager (Configuration Manager and Microsoft Intune). Please visit https://windows-noob.com and https://niallbrady.com.

    Saturday, December 7, 2019 8:04 PM
  • Jason was 100% correct. I've added it back to my CM1910 https previously non-working lab and all is good; on my other CM1910 https working lab it was already correctly specified!

    thanks Jason :)

    cheers

    niall


    Irishman living in Sweden. I blog about Microsoft Endpoint Manager (Configuration Manager and Microsoft Intune). Please visit https://windows-noob.com and https://niallbrady.com.

    Sunday, December 8, 2019 4:05 PM
  • Thanks, indeed, adding the root CA solved the issue with PXE boot; the TS is listed and loadable. Now I have another problem - during the first OS phase, after image and drivers are laid down, both HP and Lenovo boot to BIOS. They don't continue to the native OS.

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Tuesday, December 10, 2019 7:18 PM
  • I'd suggest you open a new thread for that issue.

    cheers

    niall


    Irishman living in Sweden. I blog about Microsoft Endpoint Manager (Configuration Manager and Microsoft Intune). Please visit https://windows-noob.com and https://niallbrady.com.

    Tuesday, December 10, 2019 8:32 PM
  • > Now I have another problem - during the first OS phase, after image and drivers are laid down, both HP and Lenovo boot to BIOS. They don't continue to the native OS.

    Got it working. I disabled Bitlocker pre-provisioning, that might help.

    MCSE Mobility 2018. Expert on SCCM, Windows 10, ALOVPN, MBAM.

    Wednesday, December 11, 2019 5:42 PM
  • Hi,

    Thank you very much for your sharing and feedback. Here's a short summary for the problem.

    Problem/Symptom:
    ===================
    1. PXE Boot failed with the error WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA after HTTPS only and PKI had been applied.
    2. During the first OS phase, after image and drivers are laid down, both HP and Lenovo boot to BIOS. They don't continue to the native OS.

    Solution:
    ===================
    1. Adding the root CA solved the issue with PXE boot.
    2. Disable Bitlocker pre-provisioning.

    Thanks again for your time.

    Thanks and regards,
    Simon

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 12, 2019 3:17 AM