New secondary site installation may fail if data signing is turned on in SMS 2.0 SP5 or in SMS 2003 (827887)



The information in this article applies to:

  • Microsoft Systems Management Server 2.0 SP5
  • Microsoft Systems Management Server 2003

SYMPTOMS

When you try to create a new secondary site in Microsoft Systems Management Server (SMS) 2.0 Service Pack 5 (SP5) or in SMS 2003, the child site installation is not completed, and the child site status remains Pending in the SMS Administrator Console. If you have turned on logging for the SMS Despooler component, the following may appear in the Despool.log file on the parent SMS site server, where xxx is the site code for the child site:
Waiting for ready instruction file....  
Verifying signature for instruction C:\SMS\inboxes\despoolr.box\receive\ds_1vfda.ist of type MICROSOFT|SMS|MINIJOBINSTRUCTION|TRANSFER  
CPublicKeyLookup::CPublicKeyLookup("xxx")  
CPublicKeyLookup::CPublicKeyLookup("xxx") Initializing to file: C:\SMS\inboxes\hman.box\pubkey\xxx.pkc  
CPublicKeyLookup::GetNextKey() Getting Iteration: 2  
CPublicKeyLookup::GetNextKey() Checking C:\SMS\inboxes\hman.box\pubkey\xxx.pkc for Key0  
CPublicKeyLookup::GetNextKey() No Match Found, Trying C:\SMS\inboxes\hman.box\pubkey\xxx.pkp  
CPublicKeyLookup::GetNextKey() Found Key:  
CPublicKeyLookup::CPublicKeyLookup("xxx")  
Cannot find valid public key for key exchange instruction coming from site xxx  
Retry the instruction (C:\SMS\inboxes\despoolr.box\receive\ds_1vfda.ist) because this site does not allow untrusted child sites.  
Will retry instruction C:\SMS\inboxes\despoolr.box\receive\ds_1vfda.ist 100 more times, the next retry is in about 5 minutes  
Instruction C:\SMS\inboxes\despoolr.box\receive\r_g1bzte.sni won't be processed till 07/29/2003 12:42:51 PM Eastern Daylight Time  
Waiting for ready instruction file....  

These log entries appear for each .sni file from the secondary site that the parent site processes. The secondary site cannot report status to the parent site. You may also notice a backlog of files in the \SMS\Inboxes\Despoolr.box folder on the parent site server computer.

CAUSE

This problem occurs because of new security features that are available with SMS 2.0 SP5 and with SMS 2003. The security features allow an SMS administrator to reject communication from SMS sites that do not use signed data. The security features can prevent the installation of additional secondary sites in the SMS hierarchy that do not meet the security requirements.

RESOLUTION

To resolve this problem, follow these steps:
  1. On the secondary site computer, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, change to the \SMS\bin\i386\00000409 folder.
  3. Type preinst.exe /KEYFORPARENT, and then press ENTER.

    Preinst.exe creates a SiteCode.CT4 file in the root folder of the largest drive partition, where SiteCode is the site code of the secondary site.
  4. Copy the SiteCode.CT4 file to the \SMS\Inboxes\Hman.box folder on the parent site computer.
The SMS Hierarchy Manager component processes the .CT4 file and adds the security key to its list of accepted keys for data transfer. After the security key is added to the SMS parent site, the backlog of files on the parent site is processed by the SMS Despooler component.

When the new .CT4 file is processed, the following log entries appear in the Hman.log file, where xxx is the site code for the child site:
Wait for site control changes...  
Processing C:\SMS\inboxes\hman.box\xxx_7W21.CT4 file, containing 1 keys.  
CPublicKeyLookup::UpdateCurrentKey("xxx", "0602000000A400005253413100020000010001008F581AE90DEF71C4F156B96D19CAD050C82F4D7E6FEDF516CE20335CB0E37D4A1BE164C8C8113CEFBF285BC88F84BF0E928AB054A86260868A955D5F292A29A4")  
CPublicKeyLookup::UpdateCurrentKey() Checking C:\SMS\inboxes\hman.box\pubkey\xxx.pkc for Key0  
CPublicKeyLookup::UpdateCurrentKey() Updating Key0  
No parent site to forward CT4 file C:\SMS\inboxes\hman.box\xxx_7W21.CT4 to.  Deleting.  
Wait for site control changes... 
After the SMS Hierarchy Manager has processed the .CT4 file, the secondary site communications are accepted, and the secondary site appears as Active.
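
When several child sites are pending, the Despool.log and Hman.log messages shown above can be checked together. The following Python code is an added example, not part of the original article or of SMS: it finds site codes rejected for a missing public key and reports which of them have since had a .CT4 file processed. The function names, the site codes S01 and S02, and the sample file names are constructed; it assumes the .CT4 file name begins with the three-character site code and that the Hman.log lines are newer than the rejections.

```python
import re

# Message texts follow the Despool.log and Hman.log excerpts in this article.
REJECTED = re.compile(r"Cannot find valid public key for key exchange "
                      r"instruction coming from site (\w+)")
RETRY = re.compile(r"Will retry instruction (\S+) (\d+) more times")
# Assumption: the .CT4 file name starts with the three-character site code.
CT4 = re.compile(r"Processing \S*\\([A-Za-z0-9]{3})_\w+\.CT4 file, containing \d+ keys")
KEY_UPDATED = re.compile(r"UpdateCurrentKey\(\) Updating Key\d+")

def rejected_sites(despool_lines):
    """Map site code -> rejection count, fewest retries left, instruction files."""
    sites, current = {}, None
    for line in despool_lines:
        if m := REJECTED.search(line):
            current = m.group(1).upper()
            entry = sites.setdefault(current, {"rejections": 0, "files": set()})
            entry["rejections"] += 1
        elif current and (m := RETRY.search(line)):
            entry, left = sites[current], int(m.group(2))
            entry["files"].add(m.group(1).rsplit("\\", 1)[-1])
            entry["retries_left"] = min(left, entry.get("retries_left", left))
            current = None  # the retry line closes this rejection record
    return sites

def accepted_sites(hman_lines):
    """Site codes whose .CT4 file was processed and followed by a key update."""
    accepted, pending = set(), None
    for line in hman_lines:
        if m := CT4.search(line):
            pending = m.group(1).upper()
        if pending and KEY_UPDATED.search(line):  # same line or a later one
            accepted.add(pending)
            pending = None
    return accepted

def triage(despool_lines, hman_lines):
    """Assumes the Hman.log lines are newer than the Despool.log rejections."""
    accepted = accepted_sites(hman_lines)
    return {s: "key accepted" if s in accepted else "needs preinst.exe /KEYFORPARENT"
            for s in rejected_sites(despool_lines)}

# Constructed sample lines; site codes S01/S02 and file names are made up.
RCV = "C:\\SMS\\inboxes\\despoolr.box\\receive\\"
MISSING = "Cannot find valid public key for key exchange instruction coming from site "
DESPOOL = [MISSING + "S01", f"Will retry instruction {RCV}ds_a1.ist 100 more times",
           MISSING + "S01", f"Will retry instruction {RCV}ds_a1.ist 99 more times",
           MISSING + "S02", f"Will retry instruction {RCV}ds_b2.ist 100 more times"]
HMAN = ["Processing C:\\SMS\\inboxes\\hman.box\\S02_TEST.CT4 file, containing 1 keys.",
        "CPublicKeyLookup::UpdateCurrentKey() Updating Key0"]
```

A site that still shows as needing the key after the .CT4 file was copied suggests that Hierarchy Manager has not yet processed the file.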

MORE INFORMATION

In SMS 2.0 SP5, the following options appear on the Site Connection tab in the Site Properties dialog box. In SMS 2003, the following options appear on the Advanced tab in the Site Properties dialog box:
  • Do not accept unsigned data from sites running SMS 2.0 SP4 and earlier.
  • Require secure key exchange between sites.
If these options are turned on, new SMS 2.0 child sites may not complete the installation process. A new secondary site may remain in a Pending state in the SMS Administrator Console of the parent site.

Modification Type: Major
Last Reviewed: 3/15/2006
Keywords:kbtshoot kbServer kbsmsAdmin kbSysSettings kbsetup kbSecurity kbprb KB827887 kbAudITPRO