SCCM 2012 – Web Redirect is evil

Hi All,

Recently I was at a customer site performing the Build & Capture and it was failing when the Install Application step was invoked.

The customer was running WS2012R2, SCCM 2012 R2 with CU3, so the latest updates 🙂

Because we were doing the B&C for Windows 8.1, the hotfix for Windows 7 did not apply, so the problem had to be something else.

Looking at the client logs, I saw:

ClientLocation
[CCMHTTP] ERROR: URL=http://xxxxxx, PORT=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE

LocationServices
Workgroup Client is in unknown location
Failed to execute LSExecuteTask
[CCMHTTP] Error: URL=http://xxxxx, PORT=80, Options=224, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE
Raising event: instance of CCM_CcmHttp_Status{ ………………..
Successfully sent location services HTTP failure message
Error sending HEAD request. HTTP code 401, status ‘Unauthorized’

CertificateMaintenance
MP xxxx does not allow client connections matching the client connection type

StatusAgent
HandleFSPCcmHttpStatus – Failed to retrieve assigned MP. Assuming ‘xxxxxx’ is not a relevant MP

So, looking at the IIS logs, I saw that before the setup windows the machine did connect properly to the MP folders (i.e. /SMS_MP/.sms_aut MPLOCATION, /ccm_system/request, SMS_MP/.sms_pol, etc.); not once did I see it connecting directly to the root /.

However, once the client is installed, it starts connecting to the root / and I see this as HEAD /, and just after I saw it being redirected to /CMApplicationCatalog with HTTP ID 302 but it was getting HTTP error 401.

Of course this is not normal, but this was happening because we did redirect the IIS default website to /CMApplicationCatalog.

This repeats a few times per second, so at the end of the day, with 1 T&B TS, we got around 450MB of IIS log. Not good, as this could fill up the drive quickly.

You may be asking, why this redirection? The customer had a single server, single primary site. They had created a CNAME called InstallSoftware where the users could open the Internet and browse to http://InstallSoftware to get to the CMApplicationCatalog. As we don’t want users to see the IIS default web page and, you know, users will not remember to add the /CMApplicationCatalog, we added the redirection…

Once we removed the redirection (that was done via a default.aspx file), it connects to the root / and gets status 200, it then goes to ccm_system/request, sms_fsp, etc… fine.

Speaking with MS, I asked why this request to the root /, as this request doesn’t seem to be necessary and only causes extra network traffic (small, but extra…).

From the reply I got, this behaviour was implemented in SP1 or R2 for specific workgroup scenarios to detect if the client is internet or intranet.

This still does not make sense to me and I’ve submitted a DCR to have this behaviour changed. However, while speaking with MS, my fellow MVP Kim Oppalfens gave me the idea to test the IIS URL Rewrite module and I have to say that after testing it, this resolves the issue.

So, to get the redirection to the CMApplicationCatalog (or another website) without breaking your MP connection on a workgroup / OSD scenario, perform the following tasks:

1- Download the URL Rewrite (http://www.iis.net/downloads/microsoft/url-rewrite)
2- Install it (basic next-next-finish)
3- Open IIS and navigate to the default website
4- Select URL Rewrite and add a new rule
4.1 – Under Match URL -> Using, change to Wildcards
4.2 – Under Match URL -> Pattern, type *
4.3 – Under Conditions, add:
4.3.1 – Condition Input -> {HTTP_USER_AGENT}, check if input string -> Does not match the pattern, Pattern -> SMS+CCM+5.0
4.3.2 – Condition Input -> {PATH_INFO}, check if input string -> Match the pattern, Pattern -> /
4.3.3 – Condition Input -> {REQUEST_METHOD}, check if input string -> Does not match the pattern, Pattern -> HEAD
4.4 – Under Action
4.4.1 – Action type -> Redirect
4.4.2 – Action Properties -> Redirect URL -> type /CMApplicationCatalog (or any other url you want)
4.4.3 – Action Properties -> check append query string
4.4.4 – Action Properties -> Redirection type -> Permanent (301)
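
The rule built in the steps above, written as the web.config fragment that the URL Rewrite module saves for the site. This is an added example, not taken from the original post; the rule name is an assumption and every other value is the one listed in the steps.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is an assumption; pick any descriptive name. -->
        <rule name="Root to CMApplicationCatalog" patternSyntax="Wildcard">
          <!-- Steps 4.1 / 4.2: wildcard syntax, pattern * -->
          <match url="*" />
          <!-- Step 4.3: all three conditions must hold before the redirect fires -->
          <conditions logicalGrouping="MatchAll">
            <!-- 4.3.1: skip the ConfigMgr client. Pattern is copied as written in
                 the post; IIS W3C logs show spaces in cs(User-Agent) as '+', so
                 compare it with the header the client actually sends. -->
            <add input="{HTTP_USER_AGENT}" pattern="SMS+CCM+5.0" negate="true" />
            <!-- 4.3.2: only requests for the site root -->
            <add input="{PATH_INFO}" pattern="/" />
            <!-- 4.3.3: leave the client's HEAD / probe alone so it gets its 200 -->
            <add input="{REQUEST_METHOD}" pattern="HEAD" negate="true" />
          </conditions>
          <!-- Step 4.4: permanent (301) redirect, query string appended -->
          <action type="Redirect"
                  url="/CMApplicationCatalog"
                  appendQueryString="true"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After applying it, the IIS log should show HEAD / answered with 200 for the client and GET / answered with 301 for browsers.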

Once this had been done, I was able to use the TS Build & Capture with the redirection.

About

Raphael is a 9 times Microsoft MVP with over 20 years of experience in IT, in which 13 years have been dedicated to System Center and Automation. His extended experience has been developed through several IT roles, from first-line support to principal consultant, towards a wide range of clients and sectors. One of the four MVPs in Enterprise Client Management in the UK, Raphael holds more than 30 Microsoft certifications and is an MCT (Microsoft Certified Trainer). Since 2008, Raphael has been providing Microsoft trainings from basic to advanced levels in several categories. Throughout his career, Raphael has joined as speaker in well-known events such as TechEd and Gartner Security Risk Management. He also organised community events and lectured around the world, sharing best practices and knowledge within the industry. Bilingual in English and Portuguese, Raphael has authored diverse articles published in Microsoft's TechEd, served as the editor-in-chief of a magazine focused on System Center in Brazil and wrote two books: "Understanding System Center 2012 SP1 Configuration Manager: The walkthrough book" and "System Center 2012 R2 Configuration Manager: Automation from Zero to Hero".
