Troubleshooting Secure Key Exchange
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
If the Active Directory schema has not been extended for Configuration Manager 2007, or if site information is not being published to Active Directory, the site’s public key is not available to other sites through Active Directory. Sites in different Active Directory forests also cannot query the site information that a site in another forest publishes.
In any of these situations, the receiving site server looks for the sending site’s public key in its <install directory>\inboxes\hman.box directory (not in the <install directory>\inboxes\hman.box\pubkey directory).
If the sending site’s public key is found neither in Active Directory nor in the <install directory>\inboxes\hman.box directory, the received data is rejected and the two sites cannot communicate.
When you install a new secondary site under a primary site that is configured for secure key exchange and do not manually transfer the secondary site’s public key to the parent site, the secondary site installs successfully but cannot establish a working connection to the parent site. The primary site retries its lookup for the secondary site’s public key about every five minutes, up to one hundred times. The parent site rejects the secondary site’s communications until the keys are manually exchanged.
Until the public keys are manually exchanged, the following behaviors should be expected:
Parent Site Despooler Inbox
The <install directory>\inboxes\despoolr.box\receive directory on the primary site (which stores data received from other sites) begins to fill with files from the secondary site. Normally these files are processed and moved as soon as the site server receives the matching instruction (.ins) files; in this situation they remain until the receiving site rejects and deletes them.
Parent Site Despool.log Log File
The Despool.log file on the receiving site (which records incoming site-to-site communication transfers) will have entries similar to the following:
"Cannot find a public key for instruction <install directory>\inboxes\despoolr.box\receive incoming from site <secondary site code>, retry it later."
"Cannot find valid public key for key exchange instruction coming from site <secondary site code>."
Receiving Site SMS_Despooler Component Status Messages
You will receive the following status messages for the SMS_DESPOOLER component on the receiving site:
Status message 4404, stating that the despooler component received an instruction and package file from a site that will not be processed because the site does not allow unsigned key exchange between sites.
Status message 4405, stating that the site has received an instruction file containing inter-site replication data that will not be processed and retired because a valid public key cannot be located for the sending site.
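As an added example (not part of this page and not Configuration Manager code), the following Python script triages the symptoms described above from artifacts an administrator can collect on the parent site: it groups the two Despool.log messages quoted above by sending site code, estimates from the retry budget stated above (about every five minutes, one hundred times) how long the parent will keep retrying, and flags files that have lingered in despoolr.box\receive. The log lines, paths, file names, site codes, timestamps and the 15-minute staleness threshold are constructed for the example, and the assumption that each retry writes one log entry is the example’s own, not something this page states.

```python
import re
from datetime import datetime, timedelta

# The two Despool.log messages quoted on this page, with the sending site code captured.
MISSING_KEY_RE = re.compile(
    r"Cannot find a public key for instruction .*?incoming from site (?P<site>\w{3}), retry it later"
)
REJECTED_EXCHANGE_RE = re.compile(
    r"Cannot find valid public key for key exchange instruction coming from site (?P<site>\w{3})"
)

# Retry behaviour stated on this page: about every five minutes, one hundred times.
RETRY_INTERVAL_MINUTES = 5
MAX_RETRIES = 100


def triage_despool_log(lines):
    """Group the two failure messages by sending site code.

    Returns {site: {"retries": <count of 'retry it later' entries>,
                    "key_exchange_rejected": <True if the key-exchange instruction itself was refused>}}.
    Lines matching neither pattern are ignored.
    """
    result = {}
    for line in lines:
        m = MISSING_KEY_RE.search(line)
        if m:
            entry = result.setdefault(m.group("site"), {"retries": 0, "key_exchange_rejected": False})
            entry["retries"] += 1
            continue
        m = REJECTED_EXCHANGE_RE.search(line)
        if m:
            entry = result.setdefault(m.group("site"), {"retries": 0, "key_exchange_rejected": False})
            entry["key_exchange_rejected"] = True
    return result


def remaining_retry_window_minutes(retries_seen):
    """Minutes before the parent site stops retrying, assuming one log entry per retry
    (an assumption of this example, not something the page states)."""
    return max(MAX_RETRIES - retries_seen, 0) * RETRY_INTERVAL_MINUTES


def stale_receive_files(entries, now, max_age_minutes=15):
    """Return the names of despoolr.box\\receive files older than max_age_minutes.

    entries: iterable of (file name, last-modified datetime), e.g. built from os.scandir()
    on the receive directory. Received files are normally processed as soon as their
    .ins file arrives, so anything that lingers is suspect. The 15-minute default is
    this example's choice (three retry intervals), not a documented threshold.
    """
    limit = timedelta(minutes=max_age_minutes)
    return sorted(name for name, mtime in entries if now - mtime > limit)


# Constructed sample log: message text follows the page; the path, file names and site codes are made up.
SAMPLE_LOG = [
    r"Cannot find a public key for instruction C:\SMS\inboxes\despoolr.box\receive\ABC00001.ins incoming from site S02, retry it later.",
    r"Cannot find valid public key for key exchange instruction coming from site S02.",
    r"Cannot find a public key for instruction C:\SMS\inboxes\despoolr.box\receive\ABC00001.ins incoming from site S02, retry it later.",
    r"Cannot find a public key for instruction C:\SMS\inboxes\despoolr.box\receive\ABC00001.ins incoming from site S02, retry it later.",
    r"Cannot find a public key for instruction C:\SMS\inboxes\despoolr.box\receive\XYZ00007.ins incoming from site S03, retry it later.",
    r"Processing instruction file C:\SMS\inboxes\despoolr.box\receive\DEF00002.ins (constructed, unrelated line)",
]

# Constructed directory listing and clock for the staleness check.
SAMPLE_NOW = datetime(2008, 1, 10, 12, 0)
SAMPLE_RECEIVE_LISTING = [
    ("ABC00001.ins", datetime(2008, 1, 10, 9, 30)),   # stuck for 2.5 hours
    ("ABC00001.pck", datetime(2008, 1, 10, 9, 30)),   # its companion file, also stuck
    ("DEF00002.ins", datetime(2008, 1, 10, 11, 58)),  # just arrived, not yet suspect
]

if __name__ == "__main__":
    for site, info in triage_despool_log(SAMPLE_LOG).items():
        print(f"{site}: {info}, ~{remaining_retry_window_minutes(info['retries'])} min of retries left")
    print("stale in receive:", stale_receive_files(SAMPLE_RECEIVE_LISTING, SAMPLE_NOW))
```

A site that shows up with key_exchange_rejected set, or whose retry count is climbing toward one hundred, is the one whose public key still has to be placed in the parent’s hman.box directory; the stale-file list tells you which received data will be discarded if that is not done before the retries run out.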
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.