none
Connection Failed - Bad Certificate on SCCM R2 SP2

    Question

  • Good day,

    I am unable to find any information regarding the problem below.

    I installed the Asset Intelligence Sync Point Role on the SCCM 2007 R2 SP2 Server yesterday morning and ran Synchronize Catalog. The status changed from "Sync Point deployed" to "Connected to online service" successfully. Yesterday afternoon I found that the status changed to "Online service account is not provisioned". I thought this might have happended since I'm using the proxy server (as per forums) so I restarted the AI_UPDATE_SERVICE_POINT service. This worked and my status changed to "Sync Point deployed" and later to "Connected to online service".

    Today I found a different problem though. The status this morning was on "Connection Failed - Bad Certificate". I ran Synchronize Catalog which successfully changed the status again to "Connected to online service". In the AIUpdateSvc.log file there are multiple entries for "Authentication: Did not find machine certificate in ALM store" and "Current machine certificate is invalid or has expired".

    The staus changed again to "Online service account is not provisioned" so I restarted the service again and now it just stays on "Sync Point deployed".

    2 QUESTIONS:

    1) Do I need to request the companies' certificate from Microsoft via our Microsoft Account contact even though I have SCCM 2007 R2 SP2 or do I NOT need the certificate even though the log file states that it can not find the certificate? 

    2) Is it normal for the status to change to "Online service account is not provisioned" and "Sync Point deployed" and then stay on "Sync Point deployed" for such a long time?

    Thanks in advance.
    Johan

    Friday, January 22, 2010 11:02 AM

Answers

  • Yes I know this is an old post, I’m trying to clean up all un-answered post.

    There is a Post SP2 SU to fix the certificate issue, I assume by now that you have applied it.


    http://www.enhansoft.com/
    Sunday, July 31, 2011 8:03 PM
    Moderator

All replies

  • Hello, Has anyone found a solution to this problem? I am experiencing the same issue with SCCM 2007 SP2. I have a single site setup on a Windows 2008 SP1 x64 VM running on VMWare Esx 4.0, I have extended the AD schema? thank you
    Thursday, May 20, 2010 3:35 AM
  • I am having the same issue as well. Was anyone able to determine a fix?

    I have a SCCM 2007 SP2 R3 environment that is a single server solution. The server is installed with Windows Server 2008 R2 and is also running SQL Server 2008 R2 to host the SCCM database. The server is a new install. I am attempting to enable Asset Intelligence within SCCM i am not establishing a connection. Instead i am getting the error "Connection Failed - Bad Certificate".

    I then looked at the AIUpdateSvc.log and i noticed the following.

    The line "Asset Intelligence Catalog Sync Service Warning: 0 : Fri, 22 Apr 2011 03:52:00 GMT:System.Data.SqlClient.SqlException: AgentID BC3B6959-1268-4032-A73C-480FA14316A9 already has reached limit for maximum number of credentials" is a warning

    Followed by the error:

    Asset Intelligence Catalog Sync Service Error: 0 : Fri, 22 Apr 2011 03:52:00 GMT:Exception attempting sync - Bootstrap Certificate needs update

    Asset Intelligence Catalog Sync Service Information: 0 : Fri, 22 Apr 2011 03:51:58 GMT:Redirected to URL https://sc.microsoft.com/CatalogService/service.svc
    Asset Intelligence Catalog Sync Service Warning: 0 : Fri, 22 Apr 2011 03:52:00 GMT:System.Data.SqlClient.SqlException: AgentID BC3B6959-1268-4032-A73C-480FA14316A9 already has reached limit for maximum number of credentials
       at Microsoft.Webstore.WstClient.CommandExecutor.ThrowException(Exception executeException)
       at Microsoft.Webstore.WstClient.CommandExecutor.ReportException(Exception executeException)
       at Microsoft.Webstore.WstClient.WstCommand.ExecuteNonQueryWithSync(CommandExecutor commandExecutor)
       at Microsoft.Webstore.WstClient.WstCommand.ExecuteNonQuery()
       at Microsoft.SystemCenter.Online.Data.ScoDataConnection.PerformNonQuery(String procedure, IList`1 parameterList) in d:\sd\sco_fb_next\enduser\scl\common\managed\data\WebstoreHelpers.cs:line 679
       at Microsoft.SystemCenter.Online.AccountManagement.Account.EnrollAgent(IAuthenticationToken agentToken, String agentRequest, String agentRole) in d:\sd\sco_fb_next\enduser\scl\service\middletier\acctmgmt\Account.cs:line 1328
       at Microsoft.SystemCenter.Online.CatalogService.Enroll(String enrollmentRequest) in d:\sd\sco_fb_next\enduser\scl\service\frontend\CatalogDownload\Service.cs:line 336
    Asset Intelligence Catalog Sync Service Error: 0 : Fri, 22 Apr 2011 03:52:00 GMT:Exception attempting sync - Bootstrap Certificate needs update
    Asset Intelligence Catalog Sync Service Information: 0 : Fri, 22 Apr 2011 03:52:00 GMT:=====================Data/Status copied to outbox=====================

    Any help in getting Asset Intelligence enabled would be greatly appreciated.

    Mike


    systems engineer
    Friday, April 22, 2011 1:18 PM
  • Yes I know this is an old post, I’m trying to clean up all un-answered post.

    There is a Post SP2 SU to fix the certificate issue, I assume by now that you have applied it.


    http://www.enhansoft.com/
    Sunday, July 31, 2011 8:03 PM
    Moderator
  • I have similar problem. kb2483225 doesn't fix my problem. In AIUpdateSVC.log I see:

    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 01 Sep 2011 07:36:49 GMT:=====================Data/Status copied to outbox=====================
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 01 Sep 2011 07:36:49 GMT:Next scheduled sync time: 09/01/2011 11:40:00
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 01 Sep 2011 07:36:49 GMT:Next scheduled sync is within poll period. Kicking it off..
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 01 Sep 2011 07:36:49 GMT:No proxy server
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 01 Sep 2011 07:36:49 GMT:Authentication: Did not find machine certificate in ALM store
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 01 Sep 2011 07:36:49 GMT:Enrollment Certicate Path is
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 01 Sep 2011 07:36:50 GMT:Redirected to URL https://sc.microsoft.com/CatalogService/service.svc
    Asset Intelligence Catalog Sync Service Warning: 0 : Thu, 01 Sep 2011 07:36:51 GMT:System.Data.SqlClient.SqlException: AgentID BC3B6959-1268-4032-A73C-480FA14316A9 already has reached limit for maximum number of credentials
       at Microsoft.Webstore.WstClient.CommandExecutor.ThrowException(Exception executeException)
       at Microsoft.Webstore.WstClient.CommandExecutor.ReportException(Exception executeException)
       at Microsoft.Webstore.WstClient.WstCommand.ExecuteNonQueryWithSync(CommandExecutor commandExecutor)
       at Microsoft.Webstore.WstClient.WstCommand.ExecuteNonQuery()
       at Microsoft.SystemCenter.Online.Data.ScoDataConnection.PerformNonQuery(String procedure, IList`1 parameterList) in d:\sd\sco_fb_next\enduser\scl\common\managed\data\WebstoreHelpers.cs:line 679
       at Microsoft.SystemCenter.Online.AccountManagement.Account.EnrollAgent(IAuthenticationToken agentToken, String agentRequest, String agentRole) in d:\sd\sco_fb_next\enduser\scl\service\middletier\acctmgmt\Account.cs:line 1328
       at Microsoft.SystemCenter.Online.CatalogService.Enroll(String enrollmentRequest) in d:\sd\sco_fb_next\enduser\scl\service\frontend\CatalogDownload\Service.cs:line 336
    Asset Intelligence Catalog Sync Service Error: 0 : Thu, 01 Sep 2011 07:36:51 GMT:Exception attempting sync - Bootstrap Certificate needs update
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 01 Sep 2011 07:36:51 GMT:=====================Data/Status copied to outbox=====================
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 01 Sep 2011 07:51:51 GMT:Next scheduled sync time: 09/05/2011 11:40:00

     

    And nothing about HTTP error 403: Forbidden. Only about Bootstrap Certificate.

    In my environment installed SCCM 2007 SP2 R3 with ICP2.

    Thursday, September 01, 2011 8:00 AM
  • bobgreen84 - Did you ever find a solution to your error. I am receiving the exact same error as you are. I've installed kb2483225 multiple times, rebooted the server and still receive the "Connection failed - bad certificate" error. I requested the certificate and tried setting it up manually and receive the same error. The AIUpdateSVC.log looks the same:

     

    Asset Intelligence Catalog Sync Service Information: 0 : Fri, 16 Sep 2011 16:55:25 GMT:=====================Data/Status copied to outbox=====================
    Asset Intelligence Catalog Sync Service Information: 0 : Fri, 16 Sep 2011 17:10:31 GMT:Next scheduled sync time: 09/16/2011 10:12:00
    Asset Intelligence Catalog Sync Service Information: 0 : Fri, 16 Sep 2011 17:10:31 GMT:Next scheduled sync is within poll period. Kicking it off..
    Asset Intelligence Catalog Sync Service Information: 0 : Fri, 16 Sep 2011 17:10:31 GMT:No proxy server
    Asset Intelligence Catalog Sync Service Information: 0 : Fri, 16 Sep 2011 17:10:31 GMT:Authentication: Did not find machine certificate in ALM store
    Asset Intelligence Catalog Sync Service Information: 0 : Fri, 16 Sep 2011 17:10:31 GMT:Enrollment Certicate Path is 
    Asset Intelligence Catalog Sync Service Information: 0 : Fri, 16 Sep 2011 17:10:32 GMT:Redirected to URL https://sc.microsoft.com/CatalogService/service.svc
    Asset Intelligence Catalog Sync Service Warning: 0 : Fri, 16 Sep 2011 17:10:33 GMT:System.Data.SqlClient.SqlException: AgentID BC3B6959-1268-4032-A73C-480FA14316A9 already has reached limit for maximum number of credentials
       at Microsoft.Webstore.WstClient.CommandExecutor.ThrowException(Exception executeException)
       at Microsoft.Webstore.WstClient.CommandExecutor.ReportException(Exception executeException)
       at Microsoft.Webstore.WstClient.WstCommand.ExecuteNonQueryWithSync(CommandExecutor commandExecutor)
       at Microsoft.Webstore.WstClient.WstCommand.ExecuteNonQuery()
       at Microsoft.SystemCenter.Online.Data.ScoDataConnection.PerformNonQuery(String procedure, IList`1 parameterList) in d:\sd\sco_fb_next\enduser\scl\common\managed\data\WebstoreHelpers.cs:line 679
       at Microsoft.SystemCenter.Online.AccountManagement.Account.EnrollAgent(IAuthenticationToken agentToken, String agentRequest, String agentRole) in d:\sd\sco_fb_next\enduser\scl\service\middletier\acctmgmt\Account.cs:line 1328
       at Microsoft.SystemCenter.Online.CatalogService.Enroll(String enrollmentRequest) in d:\sd\sco_fb_next\enduser\scl\service\frontend\CatalogDownload\Service.cs:line 336
    Asset Intelligence Catalog Sync Service Error: 0 : Fri, 16 Sep 2011 17:10:33 GMT:Exception attempting sync - Bootstrap Certificate needs update

    Friday, September 16, 2011 5:59 PM
  • if this is not working for you then I sugget call CSS. This is the only way to get this fixed.
    http://www.enhansoft.com/
    Friday, September 16, 2011 6:16 PM
    Moderator
  • bobgreen84 - Did you ever find a solution to your error.

    No, I haven't solution. :(
    Monday, October 24, 2011 1:50 PM
  • bobgreen84 - Did you ever find a solution to your error.

    No, I haven't solution. :(

    Have you opened a support case with MS on this?
    http://www.enhansoft.com/
    Monday, October 24, 2011 3:14 PM
    Moderator
  • No, we haven't support yet.
    Monday, October 24, 2011 6:31 PM
  • If I run in PoSH Get-WmiObject -Namespace "root\SMS\site_<SITECODE>" -Class SMS_AMTCertificate | fl , I see no results. Someone can run on SCCM server this command in powershell cmd with priveleged rights and can tell about results? Replace <SITECODE> on SCCM Site Code.
    Friday, November 04, 2011 12:02 PM