none
Bad Certificate Error, SCCM SP2, R3 Hotfix KB2483225 installed

    質問

  • I am getting a Bad Certificate error with SCCM while syncing AI.  I am on SP2, R3 and I have installed the hotfix 2483225.  I have removed AI, read logs and waited for uninstall to complete, installed AI which was successful.  I am still getting this error.  I am seeing an ALM folder in my cert store but it is empty.

    Here is a sip fromAIUpdateSvc.log. It shows the bootstrap cert error and "already has reached limit for maximum number of credentials".  I am not sure if this is why I am still getting the cert error.

    Asset Intelligence Catalog Sync Service Information: 0 : Wed, 15 Feb 2012 20:57:12 GMT:=====================Data/Status copied to outbox=====================
    Asset Intelligence Catalog Sync Service Information: 0 : Wed, 15 Feb 2012 20:57:13 GMT:Next scheduled sync time: 02/15/2012 13:05:00
    Asset Intelligence Catalog Sync Service Information: 0 : Wed, 15 Feb 2012 20:57:13 GMT:Next scheduled sync is within poll period. Kicking it off..
    Asset Intelligence Catalog Sync Service Information: 0 : Wed, 15 Feb 2012 20:57:13 GMT:No proxy server
    Asset Intelligence Catalog Sync Service Information: 0 : Wed, 15 Feb 2012 20:57:13 GMT:Authentication: Did not find machine certificate in ALM store
    Asset Intelligence Catalog Sync Service Information: 0 : Wed, 15 Feb 2012 20:57:13 GMT:Enrollment Certicate Path is
    Asset Intelligence Catalog Sync Service Information: 0 : Wed, 15 Feb 2012 20:57:15 GMT:Redirected to URL https://sc.microsoft.com/CatalogService/service.svc
    Asset Intelligence Catalog Sync Service Warning: 0 : Wed, 15 Feb 2012 20:57:18 GMT:System.Data.SqlClient.SqlException: AgentID BC3B6959-1268-4032-A73C-480FA14316A9 already has reached limit for maximum number of credentials
       at Microsoft.Webstore.WstClient.CommandExecutor.ThrowException(Exception executeException)
       at Microsoft.Webstore.WstClient.CommandExecutor.ReportException(Exception executeException)
       at Microsoft.Webstore.WstClient.WstCommand.ExecuteNonQueryWithSync(CommandExecutor commandExecutor)
       at Microsoft.Webstore.WstClient.WstCommand.ExecuteNonQuery()
       at Microsoft.SystemCenter.Online.Data.ScoDataConnection.PerformNonQuery(String procedure, IList`1 parameterList) in d:\sd\sco_fb_next\enduser\scl\common\managed\data\WebstoreHelpers.cs:line 679
       at Microsoft.SystemCenter.Online.AccountManagement.Account.EnrollAgent(IAuthenticationToken agentToken, String agentRequest, String agentRole) in d:\sd\sco_fb_next\enduser\scl\service\middletier\acctmgmt\Account.cs:line 1328
       at Microsoft.SystemCenter.Online.CatalogService.Enroll(String enrollmentRequest) in d:\sd\sco_fb_next\enduser\scl\service\frontend\CatalogDownload\Service.cs:line 336
    Asset Intelligence Catalog Sync Service Error: 0 : Wed, 15 Feb 2012 20:57:18 GMT:Exception attempting sync - Bootstrap Certificate needs update
    Asset Intelligence Catalog Sync Service Information: 0 : Wed, 15 Feb 2012 20:57:18 GMT:=====================Data/Status copied to outbox=====================
    Asset Intelligence Catalog Sync Service Information: 0 : Wed, 15 Feb 2012 21:12:18 GMT:Next scheduled sync time: 02/16/2012 13:05:00
    Asset Intelligence Catalog Sync Service Information: 0 : Wed, 15 Feb 2012 21:27:18 GMT:Next scheduled sync time: 02/16/2012 13:05:00


    Jason

    2012年2月15日 21:44

回答

  • Hello Ambrozy,
    Thank you for posting the details of this issue. We have identified a problem with the most recent certificate on Server 2003 systems (only; 2008 is fine) and will update this thread and others in the community as soon as we have the fix ready.

    2012年10月19日 20:58

すべての返信

  • Did you see your files changed ? as mentioned in the KB ?

    System Center Configuration Manager 2007 SP2 file information notes
    File name File version File size Date Time Platform
    Aiupdatesvc.exe 4.0.6487.2164 92,008 01-Feb-2010 14:15 x86
    Aius.msi Not Applicable 1,447,424 01-Feb-2010 14:15 Not applicabl


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. Click on "vote as Helpful" if you feel this post helpful to you. This can be beneficial to other community members reading the thread.

    2012年2月17日 17:37
  • Hope you have restarted the SCCM related services ...... http://blogs.technet.com/b/mwiles/archive/2011/05/27/asset-intelligence-is-failing-to-sync.aspx

    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. Click on "vote as Helpful" if you feel this post helpful to you. This can be beneficial to other community members reading the thread.

    2012年2月17日 17:45
  • The file verison is correct but it appears the size is different.

    Jason

    2012年2月17日 18:52
  • Have you also restarted the SCCM services ?

    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. Click on "vote as Helpful" if you feel this post helpful to you. This can be beneficial to other community members reading the thread.

    2012年2月17日 19:11
  • I have rebooted the server.

    Jason

    2012年2月17日 20:23
  • Something else other than the size being different.  When I check the cert on Aiupdatesvc.exe, the cert expires in 2010.  Runnning patch the cert expires on 3/2011.  Is it possible that Microsoft needs to update the download link to the hotfix to a newer one?

    Jason

    2012年2月17日 20:26
  • 2012年3月10日 16:11
    モデレータ
  • I know this is a really old post, but I have been searching for two days on thew error and this thread comes up first when looking.

    It turns out the certificate has expired AGAIN in Sept 2012 and so another new hotfix is required now if you install a new Asset Intellegence sync point.  I happened to be moving mine onto new hardware and so ran into this issue.

    Anyway, for future seekers, the hotfix you are looking for is 2733615 not 2483225.  Now, if someone at Microsoft could be coaxed into updating the 2483225 KB article to let everyone know that one has been superceeded, that would be great.  I left feedback on 2483225.

    2012年9月27日 16:06
  • Hello,

    I have installed hotfix 2733615,  restarted sccm server but still can not download Asset Intelligence Catalog.

    t Intelligence Catalog Sync Service Information: 0 : Thu, 27 Sep 2012 17:30:33 GMT:Service Starting
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 27 Sep 2012 17:30:34 GMT:Service Started
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 27 Sep 2012 17:30:34 GMT:Co-located on site server CRAS11
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 27 Sep 2012 17:30:34 GMT:Output directory is C:\Program Files (x86)\Microsoft Configuration Manager\inboxes\AIKbMgr.box
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 27 Sep 2012 17:30:34 GMT:Invalid LastPollTime in registry, using DateTime.Min
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 27 Sep 2012 17:30:34 GMT:=====================Data/Status copied to outbox=====================
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 27 Sep 2012 17:30:35 GMT:Next scheduled sync time: 09/28/2012 00:00:00
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 27 Sep 2012 17:45:35 GMT:Sync Now detected
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 27 Sep 2012 17:45:35 GMT:Next scheduled sync time: 09/28/2012 00:00:00
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 27 Sep 2012 17:45:35 GMT:No proxy server
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 27 Sep 2012 17:45:35 GMT:Authentication: Did not find machine certificate in ALM store
    Asset Intelligence Catalog Sync Service Information: 0 : Thu, 27 Sep 2012 17:45:35 GMT:Enrollment Certicate Path is
    Asset Intelligence Catalog Sync Service Error: 0 : Thu, 27 Sep 2012 17:45:35 GMT:CryptoException trying to get certificate - The specified network password

    Does anyone know what is wrong ?

    2012年9月27日 17:52
  • Becasue I have SCCM installed on Windows 2003 SP2, it seems, that the issue here is with the AI that fails to load a certificate. Gaining an exception on Windows Server 2003 and the exception is "System.Security.Cryptography.CryptographicException: The specified network password is not correct." 

    I found information that on Windows XP or Windows Server 2003, any characters greater or equal to 32 characters are ignored. Windows Server 2008 and later has no password limit so the code succeeds on that OS. On Windows Server 2003 the code fails to load the PFX because the password is more than 31 characters in length.


    Any comment ??

    2012年9月27日 20:47
  • Hello Ambrozy,
    Thank you for posting the details of this issue. We have identified a problem with the most recent certificate on Server 2003 systems (only; 2008 is fine) and will update this thread and others in the community as soon as we have the fix ready.

    2012年10月19日 20:58
  • Hi,

    Any update on this?

    I am enabling Asset Intelligence as well. applied hotfix KB2483225 and getting the same CryptoException trying to get certificate - The specified network password is not correct in AIUpdateSvc.log as well.

    SCCM is running in Windows 2003 Server .

    2012年11月19日 7:47
  • Can you confirm if this is still an outstanding certificate problem that is being looked into because I am experiencing the same problem.

    Thanks

    2013年2月8日 16:39
  • There seems to have been another update http://support.microsoft.com/kb/2783924 to address this.

    2013年3月12日 12:48