SCCM 2012 Installation - Error creating SQL Server certificate

    Question

  • Having an issue with the SCCM 2012 installation when it attempts to assign a self-signed certificate on the SQL Server. The remote SQL box is running SQL Server 2008 R2 with SP1 and CU6 installed. We have a PKI in place using ADCS and I have completed the PKI prerequisites for SCCM (as found on TechNet for SCCM 2007) and additionally I had created/requested/installed/assigned a certificate for the SQL server before attempting the SCCM installation. I would think that the installation would see the certificate that I assigned via SQL Server Network Configuration and utilize that rather than try to create a self-signed cert.

    From the ConfigMgrSetup.log on the SCCM server:

    Starting service SMS_SERVER_BOOTSTRAP_****_SMS_SQL_SERVER with command-line arguments "S01 E:\SMS_****_SMS_SQL_SERVER0 /createcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER"...  $$<Configuration Manager Setup><05-02-2012 10:15:16.561+300><thread=4704 (0x1260)>
    Failed to create machine certificate on server ****  $$<Configuration Manager Setup><05-02-2012 10:15:23.624+300><thread=4704 (0x1260)>
    Bootstrap operation failed.  $$<Configuration Manager Setup><05-02-2012 10:15:23.624+300><thread=4704 (0x1260)>
    ERROR: Failed to create SQL Server certificate on server **** $$<Configuration Manager Setup><05-02-2012 10:15:23.624+300><thread=4704 (0x1260)>
    ERROR: Failed to create SQL Server [****] certificate remotely.  $$<Configuration Manager Setup><05-02-2012 10:15:23.624+300><thread=4704 (0x1260)>
    ~~===================== Completed Configuration Manager 2012 Server Setup =====================  $$<Configuration Manager Setup><05-02-2012 10:15:23.624+300><thread=4704 (0x1260)>

    From Srvboot.log on the SQL server:

    Creating machine self-signed certificate for site role [SMS_SQL_SERVER] on Server [****]...  $$<SMS_BOOTSTRAP><05-02-2012 10:15:21.663+30><thread=1230>
    Failed to find or create machine self-signed certificate.  $$<SMS_BOOTSTRAP><05-02-2012 10:15:21.702+30><thread=1230>
    Bootstrap operation failed: Failed to create machine self-signed certificate for site role [SMS_SQL_SERVER].  $$<SMS_BOOTSTRAP><05-02-2012 10:15:21.710+30><thread=1230>
    Disconnecting from Site Server.  $$<SMS_BOOTSTRAP><05-02-2012 10:15:21.712+30><thread=1230>
    SMS_SERVER_BOOTSTRAP_****l_SMS_SQL_SERVER stopped.  $$<SMS_BOOTSTRAP><05-02-2012 10:15:21.714+30><thread=1230>
    ********************************************************************************  $$<SMS_BOOTSTRAP><05-02-2012 10:15:21.715+30><thread=1230>

    Thinking it may be a permissions issue I have granted the managed SQL service account, the SCCM computer account, and the SCCM installation account both local admin and SQL sysadmin rights on the SQL server, to no avail.

    Anyone have any thoughts?


    Wednesday, May 2, 2012 4:19 PM

Answers

  • @WillWorkForTaxes

    I have the same error as you in the configmgrsetup and srvboot logs.  I've had a case open with premier support for over a week now without resolution.

    Our setup is all Windows 2008 R2 Datacenter and SQL 2008 R2 SP1 CU4.  The site server and SQL server are on different machines but are on the same domain.  SQL runs as a service account.  I've tried the same workarounds you listed online.  Additionally support had me change permissions for the c:\programdata\microsoft\crypto\RSA\machinekeys folder and files within to Full Control for administrators (site server computer account is local admin on SQL server) and take ownership of all files with the administrators group.

    I ended up opening a case with Microsoft support myself and this was the fix for my issue. Make sure the service account running your SQL services is in the local administrators group so that it also takes ownership and full control of the directory and that should allow the SCCM install to assign the self-signed certificate via that account.

    I had followed the PKI guide linked above, although the installation wouldn't recognize the cert that was in place.

    The issue was classified as a bug and they are working to fix it in SP1.

    Tuesday, May 15, 2012 6:31 PM

All replies

  • If I'm understanding correctly, you created the certificates out of band from Configuration Manager? We only test and support SQL communication certificates created through the ConfigMgr infrastructure so it sounds like what you're describing is an unsupported scenario.

    Is there a particular reason you're using different certificates? We've had similar questions to yours come up a couple of times in our internal discussion lists as well and I'm trying to understand the specific requirements behind this scenario so we can evaluate ways to improve this in future releases.

    Wednesday, May 2, 2012 4:44 PM
  • I've actually tried the installation both with my certificate and by allowing SCCM to create and assign the cert, with the same results. Actually, creating the cert out-of-band was in response to troubleshooting the issue. Here is a link to a blog post I came across that closely details the steps I took if you want to take a look:

    http://www.jamesbannanit.com/2011/04/certificate-requirements-for-sccm-2012/

    At first I had thought that the installation process was having a permissions issue accessing the Certificate Store on the SQL server, but as far as I can tell all the accounts used should have local admin access to the box.

    Wednesday, May 2, 2012 4:55 PM
  • What account is the SQL Server Service running as? Network Service, Local System, or something else?
    • Proposed as answer by David Sumners Thursday, May 2, 2013 5:39 PM
    Wednesday, May 2, 2012 5:08 PM
  • It's a domain user; we use domain service accounts for our SQL boxes. Through my troubleshooting that account has been added to the local admins group on the SQL server, and also granted sysadmin permissions within SQL itself.
    Wednesday, May 2, 2012 5:12 PM
  • Does that domain user have local admin rights on the site server box as well?
    Wednesday, May 2, 2012 5:35 PM
  • Yes.
    Wednesday, May 2, 2012 5:37 PM
  • Unfortunately this goes beyond my expertise. I'll have to defer to someone else with deeper knowledge here. :(
    Wednesday, May 2, 2012 6:39 PM
  • No worries, thanks for the help.
    Wednesday, May 2, 2012 6:51 PM
  • Just to clarify - we do support and test using PKI certificates for the SQL Server as documented here:

    http://technet.microsoft.com/en-us/library/gg699362.aspx

    For this particular issue, you may want to engage CSS to have them analyze your specific situation.

    Jason

    Thursday, May 3, 2012 6:37 PM
  • @WillWorkForTaxes

    I have the same error as you in the configmgrsetup and srvboot logs.  I've had a case open with premier support for over a week now without resolution.

    Our setup is all Windows 2008 R2 Datacenter and SQL 2008 R2 SP1 CU4.  The site server and SQL server are on different machines but are on the same domain.  SQL runs as a service account.  I've tried the same workarounds you listed online.  Additionally support had me change permissions for the c:\programdata\microsoft\crypto\RSA\machinekeys folder and files within to Full Control for administrators (site server computer account is local admin on SQL server) and take ownership of all files with the administrators group.

    Saturday, May 5, 2012 4:34 AM
  • @Jason Adams

    How do we specify the PKI certificates during installation?  I've created a template using web server (version 2/2003 template) and requested and validated the certificates in the personal store on both the site and SQL servers.  The installer still tries to generate a self-signed cert.  I then assigned the certificate to the SQL communication profile.  Same result.

    Saturday, May 5, 2012 5:10 AM
  • The support team found my issue today.  After reviewing a trace of the installer running, they found it failing to create the certificate because the CNG Key Isolation (KeyIso, lsass.exe) service was not running.  This is disabled on all of our systems except CAs.  This service is an undocumented prerequisite.  The engineer working the case said he will try to get product documentation updated and a line out to the team who builds the prerequisite checker.

    Monday, May 7, 2012 6:45 PM
  • Total side question: Why?

    For reference: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM304


    Jason | http://blog.configmgrftw.com | Twitter @JasonSandys

    Monday, May 7, 2012 8:02 PM
    Moderator
  • For those that are still having an issue with this, as I did, don't forget your SQL SPN. Once the DBA created one, the install continued on without problems...

    Joe Thompson

    Friday, May 18, 2012 1:43 PM
  • In my case this solved the problem, thank you.

    I've set my SQL SPN like this:

    setspn -A MSSQLSvc/S-SCCM.domain.local:1433 mydomain\SQLService

    setspn -A MSSQLSvc/S-SCCM:1433 domain\SQLService

    SQLService is your SQL service account

    domain is your domainname

    1433 is the default port

    This is the TechNet how-to: Link

    Thursday, May 24, 2012 3:16 PM
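The thread above converges on three conditions on the SQL Server host that make setup's remote certificate creation fail: the CNG Key Isolation (KeyIso) service being disabled, the SQL service account lacking local Administrators membership (and therefore ownership and Full Control of the MachineKeys directory), and a missing MSSQLSvc SPN for the service account. The following PowerShell script is an added, read-only pre-flight check that tests those conditions before ConfigMgr setup is run; it is not code from any poster in this thread or from Microsoft. The host name and port parameters are placeholders to be replaced with your own values, and the MachineKeys path, service names and `setspn` output strings are the standard Windows ones.

```powershell
# Added pre-flight check (not from the thread's posters or from Microsoft).
# Run elevated on the SQL Server host before starting ConfigMgr 2012 setup.
# It only reads state and reports; it changes nothing.
param(
    [string]$SqlHostFqdn = 'sqlserver.example.local',  # placeholder: your SQL host FQDN
    [int]$SqlPort        = 1433                        # default-instance port
)

$issues = @()

# 1. CNG Key Isolation (KeyIso) must be running: setup creates the
#    self-signed certificate through it (the undocumented prerequisite).
$keyIso = Get-Service -Name KeyIso -ErrorAction SilentlyContinue
if (-not $keyIso) {
    $issues += 'KeyIso (CNG Key Isolation) service not found on this host.'
} elseif ($keyIso.Status -ne 'Running') {
    $issues += "KeyIso service is '$($keyIso.Status)'; expected 'Running'. Check its start type with: sc.exe qc KeyIso"
}

# 2. Find the database engine service and its logon account, then verify the
#    account is in the local Administrators group (the accepted answer's fix).
$sqlSvc = Get-WmiObject Win32_Service -Filter 'Name = "MSSQLSERVER" OR Name LIKE "MSSQL$%"' |
          Select-Object -First 1
$svcAccount = $null
if (-not $sqlSvc) {
    $issues += 'No SQL Server database engine service found.'
} else {
    $svcAccount = $sqlSvc.StartName
    # Built-in accounts (LocalSystem, NT Service\...) are not group members; skip them.
    if ($svcAccount -match '\\' -and $svcAccount -notlike 'NT Service\*') {
        $admins = (net localgroup Administrators) 2>$null | ForEach-Object { $_.Trim() }
        if ($admins -notcontains $svcAccount) {
            $issues += "SQL service account '$svcAccount' is not in local Administrators."
        }
    }
}

# 3. The MachineKeys directory: support had the poster grant Administrators
#    Full Control and take ownership. Verify an Allow/FullControl ACE exists.
$mkPath = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
if (Test-Path $mkPath) {
    $acl = Get-Acl -Path $mkPath
    $adminFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights.ToString() -split ',\s*') -contains 'FullControl'
    }
    if (-not $adminFull) {
        $issues += "BUILTIN\Administrators does not have an explicit Allow FullControl ACE on $mkPath (owner: $($acl.Owner))."
    }
} else {
    $issues += "MachineKeys directory not found at $mkPath."
}

# 4. SPN check: setspn -Q prints "Existing SPN found!" or "No such SPN found."
$spn = "MSSQLSvc/${SqlHostFqdn}:${SqlPort}"
$spnQuery = (setspn -Q $spn) 2>&1
if ($spnQuery -match 'No such SPN found') {
    $hint = if ($svcAccount) { "e.g. setspn -S $spn $svcAccount" } else { 'register it on the SQL service account' }
    $issues += "SPN '$spn' is not registered ($hint)."
}

# Report. A non-empty list means setup's certificate bootstrap is likely to fail.
if ($issues.Count -eq 0) {
    Write-Output 'All pre-flight checks passed.'
} else {
    Write-Output "Found $($issues.Count) issue(s):"
    $issues | ForEach-Object { Write-Output "  - $_" }
}
```

The `net localgroup` comparison is used instead of `Get-LocalGroupMember` because the latter does not exist on the Windows Server 2008 R2 systems discussed in this thread. The SPN hint uses `setspn -S`, which refuses to create a duplicate SPN, rather than the `-A` form quoted above, which does not check for duplicates.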
  • I have been troubleshooting this problem for 2 days now. I have tried each and every solution posted in this thread; however, I am still unable to go ahead with the installation. It keeps on failing with this error in the log:

    ERROR: Failed to create SQL Server [abcd.domain.com] certificate remotely.  $$<Configuration Manager Setup><05-25-2012 10:31:59.381+240><thread=1172 (0x494)>

    Friday, May 25, 2012 2:45 PM
  • Okay, I've been having some fun with this certificate error as well, but it's working now.

    It's SCCM 2012 RTM on SQL 2012.

    * For SQL Collation you must use SQL_Latin1_General_CP1_CI_AS.

    * I extended the schema

    * I changed the service account of SQL to use the System account (since it's a lab this is okay)

    * I made sure that CNG Key Isolation (KeyIso, lsass.exe) service was running

    Wednesday, June 27, 2012 10:48 AM
  • It's SCCM 2012 RTM on SQL 2012

    Great that it's working, but SQL 2012 is not supported yet: http://technet.microsoft.com/en-us/library/gg682077.aspx#BKMK_SupConfigSQLDBconfig

    Torsten Meringer | http://www.mssccmfaq.de


    Wednesday, June 27, 2012 10:58 AM