none
System Cernter 2012 App Controller - Import Certificates Failed RRS feed

  • Question

  • So I'm having a problem with a new installation of App Controller and Virtual Machine Manager 2012.  Basically I have added a clustered file server and share to the library server of VMM.  That server has plenty of storage so I want to default all of the library files to point to there.  While I can add it to VMM just fine, when I go to app controller and try to import certificates of the VMM server they will fail.

    I have verified that the problem occurrs after I add the clustered file server to the library.  Importing the VMM server certificates work flawlessly when that clustered server is not attached to VMM.

    Here are the error messages that are generated every time it failes:

    Export of the library server certificate from the VMM server has failed for library server %clustered library server%. In order to perform this operation, you must be an Administrator in both Virtual Machine Manager and App Controller, and also a local Administrator on the server. (StatusCode: Microsoft.SystemCenter.CloudManager.Providers.ProviderException) - I have triple checked these permissions so I'm satisified that this is not the issue

    and

    An internal error has occurred trying to contact an agent on the NO_PARAM server: NO_PARAM: NO_PARAM.
    Ensure the agent is installed and running. Ensure the WS-Management service is installed and running, then restart the agent. (StatusCode: Microsoft.VirtualManager.Utils.CarmineException) - I'm assuming this is the main issue causing my problem.

    I have verified that the agent and WS-Management services are installed and running so I'm left in the dark.....


    • Edited by Ian.Davies Friday, June 8, 2012 8:05 PM
    Thursday, June 7, 2012 6:55 PM

Answers

  • Sorry for the super long delay on this folks.

    The good news is that we've got this into our bug system, and understand what the issue is with clustered library servers.

    More importantly for you we have some steps you can use to manually import the missing certificates.

    1. Open MMC (Start -> Run -> MMC)
    2. Add the certificate snap-in and select Computer account and specify your VMM server
    3. Add the certificate snap-in and select Computer account and specify your App Controller server
    4. Expand the Trusted People\Certificates folder for the App Controller server
    5. Browse to the Trusted People\Certificates folder for the VMM server
    6. Make sure you're looking in the Friendly Name column for the certificates
    7. Find the certificates that start with SCVMM_CERTIFICATE_KEY_CONTAINER and then has the FQDN of the library cluster nodes
      You only need the certificates for the library server - you don't need any of the certificates for the Hyper-V hosts
    8. Copy the certificates to the Trusted People\Certificates folder on the App Controller server

    If you previously had success importing certificates, you might find that some of the library certificates are already present. You do not need to recopy these certificates - just the missing certificates for the library servers.

    On the VMM server you will see a certificate for each of your host computers - you do NOT need to copy these certificates.

    Thanks

    Richard


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, August 10, 2012 11:40 PM
  • One more addition: I had to restart IIS after making the change to make App Controller happy again.

    Noah

    Friday, August 17, 2012 2:26 PM
  • I can confirm this happened for us as well.

    One addition for those who have installed a clustered VMM server: in step two of Richard's procedure, specify the clustered service name, rather than the server name of any of the nodes. Only under the service name will the library certificates appear in the Certificates snap-in. I also copied over the certificate of the clustered service name, although I'm not sure if that was required.

    ----

    For the search engines, here's the error I received from App Controller after attempting to add the VMM server and import certificates automatically:

    Category: Critical

    Description: You cannot access VMM management server  <FQDN of host>.

    Details: Category: Critical

    Message: System.ServiceModel.CommunicationException

    Description: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:05:29.9060000'.

     

    Category: Critical

    Message: System.IO.IOException

    Description: The read operation failed, see inner exception.

     

    Category: Critical

    Message: System.ServiceModel.CommunicationException

    Description: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:05:29.9060000'.

     

    Category: Critical

    Message: System.Net.Sockets.SocketException

    Description: An existing connection was forcibly closed by the remote host

    Friday, August 17, 2012 2:22 PM

All replies

  • I'm not running a clustered file server, but I have run into a failing certificate import.

    The only workaround I was able to find after a lot of back and forth was to not upgrade the VMM console on the App Controller server to the latest patch. I'm running all patches on the VMM server, and have applied the App Controller patch as well, but with the RTM version of the VMM console. (Not sure if I'm missing out on something else by not patching it all the way.)

    Friday, June 8, 2012 4:29 PM
  • Hi Ian, Andreas,

    Sorry for being quiet on this thread - I'm currently talking to a couple of folks about this and will post again when I find out more. 

    Ian - I'll get a list of steps so that you can do a manual import of the certificates.

    Andreas - Update rollup 1 for App Controller requires that Update Rollup 1 for VMM be installed on the VMM console for the App Controller server. The App Controller update checks to ensure that the VMM update is installed before it installs. 

    Thanks

    Richard


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, June 13, 2012 4:38 PM
  • I found a way around my problem.

    Basically I clustered the environment and added a large SAN partition for this data.  I then created a new virtual disk to use this storage and added it to the VMM as the main library storage.

    Wednesday, June 13, 2012 4:40 PM
  • I am having the orginal issue in this post . We just switched from a Stand Alone SCVMM to SCVMM 2012 on an HA Failover Cluster. The library share is now on clustered storage.  Have the manual import steps been posted anywhere ? And since it is trying to connect using the Client Access Point , How would you  create a  cert for that ?

    Friday, July 6, 2012 3:04 PM
  • Sorry for the super long delay on this folks.

    The good news is that we've got this into our bug system, and understand what the issue is with clustered library servers.

    More importantly for you we have some steps you can use to manually import the missing certificates.

    1. Open MMC (Start -> Run -> MMC)
    2. Add the certificate snap-in and select Computer account and specify your VMM server
    3. Add the certificate snap-in and select Computer account and specify your App Controller server
    4. Expand the Trusted People\Certificates folder for the App Controller server
    5. Browse to the Trusted People\Certificates folder for the VMM server
    6. Make sure you're looking in the Friendly Name column for the certificates
    7. Find the certificates that start with SCVMM_CERTIFICATE_KEY_CONTAINER and then has the FQDN of the library cluster nodes
      You only need the certificates for the library server - you don't need any of the certificates for the Hyper-V hosts
    8. Copy the certificates to the Trusted People\Certificates folder on the App Controller server

    If you previously had success importing certificates, you might find that some of the library certificates are already present. You do not need to recopy these certificates - just the missing certificates for the library servers.

    On the VMM server you will see a certificate for each of your host computers - you do NOT need to copy these certificates.

    Thanks

    Richard


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, August 10, 2012 11:40 PM
  • I can confirm this happened for us as well.

    One addition for those who have installed a clustered VMM server: in step two of Richard's procedure, specify the clustered service name, rather than the server name of any of the nodes. Only under the service name will the library certificates appear in the Certificates snap-in. I also copied over the certificate of the clustered service name, although I'm not sure if that was required.

    ----

    For the search engines, here's the error I received from App Controller after attempting to add the VMM server and import certificates automatically:

    Category: Critical

    Description: You cannot access VMM management server  <FQDN of host>.

    Details: Category: Critical

    Message: System.ServiceModel.CommunicationException

    Description: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:05:29.9060000'.

     

    Category: Critical

    Message: System.IO.IOException

    Description: The read operation failed, see inner exception.

     

    Category: Critical

    Message: System.ServiceModel.CommunicationException

    Description: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:05:29.9060000'.

     

    Category: Critical

    Message: System.Net.Sockets.SocketException

    Description: An existing connection was forcibly closed by the remote host

    Friday, August 17, 2012 2:22 PM
  • One more addition: I had to restart IIS after making the change to make App Controller happy again.

    Noah

    Friday, August 17, 2012 2:26 PM
  • Thanks for the additional clarifications Noah!

    Regards

    Richard


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Wednesday, August 22, 2012 5:25 AM
  • So I followed the instructions that you had mentioned above by manually importing the VMM library certs over to the Trusted Peoples\Certificates Store of my AppController server, and I am still receiving the following connectivity error as mentioned above in your post when I try to connect my VMM clustered server to my AppController server.  I even restarted IIS on my AppController server to make it happy again.  Do you have any additional insight you can offer? 

    Thanks

    Rich

    Friday, November 1, 2013 4:05 PM
  • Hi Rich,

    Can you share which version of VMM and App Controller (2012, 2012 SP1, 2012 R2) you are running, and which update rollup is applied?

    Are the VMM server and the VMM console on the App Controller server running the same update rollup version?

    Kind Regards,

    Richard


    This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, November 1, 2013 4:32 PM
  • I am running VMM 2012 R2 and App Controller 2012 R2 for both servers.

    Are upgrade rollups applicable for 2012 R2 (VMM and AppController)?

    I am still getting the same error when trying to connect my VMM from my AppContoller Server

    Category: Critical
    Description: Connection attempt to the target system failed.
    Details: Category: Critical
    Message: 1604–ConnectServerAuthenticationFailed
    Description: You cannot access VMM management server <FQDN of Host>.
    Details: Category: Critical
    Message: System.ServiceModel.CommunicationException
    Description: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:05:29.9860000'.

    Category: Critical
    Message: System.IO.IOException
    Description: The read operation failed, see inner exception.

    Category: Critical
    Message: System.ServiceModel.CommunicationException
    Description: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:05:29.9860000'.

    Category: Critical
    Message: System.Net.Sockets.SocketException
    Description: An existing connection was forcibly closed by the remote host

    Sincerely,

    Rich

    Friday, November 1, 2013 5:01 PM