Microsoft System Center Management Pack for AD CS 2016

  • Question

  • We are seeing errors that appear to be related to this Management Pack and the enforcement of TLS 1.2. I can't find anything about it in a web search. The errors on our Management Servers are:

    Topology10.0Discovery.vbs : Unable to connect to the database with the specified configuration string. Please make sure that your connection string is valid and that your credentials are authorized to access the database. Cause: [DBNETLIB][ConnectionOpen (SECCreateCredentials()).]SSL Security error.

    Is there any insight? I can't find a way to override this.

    Wednesday, October 2, 2019 5:40 PM

All replies

  • Hi,

    I can't say much about the error itself as I'm unfamiliar with it, but the "SSL Security error" does sound like a TLS issue. You could check the System event log; it should log Schannel errors.

    You should also be able to create an override for the object discovery:

    Microsoft.Windows.CertificateServices.TopologyDiscovery (Discovery)

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Thursday, October 3, 2019 7:55 AM
  • Hi,

    Agree with Leon, this relates to TLS. You can either enable TLS as per:

    SSL Security error using Microsoft OLE DB Provider for SQL Server

    or

    override the discovery itself (Leon pointed the proper discovery out).

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Thursday, October 3, 2019 8:05 AM
  • So, the article you link to is for a product called QlikView, but to that TLS 1.2 is properly configured, there are no issues there.

    The problem is the MP has a bug in it, and the discovery is important to us. Since Microsoft states support for TLS 1.2 in SCOM 2019, this appears to be a bug in the MP.

    Monday, October 7, 2019 3:55 PM
  • SCOM 2019 does indeed have support for TLS 1.2, but not all management packs are up-to-date, so it might very well be that the ADCS 2016 management pack does not have support for TLS 1.2.

    You can submit feedback about this over here: 
    https://systemcenterom.uservoice.com/forums/293064-general-operations-manager-feedback

    For now there's not much else that can be done than waiting for a management pack fix.


    Blog: https://thesystemcenterblog.com

    Monday, October 7, 2019 4:06 PM
  • Will do, but one would hope that this isn't too prevalent when dealing with MSFT MPs. This article shows the problem:

    https://blogs.technet.microsoft.com/kevinjustin/2017/11/08/sql-native-client-for-tls1-2/

    And the code in this MP that fails is here:

    'generate connection string and return
    GetOpsMgrDBConnectionString = "Provider=SQLOLEDB;Data Source=" & sDBServerName & ";Initial Catalog=" & sDBName & ";Integrated Security=SSPI;"

    Monday, October 7, 2019 5:41 PM
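Added example, not part of the original thread or of the management pack: a Python scanner that reads script text exported from a management pack and reports statements whose connection string hard-codes the provider named in the post above. The `FLAGGED` set, the function names and the sample script are assumptions constructed for illustration.

```python
import html
import re

# Assumption: SQLOLEDB is flagged because the failing script quoted in this
# thread hard-codes it; add other provider names (upper-case) as you confirm them.
FLAGGED = {"SQLOLEDB"}
# One VBScript token: a string literal ("" escapes a quote), a ' comment, or other code.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|(\'.*)|([^"\']+)')

def statements(script):
    """Yield (first_line_no, text), joining VBScript ' _' line continuations."""
    buf, start = "", None
    for no, line in enumerate(script.splitlines(), 1):
        start = start or no
        line = line.rstrip()
        if line.endswith(" _"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None

def find_flagged_providers(script, flagged=FLAGGED):
    """Return [(line_no, provider)] for connection strings using a flagged provider."""
    hits = []
    # Scripts embedded in management pack XML carry &amp; for the & operator.
    for no, stmt in statements(html.unescape(script)):
        conn = ""
        for m in TOKEN.finditer(stmt):
            if m.group(2):                  # comment: ignore the rest of the line
                break
            if m.group(1) is not None:      # string literal: part of the string
                conn += m.group(1).replace('""', '"')
            elif conn and m.group(3).strip(" \t&"):
                conn += "<var>"             # variable or call concatenated in
        for pair in conn.split(";"):
            key, _, value = pair.partition("=")
            if key.strip().lower() == "provider" and value.strip().upper() in flagged:
                hits.append((no, value.strip()))
    return hits

# Constructed sample: a commented-out line, the thread's statement, another provider.
SAMPLE = """' old: cs = "Provider=SQLOLEDB;Data Source=x"
GetOpsMgrDBConnectionString = "Provider=SQLOLEDB;Data Source=" _
    &amp; sDBServerName &amp; ";Initial Catalog=" &amp; sDBName &amp; ";Integrated Security=SSPI;"
cs2 = "Provider=MSOLEDBSQL;Data Source=" &amp; sDBServerName
"""

if __name__ == "__main__":
    print(find_flagged_providers(SAMPLE))
```

Run it over each script body in an exported management pack to list which discoveries or monitors would be affected before TLS 1.2 is enforced on the management servers.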
  • You may also check the Agent privileges run on the managed Active Directory Certificate Services computer. The minimum privileges required for the account whose context the Agent uses to run on the CA are:
    •    Member of the local Users group
    •    Member of the local Performance Monitor Users group
    •    "Manage auditing and security log" permission (SeSecurityPrivilege)
    •    "Allow log on locally" permission (SeInteractiveLogonRight)
    Roger
    Tuesday, October 8, 2019 3:23 AM
  • This is not helpful, as usual, Roger. Stop giving people terrible advice. This is obviously not a permissions issue.
    Tuesday, October 8, 2019 4:32 PM