Installing Distribution Point via PowerShell Certificate Errors

  • Question

  • Hello All,

    We are working on integrating our SCCM 1610 Distribution Point installation to occur during our Windows Server 2012 R2 task sequence and have been getting some (very annoying) unexpected results.

    The script that we're using is based off of David Obrien's method located at https://david-obrien.net/2013/03/how-to-install-new-distribution-point-sccm-2012/

    The result is that the Site System gets created, the DP installs but all of the code around TsMediaAPI.dll fails and the certificate does not get created.

    Eventually the site server seems to populate the HKLM\Software\Microsoft\SMS\DP\Identity\IdentCert key with the cert string and the DP appears to be functional - almost.

    The next step in our TS is to load PreLoad content onto the newly created DP using ExtractContent.exe.  The problem is, this fails every single time with an error:

    Failed to create certificate store from encoded certificate..
    The specified network password is not correct. (Error: 80070056; Source: Windows)
    Error reading site settings when needed to extract content from prestaged content file.

    Per the updated SDK, the TsMediaAPI.dll seems to no longer be supported as a redistributable file.  Is there another method of creating the self-signed cert via PowerShell?

    Thanks in advance.

    Friday, March 24, 2017 3:00 PM

All replies

  • The Add-CMDistributionPoint cmdlet will create a self-signed cert for you -- no need to create your own.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, March 24, 2017 3:56 PM
  • Not true Jason, I am having the same problem. Key point is he is trying the PS command from within the TS.

    So if he is like me he needs to run the ps using different creds that have access to SCCM to create the DP.

    Add-CMDistributionPoint create cert doesn't work. There is no profile loaded so it won't create it.

    Friday, March 24, 2017 5:29 PM
  • The cmdlet absolutely works outside of a TS so my answer is true.

    The method he is using is not the same -- David's scripts pre-date the built-in cmdlets.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, March 24, 2017 6:12 PM
  • Yes the cmdlet does work outside of a TS but within the TS is what I was asking.  :)

    I had tried the installation a number of different ways within the TS including:

    Method 1:

    • Copy CM PS modules to new server being built
    • Use a Run Command to execute a script that loads the cmdlets and runs Add-CMDistributionPoint

    This failed with Cert errors.

    Method 2:

    • Run PowerShell script that performs an Invoke-Command scriptblock that connects to the CAS and runs Add-CMDistributionPoint on the CAS itself using a service account that had rights on the server and in SCCM

    This actually worked flawlessly for about a week and then started failing with cert errors which is what made me resort to trying Method #3.

    This is similar to Kaido's post at http://blog.coretech.dk/kaj/how-to-add-configuration-manager-distribution-point-remotely-with-powershell/ but I didn't need to do CredSSP.  Similar concept though.

    Method 3:

    • WMI method of installing the DP similar to David O'Brien's post noted earlier.

    Result: DP installed but cert errors persisted and DP not properly configured.  Preload package content failed.

    What I ultimately went back to was Method #2 after finding that the Cert errors were the result of an issue with the private key file under C:\Users\<user>\AppData\Roaming\Microsoft\Crypto\RSA.  After deleting the contents of this folder on the CAS and re-running my script it works and my TS is now completing successfully again and unpacking the preload packages.

    Tuesday, March 28, 2017 6:54 PM
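The script below is an added example of "Method 2" from the post above, written for this page; it is not the poster's script and not the code from Kaido's or David O'Brien's blog posts. The idea is the one the thread settles on: the ConfigurationManager cmdlets need a loaded user profile (the DP certificate's private key lands in that profile's Crypto\RSA folder), so instead of running them from the task sequence's SYSTEM context, the script uses Invoke-Command to run Add-CMDistributionPoint on the site server as a real service account. The server names (cas01.contoso.com, dp01.contoso.com), the site code CAS, the account name and the task sequence variable SvcAccountPassword are all assumptions; the cmdlet and parameter names are the real ones.

```powershell
# Added example for this thread, not code from the original posts.
# Assumptions (hypothetical values): the CAS is cas01.contoso.com, the site code
# is CAS, the machine running this TS step becomes the new DP, and the service
# account has local admin on the CAS plus a ConfigMgr role that can add site
# system roles. The password is read from a task sequence variable instead of
# being hard-coded in the script.
param(
    [string]$SiteServer = 'cas01.contoso.com',
    [string]$SiteCode   = 'CAS',
    [string]$DpFqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$SvcUser    = 'CONTOSO\svc-cm-dp'
)

# Microsoft.SMS.TSEnvironment is the real TS COM object; the variable name
# SvcAccountPassword is an assumption. Set it as a collection or computer
# variable marked "do not display this value" so it is not echoed in logs.
$tsenv    = New-Object -ComObject Microsoft.SMS.TSEnvironment
$password = ConvertTo-SecureString -String $tsenv.Value('SvcAccountPassword') -AsPlainText -Force
$cred     = New-Object System.Management.Automation.PSCredential($SvcUser, $password)

# Everything in the scriptblock runs on the site server as the service account,
# so the cmdlets have a loaded profile to write the DP certificate's key into.
$result = Invoke-Command -ComputerName $SiteServer -Credential $cred -ScriptBlock {
    param($SiteCode, $DpFqdn)

    # Standard module load; SMS_ADMIN_UI_PATH is set by the console install.
    Import-Module (Join-Path $env:SMS_ADMIN_UI_PATH '..\ConfigurationManager.psd1') -ErrorAction Stop
    Set-Location "$SiteCode`:"

    # Idempotent: reuse the site system record if the TS is re-run after a failure.
    $ss = Get-CMSiteSystemServer -SiteSystemServerName $DpFqdn -SiteCode $SiteCode
    if (-not $ss) {
        $ss = New-CMSiteSystemServer -SiteSystemServerName $DpFqdn -SiteCode $SiteCode
    }

    # Add the DP role. The cmdlet creates the self-signed DP certificate itself;
    # AllowPrestaging is needed because the next TS step unpacks .pkgx files.
    Add-CMDistributionPoint -InputObject $ss -SiteCode $SiteCode `
        -CertificateExpirationTimeUtc (Get-Date).AddYears(10) `
        -ClientConnectionType Intranet `
        -MinimumFreeSpaceMB 500 `
        -AllowPrestaging `
        -ErrorAction Stop

    # Return an object the TS step can act on instead of relying on console output.
    [pscustomobject]@{
        Server = $DpFqdn
        Added  = [bool](Get-CMDistributionPoint -SiteSystemServerName $DpFqdn -SiteCode $SiteCode)
    }
} -ArgumentList $SiteCode, $DpFqdn

# Fail the TS step loudly rather than letting the preload step run against a half-built DP.
if (-not $result.Added) { throw "DP role was not added on $($result.Server)" }
$result
```

Two practitioner notes. First, this is a single hop (TS client to CAS), so no CredSSP is needed, but the service account's roaming profile on the CAS is now where the DP key gets generated; if that account's C:\Users\<user>\AppData\Roaming\Microsoft\Crypto\RSA folder is damaged you get exactly the 80070056 certificate error the thread describes, and clearing it is the fix the poster found. Second, give the service account a ConfigMgr security role and scope limited to adding site system roles rather than Full Administrator, because its password travels through a task sequence variable on every machine that runs this TS.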
  • Can you share the method you got working in the task sequence please, the script sample would be great!

    Cliff Hughes (MSFT)

    Saturday, August 17, 2019 2:47 PM