IT Consultant Everyday Notes

Just some problems/solutions storage

SCCM: Installation on hardened server

One of my Customers asked me to migrate an existing SCCM 2012 R2 to SCCM CB. They preferred side-by-side migration.

Everything looked good until I figure out the server they gave me for the new SCCM was hardened. I guess security team did it for good but as a result I had some fun with a trivial SCCM installation.

1. They used a third-party tool to remove TLS 1.0-1.1 and old SSL leavin only TLS 1.2 available. 3DES was killed too.

As a result, when I ran prereqchk.exe /Local before SCCM installation I received errors about SQL indexing, collation page (which I knew I set correctly), sysadmin membership etc… SQL looked good, but in

prereqchk log I saw: “Failed to connect to the SQL Server, connection type: SMS Master”

and in even log I observed: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

I removed fresh Machine keys from Programdata\microsoft\crypto\RSA – did not help

I set “Use FIPS compliant algorithms for encryption”  after that the error in event log changed saying TLS 1.0 protocol is using (never new it is FIPS compliant), but it is not configured.

So, at this point I ran IISCrypto and learnt the protocols are disabled.

As soon as I enabled the old obsolete TLS 1.0 prereqchk.exe passed smoothly and I started SCCM installation

Microsoft says  only SSL3.0 should be disabled and clearly requires both TLS 1.1 and 1.2 enabled. But in my case I still needed TLS 1.0 enabled too. So it looks like a working progress for me.

There is another article from Microsoft. It talks about TLS 1.2 configuration for SCCM CB 1610+. But it looks like it is about post-installation TLS 1.2 support and had an issue during installation. In addition, I tried my best to understand what should I configure on Windows Server 2016 with .Net 4.7 and SQL 2016 SP1 and as far as I understood I should do nothing, it supposed just work Smile. I would prefer Microsoft present the information in some kind of matrix for different .Net versions, OS versions and SQL…

2. Everything was fine until installer tried to setup a Management Point.

This time an error in ConfigMgrsetup.log said:

Unable to find an existing certificate in the store.  Creating a new self-signed certificate…    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to release a handle to a cryptographic key (0x80070057)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to release a handle to a CSP or key container (0x80070057)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
Failed to create the certificate (0x8009000f)    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)
ERROR: Failed to find or create SQL Server certificate.    Configuration Manager Setup    11/20/2017 11:48:55 AM    3228 (0x0C9C)

this time I spent more time troubleshooting and finally opened a case with Microsoft. The tech found local Administrators was kicked out from permissions for Programdata\microsoft\crypto\RSA  and Setup could not create a private key there. We granted Full Control to local Administrators group, re-install MP and tis time it was setup.

3. Setup, bot not properly running – both standard tests (https://technet.microsoft.com/en-us/library/bb932118.aspx?f=255&MSPPError=-2147217396) from web browser gave me Internal Server Error (HTTP Error 500.19)

Fortunately I found Heinrich’s article (http://heinrichandsccm.blogspot.ca/2013/05/http-error-50019-internal-server-error.html). I re-installed WSUS  and MP started to work. After that I ran wsusutil for postinstall configuration and it finished successfully.

And after all changes above I succeeded to install SCM 4.0 before it failed with generic 1603 error.

Advertisements

One response to “SCCM: Installation on hardened server

  1. Hudson8 January 26, 2018 at 6:45 pm

    This is an amazing post. No one knows this, not even the MS techs. I spent 2.5 hours online with paid support, today. Lots of changes were made (including this one), but MS decided this was not necessary after eliminating the TLS1.0 server entry and seeing that prereqchk.exe still worked. (MS tech forgot that TLS1.0 requires a reboot to shut off again.)

    I rebooted after MS support signed off, and prereqchk.exe started to fail again. I thought I was sunk, but found this post of yours. It appears to be the only post on the Internet that states what is going on.
    Great Job!!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: