
Hi Niall

I've been following your MBAM in SCCM guide from here and we're already converted from HTTP to HTTPS. I needed to encrypt the recovery data so I followed this Microsoft guide.

Now I'm attempting to install the MBAM websites with the mbamwebsiteinstaller.ps1 script, and I'm given the following errors....

Unable to find ConfigMgr SQL Server Identification Certificate
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException
    + PSComputerName        : azukssccm.ukg.local

Get-CertificateFromSqlServer : Unable to export ConfigMgr SQL Server Identification Certificate: Exception calling
"FromBase64String" with "1" argument(s): "Invalid length for a Base-64 char array or string."
At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1171 char:16
+     $success = Get-CertificateFromSqlServer $SqlServerName
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-CertificateFromSqlServer

Install-MBAMWebSites : Failure acquring SQL identity certificate.
At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1324 char:5
+     Install-MBAMWebSites -SqlServerName $SqlServerName -SqlInstanceNa ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-MBAMWebSites

 

Any help would be much appreciated.

Thanks

 


ok what command line did you use to install, can you paste it here please

and did you create all the certificates or just one, what command lines did you use to create the certificates, the more info I have the more I can help

 

if you don't want to post it here then mail it to me, niall AT windows-noob DOT com

cheers

niall


ok got them, when you created the certs did you get any errors during that process or did it all proceed happily?

did you verify that it met all these requirements?

  • The name of the BitLocker management encryption certificate must be BitLockerManagement_CERT.

  • Encrypt this certificate with a database master key.

  • The following SQL users need Control permissions on the certificate:

    • RecoveryAndHardwareCore
    • RecoveryAndHardwareRead
    • RecoveryAndHardwareWrite
  • Deploy the same certificate at every site database in your hierarchy.

  • Create the certificate with the latest version of SQL Server in your environment. For example:

    • Certificates created with SQL Server 2016 or later are compatible with SQL Server 2014 or earlier.
    • Certificates created with SQL Server 2014 or earlier aren't compatible with SQL Server 2016 or later.

and lastly, did you verify the certificate creation using the Verify certificate SQL script?

please confirm,

 

what I can try and do (in my lab) is to revert it and go through this process, see how it works for me, but... it is dependent on time,

 


also can you modify your cmdline to correctly specify the reportserver via the -ReportWebServiceUrl switch, yours is currently pointing to Reports and it should point to Reportserver

here's a sample

.\MBAMWebSiteInstaller.ps1 -SqlServerName cm01.windowsnoob.lab.local -SqlInstanceName MSSQLSERVER -SqlDatabaseName CM_P01 -ReportWebServiceUrl http://cm01.windowsnoob.lab.local/Reportserver -HelpdeskUsersGroupName "windowsnoob\MBAM_HD" -HelpdeskAdminsGroupName "windowsnoob\MBAM_HD_Adv" -MbamReportUsersGroupName "windowsnoob\MBAM_HD_Report" -SiteInstall 

 

On 1/8/2020 at 10:09 AM, anyweb said:

ok got them, when you created the certs did you get any errors during that process or did it all proceed happily? - No Errors

did you verify that it met all these requirements? - As far as I can tell, yes I met all the requirements.

  • The name of the BitLocker management encryption certificate must be BitLockerManagement_CERT.

  • Encrypt this certificate with a database master key.

  • The following SQL users need Control permissions on the certificate:

    • RecoveryAndHardwareCore
    • RecoveryAndHardwareRead
    • RecoveryAndHardwareWrite
  • Deploy the same certificate at every site database in your hierarchy.

  • Create the certificate with the latest version of SQL Server in your environment. For example:

    • Certificates created with SQL Server 2016 or later are compatible with SQL Server 2014 or earlier.
    • Certificates created with SQL Server 2014 or earlier aren't compatible with SQL Server 2016 or later.

and lastly, did you verify the certificate creation using the Verify certificate SQL script? - Yes I ran the verify script which returns the value 1... What's interesting is that despite returning '1', there is no mention of the 3 SQL users above in the SQL management studio (see screenshot)

please confirm,

 

what I can try and do (in my lab) is to revert it and go through this process, see how it works for me, but... it is dependent on time,

 

I have amended the mbaminstaller script with the correct report server URL.

 

Thanks

2020-01-09 10_20_16-Window.jpg


ok good info, i'll try my best to verify this when I have time...


I've got exactly the same error.

 

EDIT: My workaround for this was to disable the convert::tobase64string($bytes) and convert::frombase64string($encodedCert) commands from the PS script

Edited by AS-NRY
Found Workaround


Hi

Thanks for the tip, AS-NRY, it has moved my install script on somewhat but it still doesn't complete successfully.

 

Get-CertificateFromSqlServer : Unable to export ConfigMgr SQL Server Identification Certificate from
*******.***.local
At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller_2.ps1:1171 char:16
+     $success = Get-CertificateFromSqlServer $SqlServerName
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-CertificateFromSqlServer

Install-MBAMWebSites : Failure acquring SQL identity certificate.
At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller_2.ps1:1324 char:5
+     Install-MBAMWebSites -SqlServerName $SqlServerName -SqlInstanceNa ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-MBAMWebSites

 


scrap that, I re-enabled [Convert]::ToBase64String($bytes) and [Convert]::FromBase64String($encodedCert) and the script is working.

My issues were twofold, first was that I had to export the BitLocker Management cert from SQL and import it manually using certlm.msc, the second issue was that I didn't have an SQL Server Identification Cert that was named 'ConfigMgr SQL Server Identification Certificate' so I generated one...

Re-ran the script again et voila

Thanks again to anyweb and AS-NRY.

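The certificate checks discussed in this thread, gathered into one read-only pre-flight script (an added example, not part of any post and not Microsoft's verify script): it lists which of the three users hold CONTROL on BitLockerManagement_CERT and looks for the identification certificate on the SQL Server. It assumes Windows PowerShell 5.1, Windows authentication to the site database, PowerShell remoting to the SQL Server, and that the installer finds the identification certificate by its friendly name; the server and database names are the sample values from the command line quoted earlier.

```powershell
# Added example: read-only pre-flight checks before MBAMWebSiteInstaller.ps1.
# $SqlServer and $Database are the sample values from this thread; use your own.
$SqlServer = 'cm01.windowsnoob.lab.local'
$Database  = 'CM_P01'
$required  = 'RecoveryAndHardwareCore','RecoveryAndHardwareRead','RecoveryAndHardwareWrite'

# 1. The certificate inside the site database, with every permission granted on it.
$query = @'
SELECT c.name AS cert_name, c.pvt_key_encryption_type_desc AS key_protection,
       u.name AS principal, p.permission_name, p.state_desc
FROM sys.certificates AS c
LEFT JOIN sys.database_permissions AS p
       ON p.class_desc = 'CERTIFICATE' AND p.major_id = c.certificate_id
LEFT JOIN sys.database_principals AS u
       ON u.principal_id = p.grantee_principal_id
WHERE c.name = 'BitLockerManagement_CERT';
'@
$connStr = "Server=$SqlServer;Database=$Database;Integrated Security=True"
$conn    = New-Object System.Data.SqlClient.SqlConnection $connStr
$adapter = New-Object System.Data.SqlClient.SqlDataAdapter($query, $conn)
$table   = New-Object System.Data.DataTable
[void]$adapter.Fill($table)   # Fill opens and closes the connection itself

if ($table.Rows.Count -eq 0) {
    Write-Warning "BitLockerManagement_CERT not found in $Database"
} else {
    if ($table.Rows[0].key_protection -ne 'ENCRYPTED_BY_MASTER_KEY') {
        Write-Warning "Private key protection is $($table.Rows[0].key_protection)"
    }
    $granted = @($table.Rows |
        Where-Object { $_.permission_name -eq 'CONTROL' -and $_.state_desc -like 'GRANT*' } |
        ForEach-Object { $_.principal })
    $required | Where-Object { $_ -notin $granted } |
        ForEach-Object { Write-Warning "$_ has no CONTROL on the certificate" }
}

# 2. The identification certificate on the SQL Server host. Assumption: the
#    installer matches on the friendly name, so every LocalMachine store is searched.
$friendly = 'ConfigMgr SQL Server Identification Certificate'
$idCerts = Invoke-Command -ComputerName $SqlServer -ScriptBlock {
    Get-ChildItem Cert:\LocalMachine -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                       $_.FriendlyName -eq $using:friendly } |
        Select-Object PSParentPath, Thumbprint, NotAfter
}
if ($idCerts) { $idCerts | Format-Table -AutoSize }
else { Write-Warning "No certificate with friendly name '$friendly' on $SqlServer" }
```

The permission query reads the catalog views directly, so it shows per-user grants that the certificate's properties in SQL Server Management Studio may not display.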

thanks for posting the solution to your problem!
