SCCM 2007 Asset Intelligence – Bad Certificate

Continuing on my foray into SCCM, I installed the Asset Intelligence Sync Point role on my system, then clicked, “Enable Asset Intelligence” in the AI section. When I clicked “Synchronize Catalog” I got a bad certificate warning. Looks like plenty of others have as well:

Everyone points to this site which provides the hotfix for this issue. Sweet, right? (DANGER: DON’T INSTALL IT)

  • KB2483225 – “Bad certificate” error when you use an Asset Intelligence synchronization point on a System Center Configuration Manager 2007 SP2 site server after the bootstrap certificate expires.

I installed the hotfix and tried to re-synchronize, but SCCM informed me that I’d need to wait 12 hours. Twelve hours later the sync worked, yay! That’s when I realized that all of my OSD clients were now reporting, “An error occurred while retrieving policy for this computer (0x80072f78).  For more information, please contact your system admin or helpdesk operator”. OH NOES.

Looking online I found nothing helpful. The logs showed a bunch of MSI, Webdav, and BITS Extension failures. Bad times. I installed a new SCCM server from scratch and applied the hotfix — same result: AI was fixed, everything else was broken.

Workaround

I found a suggestion at the following link, though it was a little difficult to figure out without a bit more info.

Asset Intelligence Bad Certificate even after hotfix KB2483225

You’re not gonna like this. My workaround was to install a brand new SCCM single-server primary site on a blank VM, run the hotfix, export the certificate, and import it into a restored backup of my SCCM server. If you already applied the hotfix to your production server and don’t have backups it might be too late…

The Process

Generating a New Certificate

  1. Build a new SCCM server from scratch on a blank VM. We just need the system long enough to export the certificate, it can be deleted after.
  2. Once your new SCCM server is up and running, install an Asset Intelligence Sync Point, enable Asset Intelligence, and make an attempt to synchronize the catalog. This should fail with ‘Bad Certificate’.
  3. Install the hotfix from KB2483225.
  4. Go to Start -> Run and type “MMC” then press enter. Microsoft management console should appear.
  5. Click File -> Add\Remove Snap-In, then add the ‘Certificates’ snap-in.
  6. Choose ‘Computer Account’ -> ‘Local Computer’ -> OK.
  7. Browse to the “ALM” store which only exists after you’ve made at least 1 attempt to synchronize an AI catalog.
  8. There should be a single certificate in this store. Right-click and export it as a pfx file.

Importing the New Certificate

  1. On your production SCCM server open mmc and the certificates snap-in.
  2. If you don’t see an ALM certificate store, open SCCM Console and attempt an Asset Intelligence catalog sync. Then, refresh the certificates mmc view. Unfortunately, this step is necessary even though it prevents you from sync’ing again for 12 hours.
  3. Right-click the ALM store and import the certificate exported from the temporary sccm server.

After this procedure, you should be able to synchronize properly. To check progress, use trace32 to watch “%programfiles(x86)%\Microsoft Configuration Manager\Logs\AIUpdateSvc.log”. It sometimes takes 15mins to start after initiating the sync. Also, it will sometimes get stuck for 5-10mins with no output to the logs. Both of these situations are normal.

Good luck!

Advertisements

One thought on “SCCM 2007 Asset Intelligence – Bad Certificate

  1. Pingback: Table of Contents | windowsmasher

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s