ukg_matt Posted January 7, 2020

Hi Niall

I've been following your MBAM in SCCM guide from here and we're already converted from HTTP to HTTPS. I needed to encrypt the recovery data so I followed this Microsoft guide.

Now I'm attempting to install the MBAM websites with the mbamwebsiteinstaller.ps1 script, and I'm given the following errors....

    Unable to find ConfigMgr SQL Server Identification Certificate
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException
    + PSComputerName : azukssccm.ukg.local

    Get-CertificateFromSqlServer : Unable to export ConfigMgr SQL Server Identification Certificate: Exception calling "FromBase64String" with "1" argument(s): "Invalid length for a Base-64 char array or string."
    At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1171 char:16
    + $success = Get-CertificateFromSqlServer $SqlServerName
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-CertificateFromSqlServer

    Install-MBAMWebSites : Failure acquring SQL identity certificate.
    At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller.ps1:1324 char:5
    + Install-MBAMWebSites -SqlServerName $SqlServerName -SqlInstanceNa ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-MBAMWebSites

Any help would be much appreciated.

Thanks

anyweb Posted January 7, 2020

ok what command line did you use to install, can you paste it here please and did you create all the certificates or just one, what command lines did you use to create the certificates,

the more info I have the more I can help

if you don't want to post it here then mail it to me, niall AT windows-noob DOT com

cheers
niall

ukg_matt Posted January 8, 2020

replied via email!

anyweb Posted January 8, 2020

ok got them, when you created the certs did you get any errors during that process or did it all proceed happily ?

did you verify that it met all these requirements ?

* The name of the BitLocker management encryption certificate must be BitLockerManagement_CERT.
* Encrypt this certificate with a database master key.
* The following SQL users need Control permissions on the certificate:
    * RecoveryAndHardwareCore
    * RecoveryAndHardwareRead
    * RecoveryAndHardwareWrite
* Deploy the same certificate at every site database in your hierarchy.
* Create the certificate with the latest version of SQL Server in your environment. For example:
    * Certificates created with SQL Server 2016 or later are compatible with SQL Server 2014 or earlier.
    * Certificates created with SQL Server 2014 or earlier aren't compatible with SQL Server 2016 or later.

and lastly, did you verify the certificate creation using the Verify certificate SQL script ?

please confirm, what I can try and do (in my lab) is to revert it and go through this process, see how it works for me, but... it is dependent on time,

anyweb Posted January 8, 2020

also can you modify your cmdline to correctly specify the reportserver via the -ReportWebServiceUrl switch, yours is currently pointing to Reports and it should point to Reportserver

here's a sample

    .\MBAMWebSiteInstaller.ps1 -SqlServerName cm01.windowsnoob.lab.local -SqlInstanceName MSSQLSERVER -SqlDatabaseName CM_P01 -ReportWebServiceUrl http://cm01.windowsnoob.lab.local/Reportserver -HelpdeskUsersGroupName "windowsnoob\MBAM_HD" -HelpdeskAdminsGroupName "windowsnoob\MBAM_HD_Adv" -MbamReportUsersGroupName "windowsnoob\MBAM_HD_Report" -SiteInstall

ukg_matt Posted January 9, 2020

On 1/8/2020 at 10:09 AM, anyweb said:

ok got them, when you created the certs did you get any errors during that process or did it all proceed happily ? - No Errors

did you verify that it met all these requirements ? - As far as I can tell, yes I met all the requirements.

* The name of the BitLocker management encryption certificate must be BitLockerManagement_CERT.
* Encrypt this certificate with a database master key.
* The following SQL users need Control permissions on the certificate:
    * RecoveryAndHardwareCore
    * RecoveryAndHardwareRead
    * RecoveryAndHardwareWrite
* Deploy the same certificate at every site database in your hierarchy.
* Create the certificate with the latest version of SQL Server in your environment. For example:
    * Certificates created with SQL Server 2016 or later are compatible with SQL Server 2014 or earlier.
    * Certificates created with SQL Server 2014 or earlier aren't compatible with SQL Server 2016 or later.

and lastly, did you verify the certificate creation using the Verify certificate SQL script ? - Yes I ran the verify script which returns the value 1... What's interesting is that despite returning '1', there is no mention of the 3 SQL users above in the SQL management studio (see screen shot)

please confirm, what i can try and do (in my lab) is to revert it and go through this process, see how it works for me, but... it is dependent on time,

I have amended the mbaminstaller script with the correct report server URL.

Thanks

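The certificate requirements listed in the posts above can be checked read-only against the SQL Server catalog views. The following T-SQL is an added example, not part of the thread and not the Microsoft verify script; it assumes it is run in the site database and uses only the certificate and principal names quoted in the posts.

```sql
-- Added example: read-only check of the BitLocker management certificate requirements.
-- Assumption: executed in the Configuration Manager site database
-- (the database passed to the installer as -SqlDatabaseName).
DECLARE @cert sysname = N'BitLockerManagement_CERT';

-- 1. The certificate exists and its private key is protected by the database master key.
SELECT c.name,
       c.certificate_id,
       c.thumbprint,
       c.expiry_date,
       c.pvt_key_encryption_type_desc,
       CASE WHEN c.pvt_key_encryption_type_desc = N'ENCRYPTED_BY_MASTER_KEY'
            THEN 'OK' ELSE 'FAIL' END AS master_key_check
FROM sys.certificates AS c
WHERE c.name = @cert;

-- 2. Each required principal exists and has an explicit CONTROL grant on the certificate.
--    sys.database_principals covers both users and roles, so type_desc shows which it is.
SELECT r.principal_name,
       dp.type_desc,
       CASE WHEN c.certificate_id IS NULL THEN 'certificate missing'
            WHEN dp.principal_id IS NULL THEN 'principal missing'
            WHEN p.permission_name IS NULL THEN 'no explicit CONTROL grant'
            ELSE p.state_desc            -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
       END AS control_on_cert
FROM (VALUES (N'RecoveryAndHardwareCore'),
             (N'RecoveryAndHardwareRead'),
             (N'RecoveryAndHardwareWrite')) AS r(principal_name)
LEFT JOIN sys.database_principals AS dp
       ON dp.name = r.principal_name
LEFT JOIN sys.certificates AS c
       ON c.name = @cert
LEFT JOIN sys.database_permissions AS p
       ON p.class = 25                   -- 25 = CERTIFICATE securable class
      AND p.major_id = c.certificate_id
      AND p.grantee_principal_id = dp.principal_id
      AND p.permission_name = N'CONTROL';
```

The second query reports explicit grants only; a principal with no row in sys.database_permissions can still hold CONTROL through role membership or ownership.
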
anyweb Posted January 9, 2020

ok good info, i'll try my best to verify this when I have time...

AS-NRY Posted January 15, 2020

I've got exactly the error.

EDIT: My workaround for this was to disable the convert::tobase64string($bytes) and convert::frombase64string($encodedCert) commands from the PS script

Edited January 15, 2020 by AS-NRY (Found Workaround)

ukg_matt Posted January 17, 2020

Hi

Thanks for the tip, AS-NRY, it has moved my install script on somewhat but it still doesn't complete successfully.

    Get-CertificateFromSqlServer : Unable to export ConfigMgr SQL Server Identification Certificate from *******.***.local
    At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller_2.ps1:1171 char:16
    + $success = Get-CertificateFromSqlServer $SqlServerName
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-CertificateFromSqlServer

    Install-MBAMWebSites : Failure acquring SQL identity certificate.
    At F:\Program Files\Microsoft Configuration Manager\bin\X64\mbamwebsiteinstaller_2.ps1:1324 char:5
    + Install-MBAMWebSites -SqlServerName $SqlServerName -SqlInstanceNa ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-MBAMWebSites

ukg_matt Posted January 17, 2020

scrap that, I re-enabled [Convert]::ToBase64String($bytes) and [Convert]::FromBase64String($encodedCert) and the script is working.

My issues were 2 fold, first was that I had to export the BitLocker Management cert from SQL and import it manually using certlm.msc, the second issue was that I didn't have an SQL Server Identification Cert that was named 'ConfigMgr SQL Server Identification Certificate' so I generated one...

Re-ran the script again et voila

Thanks again to anyweb and AS-NRY.