ConfigMgr CB Upgrade “SSL Provider: The target principal name is incorrect” or “Win32 Error = 145” when using /testdbupgrade


If you are performing a ConfigMgr CB upgrade from ConfigMgr 2012 and you are utilizing a Clustered SQL Server environment with named instances, you may be greeted with the following error when attempting to perform the command for the testdbupgrade prior to the actual upgrade. These two errors are commonly seen together when performing this command line against a SQL Cluster with named instances.

 

setup.exe /testdbupgrade <virtualclustername>\<instancename>\<dbname>

 

This command when attempted against a SQL Cluster with named instances will result in the following entry in the C:\ConfigMgrSetup.log:

 

*** [0801][-2146893022][Microsoft][SQL Server Client 11.0]SSL Provider: The target principal name is incorrect.
*** [0801][-2146893022][Microsoft][SQL Server Client 11.0]Client unable to establish connection
*** Failed to connect to the SQL Server, connection type: SQL2012\InstanceName\CM_PRI
INFO: SQL Connection failed. Connection: SQL2012\InstanceName\CM_PRI, Type: Secure

 

This error is due to process attempting to connect to a physical node of the cluster instead of the virtual cluster instance.

To get past this error, you will want to utilize the following command line structure\syntax:

 

Setup.exe /testdbupgrade <SQL FQDN>\<Named Instance>\<Database Name>

(Example: Setup.exe /testdbupgrade SQL2012Serv.contoso.com\MySQLInstance\CM_PRI)

 

Now to address the error Win32 Error = 145, this will show up in your ConfigMgrSetup.log looking as such, may be more or less depending on the number of nodes in your cluster:

Installing service SMS_SERVER_BOOTSTRAP_SQL2012.contoso.com_SMS_SQL_SERVER on remote server SQL2012.contoso.com … Configuration Manager Setup 5/6/2016 9:32:12 AM 3324 (0x0CFC)
Installed service SMS_SERVER_BOOTSTRAP_SQL2012.contoso.com_SMS_SQL_SERVER on remote server SQL2012.contoso.com Configuration Manager Setup 5/6/2016 9:32:12 AM 3324 (0x0CFC)
Starting service SMS_SERVER_BOOTSTRAP_SQL2012.contoso.com_SMS_SQL_SERVER with command-line arguments “TST V:\SMS_SQL2012.contoso.com_SMS_SQL_SERVER1 /createcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER”… Configuration Manager Setup 5/6/2016 9:32:12 AM 3324 (0x0CFC)
Machine certificate has been created successfully on server SQL2012.contoso.com. Configuration Manager Setup 5/6/2016 9:32:19 AM 3324 (0x0CFC)
Deinstalled service SMS_SERVER_BOOTSTRAP_SQL2012.contoso.com_SMS_SQL_SERVER on SQL2012.contoso.com. Configuration Manager Setup 5/6/2016 9:32:19 AM 3324 (0x0CFC)
Deleting \\?\UNC\SQL2012.contoso.com\V$\SMS_SQL2012.contoso.com_SMS_SQL_SERVER1, FAILED, Win32 Error = 145 Configuration Manager Setup 5/6/2016 9:32:19 AM 3324 (0x0CFC)
INFO: Import SQL Server Certificate to each node because SQL Server is running clustering environment. Configuration Manager Setup 5/6/2016 9:32:20 AM 3324 (0x0CFC)
Installing service SMS_SERVER_BOOTSTRAP_SQL2012.contoso.com_SMS_SQL_SERVER on remote server SQL2012DB … Configuration Manager Setup 5/6/2016 9:34:29 AM 3324 (0x0CFC)
Installed service SMS_SERVER_BOOTSTRAP_SQL2012.contoso.com_SMS_SQL_SERVER on remote server SQL2012DB Configuration Manager Setup 5/6/2016 9:34:29 AM 3324 (0x0CFC)
Starting service SMS_SERVER_BOOTSTRAP_SQL2012.contoso.com_SMS_SQL_SERVER with command-line arguments “TST C:\SMS_SQL2012.contoso.com_SMS_SQL_SERVER1 /importcertificate SOFTWARE\MicrosoftCertBootStrap\ SMS_SQL_SERVER”… Configuration Manager Setup 5/6/2016 9:34:29 AM 3324 (0x0CFC)
Machine certificate has been created successfully on server SQL2012DB. Configuration Manager Setup 5/6/2016 9:34:37 AM 3324 (0x0CFC)
Deinstalled service SMS_SERVER_BOOTSTRAP_SQL2012.contoso.com_SMS_SQL_SERVER on SQL2012DB. Configuration Manager Setup 5/6/2016 9:34:37 AM 3324 (0x0CFC)
Deleting \\?\UNC\SQL2012DB\C$\SMS_SQL2012.contoso.com_SMS_SQL_SERVER1, FAILED, Win32 Error = 145 Configuration Manager Setup 5/6/2016 9:34:37 AM 3324 (0x0CFC)

 

This issue is caused by the ConfigMgr system not having the permissions to create the self-signed certificate on the SQL server cluster nodes, this can be resolved via the steps below.

 

Action Steps A – Site System Account

Perform these steps on each node for the SQL Cluster

1. On the SQL Server Open the Computer Management

2. Expand the Users and Groups

3. Expand Groups

4. Make sure the Machine Account for the ConfigMgr Primary Site is in the local Administrators Group

5. Make sure the SQL Service Account is in the local Administrators Group

 

Action steps B – Permissions

Perform these steps on each node for the SQL Cluster

1. Open File Explorer

2. Navigate to C:\programdata\microsoft\crypto\RSA\MachineKeys folder

3. Change the permissions MachineKeys folder so that Administrators have FULL Control to Folder and All Sub Folders \ Files

 

Disclaimer: The information on this site is provided “AS IS” with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of any included script samples are subject to the terms specified in the Terms of Use

Main System Center blog: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/

Data Protection Manager Team blog: http://blogs.technet.com/dpm/

Orchestrator Team blog: http://blogs.technet.com/b/orchestrator/

Operations Manager Team blog: http://blogs.technet.com/momteam/

Service Manager Team blog: http://blogs.technet.com/b/servicemanager

Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/

WSUS Support Team blog: http://blogs.technet.com/sus/

RMS blog: http://blogs.technet.com/b/rms/

App-V Team blog: http://blogs.technet.com/appv/

MED-V Team blog: http://blogs.technet.com/medv/

Server App-V Team blog: http://blogs.technet.com/b/serverappv

Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/

Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/

Forefront TMG blog: http://blogs.technet.com/b/isablog/

Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/

The Surface Team blog: http://blogs.technet.com/b/surface/

Have a question about content? Join us on Yammer


Comments (0)