How to Resolve Errors with Duplicate ConfigMgrEndpoint Certificates in ConfigMgr 2012

~ Scott Rachui

Hi everyone, Scott Rachui here with some tips on how to troubleshoot issues with duplicate certificates when trying to configure SQL Server Service Broker in System Center 2012 Configuration Manager.

Overview

When setting up database replicas for management points in ConfigMgr 2012, it is possible that you could end up with a duplicate certificate in place when trying to configure the SQL Broker service. This article outlines that scenario and offers a way to resolve it.

The Scenario

Recently while working with a customer to set up a database replica for one of their management points in Configuration Manager we encountered the following situation:

– We were working through the process of setting up the SQL Broker service which is an essential element of configuring database replicas. Part of this process (explained in detail in this article) was to export and exchange ConfigMgrEndpoint certificates for each database server.

– On the primary database, we imported the certificate with a reference to the default instance of SQL on the database replica. An example of the stored procedure we used is shown below.

EXEC sp_BgbConfigSSBForRemoteService 'REPLICA', '4022', 'C:\Test\Cert.cer', 'S12-MP1.W2K12-LAB.LOCAL', 'CM_MP1'

– After the stored procedure had completed, we remembered that we were using a named instance for the database. This means the stored procedure should have been written as follows:

EXEC sp_BgbConfigSSBForRemoteService 'REPLICA', '4022', 'C:\Test\Cert.cer', 'S12-MP1.W2K12-LAB.LOCAL', 'TestInstance\CM_MP1'

NOTE The format is ‘<InstanceName>\<Database Name>’ for a named instance; for the default instance, as in the first example, only the database name is passed. In the example above, ‘TestInstance’ is just an example of a name that I selected to illustrate the stored procedure with a named instance.

The problem came in when we re-ran the stored procedure. We received an error that said the following:

Msg 15232, Level 16, State 1, Line 17
A certificate with name 'ConfigMgrEndPointCert0x8eae7c6bf36b15ed2ea186928fcf6c4e' already exists or this certificate already has been added to the database.

Where is the ConfigMgrEndPointCert?

If you've worked very long with certificates in Windows, you'll know that the default place to go when you need to find a certificate is the Certificates MMC snap-in.  We opened MMC and added this snap-in, then proceeded to search through every container but we did not find what we were looking for.

At this point I thought that perhaps the certificate had an unexpected name, so I opened the certificate file itself (since I had previously exported it, I knew where it was). To be clear, I was looking at the database replica certificate that I had imported to the primary database.

I searched again, this time using the certificate name from the error message above, but I still could not find it. I also searched by expiration date, but nothing matched up.

Finding the Certificate

Further research and collaboration with colleagues finally pointed me to the certificate. I learned that in order to see it, I needed to look inside SQL Server Management Studio (SSMS) rather than the Windows certificate store. To locate it, I did the following:

1. Opened SQL Server Management Studio and connected to the primary database server.

2. In Object Explorer, I expanded the server and navigated to Server Objects\Endpoints\Service Broker. Within the Service Broker container I could see that the ConfigMgrEndpoint node was present.

3. I right-clicked this node and selected ‘Script Endpoint as > CREATE To > New Query Editor Window’. This opened a query window with the following information visible:

USE [master]
GO

/****** Object:  Endpoint [ConfigMgrEndpoint]    Script Date: 9/23/2014 9:27:40 AM ******/
CREATE ENDPOINT [ConfigMgrEndpoint]
       STATE=STARTED
       AS TCP (LISTENER_PORT = 4022, LISTENER_IP = ALL)
       FOR SERVICE_BROKER (MESSAGE_FORWARDING = ENABLED
       , MESSAGE_FORWARD_SIZE = 5
       , AUTHENTICATION = CERTIFICATE [ConfigMgrEndpointCert]
       , ENCRYPTION = REQUIRED ALGORITHM AES)
GO

But this is only part of the story. To find the actual certificate, I had to do the following:

1. Still in SQL Server Management Studio, I expanded Security\Logins. Note that this is not the Security folder within the database. Here, we are looking for the server-level Security folder that is a peer of the Databases container.

2. Within Logins, I could see the ConfigMgrEndpointLogin account with the same hexadecimal suffix as was listed in the error message above.

I had found where the certificate was located. Now how to get it out of there?

Removing the Certificate

Deleting the certificate so I could run the correct stored procedure ended up being as simple as right-clicking the ConfigMgrEndpointLogin account and selecting ‘Delete’. Doing this removed the Login and I was able to run the stored procedure with the correct entries (in my case, <named instance>\<database name>) and the certificate imported without difficulty.
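The same lookup and cleanup can be done in T-SQL instead of clicking through Object Explorer. The script below is an added example and is not part of the original post or of Configuration Manager itself. It assumes, following the description above, that the imported certificate lives in master (a certificate that a server login is created FROM must be in master) and that the login is named ConfigMgrEndpointLogin followed by the same hex suffix as the certificate; the suffix used here is the one from the error message in this post, so substitute your own.

```sql
-- Added example (not from the original post): locate the imported
-- ConfigMgrEndPoint certificate and the login mapped to it on the primary
-- site database server, then drop the login (the T-SQL equivalent of
-- right-click > Delete in SSMS) and re-check.
-- Assumption: the suffix matches the one in your Msg 15232 error text.
USE [master];
GO

DECLARE @suffix sysname = N'0x8eae7c6bf36b15ed2ea186928fcf6c4e';

-- 1. The certificate is a SQL Server object in master, not an entry in the
--    Windows certificate store, which is why the Certificates MMC never shows it.
SELECT c.name, c.certificate_id, c.subject, c.expiry_date
FROM sys.certificates AS c
WHERE c.name LIKE N'ConfigMgrEnd%Cert%';

-- 2. The login under Security\Logins was created FROM that certificate
--    (type 'C' = certificate-mapped login). sys.certificates.sid holds the
--    SID of the mapped login, which ties the two rows together.
SELECT p.name AS login_name, p.type_desc, c.name AS certificate_name
FROM sys.server_principals AS p
LEFT JOIN sys.certificates AS c ON c.sid = p.sid
WHERE p.type = 'C'
  AND p.name LIKE N'ConfigMgrEndpointLogin%';

-- 3. Drop the login, as the post does through the SSMS Delete dialog.
--    Assumption: login name pattern is ConfigMgrEndpointLogin<suffix>.
DECLARE @login sysname = N'ConfigMgrEndpointLogin' + @suffix;
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @login AND type = 'C')
BEGIN
    DECLARE @sql nvarchar(max) = N'DROP LOGIN ' + QUOTENAME(@login) + N';';
    EXEC sys.sp_executesql @sql;
    PRINT N'Dropped login ' + @login;
END
ELSE
    PRINT N'Login ' + @login + N' not found; nothing dropped.';

-- 4. Re-check before re-running sp_BgbConfigSSBForRemoteService. DROP LOGIN
--    does not by itself drop a certificate in SQL Server, so a row returned
--    here is the object that CREATE CERTIFICATE (Msg 15232) is tripping over.
SELECT c.name, c.expiry_date
FROM sys.certificates AS c
WHERE c.name = N'ConfigMgrEndPointCert' + @suffix;
```

In the case described in this post, deleting the login was enough for the stored procedure to import the certificate again. Whether the stored procedure removes a leftover certificate on its own is not something this post establishes, so if step 4 still returns a row after the login is gone, that suffixed certificate (not the local [ConfigMgrEndpointCert] the endpoint authenticates with) is the object to look at before retrying, and a backup of master should be taken before removing anything at that level.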

If you need to rebuild the ConfigMgrEndPoint altogether

Hopefully this will never be necessary, but in order to be thorough I am outlining the process of deleting and re-importing the ConfigMgrEndpoint certificate as a part of recreating the ConfigMgrEndpoint object itself.

Before making any significant change to a SQL database I always create a backup, and that applies here as well. In this case, it also turned out that when I navigated to Server Objects\Endpoints\Service Broker\ConfigMgrEndpoint and selected ‘Script Endpoint as > CREATE To > New Query Editor Window’, I was exposing the SQL code necessary to recreate the ConfigMgrEndpoint node if needed.

With this in mind, it was straightforward to take the following steps:

1. I made sure the CREATE statement for ConfigMgrEndpoint was available in one of the Query windows. If the CREATE statement is not available, right-click the node again and select ‘Script Endpoint as > CREATE To > New Query Editor Window’.

2. Next, I right-clicked the ConfigMgrEndpoint node and selected ‘Delete’. This brought up the Delete Object wizard. I selected ‘OK’ to confirm the node’s deletion.

3. At this point I went into Security\Logins and deleted the ConfigMgrEndpointLogin login by right-clicking and selecting ‘Delete’. I again got the Delete Object wizard and selected ‘OK’.

NOTE At this point there is no ConfigMgrEndpoint node under Service Broker, so running the stored procedure to import the certificate from the database replica will fail.

4. I recreated the ConfigMgrEndpoint object by running the CREATE statement exposed in the query window. In my environment, this is the code (repeated here for convenience):

USE [master]
GO

/****** Object:  Endpoint [ConfigMgrEndpoint]    Script Date: 9/23/2014 9:27:40 AM ******/
CREATE ENDPOINT [ConfigMgrEndpoint]
       STATE=STARTED
       AS TCP (LISTENER_PORT = 4022, LISTENER_IP = ALL)
       FOR SERVICE_BROKER (MESSAGE_FORWARDING = ENABLED
       , MESSAGE_FORWARD_SIZE = 5
       , AUTHENTICATION = CERTIFICATE [ConfigMgrEndpointCert]
       , ENCRYPTION = REQUIRED ALGORITHM AES)
GO

Once I verified that the ConfigMgrEndpoint node was successfully recreated, I re-ran the stored procedure with the named instance specified as shown below.

EXEC sp_BgbConfigSSBForRemoteService 'REPLICA', '4022', 'C:\Test\Cert.cer', 'S12-MP1.W2K12-LAB.LOCAL', 'TestInstance\CM_MP1'

After taking each of these steps, the certificate imported again successfully.
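Step "verified that the ConfigMgrEndpoint node was successfully recreated" is worth doing with a query rather than by eye, because the stored procedure will fail (see the NOTE above) if the endpoint is missing, and a silently different endpoint (stopped, wrong port, wrong certificate) is worse. The script below is an added example, not code from the original post or from Configuration Manager. It checks the recreated endpoint against the scripted definition shown above (STARTED, TCP 4022, certificate authentication with [ConfigMgrEndpointCert], AES encryption) using the catalog views in master, and raises an error if anything differs. The closing stored procedure call is the same one used in this post and is left as a comment because it is run in the site database, not in master.

```sql
-- Added example (not from the original post): verify the rebuilt
-- ConfigMgrEndpoint before re-running sp_BgbConfigSSBForRemoteService.
-- Expected values are taken from the CREATE ENDPOINT script in this post;
-- adjust the port or certificate name if your environment differs.
USE [master];
GO

-- Show the endpoint as SQL Server sees it: state, listener port,
-- authentication mode, the certificate it authenticates with, and
-- the encryption and forwarding settings.
SELECT e.name,
       e.state_desc,
       t.port,
       e.connection_auth_desc,
       c.name        AS auth_certificate,
       c.expiry_date AS auth_certificate_expires,
       e.encryption_algorithm_desc,
       e.is_message_forwarding_enabled,
       e.message_forwarding_size
FROM sys.service_broker_endpoints AS e
JOIN sys.tcp_endpoints       AS t ON t.endpoint_id = e.endpoint_id
LEFT JOIN sys.certificates   AS c ON c.certificate_id = e.certificate_id
WHERE e.name = N'ConfigMgrEndpoint';

-- Fail loudly if the endpoint is absent or does not match the scripted
-- definition, so the certificate import is not attempted against a
-- half-rebuilt endpoint.
IF NOT EXISTS (
    SELECT 1
    FROM sys.service_broker_endpoints AS e
    JOIN sys.tcp_endpoints AS t ON t.endpoint_id = e.endpoint_id
    JOIN sys.certificates  AS c ON c.certificate_id = e.certificate_id
    WHERE e.name = N'ConfigMgrEndpoint'
      AND e.state_desc = N'STARTED'
      AND t.port = 4022
      AND e.connection_auth_desc LIKE N'%CERTIFICATE%'
      AND c.name = N'ConfigMgrEndpointCert'
      AND e.encryption_algorithm_desc LIKE N'%AES%'
)
    RAISERROR(N'ConfigMgrEndpoint is missing or does not match the scripted definition.', 16, 1);
ELSE
    PRINT N'ConfigMgrEndpoint verified; safe to re-run the certificate import.';

-- Next, in the site database (not master), re-run the import exactly as in
-- this post, with the named-instance form of the last parameter:
-- EXEC sp_BgbConfigSSBForRemoteService 'REPLICA', '4022', 'C:\Test\Cert.cer', 'S12-MP1.W2K12-LAB.LOCAL', 'TestInstance\CM_MP1'
```

The expiry date column is there deliberately: an endpoint whose authentication certificate has expired will script out and recreate without complaint but will not accept connections, and that failure looks very different from the duplicate-certificate error this post is about.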

Summary

While this issue is hopefully not something that is encountered frequently (or at all), it’s nice to know how to deal with it if it comes up. Hopefully this short guide provides that information.

Special thanks to Clint Koenig for all his fantastic help working this issue. Thanks Clint!

Scott Rachui | Senior Support Escalation Engineer | Microsoft GBS Management and Security Division
