Quick note on an issue you might encounter after installing Microsoft Security Update 3004375

FIXWe’ve seen an issue relating to 3004375 that occurs due to a regression, and while it’s already been fixed (by installing 3023562), we wanted to take a minute and let you know about some of the details in case you happen to see it.

This issue manifests itself in a number of SDK clients (e.g. Exchange Correlation Engine, Console, Reporting Installation, Management Server Installation, etc.). In each of these clients the behavior may vary. For example, Exchange Correlation Engine might fail with error 714 in the Application Event Log, Reporting and Management Server installation might fail after hitting an exception from the SDK layer, the admin console might report a crash after encountering an exception from the SDK layer, etc.

With Operations Manager, the environment seems stable. Management Servers successfully read and write from the DB, send configuration to the agents, process Run As Accounts, run workflows, etc. However, the SDK layer, whenever approached by the SDK clients in a certain way, can generate an exception that causes failures. When this happens you will see an error message and stack trace similar to the following:

Error: An error has been detected by Operations Manager Root Management Server '<ms-server>'.  Error message: Microsoft.EnterpriseManagement.Common.UnknownServiceException: The service threw an unknown exception. See inner exception for details. —> System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: The type initializer for 'Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccess' threw an exception. (Fault Detail is equal to An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is:
System.TypeInitializationException: The type initializer for 'Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccess' threw an exception. —-> System.Exception: Exception decrypting. The specified file could not be decrypted
   at Microsoft.EnterpriseManagement.Security.DPAPIWrapper.Decrypt(Byte[] cipherText)
   at Microsoft.EnterpriseManagement.Security.AsymmetricKeyManager.Initialize(Byte[] publicKey)
   at Microsoft.EnterpriseManagement.Security.SecureStorageManager.Initialize()
   at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccess.get_secureStorageDatabaseManager()
   at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccess..cctor()
   — End of inner ExceptionDetail stack trace —
   at Microsoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccess..ctor()
   at CreateMicrosoft.EnterpriseManagement.Mom.ServiceDataLayer.SdkDataAccessBackCompatProxy()
   at Syst…).
   — End of inner exception stack trace —
   at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.HandleIndigoExceptions(Exception ex)
   at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateChannel(TieredManagementGroupConnectionSettings managementGroupTier)
   at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer..ctor(DuplexChannelFactory`1 channelFactory, TieredManagementGroupConnectionSettings managementGroupTier, IClientDataAccess callback, CacheMode cacheMode)
   at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateEndpoint(ManagementGroupConnectionSettings connectionSettings, IClientDataAccess clientCallback)
   at Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.Connect(ManagementGroupConnectionSettings connectionSettings)
   at Microsoft.EnterpriseManagement.ManagementGroup..ctor(ManagementGroupConnectionSettings connectionSettings)
   at Microsoft.EnterpriseManagement.ManagementGroup.Connect(ManagementGroupConnectionSettings connectionSettings)
   at Microsoft.Exchange.Monitoring.CorrelationEngine.MomSdkProxy..ctor(String momServer, String domain, String user, SecureString password, String mpId, String extensionMPId)

In some cases such as console view load failures, you might just see the following information:

System.Exception: Exception decrypting. The specified file could not be decrypted
   at Microsoft.EnterpriseManagement.Security.DPAPIWrapper.Decrypt(Byte[] cipherText)
   at Microsoft.EnterpriseManagement.Security.AsymmetricKeyManager.Initialize(Byte[] publicKey)

For products other than System Center 2012 Operations Manager, such as Windows, you might find the following exception on debugging:

Error Code c00000a5 (ERROR_BAD_IMPERSONATION_LEVEL)

As mentioned earlier, this issue occurs due to a regression in cng.sys in 3004375. If you have this hotfix installed on the OpsMgr Management Server then it is likely that you are affected by this issue.

The corrected code has been shipped in the hotfix released in 3023562. After applying this fix the issue is resolved, just keep in mind that the SDK service might require a restart.

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Surface Team blog: http://blogs.technet.com/b/surface/
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

System Center 2012 Operations Manager System Center 2012 R2 Operations Manager OpsMgr 2012 R2