Create ConfigMgr SQL Server Identification Certificate
In this article, I will show you how to create ConfigMgr SQL Server identification certificate, which is useful when you cannot connect to the report server database.
Few days back, I was working on implementing PKI for SCCM, and I encountered an issue related to SQL server certificate in the production environment. While cleaning up the unwanted certificates from the SCCM server, one of my associate accidentally deleted the SQL server identification certificate.
After a few minutes, I noticed that the admins weren’t able to use the Configuration Manager console. The admins encountered the error where the ConfigMgr console was unable to connect to the site database.
The SQL Server, SQL Server reporting services and SQL server agent services stopped automatically. After checking the event viewer logs I checked the certificate store on the machine and noticed that the SQL Server identification certificate was missing.
In this article, I will show you how to create ConfigMgr SQL server identification certificate. I have simulated the same issue in my lab setup, and I am going to show you how to fix resolve it.
SQL Server Identification Certificate Errors
Whenever the SQL Server Identification Certificate is deleted from the SCCM server, you will encounter several errors. Upon checking the event viewer logs, I found Report Server (MSSQLSERVER) cannot connect to the report server database.
Also Read: Fix The report server has encountered a configuration error
spid10s Unable to load user-specified certificate [Cert Hash(sha1) "BCDDA9DF02E4091B6865B15394DF5FA0F1D9ABF3"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for Use by SSL" in Books Online.
spid10s Error: 17182, Severity: 16, State: 1.
spid10s TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
spid10s Error: 17182, Severity: 16, State: 1.
spid10s TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
spid10s Error: 17826, Severity: 18, State: 3.
spid10s Could not start the network library because of an internal error in the network library. To determine the cause, review the errors immediately preceding this one in the error log.
spid10s Error: 17120, Severity: 16, State: 1.
spid10s SQL Server could not spawn FRunCommunicationsManager thread. Check the SQL Server error log and the Windows event logs for information about possible related problems.
What gave me a hint of the missing certificate was this error line: “The server will not accept a connection. You should verify that the certificate is correctly installed“.
When I attempted to start the SQL server service and SQL server agent service, I got the below error. Windows could not start the SQL Server (MSSQLSERVER) on the local computer. For more information, review the system event log.
The only way to resolve the above errors is to create the SQL Server Identification Certificate.
Also Read: Fix SCCM SQL Server Report Builder Access Error
Create ConfigMgr SQL Server Identification Certificate
Use the following steps to create ConfigMgr SQL server identification certificate:
- Launch the IIS management console.
- Select the server and under the IIS section, click on Server Certificates.
Right click on the right pane and click Create Self-Signed Certificate.
Provide a friendly name to this cert. Choose the certificate to be stored in Personal store. Click OK.
You can now see that the new SQL Server identification certificate has been created.
Recommended: Install Report Builder for SCCM | Edit SSRS Reports
Assign the SQL Server Identification Certificate
Launch the SQL Server Configuration Manager, expand SQL Server Network Configuration, right-click Protocols for MSSQLSERVER and click Properties.
Select the Certificate tab and use the dropdown to select the new SQL self-signed certificate you created. You can double-check this by making sure the Issued By field matches the server name. Click OK.
After you have assigned the SQL Server identification certificate, right-click on the SQL Server services and start them. Ensure the state of each service shows Running.
This completes the steps to create the SQL Server identification certificate for SCCM. If you have any questions, kindly let me know in the comments section.
Is this certificate necessary to be created for SQL server local to the primary server before implementing PKI?
Thank you for!!! Its worked
Do I need to install IIS on the SQL server if the SCCM DB is located on a separate, dedicated SQL instance ?
THANK YOU!!! I deleted an expired certificate and caused this issue.
Hello Prajwal,
I migrated the SCCM SQL DB to another server and when i do site maintenance i get below errors. Can i perform the above steps mentioned by you?
I have standalone primary server and IIS 6.1 and server 2008 R2.
Destination SQL is 2012
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.
*** Failed to connect to the SQL Server, connection type: SMS ACCESS.
> INFO: SQL Connection failed. Connection: SMS ACCESS, Type: Secure
> ERROR: SQL Connection failed. Connection: SMS ACCESS, Type: Secure
> ERROR: Failed to get SQL Server connection.
Regards,
Santhosh B S
Hello Prajwal,
we migrated the SCCM SQL DB to another server and when i tried to do a site maintenance i got error as below
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.
*** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection
*** Failed to connect to the SQL Server, connection type: SMS ACCESS.
> INFO: SQL Connection failed. Connection: SMS ACCESS, Type: Secure
> ERROR: SQL Connection failed. Connection: SMS ACCESS, Type: Secure
> ERROR: Failed to get SQL Server connection.
Can i perform the above steps mentioned by you?
Regards,
Santhosh B S