ConfigMgr 1511 – Service connection point issues

Hi reader,

I was running ConfigMgr 1511, upgraded from a System Center 2012 Configuration Manager R2 SP1 infrastructure, with a configured Intune Subscription without a problem for more than a month. But because of the Azure Tenant name I selected more than two years ago, I wanted to change the Tenant name from uncoolname.onmicrosoft.com to hosebei.onmicrosoft.com, because, as you might already guess: the SharePoint URL.
Exchange Hybrid and all other services were not easy, but worked the way I planned. Unfortunately, the Service Connector did not work after this change, even after changing the Intune Subscription to my new Tenant.

I encountered the following errors in the ConfigMgr log files. The DMPDownloader.log stated:
Certmgr has not installed certificate yet, sleep for 1 minutes.
and later on:
WARNING: Cannot find a suitable certificate. Included extensions: 1.2.840.113556.5.11,1.2.840.113556.5.4,1.2.840.113556.5.6. Excluded extensions: . AgentTypeId:

The DMPUploader.log contained the same message about the missing certificate, plus the following message:
ERROR: ERROR: Exception occured while calling REST UserAuth Location service The Dmp Connector failed to read the connector certificate.

And within the DMPDownloader.log there were much the same errors. Don’t be misled by the failure within the ConnectorSetup.log:
CTool::RegisterManagedBinary: Failed to register D:\Program Files\Microsoft Configuration Manager\bin\x64\IntuneContentManager\Microsoft.ConfigurationManager.IntuneContentManager.dll with .Net Fx 2.0

As outlined in this TechNet Forums post (Link), the registration of the DLL will succeed with another .NET version, which is also visible in the log file two lines below the error.
I removed the Intune Subscription again (I can remove the Subscription without an issue because of the change of the Azure Tenant, but if you are in production, removing the Intune Subscription will force you to re-enroll your devices, see the comment from Matt), and also the Service connection point role, and re-added them without success. As outlined in this TechNet article, at the bottom of the page, there is this important notice for remote server usage:

When the role installs on a computer that is remote from the site server:
You must configure the site system server that hosts the role with a Site System Installation Account
The Site System Installation Account is used by the distribution manager on the site server to transfer updates from the service connection point.

But even installing the role on the site server itself was not successful, or to put it correctly, the Service connection point was not able to do its work. I uninstalled the Service connection point again and rebooted my primary site server. After adding the role again, it was able to create or receive (?) a new connector certificate, which is also written to the log file (dmpdownloader.log):
Found connector certificate with subject 'CN=
You can find the certificate within the normal Machine Store of the server that hosts the Service connection point role:
Service Connection point Certificate

The synchronization afterwards was working like before.
Hope this helps.
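To check whether a connector certificate is present before and after reinstalling the role, the following added example (not part of the original post) searches every Local Machine certificate store for certificates carrying the OIDs named in the DMPDownloader.log warning. It assumes the OIDs appear either as certificate extensions or as enhanced key usage values, and it reports certificates that match at least one of them; the function name is hypothetical.

```powershell
# Added example. OIDs copied from the DMPDownloader.log warning quoted in the post.
$requiredOids = '1.2.840.113556.5.11', '1.2.840.113556.5.4', '1.2.840.113556.5.6'

# Hypothetical helper: collect extension OIDs and EKU OIDs of one certificate.
# Assumption: the log's "Included extensions" may be carried in either place.
function Get-CertOidList {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        $ext.Oid.Value
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) { $eku.Value }
        }
    }
}

$now = Get-Date
$candidates = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    ForEach-Object {
        $cert    = $_
        $present = @(Get-CertOidList -Cert $cert)
        $matched = @($requiredOids | Where-Object { $present -contains $_ })
        $missing = @($requiredOids | Where-Object { $present -notcontains $_ })
        if ($matched.Count -gt 0) {
            [pscustomobject]@{
                Store         = ($cert.PSParentPath -split '\\')[-1]
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                Expired       = $cert.NotAfter -lt $now
                HasPrivateKey = $cert.HasPrivateKey
                MissingOids   = $missing -join ','
            }
        }
    }

if ($candidates) {
    $candidates | Sort-Object NotAfter -Descending | Format-List
} else {
    # Consistent with "Cannot find a suitable certificate" in DMPDownloader.log
    Write-Warning 'No certificate with any of the connector OIDs found in Cert:\LocalMachine.'
}
```

Run it in an elevated Windows PowerShell session on the server that hosts the Service connection point role; an empty result, an expired certificate, or one without a private key lines up with the log messages above.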

8 thoughts on “ConfigMgr 1511 – Service connection point issues”

  1. Hey buddy, I’m missing the SC_Online_Issuning certificate. I’m guessing this is causing my issues with the error: The remote server returned an error: (401) Unauthorized.

  2. Hello.

    Removing the Intune Subscription from Configuration Manager may cause the need to un-enrol and re-enrol all of your devices. That’s bad.

    If you're having certificate-related issues with the Intune integration, we suggest you raise a support ticket.

    All Intune related support cases are FREE, so it’s best to just raise a case rather than risking it.

    Matt
    @ConfigMgrDogs
    blogs.technet.microsoft.com/ConfigMgrDogs

    • Hi Matt,
      thank you for your feedback. This is actually true, I did have good experiences using the Intune Support within the Office365 Portal.
      But as you might have overlooked, I’m talking in this blog post about a Tenant change, which anyway means I have to re-enroll my devices. But I update the blog post, to clarify that deleting the Intune Subscription is not that good an idea…

      Martin
