ConfigMgr 2012: DRS and SQL service broker certificate issues

First published on TECHNET on Dec 12, 2013
https://blogs.technet.microsoft.com/umairkhan/2013/12/12/configmgr-2012-drs-and-sql-service-broker-c...

 

Hi Folks,

Today's post is about a much-discussed feature of ConfigMgr 2012: the Data Replication Service (DRS). The replication mechanism internally uses SQL Service Broker (SSB), and I am discussing three common SSB issues that can stop replication.

 

Issue 1: In the SQL error log we see the following:

'Connection handshake failed. Error 15581 occurred while initializing the private key corresponding to the certificate. The SQL Server errorlog and the Windows event log may contain entries related to this error. State 88.'

 

In the sys.transmission_queue we see this in the transmission_status column:

Service Broker login attempt failed with error: 'Connection handshake failed. An error occurred while receiving data: '10054(An existing connection was forcibly closed by the remote host.)'


Approach 1:

The history was that SQL Server was installed to run under the system account and was later changed to a domain user account.

The problem with doing this is that when Configuration Manager is installed, it creates some internal certificates that depend on the master key. When the account used to run the database server changes, the new account is no longer able to 'unlock' the master key and consequently cannot read the internal certificates, which then causes communication between sites to fail.

To address this, we dropped and regenerated the master key in the SQL database. This effort was hampered because the user account running the SQL service appeared not to have sufficient rights to generate a new master key. To work around this, we temporarily put the user account into the local Administrators group, after which a new master key could be generated. We then regenerated the primary site server's certificate using the spCreateandBackupSQLCert stored procedure in the ConfigMgr database. Having successfully regenerated the SSB certificates, we copied them to the CAS (parent) and secondary (child) sites, and the SQL error logs no longer showed SQL Service Broker login failures.

Following this we left the sites to recover, but overnight it appeared that some init messages from the primary had been lost in transit, possibly cleared from the queue as part of the spCreateandBackupSQLCert stored procedure. We set the current rows with status < 3 in RCM_DRSInitializationTracking to status = 7 to kick off the replication initialization process. This executed very quickly, and replication appeared to be working as expected.

Approach 2:

To resolve this issue, grant the account that the SQL service runs under Full Control permissions on the ProgramData\Microsoft\Crypto\RSA\MachineKeys directory.
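
The checks below are an added example, not part of the original post: read-only T-SQL to confirm the Issue 1 condition before changing keys or permissions. It assumes the endpoint certificate is named ConfigMgrEndpointCert in master (as in the export query later in this post) and uses CM_PRI as a placeholder for the site database name.

```sql
-- Added example: read-only diagnostics for the 15581 / State 88 handshake failure.
USE master;
GO

-- 1. Account the Database Engine service currently runs under.
--    A switch from the system account to a domain account is the
--    history described in Approach 1.
SELECT servicename, service_account, last_startup_time
FROM sys.dm_server_services;

-- 2. How the endpoint certificate's private key is protected.
--    ENCRYPTED_BY_MASTER_KEY means the private key can only be read
--    once the database master key in master has been opened.
SELECT name, pvt_key_encryption_type_desc, start_date, expiry_date
FROM sys.certificates
WHERE name = 'ConfigMgrEndpointCert';

-- 3. How the database master key itself is protected (one row per
--    protection). If only a password protection is listed, the service
--    cannot open the key automatically and the handshake cannot load
--    the certificate's private key.
SELECT sk.name, sk.create_date, sk.modify_date, ke.crypt_type_desc
FROM sys.symmetric_keys AS sk
JOIN sys.key_encryptions AS ke
  ON ke.key_id = sk.symmetric_key_id
WHERE sk.name = '##MS_DatabaseMasterKey##';
GO

-- 4. Messages held in the site database, grouped by the error text
--    that Service Broker recorded for them.
USE CM_PRI;   -- placeholder: use your own site database name
GO
SELECT to_service_name,
       transmission_status,
       COUNT(*)          AS queued_messages,
       MIN(enqueue_time) AS oldest_enqueued
FROM sys.transmission_queue
GROUP BY to_service_name, transmission_status
ORDER BY queued_messages DESC;
```

Running the same queries again after the fix should show the queue draining and no new handshake errors in the SQL error log.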

 

Issue 2:

Service Broker login attempt failed with error: 'Connection handshake failed. The login 'ConfigMgrEndpointLoginCAS' does not have CONNECT permission on the endpoint. State 84.

In many cases the endpoint itself is missing. We can create it and then give the login the CONNECT permission on it:

 

-- Replace [domain\account] with the account that should own the endpoint.
CREATE ENDPOINT [ConfigMgrEndpoint]
    AUTHORIZATION [domain\account]
    STATE = STARTED
    AS TCP (LISTENER_PORT = 4022, LISTENER_IP = ALL)
    FOR SERVICE_BROKER (
        MESSAGE_FORWARDING = ENABLED,
        MESSAGE_FORWARD_SIZE = 5,
        -- Peers authenticate with certificates; traffic must be AES-encrypted.
        AUTHENTICATION = CERTIFICATE [ConfigMgrEndpointCert],
        ENCRYPTION = REQUIRED ALGORITHM AES)
GO

 

Under SQL > Security > Logins, we checked ConfigMgrEndpointLoginCAS > Properties > Securables. There was no Connect permission for the login, so we granted Connect.
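
The same grant can be made and verified in T-SQL. This is an added example, not part of the original post; it uses only the endpoint and login names quoted above and grants CONNECT alone rather than a broader endpoint permission.

```sql
-- Added example: grant and verify CONNECT on the Service Broker endpoint.
USE master;
GO

-- Confirm the endpoint exists, is started, and still requires
-- certificate authentication and encryption.
SELECT e.name, e.state_desc, t.port,
       e.connection_auth_desc, e.encryption_algorithm_desc,
       e.is_message_forwarding_enabled
FROM sys.service_broker_endpoints AS e
JOIN sys.tcp_endpoints AS t
  ON t.endpoint_id = e.endpoint_id
WHERE e.name = 'ConfigMgrEndpoint';

-- Grant only what the State 84 error says is missing.
GRANT CONNECT ON ENDPOINT::[ConfigMgrEndpoint] TO [ConfigMgrEndpointLoginCAS];
GO

-- List every ConfigMgr endpoint login with its CONNECT grant.
-- A NULL permission_name marks a login that would fail with State 84.
SELECT sp.name AS login_name,
       sp.is_disabled,
       e.name  AS endpoint_name,
       p.permission_name,
       p.state_desc
FROM sys.server_principals AS sp
LEFT JOIN sys.server_permissions AS p
       ON p.grantee_principal_id = sp.principal_id
      AND p.class_desc = 'ENDPOINT'
      AND p.permission_name = 'CONNECT'
LEFT JOIN sys.endpoints AS e
       ON e.endpoint_id = p.major_id
WHERE sp.name LIKE 'ConfigMgrEndpointLogin%'
ORDER BY sp.name;
```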

 

Issue 3:

 

Service Broker login attempt failed with error: 'Connection handshake failed. The certificate used by the peer is invalid due to the following reason: Certificate not found. State 89.'.  [CLIENT: 10.172.20.133]

 

This happens when the public key certificate for the other site's ConfigMgr SSB endpoint login somehow goes missing.

 

Suppose the hierarchy is as follows:

 

PRI

|

SEC

 

When I run the SpDiagDRS on the PRI site, I see that it cannot find the cert for the SEC site.

 

Then I export the cert from SEC by using the query:

USE master
BACKUP CERTIFICATE ConfigMgrEndpointCert TO FILE = 'C:\SEC.CER'

 

 

Then copy the SEC.CER file to the primary site as C:\SEC.cer.

After this we can connect to the primary site DB and run the following query.

 
USE CM_PRI
EXEC dbo.spCreateSSBLogin @EndPointLogin = 'ConfigMgrEndpointLoginSEC',
    @DestSiteCode = 'SEC', @DestSiteCertFile = 'C:\SEC.cer',
    @EndpointName = 'ConfigMgrEndpoint'
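
To confirm the import worked, compare certificate thumbprints on both servers. This is an added example, not part of the original post; it relies on SQL Server looking up a peer's endpoint certificate in master, owned by a user mapped to the peer's login, and assumes the ConfigMgrEndpointLogin naming pattern shown above.

```sql
-- Added example: verify that PRI holds the certificate SEC presents.

-- Step 1, on the SEC SQL Server: the site's own endpoint certificate.
USE master;
GO
SELECT name, thumbprint, start_date, expiry_date
FROM sys.certificates
WHERE name = 'ConfigMgrEndpointCert';
GO

-- Step 2, on the PRI SQL Server: each peer login, the master-database
-- user mapped to it, and the certificate that user owns.
-- A NULL cert_name reproduces the "Certificate not found. State 89"
-- condition; a thumbprint that differs from step 1 means a stale
-- certificate was imported.
USE master;
GO
SELECT sp.name AS peer_login,
       dp.name AS cert_owner,
       c.name  AS cert_name,
       c.thumbprint,
       c.expiry_date,
       c.pvt_key_encryption_type_desc   -- expect NO_PRIVATE_KEY for peers
FROM sys.server_principals AS sp
LEFT JOIN sys.database_principals AS dp
       ON dp.sid = sp.sid
LEFT JOIN sys.certificates AS c
       ON c.principal_id = dp.principal_id
WHERE sp.name LIKE 'ConfigMgrEndpointLogin%'
ORDER BY sp.name;
```

Because the export query above has no WITH PRIVATE KEY clause, SEC.CER contains only the public certificate, so the peer rows on PRI should never show a private key.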

 

Hope it helps!

Umair Khan

Support Escalation Engineer | ConfigMgr Microsoft