Unable to create bitlocker portals with SCCM provided script.

Question

Unable to create bitlocker portals with SCCM provided script.

AlexS 1

I am running the script (Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\BIN\X6\MBAMWebSiteInstaller.ps1) that is provided by Microsoft and it is generating the following error:

Set-MachineUserOnSql : Unable to set permissions for machine on SQL server: Exception calling "Open" with "0" argument(s): "A connection was successfully established with the server, but then an error occurred during the login 
process. (provider: SSL Provider, error: 0 - The target principal name is incorrect.)"
At D:\Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\BIN\X64\MBAMWebSiteInstaller.ps1:1371 char:16
+     $success = Set-MachineUserOnSql
+                ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-MachineUserOnSql
 
Install-MBAMWebSites : Failure setting machine account privileges on SQL
At D:\Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\BIN\X64\MBAMWebSiteInstaller.ps1:1520 char:5
+     Install-MBAMWebSites -SqlServerName $SqlServerName -SqlInstanceNa ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Install-MBAMWebSites

The SPN exists as follows (replace the obvious with my site specific info):

CN=HOSTNAME,OU=Final,DC=fully,DC=qualified,DC=com
        MSOLAPSvc.3/HOSTNAME.FQDN:TEST_SCCM
        MSOLAPSvc.3/HOSTNAME:TEST_SCCM
        MSSQLSvc/HOSTNAME.FQDN
        CmRcService/HOSTNAME
        CmRcService/HOSTNAME.FQDN
        WSMAN/HOSTNAME
        WSMAN/HOSTNAME.FQDN
        TERMSRV/HOSTNAME
        TERMSRV/HOSTNAME.FQDN
        RestrictedKrbHost/HOSTNAME
        HOST/HOSTNAME
        RestrictedKrbHost/HOSTNAME.FQDN
        HOST/HOSTNAME.FQDN

The account running the script has sysadmin rights on the database.

3 answers

Your answer

Answer 1

CherryZhang-MSFT 6,506

Hi @Salisbury, Alex,

1, What is the command line when you run the script MBAMWebSiteInstaller.ps1? Please upload it for our reference.

2, Do you use the parameters -DomainName? If so, this similar threader maybe can help you.

The link: https://www.reddit.com/r/SCCM/comments/og8no9/troubles_installing_mbam_sites/

Note: Microsoft provides third-party contact information to help you understand the problem. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Looking forward to your reply.

Best regards,
Cherry

AlexS 1 Reputation point

2023-02-22T17:11:06.3333333+00:00

I have seen that post, and I tried with both fqdn and -domain option.

.\MBAMWebSiteInstaller.ps1 -SqlServerName sqlserver.fqdm.tld -SqlInstanceName TEST_SCCM -SqlDatabaseName CM_DB -ReportWebServiceUrl "https://ssrs.reporting.server/ReportServer" -HelpdeskUsersGroupName "dom\username" -HelpdeskAdminsGroupName "dom\username" -MbamReportUsersGroupName "dom\username" -SiteInstal Both

and I tried the same command with no fqdn on the sqlservername, but with -domain.

and I tried with fqdn on the sqlservername with -domain.

Answer 2

AlexS 1

I wonder if the issue with the script is that my hostname is not a top level domain? When I run the function for dnsDomain it comes back to something.something.com.

CherryZhang-MSFT 6,506 Reputation points

2023-02-24T02:17:47.84+00:00

Hi @Salisbury, Alex,

1, I can run the script use following command. I am using a domain admin to run the script. Besides, I find a similar threader, we can also try to run the script use the SA account.

.\MBAMWebSiteInstaller.ps1 -SqlServerName CheSQL.CHE.COM -SqlInstanceName MSSQLSERVER -SqlDatabaseName CM_CHE -ReportWebServiceUrl "http://CHESQL:80/ReportServer" -HelpdeskUsersGroupName "Che\administrator" -HelpdeskAdminsGroupName "Che\administrator" -MbamReportUsersGroupName "Che\administrator" -SiteInstal Both

2, What is the SCCM version are you using? Are you running this command on primary site? Besides, for parameters, something we need to confirm:

-SqlServerName: Primary site database server

-SqlInstanceName: SQL Server instance name for the primary site database

-SqlDatabaseName: Primary site database

-ReportWebServiceUrl: Web service URL of the primary site's reporting service point

Looking forward to your reply.

Best regards,
Cherry
AlexS 1 Reputation point

2023-02-27T17:26:06.0066667+00:00

SCCM 2211, yes I am putting all the correct names in the fields.
CherryZhang-MSFT 6,506 Reputation points

2023-02-28T08:45:50.11+00:00

Hi @Salisbury, Alex,

1, You can install the portals on an existing site server or site system server with IIS installed or use a standalone web server to host them. Which server are you running the script? Are SCCM server in the same domain or subdomain as SQL server?

2, Please help make sure that your environment meets the prerequisites from the link:

Plan for BitLocker management - Configuration Manager | Microsoft Learn

I will be back if I have any update.

Thanks for your time.

Best regards,
Cherry

Answer 3

Tor 0

I've stuck with the same issue. did you find a soloution for this?

Share via

Unable to create bitlocker portals with SCCM provided script.

3 answers

Your answer