How to Find and Fix SCCM Site Installation Error: TLS SCHANNEL Protocols Blocked


Recently we ran into an issue that was a complete roadblock when installing a new SCCM site for a customer. Since I was unable to find this issue covered in any other forum or blog, I wanted to share it along with its solution.

Environment

The customer’s environment is sized such that a single primary site server with SQL 2016 and all roles collocated on a single server will more than suffice. The primary site server is Server 2016. The install will be started using build 1702, but this issue will also apply to 1511, 1608, etc.

Process

We began by extending the schema, installing all prerequisites, creating service accounts/groups, and applying permissions as appropriate. After that, we installed SQL 2016 standard and pre-staged the SQL database for our SCCM site so that it’s sized for the environment. The SPNs were also configured to use our SQL service account. Up to this point everything is operating and installing as expected.

The Errors

At a command prompt, we ran the Prerequisite Checker (prereqchk.exe /LOCAL) to run the full gamut of checks on the server.

Here are the snippets of the errors in the ConfigMgrPrereq.log file.

> INFO: Check required collation of Sql Server.
> INFO: LangID <409>
> ERROR: Failed to get SQL Server connection for SCCM.MyDomain.local (master)
> ERROR: Failed to connected to SQL Server, cannot verify required collation
> SCCM.MyDomain.local; Required SQL Server Collation; Error; Configuration Manager requires that you configure your SQL Server instance and Configuration Manager site database (if already present) to use the SQL_Latin1_General_CP1_CI_AS collation, unless you are using a Chinese operating system and require GB18030 support. For information about changing your SQL Server instance and database collations, see http://go.microsoft.com/fwlink/p/?LinkID=234541. For information about enabling GB18030 support, see http://go.microsoft.com/fwlink/p/?LinkId=234542. 
> SCCM.MyDomain.local; SQL availability group configured for readable secondaries; Passed
> SCCM.MyDomain.local; SQL availability group configured for manual failover; Passed
> SCCM.MyDomain.local; SQL availability group replicas on default instance; Passed
> ===== INFO: Prerequisite Type & Server: SITE_SEC:SCCM.MyDomain.local =====

> ===== INFO: Prerequisite Type & Server: SQL:SCCM.MyDomain.local =====
> <<<RuleCategory: Access Permissions>>>
> <<<CategoryDesc: Checking access permissions…>>>
> ERROR: Failed to connect to SQL Server database.
> SCCM.MyDomain.local; SQL Server sysadmin rights; Error; Either the user account running Configuration Manager Setup does not have sysadmin SQL Server role permissions on the SQL Server instance selected for site database installation, or the SQL Server instance could not be contacted to verify permissions. Setup cannot continue.

> INFO: Cannot connect to registry key.
> SCCM.MyDomain.local; Dedicated SQL Server instance; Passed
> INFO: Checking sql index create memory.
> ERROR: Failed to connect to SQL Server database.
> SCCM.MyDomain.local; SQL Index Create Memory option; Warning; SQL Index create memory is not configured as default value of 0 and might hit issue

> INFO: Check required collation of Sql Server.
> INFO: LangID <409>
> ERROR: Failed to get SQL Server connection for SCCM.MyDomain.local (master)
> ERROR: Failed to connected to SQL Server, cannot verify required collation
> SCCM.MyDomain.local; Required SQL Server Collation; Error; Configuration Manager requires that you configure your SQL Server instance and Configuration Manager site database (if already present) to use the SQL_Latin1_General_CP1_CI_AS collation, unless you are using a Chinese operating system and require GB18030 support. For information about changing your SQL Server instance and database collations, see http://go.microsoft.com/fwlink/p/?LinkID=234541. For information about enabling GB18030 support, see http://go.microsoft.com/fwlink/p/?LinkId=234542.
> SCCM.MyDomain.local; SQL availability group configured for readable secondaries; Passed
> SCCM.MyDomain.local; SQL availability group configured for manual failover; Passed
> SCCM.MyDomain.local; SQL availability group replicas on default instance; Passed

> SCCM.MyDomain.local; Unsupported Cloud Management Gateway on the expanded primary site; Passed
> ===== INFO: Prerequisite Type & Server: SQL:SCCM.MyDomain.local =====
> <<<RuleCategory: Access Permissions>>>
> <<<CategoryDesc: Checking access permissions…>>>
> ERROR: Failed to connect to SQL Server database.
> SCCM.MyDomain.local; SQL Server sysadmin rights; Error; Either the user account running Configuration Manager Setup does not have sysadmin SQL Server role permissions on the SQL Server instance selected for site database installation, or the SQL Server instance could not be contacted to verify permissions. Setup cannot continue.
> ===== INFO: Prerequisite Type & Server: SDK:SCCM.MyDomain.local =====

> INFO: SQL Server instance <>
> ERROR: Failed to get SQL Server connection for SCCM.MyDomain.local (master)
> SCCM.MyDomain.local; Site System to SQL Server Communication; Passed

Here are the snippets of the errors in the ConfigMgrSetup.log file when we went ahead and ran the installer anyway, knowing that it wasn’t going to succeed given the failures in the prerequisite check.

INFO: Registered type SMS ACCESS for SCCM.MyDomain.local CM_BIG Configuration Manager Setup 2/9/2018 4:42:55 PM 16644 (0x4104)
*** [08001][18][Microsoft][ODBC SQL Server Driver][Shared Memory]SSL Security error Configuration Manager Setup 2/9/2018 4:43:56 PM 16644 (0x4104)
*** [01000][772][Microsoft][ODBC SQL Server Driver][Shared Memory]ConnectionOpen (SECDoClientHandshake()). Configuration Manager Setup 2/9/2018 4:43:56 PM 16644 (0x4104)
*** Failed to connect to the SQL Server, connection type: SCCM.MyDomain.local MASTER. Configuration Manager Setup 2/9/2018 4:43:56 PM 16644 (0x4104)
*** [08001][18][Microsoft][ODBC SQL Server Driver][Shared Memory]SSL Security error Configuration Manager Setup 2/9/2018 4:44:57 PM 16644 (0x4104)
*** [01000][772][Microsoft][ODBC SQL Server Driver][Shared Memory]ConnectionOpen (SECDoClientHandshake()). Configuration Manager Setup 2/9/2018 4:44:57 PM 16644 (0x4104)
*** Failed to connect to the SQL Server, connection type: SCCM.MyDomain.local MASTER. Configuration Manager Setup 2/9/2018 4:44:57 PM 16644 (0x4104)
Removed SQL alias SCCM.MyDomain.local successfully. Configuration Manager Setup 2/9/2018 4:48:02 PM 13440 (0x3480)

The GUI installer would make it all the way to this page, and then error out with a message to the effect that the SQL 2012 or 2014 instance needed to be updated. Obviously, this wasn’t the actual problem, since SQL was 2016 with all of the latest cumulative updates and patches.

[Screenshot: System Center Configuration Manager Setup Wizard, installation problem]

Resolution

We again confirmed that permissions, prerequisites, and the SPNs were correctly in place using “setspn -L bi\sccm-sqlsvc”, and also confirmed that another application was able to install to the SQL instance, to test both permissions and communications.

Everything seemed to be correct until we started digging in the registry, specifically looking at the SCHANNEL protocols.

Here’s what the registry of a standard installation of Server looks like for SCHANNEL.

[Screenshot: standard SCHANNEL registry on a default Server installation]

The registry of the server we had been provided had some unwanted additions. There were keys added to disable TLS 1.0, 1.1, and 1.2. That explains the “SSL Security error” in SECDoClientHandshake() seen in ConfigMgrSetup.log: with every TLS version disabled, the ODBC SQL Server driver that Setup uses had no protocol left to negotiate with SQL Server.

[Screenshot: incorrect SCHANNEL registry on the provided server, with TLS 1.0, 1.1, and 1.2 disabled]

After we re-enabled the TLS SCHANNEL protocols, the Prerequisite Checker (prereqchk.exe /LOCAL) was able to run without any errors, and the install was able to complete as well.
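As an added example (this is my own script, not code from the original post or from Microsoft), the following PowerShell audits the SCHANNEL protocol keys described above and, only on request, re-enables a protocol. It assumes the standard Windows location for those keys, HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, and an elevated session on the site server; the function names are my own.

```powershell
# Added example, not code from the original post. Assumes the standard Windows
# SCHANNEL protocol key path below and an elevated session on the site server.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$TlsVersions = 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$Sides = 'Client', 'Server'

function Get-SchannelProtocolState {
    # One row per TLS version and side. A missing key or value means the OS
    # default applies (on Server 2016 all three versions are available), which
    # is what the post's "standard installation" screenshot shows.
    [CmdletBinding()]
    param()

    foreach ($version in $TlsVersions) {
        foreach ($side in $Sides) {
            $keyPath = Join-Path (Join-Path $SchannelProtocols $version) $side
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $keyPath) {
                $props = Get-ItemProperty -Path $keyPath
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol           = $version
                Side               = $side
                KeyPresent         = [bool](Test-Path $keyPath)
                Enabled            = $enabled
                DisabledByDefault  = $disabledByDefault
                # Enabled=0 is the hard "off" switch the post found; DisabledByDefault=1
                # alone only stops the version being offered unless an app asks for it.
                ExplicitlyDisabled = ($null -ne $enabled -and [int]$enabled -eq 0)
            }
        }
    }
}

function Test-SchannelClientHasTls {
    # $true if at least one TLS version is still usable on the Client side. The
    # ODBC driver that Setup uses is a SCHANNEL client, so when this returns
    # $false the SECDoClientHandshake() / "SSL Security error" lines in
    # ConfigMgrSetup.log are the expected result.
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$State)

    $usable = $State | Where-Object {
        $_.Side -eq 'Client' -and -not $_.ExplicitlyDisabled -and
        ($null -eq $_.DisabledByDefault -or [int]$_.DisabledByDefault -eq 0)
    }
    return (($usable | Measure-Object).Count -gt 0)
}

function Enable-SchannelProtocol {
    # Re-enables one TLS version for Client and/or Server by writing the two
    # DWORDs Windows honours. Supports -WhatIf so the change can be reviewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')][string]$Protocol,
        [ValidateSet('Client', 'Server')][string[]]$Side = @('Client', 'Server')
    )

    foreach ($s in $Side) {
        $keyPath = Join-Path (Join-Path $SchannelProtocols $Protocol) $s
        if ($PSCmdlet.ShouldProcess($keyPath, 'Set Enabled=1 and DisabledByDefault=0')) {
            if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
            Set-ItemProperty -Path $keyPath -Name Enabled -Value 1 -Type DWord
            Set-ItemProperty -Path $keyPath -Name DisabledByDefault -Value 0 -Type DWord
        }
    }
}

# Usage: audit first, then (only if needed) re-enable the narrowest set and reboot.
$state = Get-SchannelProtocolState
$state | Format-Table -AutoSize

if (-not (Test-SchannelClientHasTls -State $state)) {
    Write-Warning 'Every TLS client protocol is disabled in SCHANNEL; SQL connections from Setup will fail the handshake.'
    # Preview only; drop -WhatIf to apply. SQL 2016 and Server 2016 both support
    # TLS 1.2, so try it alone before re-enabling older versions.
    Enable-SchannelProtocol -Protocol 'TLS 1.2' -WhatIf
}
```

SCHANNEL only picks up these values after a reboot, so re-run prereqchk.exe /LOCAL after restarting. From a hardening standpoint, the whoever-disabled-everything keys were almost certainly an over-applied TLS lockdown; re-enabling TLS 1.2 first and leaving TLS 1.0 and 1.1 disabled, if the prerequisite check then passes, keeps most of that intent while still unblocking Setup.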

Lucas Guth, PEI
