BitLocker installation 2 issues

matteu31 467 Reputation points
2020-10-20T07:06:52.953+00:00

Hello,

After my installation of BitLocker on my SCCM server (2006), I can see 2 errors in the event logs:

1) Event ID 1:

Application: Default Web Site/HelpDesk is missing the following Service Principal Names (SPNs):
http/
Register the required SPNs on the account: sccmServerName$.

if sccmServerName = sccm
domain = test.lan

=> Do I need to execute the following commands, or can I ignore the event:
setspn -S http://SCCM
setspn -S http://SCCM.test.lan

Then, how can I check if it's OK, because the last event was yesterday?

2) Event ID 111
stored procedure 'ComplianceCore.GetVersion' not found.

Same here, the last event was yesterday, but I don't know where I have to search to find this stored procedure. I tried my SCCM database -> stored procedures but didn't find it.

How can I solve this ?

Thank you


5 answers

  1. Teemo Tang 11,336 Reputation points
    2020-10-21T01:40:23.093+00:00

    To register SPNs, executing your commands is a common method; you could do it.
    Setspn -s HTTP/FQDN_OF_IIS_SERVER domain\username
    and
    Setspn -s HTTP/FQDN_OF_IIS_SERVER domain\username
    In fact, don't have MBAM on the same server as SCCM. We usually move MBAM to another server. This Microsoft document explains SPNs and their role in Kerberos authentication.
    https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-2017


  2. matteu31 467 Reputation points
    2020-10-21T07:17:12.02+00:00

    Thank you for your answer.
    OK for SPN.

    For MBAM with SCCM, I just followed the documentation here:
    https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/setup-websites

    "You can install the portals on an existing site server or site system server with IIS installed, or use a standalone web server to host them."

    I will wait and see if the SPN error continues before creating it. I understand this website should not be used as http but only https.


  3. CLang 1 Reputation point
    2020-10-26T16:34:34.957+00:00

    I have this identical issue for our configuration. We did the setup on the site server; the documentation states that it is OK to set up the MBAM portals on the site server if you are on SCCM 2006. I would be interested to hear if and how you resolved this, as I have set the SPN correctly and am still getting the same error every time I try to access the HelpDesk portal.


  4. matteu31 467 Reputation points
    2020-11-23T17:35:34.48+00:00

    I came back here to say I created my SPN and I don't see the message about the SPN anymore.

    For the other issue, it's exactly:

    An error occurred while retrieving the database schema version from the Compliance database.
    'ComplianceCore.GetVersion' stored procedure not found.
    mbam-web ID 111.

    I found the Microsoft documentation here: https://learn.microsoft.com/en-us/mem/configmgr/protect/tech-ref/bitlocker/server-event-logs

    and this is what Microsoft says: Verify that the app pool account can connect to the compliance or recovery databases. Confirm that it has permissions to run the GetVersion stored procedure.

    But in 2006, I don't see this stored procedure either...

    Can any Microsoft SCCM team member help us with it?


  5. TesfayeH 1 Reputation point
    2021-01-28T20:32:09.737+00:00

    Running version 2006 as well and just installed MBAM last night. I can run the reports from the report server and see the BitLocker activity, the SelfService website works and I can grab recovery keys. However, I can't do anything with the HelpDesk site except load the page. The audit report does nothing (I can run it from the report server), and I can't use any of the recovery pages. The event log complains about the website SPN, so I'm not sure if I added the right SPN (http/fqdn of the server) based on Microsoft's recommendation for an application pool running under Network Service. I also see WebAppRecoveryDbError for 'NT AUTHORITY\ANONYMOUS LOGON', which I don't understand as we're running as Network Service. Also WebAppDbError regarding the missing stored procedure. I don't have ComplianceCore.GetVersion in my database either.

    I'll try opening a ticket with Microsoft, as much as I dread those exchanges, but maybe I'll get lucky here. I've done this build at another employer and had no issues, but this deployment is troublesome.
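
One way to check the SPN registration discussed in this thread, as an added example that is not part of any post and is not Microsoft's own script: the PowerShell below queries Active Directory for the two http SPNs of the portal server and reports whether each one is missing, registered more than once, or registered on a different account than the one named in event ID 1. The values sccm, test.lan and sccm$ are the sample names from the question, and the function names are made up for this example.

```powershell
# Added example. Run from a domain-joined machine as a user who can read AD.
# It searches the current domain only, not the whole forest.

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # Find every AD object that carries this exact servicePrincipalName value.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    $searcher.FindAll() | ForEach-Object {
        [string]$_.Properties['samaccountname'][0]
    }
}

function Test-PortalSpn {
    param(
        [Parameter(Mandatory)][string]$ServerName,  # short name, e.g. sccm
        [Parameter(Mandatory)][string]$DnsDomain,   # DNS domain, e.g. test.lan
        [Parameter(Mandatory)][string]$Account      # account from event ID 1, e.g. sccm$
    )
    # The portal can be reached by short name or FQDN, so check both SPN forms.
    $expected = "http/${ServerName}", "http/${ServerName}.${DnsDomain}"
    foreach ($spn in $expected) {
        $owners = @(Get-SpnOwner -Spn $spn)
        $status = if ($owners.Count -eq 0) { 'Missing' }
                  elseif ($owners.Count -gt 1) { 'Duplicate' }      # breaks Kerberos for this SPN
                  elseif ($owners[0] -ne $Account) { 'WrongAccount' }
                  else { 'OK' }
        [pscustomobject]@{
            Spn          = $spn
            Status       = $status
            RegisteredOn = $owners -join ', '
        }
    }
}

# Sample values taken from the question; replace with your own.
Test-PortalSpn -ServerName 'sccm' -DnsDomain 'test.lan' -Account 'sccm$' |
    Format-Table -AutoSize
```

The built-in equivalents are `setspn -L sccm` to list the SPNs on the account and `setspn -Q http/sccm.test.lan` to find which account holds a given SPN.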