matteu31400 asked ChandraMohan-4824 commented

BitLocker installation 2 issues

Hello,

After my installation of BitLocker on my SCCM server (2006), I can see 2 errors in the event logs:

1) Event ID 1:

Application: Default Web Site/HelpDesk is missing the following Service Principal Names (SPNs):
http/
Register the required SPNs on the account: sccmServerName$.

if sccmServerName = sccm
domain = test.lan

=> Do I need to execute the following commands, or can I ignore the event:
setspn -S http://SCCM
setspn -S http://SCCM.test.lan

Then, how can I check if it's OK, because the last event was yesterday?

2) Event ID 111
stored procedure 'ComplianceCore.GetVersion' not found.

Same here, the last event was yesterday, but I don't know where I have to search to find this stored procedure. I tried in my SCCM database -> stored procedures but didn't find it.

How can I solve this?

Thank you


windows-10-security

TeemoTang-MSFT answered

To register SPNs, executing your commands is a common method; you could do it.
Setspn -s HTTP/FQDN_OF_IIS_SERVER domain\username
and
Setspn -s HTTP/FQDN_OF_IIS_SERVER domain\username
In fact, don't have MBAM on the same server as SCCM. We usually move MBAM to another server. This Microsoft document explains SPNs and their role in Kerberos authentication.
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-2017


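One way to answer the "how can I check if it's OK" part of the question, as an added example that is not from any poster in this thread: it reads the SPNs on the computer account, flags duplicates, and looks for fresh event ID 1 entries. The host `sccm` and domain `test.lan` are the question's sample values, and the event channel name `Microsoft-Windows-MBAM-Web/Admin` is an assumption.

```powershell
# Added example. Names below are the question's sample values, not real hosts.
$ComputerName = 'sccm'
$Domain       = 'test.lan'
$Expected     = @("http/${ComputerName}", "http/${ComputerName}.${Domain}")
# Assumption: the MBAM web portals log to this channel.
$LogName      = 'Microsoft-Windows-MBAM-Web/Admin'

# 1) Read the SPNs currently registered on the computer account (sccm$).
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=${ComputerName}`$))"
[void]$searcher.PropertiesToLoad.Add('serviceprincipalname')
$account = $searcher.FindOne()
if (-not $account) { throw "Computer account ${ComputerName}`$ not found in the current domain." }
$registered = @($account.Properties['serviceprincipalname'])

# 2) For each expected SPN: is it on this account, and is it on any other account?
#    The same SPN on two accounts breaks Kerberos ticket requests for that service.
$report = foreach ($spn in $Expected) {
    $owners = @(([adsisearcher]"(servicePrincipalName=$spn)").FindAll() |
                ForEach-Object { $_.Properties['samaccountname'][0] })
    [pscustomobject]@{
        SPN        = $spn
        Registered = $registered -contains $spn   # -contains ignores case for strings
        Owners     = $owners -join ', '
        Duplicate  = $owners.Count -gt 1
    }
}
$report | Format-Table -AutoSize

# 3) Look for new "missing SPN" events (event ID 1) in the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1; StartTime = $since } `
            -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    "No event ID 1 in $LogName since $since."
} else {
    $events | Select-Object TimeCreated, Id, Message | Format-List
}
```

A later post in this thread reports the error on each access to the HelpDesk portal, so load the portal once before relying on step 3.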

matteu31400 answered TeemoTang-MSFT commented

Thank you for your answer.
OK for SPN.

For MBAM with SCCM, I just followed the documentation here:
https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/bitlocker/setup-websites

"You can install the portals on an existing site server or site system server with IIS installed, or use a standalone web server to host them."

I will wait and see if the SPN error continues before creating it. I understand this website should not be used as http but only https.


You are welcome, look forward to your good news

ChrisLang-6352 answered BrandonM-0342 edited

I have this identical issue for our configuration. We did the setup on the site server, and the documentation states that it is OK to set up the MBAM portals on the site server if you are on SCCM 2006. I would be interested to hear if and how you resolved this, as I have set the SPN correctly and am still getting the same error every time I try to access the HelpDesk portal.


I am also receiving these errors, also running SCCM 2006. I have HTTP SPNs registered on the computer account. I also get an error when running a BitLocker report. The report runs fine but the output shows "Error: The "MBAM Policy" view does not exist." I looked for that ComplianceCore.GetVersion SP but do not see it in the database. I do see the ComplianceRead.GetAuditInformation SP.

It seems like some items (Views and Stored Procedures) are missing from the database.

matteu31400 answered

I come back here to say I created my SPN and I don't see the message about the SPN anymore.

For the other issue, it's exactly:

An error occurred while retrieving the database schema version from the Compliance database.
'ComplianceCore.GetVersion' stored procedure not found.
mbam-web ID 111.

I found Microsoft documentation here: https://docs.microsoft.com/en-us/mem/configmgr/protect/tech-ref/bitlocker/server-event-logs

and this is what Microsoft says: Verify that the app pool account can connect to the compliance or recovery databases. Confirm that it has permissions to run the GetVersion stored procedure.

But in 2006, I don't see this stored procedure either...

Can any Microsoft SCCM team member help us with it?

TesfayeH answered ChandraMohan-4824 commented

Running version 2006 as well and just installed MBAM last night. I can run the reports from the report server and see the BitLocker activity, the SelfService website works and I can grab recovery keys. However, I can't do anything with the HelpDesk site except load the page. The audit report does nothing (I can run it from the report server), and I can't use any of the recovery pages. The event log complains about the website SPN, so I'm not sure if I added the right SPN (http/fqdn of the server) based on Microsoft's recommendation for an application pool running under Network Service. I also see WebAppRecoveryDbError for 'NT AUTHORITY\ANONYMOUS LOGON', which I don't understand as we're running as Network Service. Also WebAppDbError regarding the missing stored procedure. I don't have ComplianceCore.GetVersion in my database either.

I'll try opening a ticket with Microsoft, as much as I dread those exchanges, but maybe I'll get lucky here. I've done this build at another employer and had no issues, but this deployment is troublesome.


Hi TesfayeH

Did you find the solution with Microsoft?
