I have three HP DL380 G10s with identical hardware and software - fresh installs of Windows from scratch - brand new cluster. Everything appears to be working properly - live migration, cluster communication, etc. But when I try to set up Cluster Aware Updating, it gives me an error for two of our three nodes, the error in the title: 0x800b010f CimException - The certificate's CN name does not match the passed value.
Screenshot here:
https://www.screencast.com/t/9R9Glaccq
When I try to use Windows Administration Center to set up the CAU, it tells me:
Cluster-Aware Updating
You can't use Cluster-Aware updating tool without enabling CredSSP and providing explicit credentials.
So some Google sleuthing led me to run a few PowerShell commands.
On each node:
Disable-WsmanCredSSP -Role Server
Test-ComputerSecureChannel -Verbose -Repair -Credential <username>
gpupdate /force
reboot
On the WAC server I ran
Disable-WsmanCredSSP -Role Client
Test-ComputerSecureChannel -Verbose -Repair -Credential <username>
gpupdate /force
reboot
This has made no changes in either error when trying to make the cluster-aware updating functional. The same error appears now as listed above for both situations (using CFM or using WAC to create/set up the CAU).
What is a good method to troubleshoot this? I've never really used WAC, but have it set up on a server to play around with and while it's slow, it does seem pretty nice.
I have checked all three nodes and they DO have our internal CA's certificate in the computer/trusted roots/certificates area - as well as four certificates in their /computer/personal/certificates area:
CLIUSR issued by CLIUSR
servernode1.domain.com issued by our Certificate Authority for client authentication using the configmgr client certificate template.
servernode1.domain.com issued by our CA for client authentication using the Domain Controller Authentication template.
servernode1.domain.com issued by servernode1.domain.com for server authentication with the friendly name SCVMM_Certificate_Key_ContainerServernode1.domain.com (self-signed, no template)
I originally attempted to add this cluster to our old SCVMM server, but it had issues with CredSSP as well. Is this a 2022 thing? I had a 2016 cluster running without any issues and we haven't used CredSSP on our domain (that I'm aware of) for years...
Do I need to run "winrm set winrm/config/service/auth @{CredSSP="true"}" on each of my nodes? I really don't want any protocols on our network that contain clear-text passwords, especially remote executable scripts with clear-text passwords. We use Kerberos everywhere - is CredSSP really needed for WAC functionality?
So in a nutshell I can't tell if this is a certificate issue, or a protocol issue with security authentication. Has anyone seen this before or know how I could walk through and troubleshoot things?
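One way to gather the facts this question turns on, as an added example that is not part of the original post: a read-only PowerShell inventory, run elevated on each node, listing the names each certificate in the computer's Personal store carries, the WinRM listeners, and the WinRM authentication settings. 0x800B010F is the HRESULT CERT_E_CN_NO_MATCH; the script only reports state and assumes nothing about which component raises the error.

```powershell
# Added example: read-only inventory to run in an elevated session on each node.
# It changes no settings. 0x800B010F is the HRESULT CERT_E_CN_NO_MATCH.

$fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# 1. Every certificate in Computer\Personal, with the names it actually carries.
#    NameMatch is an exact comparison with this node's FQDN (wildcards are not expanded).
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cn       = $_.GetNameInfo($simple, $false)   # subject common name
    $dnsNames = @($_.DnsNameList | ForEach-Object { $_.Unicode })
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        SubjectCN  = $cn
        DnsNames   = $dnsNames -join ', '
        IssuerCN   = $_.GetNameInfo($simple, $true)
        EKU        = @($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
        NotAfter   = $_.NotAfter
        PrivateKey = $_.HasPrivateKey
        NameMatch  = ($cn -eq $fqdn) -or ($dnsNames -contains $fqdn)
    }
} | Format-List

# 2. WinRM listeners and, for HTTPS listeners, the certificate thumbprint bound to them.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Select-Object Transport, Port, Hostname, CertificateThumbprint |
    Format-Table -AutoSize

# 3. Which authentication mechanisms WinRM currently allows on this machine.
'Service', 'Client' | ForEach-Object {
    $side = $_
    'Kerberos', 'Negotiate', 'CredSSP' | ForEach-Object {
        [pscustomobject]@{
            Side      = $side
            Mechanism = $_
            Enabled   = (Get-Item -Path "WSMan:\localhost\$side\Auth\$_").Value
        }
    }
} | Format-Table -AutoSize
```

Comparing the output from a node that works with the two that fail shows whether the difference lies in certificate names, listener bindings, or authentication settings.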