question

ErikTank-9610 asked

Our new 2022 datacenter cluster cannot enable/perform cluster aware updating - 0x800b010f CimException - The certificate's CN name does not match the passed value.

I have three HP DL380 G10s with identical hardware and software - fresh installs of Windows from scratch - brand new cluster. Everything appears to be working properly - live migration, cluster communication, etc etc. BUT when I try to set up Cluster Aware Updating, it gives me an error for two of our three nodes that says the error in the title: 0x800b010f CimException - The certificate's CN name does not match the passed value.

Screenshot here:
https://www.screencast.com/t/9R9Glaccq

When I try to use Windows Administration Center to set up the CAU, it tells me:

Cluster-Aware Updating
You can't use Cluster-Aware updating tool without enabling CredSSP and providing explicit credentials.


So some google sleuthing led me to run a few PowerShell commands.

On each node:
Disable-WsmanCredSSP -Role Server
Test-ComputerSecureChannel -Verbose -Repair -Credential <username>
gpupdate /force
reboot

On the WAC server I ran
Disable-WsmanCredSSP -Role Client
Test-ComputerSecureChannel -Verbose -Repair -Credential <username>
gpupdate /force
reboot

This has made no changes in either error when trying to make the cluster-aware updating functional. The same error appears now as listed above for both situations (using CFM or using WAC to create/set up the CAU).

What is a good method to troubleshoot this? I've never really used WAC, but have it set up on a server to play around with and while it's slow, it does seem pretty nice.

I have checked all three nodes and they DO have our internal CA's certificate in the computer/trusted roots/certificates area - as well as four certificates in their /computer/personal/certificates area:

CLIUSR issued by CLIUSR
servernode1.domain.com issued by our Certificate Authority for client authentication using the configmgr client certificate template.
servernode1.domain.com issued by our CA for client authentication using the Domain Controller Authentication template.
servernode1.domain.com issued by servernode1.domain.com for server authentication with the friendly name SCVMM_Certificate_Key_ContainerServernode1.domain.com (self-signed, no template)

I originally attempted to add this cluster to our old SCVMM server, but it had issues with CredSSP as well. Is this a 2022 thing? I had a 2016 cluster running without any issues and we haven't used CredSSP on our domain (that I'm aware of) for years...

Do I need to run "winrm set winrm/config/service/auth @{CredSSP="true"}" on each of my nodes? I really don't want any protocols on our network that contain clear-text passwords, especially remote executable scripts with clear-text passwords. We use Kerberos everywhere - is CredSSP really needed for WAC functionality?

So in a nutshell I can't tell if this is a certificate issue, or a protocol issue with security authentication. Has anyone seen this before or know how I could walk through and troubleshoot things?

Tags: windows-server-hyper-v, windows-server-update-services, windows-server-clustering
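A way to separate the certificate question from the protocol question before touching CredSSP. This is an added diagnostic, not something posted in the thread; it assumes it is run on each cluster node in an elevated PowerShell session, and it only reads state (it enables nothing). 0x800B010F is CERT_E_CN_NO_MATCH, so the script compares the names on every Server Authentication certificate in the machine store with the node's own FQDN, shows which certificate the WinRM HTTPS listener (if any) is bound to, reports the current CredSSP state, and confirms plain Kerberos WinRM to the node works.

```powershell
# Added diagnostic (not from the thread). Run on each cluster node, elevated.
# 0x800B010F = CERT_E_CN_NO_MATCH: some consumer was handed a certificate
# whose CN/SAN does not name the host it was used for.

$fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth EKU

Write-Output "Node FQDN: $fqdn"

# 1. Server Authentication certificates in LocalMachine\My and whether they
#    actually name this node. The OP's self-signed SCVMM cert shows up here.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid } |
    ForEach-Object {
        $names = @($_.DnsNameList.Unicode)             # SAN DNS names (or CN)
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            SelfSigned = ($_.Subject -eq $_.Issuer)
            NamesMatch = ($names -contains $fqdn)      # $false => CN/SAN mismatch
            NotAfter   = $_.NotAfter
        }
    } | Format-List

# 2. WinRM listeners. An HTTPS listener bound to a certificate with
#    NamesMatch = $false above is one source of CERT_E_CN_NO_MATCH.
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Listener   = $_.Name
        Transport  = ($props | Where-Object Name -eq 'Transport').Value
        Port       = ($props | Where-Object Name -eq 'Port').Value
        Thumbprint = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
    }
} | Format-Table -AutoSize

# 3. CredSSP state on this machine (read-only).
Get-WSManCredSSP

# 4. Kerberos WinRM to this node must work before CredSSP is even a question.
try {
    $null = Test-WSMan -ComputerName $fqdn -Authentication Kerberos -ErrorAction Stop
    Write-Output "Kerberos WinRM to ${fqdn}: OK"
} catch {
    Write-Output "Kerberos WinRM to ${fqdn} failed: $($_.Exception.Message)"
}
```

If every Server Authentication certificate reports NamesMatch = $true and the HTTPS listener (if present) is bound to one of them, the error is coming from the remoting/authentication side rather than the certificates themselves. Test-CauSetup -ClusterName <cluster> from the ClusterAwareUpdating module is the cmdlet form of the CAU readiness check and lists the same warnings the GUI does.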

LimitlessTechnology-2700 answered

Hi @ErikTank-9610

I would like to suggest the items below for your scenario to resolve the issue.

  1. Please uninstall Cluster Aware Updating from all your nodes and reboot your servers, then install it again.

  2. Please uninstall .NET Framework on your nodes and install it again.

  3. Temporarily disable any antivirus program or Windows Firewall you may have.

  4. Please re-enable WMI Remoting using the cmd below.

winrm quickconfig -q

  5. To enable self-updating mode and certain CAU features in remote-updating mode, PowerShell must be installed and enabled to run remote commands on all cluster nodes.

Run the Enable-PSRemoting cmdlet ( https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/Enable-PSRemoting )

  6. If CAU is used in self-updating mode, the plug-in must be installed on all cluster nodes. If CAU is used in remote-updating mode, the plug-in must be installed on the remote Update Coordinator computer.

https://docs.microsoft.com/en-us/windows-server/failover-clustering/cluster-aware-updating-plug-ins#BKMK_WUP

Hope this answers your question :)
Thank you.


--If the reply is helpful, please Upvote and Accept as answer--


ErikTank-9610 answered

In my 2016 cluster, I was able to use CAU without a WSUS server and have it get updates directly from MS. However, I decided to try to fix the two warnings I had when checking for CAU readiness, and one was a location for WSUS (GPO) and the other is a proxy. We do not use a proxy so I ignored that one - but I set up the WSUS location to a new WSUS server and magically it all works now. Very strange that WSUS is required for CAU to work in 2022 - I'd much prefer to get my updates from MS directly, as we use SCCM for our updates otherwise and did not utilize a WSUS server... (I know the WSUS option gives me the ability to block updates, etc. but that's never really been an issue for us, and managing an entire new server for WSUS solely for 3 servers to get updates is pretty silly IMHO.)

Thanks for the response - maybe my findings can help someone in the future.
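Since the fix turned out to be the WSUS location policy, a quick way to confirm every node actually received it (a CAU run only succeeds if all nodes agree). This is an added check, not code from the thread; it assumes it runs on a cluster node with the FailoverClusters module available and Kerberos WinRM to each node, and it reads the standard Windows Update policy registry values.

```powershell
# Added check (not from the thread): show the WSUS policy as applied on each
# cluster node, so a node that missed the GPO stands out before CAU is run.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$nodes = (Get-ClusterNode).Name   # nodes of the cluster this host belongs to

Invoke-Command -ComputerName $nodes -ScriptBlock {
    # Values written by the "Specify intranet Microsoft update service location" policy.
    $wu = Get-ItemProperty -Path $using:policyKey        -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$using:policyKey\AU"   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Node           = $env:COMPUTERNAME
        WUServer       = $wu.WUServer          # null => policy not applied here
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer       # 1 => clients use the WSUS server
    }
} | Format-Table Node, WUServer, WUStatusServer, UseWUServer -AutoSize
```

A node showing an empty WUServer after gpupdate /force is the one to look at; the values should be identical across all three nodes.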
