Asset Intelligence synchronization point failing to update, Status = Online Service account is not provisioned

Has anyone seen or dealt with this issue?

We are running SCCM 2012 R2 CU3 on Win 2008 R2 server and are having problems with our AI synch point where the Online Service Account is showing as not provisioned.  It's on the CAS and it synched months ago so it *was* working.  Attempted to uninstall and reinstall thinking that may help, but no luck.  Cannot locate anywhere to input an online service account or how to obtain one and we are not using a proxy to get out. Any help would be appreciated.

Thanks

Dave

Errors in the AIUpdateSvc.log

Asset Intelligence Catalog Sync Service Warning: 0 : Tue, 09 Dec 2014 19:04:19 GMT:WebException trying to enroll: Status = Timeout
Asset Intelligence Catalog Sync Service Error: 0 : Tue, 09 Dec 2014 19:04:19 GMT:Retrieve Machine Cert, Error - The operation has timed out
Asset Intelligence Catalog Sync Service Error: 0 : Tue, 09 Dec 2014 19:04:19 GMT:Exception attempting sync - The operation has timed out
Asset Intelligence Catalog Sync Service Information: 0 : Tue, 09 Dec 2014 19:04:19 GMT:Exception details:
Microsoft.AssetIntelligence.CatalogSyncException: The operation has timed out ---> System.Net.WebException: The operation has tim

December 9th, 2014 7:35pm

Hi,

Please make sure the traffic between CAS server and Microsoft hasn't been blocked by something.

Asset Intelligence Synchronization Point -- > Microsoft

http://technet.microsoft.com/en-us/library/hh427328.aspx

Best Regards,

Joyce

Free Windows Admin Tool Kit Click here and download it now
December 10th, 2014 8:27am

Hello thanks for the reply... 

nope, nothing blocking access to Microsoft. 

I did see the 403 in the logs and when I throw https://sc.microsoft.com/CatalogService/service.svc into a browser in or outside our network I get at 403.

Asset Intelligence Catalog Sync Service Information: 0 : Fri, 12 Dec 2014 14:51:58 GMT:Redirected to URL https://sc.microsoft.com/CatalogService/service.svc
Asset Intelligence Catalog Sync Service Warning: 0 : Fri, 12 Dec 2014 14:51:59 GMT:WebException trying to enroll: Status = ProtocolError
Asset Intelligence Catalog Sync Service Error: 0 : Fri, 12 Dec 2014 14:51:59 GMT:Retrieve Machine Cert, Error - The request failed with HTTP status 403: Forbidden.
Asset Intelligence Catalog Sync Service Error: 0 : Fri, 12 Dec 2014 14:51:59 GMT:Exception attempting sync - The request failed with HTTP status 403: Forbidden.

December 12th, 2014 3:09pm

Hi Dave,

"trying to enroll: Status = ProtocolError", "HTTP status 403: Forbidden". Basically a certficate issue. Try the following and see how it goes. :

1. Export the cert from another working site and import it. Restart the server.

2. Reconfigure the proxy setting.

Btw, did you or your network team make any change on the Proxy Server, Gateway etc...?

Thanks.

Free Windows Admin Tool Kit Click here and download it now
December 16th, 2014 9:55am

Thanks Aaron,

What cert are you referring to?

No proxy server or gateway changes have been made.

Thanks

January 9th, 2015 4:30pm

Hi Dave,

For the Certificate, I mean client authentication. Please check the PKI Certificates for Clients part in the following link:

PKI Certificate Requirements for Configuration Manager
http://technet.microsoft.com/en-us/library/gg699362.aspx

Additional information about client certificate for authentication:

How to call a Web service by using a client certificate for authentication in an ASP.NET Web application
http://support.microsoft.com/kb/901183

T

Free Windows Admin Tool Kit Click here and download it now
January 13th, 2015 7:46am

Looks like someone *did* change the internet gateways at ONE of our locations. Was hard to troubleshoot, but Microsoft provided me with a few tweaks to enable network logging.
February 5th, 2015 3:56pm

Just ran into this myself, turns out the certificate included in with Configuration Manager 2012 R2 expired on May 29th 2015.  See https://support.microsoft.com/en-us/kb/3060648 for the hotfix to update this. If you're using 2007 or 2012 previous to (SP2 / R2 SP1) the file to download just has a PFX in it that needs to be added to the console. 2012 SP2 / 2012 R2 SP1 environments have a separate file that updates binaries and restarts the AI Sync point role.

I had 2012 R2 when I applied this, and found that contrary to the KB article, I had to restart the AI Sync service to get this working (I couldn't trigger another Sync as suggested because I was within 12 hours of my previous manual sync attempt).

Free Windows Admin Tool Kit Click here and download it now
June 17th, 2015 5:49pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics