Friday, August 30, 2024

System Center Orchestrator 2022 - sync with System Center Service Manager 2022 fails with RsaProtectedConfigurationProvider problem after installing the 2019 web service

After upgrading System Center Orchestrator from 2019 to 2022, Orchestrator itself was working fine.

However, SCSM failed to synchronize after the upgrade. It turns out that SCSM (2019 AND 2022) does NOT work with the 2022 Orchestrator web API.
The current solution is to install the Orchestrator 2019 console and web service alongside the Orchestrator 2022 install, pointing to the Orchestrator 2022 database. Because the standard Orchestrator install uses ports 81 and 82, I installed the 2019 web service on port 5001, with port 5002 for the console.

Sidenote: this was in my DEV environment. I exported my production Orchestrator database to the DEV environment and, when upgrading to Orchestrator 2022, pointed to the DB from my production environment. Obviously, also make sure the service master key is exported and imported into the DEV SQL environment. So the Orchestrator console was working fine at this point.


But then I was confronted with a sync error: SCSM could still not talk to the Orchestrator web service.

Unable to decrypt Orchestrator config file. Failed to decrypt using provider RsaProtectedConfigurationProvider Error message from the provider The parameter is incorrect.

The way to test is using aspnet_regiis.exe.

First create a copy of the web.config, as the following command will decrypt the connectionStrings section:

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" /pdf "connectionStrings" "C:\Program Files (x86)\Microsoft System Center\Orchestrator\Web Service\Orchestrator2012"

That command failed with the same error.

So the connectionStrings section is encrypted/decrypted using the key stored in NetFrameworkConfigurationKey.

Using the KeyPal utility (the project can be downloaded from GitHub), you can list the keys:
https://github.com/doggy8088/KeyPal

Ultimately the solution was to export the NetFrameworkConfigurationKey from my production system and then restore it on my DEV server.


So on both PROD and DEV I ran this command to export:
aspnet_regiis.exe /px "NetFrameworkConfigurationKey" "c:\temp\NetFrameworkConfigurationKey_pcname.xml" -pri

Then on the DEV system delete the original key:
aspnet_regiis.exe /pz "NetFrameworkConfigurationKey" 

And import the key from the PROD environment:

aspnet_regiis.exe /pi "NetFrameworkConfigurationKey" "c:\temp\NetFrameworkConfigurationKey_prodpcname.xml"



It puzzles me that it shows 1024 here...?!? But it does not seem to be a problem.

I ran the iisreset command and also later restarted the server, but now when I open the webpage of the web service I get a correct response.
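
The decryption test and key import described above can be re-checked without decrypting the live web.config. This is an added example, not part of the original post; the scratch folder name is an assumption, and the c:\temp file pattern follows the export paths used above.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$regiis  = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$siteDir = 'C:\Program Files (x86)\Microsoft System Center\Orchestrator\Web Service\Orchestrator2012'
$workDir = Join-Path $env:TEMP ('orch-cfg-test-' + [guid]::NewGuid())  # scratch folder (assumption)
$keyGlob = 'c:\temp\NetFrameworkConfigurationKey_*.xml'                # export location used above

New-Item -ItemType Directory -Path $workDir | Out-Null
try {
    # /pdf rewrites web.config in place, so decrypt a copy and leave the live file encrypted.
    Copy-Item -Path (Join-Path $siteDir 'web.config') -Destination $workDir
    $output = & $regiis /pdf 'connectionStrings' $workDir 2>&1

    [xml]$cfg = Get-Content -Path (Join-Path $workDir 'web.config') -Raw
    $section  = $cfg.configuration.connectionStrings

    # A section that is still protected keeps its configProtectionProvider attribute.
    if ($LASTEXITCODE -ne 0 -or $section.configProtectionProvider) {
        Write-Warning 'connectionStrings could not be decrypted with the key container on this machine.'
        $output | ForEach-Object { Write-Warning "$_" }
    }
    else {
        # Report entry names only; the connection strings themselves are not printed.
        $names = @($section.add | ForEach-Object { $_.name }) -join ', '
        Write-Output "Decryption OK. Entries: $names"
    }
}
finally {
    # The scratch copy may now hold plaintext connection strings.
    Remove-Item -Path $workDir -Recurse -Force
}

# Exported key files hold the RSA private key when written with -pri; list any left behind.
Get-ChildItem -Path $keyGlob -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Warning "Key export still on disk: $($_.FullName). Move it to protected storage or delete it."
}
```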





And the web API via port 81 is still working too. You can use this PowerShell script:

https://techcommunity.microsoft.com/t5/system-center-blog/a-brand-new-web-console-for-orchestrator-2019/bc-p/3256805/highlight/true#M3526
$OrchURI = 'http://OrchServerFQDN:5001' #Replace 5001 by the WebService port
$JobID = '00000000-0000-0000-0000-000000000000' # Correct job ID of course, you can list all jobs to search by name later on or maybe there can be filtered...

# To list all Runbook Servers
$RunbookServers = @(Invoke-RestMethod -Uri ('{0}/api/RunbookServers' -f $OrchURI) -UseDefaultCredentials | Select -ExpandProperty value | Select -ExpandProperty Name)

# To list all Jobs currently running
$CurrentJobs = Invoke-RestMethod -Uri ('{0}/api/Jobs?$filter=Status%20in%20(%27Running%27,%27Pending%27)&$expand=Runbook($select=Name),RunbookInstances' -f $OrchURI) -UseDefaultCredentials | Select -ExpandProperty value
This works fine!

So you can use the 2022 web API via PowerShell to kick off a runbook.
