SMS_REST_PROVIDER : Connection to administration service is unsuccessful PKI

Vid3al 96

Hello everyone,

Current our version and configuration : MECM 2303 No Hotfix. (Site Configuration : Enhanced HTTP)

We have noticed daily errors, but we do not understand the cause, and why they are present :

Component : SMS_REST_PROVIDER
Source : SMS Server
Message ID : 11610
Severity : Error
Description : Connection to administration service is unsuccessful. Error info: "Error status: TrustFailure, Error message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

Component : SMS_REST_PROVIDER
Source : SMS Server
Message ID : 11615
Severity : Error
Description : Connection to administration service is unsuccessful because of PKI certificate issue.

In our MECM configuration, we are not aware that we are using PKI certificates.

User's image

Why do we have these errors?

How can we solve them?

We would like to fix them before upgrading to version 2403.

Thank you for your patience and support.

2 answers

Simon Ren-MSFT 35,546 Microsoft Vendor

Hi,

Thank you for posting in Microsoft Q&A forum.

1,Where do you see these errors? Is the SMS_REST_PROVIDER shown green under Monitoring\System Status\Component Status?

2,Please reboot of the server to have a try. If possible, we can also try a site reset and see if it repairs the provider.

3,Message ID 11610 usually occurs when there is a trust failure: "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel." This error is due to the fact that the connection to the administration service is being made over an SSL/TLS secure channel, but the certificate presented by the server while establishing the connection is not trusted by the client. The SSL/TLS certificate presented by the server could be invalid, self-signed or the certificate chain is incomplete.

On the other hand, Message ID 11615 occurs due to a PKI certificate issue while connecting to the administration service. It could mean that there is a problem with the PKI certificate being used.

Based on the information you have provided, I would suggest the following troubleshooting steps:

Check the validity of your SSL/TLS certificate and ensure that it is trusted by the client.

Check for the completeness of the certificate chain.

Check the validity of the PKI certificate being used.

Check the time and date on your server and ensure that they are correct.

4,For more information, please refer to:

How to set up the administration service in Configuration Manager

Thanks for your time. Have a nice day!

Best regards,

Simon

If the response is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Vid3al 96

Hi Simon, Thank you for your helpfulness and patience.

Yes, in Console, going to see : "\Monitoring\Overview\System Status\Component Status\SMS_REST_PROVIDER" .
We performed the reboot, but nothing changed. It is not possible to reset the site. Out of curiosity, what do you mean by “try to reset the site” ?
We use the “Enhanced HTTP” mode for communications, and certificates should be automatically managed and renewed by MECM itself. What is the certificate you suggest we verify? Where do we verify it from?

Additional Notes

In the Log "SMS_REST_PROVIDER.log" :

ERROR: Service is not healthy. Error status: TrustFailure, Error message: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

In "\Monitoring\Overview\System Status\Component Status\SMS_REST_PROVIDER", the two error events repeating each day, after 10 seconds the following information events occur :

Component Status Summarizer detected that component "SMS_REST_PROVIDER", running on computer "MCM01.Domain.Local", has reported 1 or more Error status messages during the Component Status Threshold Period.
Possible cause: The count equals or exceeds the Component Status Warning Threshold (1 status messages) for Error status messages for the component.
Solution: If the component's status is not already set to Warning, Component Status Summarizer will set the component's status to Warning in the Component Status summary in the Configuration Manager Console.

Component Status Summarizer set the status of component "SMS_REST_PROVIDER" running on computer "MCM01.Domain.Local" to Warning.
Possible cause: The component is experiencing a problem.
Solution: Diagnose and fix the problem by:
1. Examine the status messages that the component reports.
2. Correcting the problem.
3. Instructing Component Status Summarizer to reset the counts of Error, Warning, and/or Informational status messages reported by the component. To reset the counts, right-click Reset Counts on the component in the Component Status summary in the Configuration Manager Console. When the counts are reset, Component Status Summarizer will change the status of the component to OK. This might take some time if site "XYZ" is a child site.
4. Deleting any unwanted status messages from the site database, if necessary.
5. Monitor the component occasionally to verify the problem does not reoccur.
Possible cause: The component is OK and you were unnecessarily alerted because the Component Status Thresholds are set too low for the component.
Solution: Increase the Component Status Thresholds for the component using the Thresholds tab of the Component Status Summarizer Properties dialog box in the Configuration Manager Console.
Possible cause: The component is "flooding" the status system by rapidly reporting the same message repeatedly.
Solution: Diagnose and control the flood of status messages by:
1. Verifying that the component is actually flooding the status system. View the status messages reported by the component, and verify that the same message is continually reported every several minutes or seconds.
2. Noting the Message ID of the flooded status message.
3. Creating a Status Filter Rule for site "XYX" that instructs Status Manager to discard the flooded status message when component "SMS_REST_PROVIDER" on computer "MCM01.Domain.Local" reports it. 
4. Verifying that your sites' databases were not filled up by the flooded status message.  Delete any duplicate  status messages from the site database, if necessary.
5. Refer to the Microsoft Knowledge Base for further troubleshooting information.

Component Status Summarizer reset the status of component "SMS_REST_PROVIDER", running on computer "MCM01.Domain.Local", to OK.
Component Status Summarizer will automatically reset a component's status to OK every time the Component Status Threshold Period elapses and a new Threshold Period begins. For example, if the Threshold Period is "Since 12:00:00 AM", Component Status Summarizer will reset the component's status to OK every 24 hours at midnight. At this time, the counts of status messages reported by the component for the Threshold Period will be reset to zero.
Solution: Component Status Summarizer will also reset a component's status to OK when an administrator manually resets the counts of status messages reported by the component for the Threshold Period.
Solution: Component Status Summarizer will also reset a component's status to OK when an administrator adjusts the Component Status Thresholds to be higher than the current counts of status messages reported by the component.

We would like to fix them before upgrading to version 2403.

We are concerned that these problems, block or compromise the upgrade properly.

Thank you for your patience and support.

Vid3al 96 Reputation points

2024-10-25T14:35:00.54+00:00

We solved this by requiring a new https 443 Binding certificate for the Default Site in IIS.

So the events mentioned above have disappeared.

(Site Configuration : Enhanced HTTP)

Thank you for your support.
Please sign in to rate this answer.
a m 0 Reputation points

2024-10-30T20:23:30.37+00:00

Can you share how you did it? I am having a similar issue on 2403.

I tried, it works on the server but on the console on other computers it isn't working.

Thanks.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

SMS_REST_PROVIDER : Connection to administration service is unsuccessful PKI

2 answers

Your answer