SQL or ODBC-problem when trying to update to ConfigMgr 2309

Question

When running the update to ConfigMgr 2309, we get the following errors in "ConfigMgrPrereq.log":

*** [08001][-2146893022][Microsoft][ODBC Driver 18 for SQL Server]SSL Provider: The target principal name is incorrect.~~ $$<Configuration Manager Prereq><11-03-2023 12:17:13.236-60><thread=4556 (0x11CC)> *** [08001][-2146893022][Microsoft][ODBC Driver 18 for SQL Server]Client unable to establish connection $$<Configuration Manager Prereq><11-03-2023 12:17:13.237-60><thread=4556 (0x11CC)> *** Failed to connect to the SQL Server, connection type: SMS Master. $$<Configuration Manager Prereq><11-03-2023 12:17:13.246-60><thread=4556 (0x11CC)>

It also adds error messages to the Windows System event log:

The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is (local). The TLS connection request has failed. The attached data contains the server certificate. The SSPI client process is cmupdate (PID: 15836).

The SQL-server is on the same server as the site server, and runs under a Group Managed Service account, which has the following SPNs added to it:

MSSQLSvc/%HOSTFQDN%
MSSQLSvc/%HOSTFQDN%:1433

The SQL-server is bound to a server certificate which has the FQDN of the server in CN and DNS SAN, and the service account has "Read" permission on the certificates private key. It is set to require encryption.

ODBC driver 18 is version 18.3.2.1

ODBC driver 17 is version 17.10.5.1

The update checker keeps looping, and we can't really stop it. It keeps generating error messages and prints false pre-requisite errors and warnings in the status window.

Any ideas how to fix this?

Answer 1

Hi, @rogergh

Thank you for posting in Microsoft Q&A forum.

The error message "The target principal name is incorrect" suggests that the SQL Server certificate is not valid or does not match the FQDN of the SQL Server.

Please verify that the certificate is valid and has the correct FQDN in the CN and DNS SAN. Also, make sure that the FQDN specified in the Site System properties matches the FQDN specified in the certificate.

If the certificate is valid and the FQDNs match, try adding the SQL Server FQDN to the hosts file on the site server and see if that resolves the issue.

---

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".

Answer 2

Turning off "Force encryption" in SQL Server Configuration Manager seems to allow the process to continue, but the pre-requisite checks still show false warnings and fails. This seems to confirm something is wrong with how the update\installer connects to the SQL-server with the new ODBC, as it references "(local)" for certificate subject name when encryption is forced.

One example for pre-requisite false fail condition is this:

INFO: Did not detect MP Replica that could block upgrade. $$<Configuration Manager Prereq><11-07-2023 13:07:13.146-60><thread=5472 (0x1560)> REDACTED; Active Replica MP; Passed $$<Configuration Manager Prereq><11-07-2023 13:07:13.152-60><thread=5472 (0x1560)>

Another is this:

INFO: Checking current installed version $$<Configuration Manager Prereq><11-07-2023 13:07:13.085-60><thread=5472 (0x1560)> INFO: Detected current installed build version [9106] for sitecode [REDACTED]. $$<Configuration Manager Prereq><11-07-2023 13:07:13.097-60><thread=5472 (0x1560)> INFO: Current installed build does not block upgrade $$<Configuration Manager Prereq><11-07-2023 13:07:13.106-60><thread=5472 (0x1560)> REDACTED; Unsupported upgrade path; Passed $$<Configuration Manager Prereq><11-07-2023 13:07:13.117-60><thread=5472 (0x1560)>

When visually, the check inside the console says this:

Answer 3

Hi Rogergh,

Did you manage to upgrade your SCCM? I have exactly the same issues.... :-(