Submit a ticketCall us

Get a crash course on Network Monitoring delivered right to your inbox
This free 7-day email course provides a primer to the philosophy, theory, and fundamental concepts involved in IT monitoring. Lessons will explain not only how to perform various monitoring tasks, but why and when you should use them. Sign up now.

Home > Success Center > Network Performance Monitor (NPM) > Unable to deploy QoE Agents - Unable to get provision certificate bytes for agent deployment

Unable to deploy QoE Agents - Unable to get provision certificate bytes for agent deployment

Created by Justin Wyllys, last modified by MindTouch on Jun 23, 2016

Views: 31 Votes: 1 Revisions: 6

Overview

While attempting to deploy an agent the credentials test works, but the agent deployment fails with the message:

 

Unable to deploy agent. Unable to get provision certificate bytes for agent deployment.

 

The following errors are seen in C:\ProgramData\Solarwinds\Logs\AgentManagement\AgentManagement.Service.log

 

2015-11-18 10:43:44,872 [6] ERROR SolarWinds.AgentManagement.ServiceCore.CertificateManagement.CertificateManager - Error generating provisioning certificate. Agents will not be provisioned.
System.ComponentModel.Win32Exception (0x80004005): certmgmt::createsignedcertandexporttopfxfile failed
at SolarWindsAgentCLR.Core.CertificateManagement.certmgmt.createsignedcertandexporttopfxfile(String msubjectName, String missuername, String missuerstore, String mpfxfqpath, SecureString mss, Boolean dontsavetostore, String maccounttoaddtoprivatekeyacl)
at SolarWinds.AgentManagement.ServiceCore.CertificateManagement.CertificateGenerator.GenerateProvisioningCertificateToFile(X509Certificate2 caCertificate, String pathToSaveCertificate)
at SolarWinds.AgentManagement.ServiceCore.CertificateManagement.CertificateManager.GenerateProvisioningCertificate(IAgentManagementDbContext db)
-------------------------------------
2015-11-18 10:43:44,872 [6] ERROR SolarWinds.AgentManagement.ServiceCore.Services.AgentProvisioningService - Provisioning certificate for agents does not exist and can't be generated. Agents provisioning may not work.

 

Environment

  • NPM 11.5 and later
  • QoE 1.0 and later

Cause 

The agent fails to deploy because the Agent Management Service does not have an Agent provisioning certificate, which is used to encrypt data sent from the agent to the server.

 

The error logged during certificate creation is NTE_BAD_KEYSET (0x80090016). This can have three most common reasons:

  • The Protected Storage Service is not running (most likely).
  • You do not have access to the key container (very likely).
  • Key container does not exist (unlikely).

Resolution

First, confirm that the permissions are correctly set and that the Protected Storage service is running:

  1. Navigate to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ .
  2. Right-click this folder, select properties, and then select the Security tab.
  3. Add EVERYONE and grant Full Control.
  4. Save and restart all Orion services.
  5. Check that the "Protected storage" service is enabled and running (in services.msc). Start it if stopped and set the startup mode to Automatic.
  6. Restart Orion services again.

 

Then, check to see if the SolarWinds Agent Provisioning certificate was created:

  1. Start > Run > MMC.
  2. File > Add/remove Snap-in > Certs > Local Computer > Personal > Certificates.
  3. Look for a certificate by the name of SolarWinds Agent Provisioning.
  4. If it exists, you were successful.

 

Finally, try to deploy the agent from the web again (Settings > Manage Agents > Add Agent). If you followed the steps above, you should no longer see the error in the log.

Last modified
23:50, 22 Jun 2016

Tags

Classifications

Public