
Error when generating a software publishing certificate in Patch Manager

updated Nov 5, 2018

Overview

 

Symptom 1

You have Patch Manager (PM) and WSUS on two separate servers, and you are trying to create and publish a WSUS self-signed certificate from the PM console. The following error message displays when the wizard completes:

The provisioning process is complete. Failed to create the signing certificate. Access is denied

OR

Failure Message: Operation on TrustedPublisher failed. Access is denied Operation on root failed. Access is denied

 

The WSUS self-signed certificate is not created on the WSUS server, so you use the workaround in How to create a self-signed WSUS certificate when the Server Publishing Setup Wizard fails.

 

The certificate is created, but PM will not publish it and displays the message "The provisioning process is complete. Failed to create the signing certificate. Access is denied"

You have verified that the account running the PM application has local and WSUS admin privileges on the WSUS server.

 

Symptom 2

PM and WSUS are installed on the same or separate servers, and you get this error when publishing third-party update packages: "The directory name is invalid"

Environment

  • Patch Manager 2.x and above
  • WSUS 6.x and above
  • Windows Server 2012 and higher

Cause

  • Patch Manager is installed on the same server as your Certificate Authority (CA)
  • Adding or updating certificates in the certificate stores is controlled by a domain-level GPO policy and cannot be overridden by local policy
  • LocalAccountTokenFilterPolicy is disabled on the remote WSUS server
  • The "Log on as a batch job" GPO setting is enabled with the Local Admin account excluded

Resolution 

Scenario 1:

Patch Manager is installed on the same server as your CA:

  • SolarWinds recommends that you install and configure your CA on its own server, independent of both WSUS and Patch Manager.
  • After Patch Manager is installed on a dedicated server, rerun the Server Publishing Setup Wizard to create and publish the WSUS Self Signed certificate.

 

Scenario 2:

Certificate management controlled via GPO:

 

Scenario 3: PM and WSUS are on separate servers with UAC enabled on both, and the servers are in either domain or non-domain environments.

  • Enable LocalAccountTokenFilterPolicy and run the Server Publishing Setup Wizard again. Note: if the problem still exists, check whether the domain policy is rolling back the changes.

 

For Symptom 2 in the Overview section above, ensure the "Log on as a batch job" GPO setting is configured to include the Local Admins group or the Patch Manager account.
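
A read-only check of the two Windows settings named in the resolution, as an added example that is not SolarWinds code. The registry path, the `SeBatchLogonRight` constant and the `secedit` export are standard Windows details not given in this article, and `CONTOSO\svc-patchmgr` is a hypothetical placeholder account.

```powershell
# Added example (not SolarWinds code). Run in an elevated session on the WSUS server.
# Read-only: reports the two settings this article names and changes nothing.
$PatchManagerAccount = 'CONTOSO\svc-patchmgr'   # hypothetical placeholder account

function Get-TokenFilterPolicyState {
    # Standard Windows location of the value; the article does not give the path.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'NotSet' }    # an absent value behaves as disabled
    if ($p.LocalAccountTokenFilterPolicy -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-BatchLogonPrincipal {
    # SeBatchLogonRight is the privilege behind "Log on as a batch job".
    $cfg = Join-Path $env:TEMP "user_rights_$PID.inf"
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg -ErrorAction Stop |
            Where-Object { $_ -match '^SeBatchLogonRight\s*=' } | Select-Object -First 1
        if (-not $line) { return @() }
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $id = $entry.Trim()
            if ($id.StartsWith('*S-1-')) {
                # secedit writes SIDs with a leading '*'; translate to a name when possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($id.TrimStart('*'))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }
            } elseif ($id) { $id }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$granted = @(Get-BatchLogonPrincipal)
# Resolve the local Administrators group from its well-known SID (locale-independent).
$admins = (New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')).Translate([System.Security.Principal.NTAccount]).Value

[pscustomobject]@{
    LocalAccountTokenFilterPolicy = Get-TokenFilterPolicyState
    BatchLogonGrantedTo           = $granted -join '; '
    AdminsOrAccountIncluded       = [bool]($granted | Where-Object { $_ -in ($admins, $PatchManagerAccount) })
}
# If a value reverts after you change it, 'gpresult /h report.html' on this
# server shows which domain GPO is reapplying it.
```

The membership check compares direct entries only; an account that holds the right through a nested group will not be matched.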

 

 
