SCSM.SE

• Create function app (or other resource) that will be sending the mail.

• Create a managed identity to the resource.

• Run the following code to give the managed identity permission to send mail via Graph API:

Connect-Azaccount -AuthScope MicrosoftGraphEndpointResourceId

$ManagedIdentityId = 'faca44fa-870f-4a2b-a120-e38e2f71d9f3'
$PermissionName = "Mail.Send"
$GraphAppId = "00000003-0000-0000-c000-000000000000"

$ManagedIdentity = Get-AzADServicePrincipal -ObjectId $ManagedIdentityId

$GraphServicePrincipal = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"

$AppRole = $GraphServicePrincipal.AppRole | Where-Object { $_.Value -eq $PermissionName }

New-AzADServicePrincipalAppRoleAssignment -ServicePrincipalId $ManagedIdentity.Id -ResourceId $GraphServicePrincipal.Id -AppRoleId $AppRole.Id

This will give the identity permission to send mail as ALL mailboxes in the organization. To restrict this, a role assignment will be created in M365 between the identity, graph role and a resource scope. The resource scope is a scoped number of mailboxes.

• To connect to M365, download the Powershell module: Exchange Online Management module. Note that some of these commands are unavailable in powershell until you have connected to M365.

Connect-ExchangeOnline
 
New-ServicePrincipal -AppId 4e91ac94-b9bf-47e0-a11a-f342938b97a6 -ObjectId faca44fa-870f-4a2b-a120-e38e2f71d9f3 -DisplayName "MI-Mail Function"

Use application id and object id for the managed identity, in Entra. This will create a service principal in M365 that acts as a link between M365 and the identity in Entra ID.

• Now we need to create a management scope which acts as a filter for the mailboxes that should be included:

New-ManagementScope -Name "MySharedMailbox" -RecipientRestrictionFilter "UserPrincipalName -eq 'sharedmailbox@mydomain.com'"

• To connect the management scope to the Graph role, create a role assignment:

New-ManagementRoleAssignment -App 876e190f-e540-422c-8f15-3342b851acd3 -Role "Application Mail.Send" -CustomResourceScope "MySharedMailbox"

• Now verify that the identity only has access to send mail as the specific mailbox:

Test-ServicePrincipalAuthorization -Identity 4e91ac94-b9bf-47e0-a11a-f342938b97a6 -Resource MySharedMailbox

Instead of creating a role assignment to a management scope, an administrative unit och entra group can be used, see more at:

https://janbakker.tech/a-love-story-about-role-based-access-control-for-applications-in-exchange-online-managed-identities-entra-id-admin-units-and-graph-api/

If you look at the private endpoint for the RSV, it has automatically added more IP addresses to it when it enables SQL backup feature. These IPs will not be registered in DNS automatically by policy since they do not trigger a new creation of a private endpoint. It’s only an update of an existing one.

Add DNS configurations manually to the new IPs so all of them are registered in the private zone DNS. Then all should work as expected.

The installation tries to add the BUILTIN\BUILTIN access inside SSRS but fails, due to it might already be there.

Solution:
Enable inheritance on the folder: System Center\Service Manager inside SSRS before running installation. This should remove BUILTIN\BUILTIN and will be readded by the installation.
See blog post:https://blog.jhnr.ch/2016/11/08/error-when-installing-service-manager-data-warehouse-management-server-the-user-or-group-name-builtinbuiltin-is-not-recognized/

Installation failes with error like “SQL Connection terminated by host”.
This can be due to TLS hardening on the management server, since the installation wizard cannot handle TLS 1.2.
Enable TLS 1.0 and 1.1 in the registry on the management server before starting the installation:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1

These two paths should contain a key called Server and another one called Client for each version.
And in each Server\Client key, two DWORDS:
DisabledByDefault=0
Enabled=1

There could also be an issue with the SQL it self, that it only accepts TLS 1.2.

Reinstallation (disaster recovery) of Data Warehouse management server failed on the stage _RunSMScripts with the following details in the log:
Calling custom action CAManaged!Microsoft.MOMv3.Setup.MOMv3ManagedCAs.RunSMScripts
RunSMSCripts: Error: Requested registry access is not allowed.

Solution:
In the registry, check the permissions on the folder: HKLM\SOFTWARE\Microsoft\System Center\2010\Common\MOMBins,
this is where the encryptionkey to the databases are stored. In my case the inheritance was turned off. After comparing to a working management server I reenabled inheritance in the ACL and restarted the installation.

When installing a brand new management server on a brand new machine, the installation fails on the step when adding new performance counters to windows with the following error: InstallServerPerfCountersForSDK.62894CB9_4320_40DB_B4E4_C0347FAB97B6

SCSMInstall.log also shows this:

MOMPerformanceCounterInstaller: adding perf dll C:\Program Files\Microsoft System Center\Service Manager\Microsoft.EnterpriseManagement.DataAccessService.Core.dll
MOMPerformanceCounterInstaller: Called for Installation of per counters
MOMPerformanceCounterInstaller: Error: The installation failed, and the rollback has been performed.
StackTrace: at System.Configuration.Install.TransactedInstaller.Install(IDictionary savedState)
at Microsoft.MOMv3.Setup.MOMv3ManagedCAs.MOMPerformanceCounterInstaller(Session session, Boolean bInstall)
CustomAction _InstallServerPerfCountersForSDK.62894CB9_4320_40DB_B4E4_C0347FAB97B6 returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Assembly Install: Failing with hr=80070005 at RemoveDirectoryAndChildren, line 393

MOMPerfCtrsInstall.log shows this:

An exception occurred during the Install phase.
System.InvalidOperationException: Invalid performance counter data with type ‘PERF_OBJECT_TYPE’.

Solution:

Disable 4 perfomance counters in Windows by adding the followin registry keys, and inside each of them create a “Dword (32Bit) value” named “Disable Performance Counters” with a value of 1.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Intercept CSM Filters\Performance]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Intercept Injector\Performance]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Intercept SyncAction Processing\Performance]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InterceptCountersManager\Performance]

Source: https://learn.microsoft.com/en-us/answers/questions/2202869/how-to-resolve-service-manager-datawarehouse-insta

Source: https://techcommunity.microsoft.com/discussions/systemcenter/system-center-orchestrator-2022-web-console-issues/4021500

Issue 1: Runbooks not visible in the Web Console.

In this issue the left hand pane where the runbook structure should be populated is blank.

Solution 1: Ran this query on the Orchestrator DB

GRANT CONTROL ON ASYMMETRIC KEY::[ORCHESTRATOR_ASYM_KEY] TO [Microsoft.SystemCenter.Orchestrator.Admins]

GRANT CONTROL ON SYMMETRIC KEY::[ORCHESTRATOR_SYM_KEY] TO [Microsoft.SystemCenter.Orchestrator.Admins]

GRANT EXECUTE ON object::[Microsoft.SystemCenter.Orchestrator].[GetSecurityToken] TO [Microsoft.SystemCenter.Orchestrator.Operators]

GRANT SELECT ON object::[Microsoft.SystemCenter.Orchestrator.Internal].[Settings] TO [Microsoft.SystemCenter.Orchestrator.Operators]

GRANT SELECT ON object::[Microsoft.SystemCenter.Orchestrator.Internal].[AuthorizationCache] TO [Microsoft.SystemCenter.Orchestrator.Admins]

Issue 2: Unable to delete stale or orphaned runbook server instances

I decommissioned some older runbook servers but was unable to delete them from any of the orchestrator consoles.

Solution: Run these sql queries against the orchestartor database

DELETE FROM [Orchestrator].[dbo].[CLIENTCONNECTIONS]

WHERE [ClientMachine] = ‘SCORCHRB’

— Here SCORCHRB is my Runbook Server Name.

DELETE  FROM [Orchestrator].[dbo].[ACTIONSERVERS]

  WHERE [Computer] = ‘SCORCHRBServer’

— Here SCORCHRBServer is my Runbook Server Name.

DELETE FROM dbo.OBJECTS

where Name = ‘SCORCHRBServer’

— Here SCORCHRBServer is my Runbook Server Name.

Issue 3: Runbooks remain in the checked out state in the web console

I have run into an issue where no matter how many times i check in a runbook, the runbook in the web console remains checked out.

Solution 3: Run this sql query against the orchestrator database

use Orchestrator

GO Truncate table [Microsoft.SystemCenter.Orchestrator.Internal].AuthorizationCache

DECLARE @secToken INT

DECLARE tokenCursor CURSOR FOR

SELECT Id FROM [Microsoft.SystemCenter.Orchestrator.Internal].SecurityTokens

where ExpirationTime >= GETUTCDATE() OPEN tokenCursor

FETCH NEXT FROM tokenCursor

INTO @secToken

WHILE @@FETCH_STATUS = 0

BEGIN PRINT ‘Computing Authorization Cache for Security Token: ‘ + Convert(Nvarchar, @secToken) exec [Microsoft.SystemCenter.Orchestrator].ComputeAuthorizationCache @TokenId = @secToken FETCH NEXT FROM tokenCursor

INTO @secToken END CLOSE tokenCursor DEALLOCATE tokenCursor

$scsmMgmtServer = "scsmMGMTServerHere"
$emg = New-Object Microsoft.EnterpriseManagement.EnterpriseManagementGroup $scsmMgmtServer

#MONSTER WORKFLOW LIST
$wfSubs = $emg.Subscription.GetSubscriptionsByCriteria("Name LIKE '%'")

foreach ($wfSub in $wfSubs)
{
    $wfSubFailedInstances = $emg.Subscription.GetFailedSubscriptionStatusById($wfSub.id) | ?{$_.status -eq "Failed"}
    foreach ($subFailedInstance in $wfSubFailedInstances)
    {
        #Ignore
        $emg.Subscription.IgnoreFailedSubscription($subFailedInstance)
    }
}

Source: https://community.cireson.com/discussion/2581/workflows-arent-getting-created-run-and-scsm-console-administration-workflows-status-is-slow

If the portal is using a HTTPS binding, and you need to update that certificate, you also need to update the PlatformCache service since it sets the certificate in the binding in IIS.
If PlatformCache is not updated, it will automatically wipe the link to the certificate in the binding.

1. Update the certificate in windows, in the computer cert. store.
2. Copy the thumbprint of the newly installed certificate.
3. Open the file Ciresonportal\Platform\Platform_cache.config and paste the thumbprint at: SslCertificateThumbprint
4. Restart the Platformcache service.

Microsoft has started to reject connections to ExchangeOnline webaccess unless you use at least TLS 1.2, during this week. This can cause your Exchange Connector to stop connecting to it’s mailbox, if you use M365.

To correct this, you need to add some registry keys to make .NET and Windows to use a higher TLS version as default.

More about this on these posts:

https://tdemeul.bunnybesties.org/2021/06/troubleshooting-scsm-exchange-connector.html

https://support.microsoft.com/en-us/topic/tls-1-2-protocol-support-deployment-guide-for-system-center-2016-58f3daa8-655e-e9e7-dafe-cbbd28203118