I was adding a secondary web front-end to their already existing Production MOSS 2007 Farm for one of my clients. The MOSS 2007 RTM software was installed using the "Complete" option ("Web Front-end" only option was tried as well with the same results) on a newly created server.
Each time I attempted to run the "SharePoint Products & Technology Configuration (SPTC)", I received the an error stating to the server could not be added and that I should review the PSC_Diagnostics.log file. The actual error is shown below.
1: 05/04/2007 10:49:42 8 INF Creating connection string for config db SharePoint_Config server [ACTUAL SERVER NAME]
2: 05/04/2007 10:49:42 8 INF Creating connection string for admin content db SharePoint_AdminContent_4d2a35e9-b8a6-4562-a7f6-e6064a78cb59 server[ACTUAL SERVER NAME]
3: 05/04/2007 10:49:42 8 INF Using NTLM for sql connection string
4: 05/04/2007 10:49:42 8 INF Openning configdb so that I can join it at server [ACTUAL SERVER NAME] database SharePoint_Config in farm mode
5: 05/04/2007 10:49:42 8 INF Now joining to farm at server [ACTUAL SERVER NAME] database SharePoint_Config
6: 05/04/2007 10:49:59 8 ERR Task configdb has failed with an unknown exception
7: 05/04/2007 10:49:59 8 ERR Exception: System.ArgumentException: Error during encryption or decryption. System error code 997.
8: at Microsoft.SharePoint.Administration.SPCredentialManager.DecryptWithMasterKey(Byte[] rgbEncryptedPassphrase)
9: at Microsoft.SharePoint.Administration.SPEncryptedString.GetSecureStringValue()
10: at Microsoft.SharePoint.Administration.SPEncryptedString.get_SecureStringValue()
11: at Microsoft.SharePoint.Administration.SPProcessIdentity.get_SecurePassword()
12: at Microsoft.SharePoint.Administration.SPApplicationPool.Provision()
13: at Microsoft.SharePoint.Administration.SPWebServiceInstance.Provision()
14: at Microsoft.SharePoint.Administration.SPFarm.Join()
15: at Microsoft.SharePoint.PostSetupConfiguration.ConfigurationDatabaseTask.CreateOrConnectConfigDb()
16: at Microsoft.SharePoint.PostSetupConfiguration.ConfigurationDatabaseTask.Run()
17: at Microsoft.SharePoint.PostSetupConfiguration.TaskThread.ExecuteTask()
Most Common Advice is not always the "Best Advice"
The error code (997), as well as a number of SharePoint professionals, pointed me to a Knowledge Base Article (http://support.microsoft.com/kb/927156)
This article simply says to recreate you configuration database, using the following command line.
psconfig -cmd configdb -create -server ServerName -database ConfigDBName -user Domain\User -password Password
Expected Outcome
By doing this, expect to loose time and everything but content. You will have to do the following to properly recover:
- Recreate each web application and reattach the existing content database.
- Recreate the Shared Services Provider web application and reattach that database.
- Re-add each web front-end and application server to the farm.
Research Found
Jukka Paajanen [MSFT] on EggheadCafe associates the error code (997) with a few other issues and provides the problem. He says the issues are:
- the error number is 997
- have standalone install (or have configured your farm with account that has no password or the account password changed)
- one of the SharePoint services used an account that has password (web app, services)
- are reinstalling,
The Problem, he states is "the existing configdb has old references to passwords that it cannot decrypt."
His Solution was to do the same as above.
Better Solution
Well, my problem is fixed and I did not recreate my configdb. It is much simpler. At the time this article was written no one other than Jukka had made the association between changing passwords and the error code (997). This lead me to look into resetting farm credentials, which led me this article by Joel Oleson
Joel Oleson outlines the process in detail:
----------------------------
If you know the password before the password change, you can do the following to your machine with WSS on it:
- Ensure the WSS Administration and WSS Timer services are running on all machines.
- On machine with central admin (WFE1)
- stsadm -o updatefarmcredentials -userlogin "domain user" -password "newPassword"
- iisreset /noforce (optional)
- On any machine after this completes (wait for the "Administration Application Pool Credential Deployment" job definition to go away on the Timer Job Definitions central admin page)
- stsadm -o updateaccountpassword -userlogin "domain user" -password "newpassword" -noadmin
Otherwise, after a password change:
- Go to the server central admin box:
- run the command stsadm –o updatefarmcredentials –userlogin <domain\name> -password <newpassword>
- User must run IISReset /noforce to complete the action.
- Delete the updatefarmcredentials timer job on central admin page->operations->job definitions page
- Go to each other server in the farm, and run the command:
- stsadm –o updatefarmcredentials –userlogin <domain\name> -password <newpassword> -local.
- If –local isn’t supplied, it will fail because step (4) created a timer job that locks creating OTHER timer jobs.
- On any machine after this completes (wait for the "Administration Application Pool Credential Deployment" job definition to go away on the Timer Job Definitions central admin page)
- stsadm -o updateaccountpassword -userlogin "domain user" -password "newpassword" -noadmin
More verbose Instructions from MSIT. Note these are not really polished, but a have some integrated tips that should be of value.
Password Changes
WSS WFEs
Central Admin AppPool (First)
Stsadm –o updatefarmcredentials –userlogin <domain\name> -password <password>
Other AppPools
Stsadm –o updateaccountpassword –userlogin <domain\name> -password <password> [-noadmin]
Use –noadmin if the Central Admin AppPool is the same account as other Web AppPools
Articles Referenced
Jukka Paajanen [MSFT]
http://www.eggheadcafe.com/software/aspnet/28909545/re-cryptographyexception.aspx
Microsoft Knowledge Base Article
http://support.microsoft.com/kb/927156
Joel Oleson
http://blogs.msdn.com/joelo/archive/2006/08/22/712945.aspx