Symptoms
Consider the following scenario:
- You install the security update for SharePoint Server Subscription Edition: March 12, 2024 (KB5002564).
- You have a SharePoint farm that contains a certificate that's managed by the Certificate Management feature.
- You try to add an additional server to the farm.
In this scenario, you receive the following error message:
An exception of type System.InvalidOperationException was thrown. Additional exception information: This operation uses the SharePoint Administration service (spadminv4), which could not be contacted. If the service is stopped or disabled, start it and try the operation again.
Cause
The KB 5002564 security update changed the Certificate Management feature to always use the SharePoint Timer Service (SPTimerv4) to deploy certificates to the servers in the SharePoint farm. However, when the Certificate Management feature tries to deploy certificates to a server that is being added to the SharePoint farm, the SharePoint Timer Service isn't available. Therefore, the server isn't added to the farm.
Workaround
To work around this issue, temporarily remove all certificates from the Certificate Management feature before you add a server to the SharePoint farm.
Caution: This action will prevent users from accessing web applications and other resources that are protected by the certificates until the certificates are re-imported to Certificate Management and re-assigned to their resources.
To do this, you should first export all certificates by using the Certificate Management page in SharePoint Central Administration or the Export-SPCertificate cmdlet. If a certificate contains a private key, make sure that you export the private key together with the certificate by selecting the Export certificate private key check box on the Export Certificate page in SharePoint Central Administration or by specifying the -Password parameter with the Export-SPCertificate cmdlet.
After you export all certificates from Certificate Management, note which certificates are assigned to which SharePoint resource (such as web applications). You can determine this assignment from the Certificate Management page.
Next, remove each certificate from Certificate Management by selecting the certificate and selecting the Delete button on the Certificate Management page in SharePoint Central Administration or by running the Remove-SPCertificate cmdlet. If the certificate is currently in use, you will have to select the Delete this certificate even though it's currently in use check box or add the -Force parameter to the Remove-SPCertificate cmdlet.
After you remove all certificates from Certificate Management, you can add servers to the SharePoint farm.
After the servers are added to the farm, you can re-import certificates to the Certificate Management feature by using the Certificate Management page or the Import-SPCertificate cmdlet. The imported certificates can then be re-assigned to their web applications by following these steps:
- On the SharePoint Central Administration website, in the Application Management section, select Manage web applications.
- Select the web application for which you want to re-assign the certificate.
- Select the Edit button for the selected web application.
- Within the web application settings, find the relevant zone.
- In the Server Certificate list, select the appropriate certificate that you want to assign to this web application.
- Select Save to apply the changes.
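The export, removal and re-import steps above can be scripted so that no certificate is removed before its export is confirmed on disk. The following is an added example, not a script from Microsoft or from this article. The export folder, the manifest file name and the object property names (Thumbprint, FriendlyName, HasPrivateKey) are assumptions, and certificate-to-web-application assignments still have to be noted from the Certificate Management page as described above.

```powershell
# Added example. Run in the SharePoint Management Shell as a farm administrator.
# $ExportDir is a hypothetical path; restrict its ACL because it will hold private keys.
param(
    [Parameter(Mandatory)][ValidateSet('ExportAndRemove', 'Reimport')][string]$Phase,
    [string]$ExportDir = 'D:\CertBackup'
)
$ErrorActionPreference = 'Stop'
$manifest    = Join-Path $ExportDir 'manifest.csv'
$pfxPassword = Read-Host -AsSecureString 'Password protecting the exported private keys'

if ($Phase -eq 'ExportAndRemove') {
    New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
    $certs = @(Get-SPCertificate)
    $rows = foreach ($c in $certs) {
        # Property names on the returned objects are assumed (see lead-in).
        if ($c.HasPrivateKey) {
            $file = Join-Path $ExportDir "$($c.Thumbprint).pfx"
            Export-SPCertificate -Identity $c -Password $pfxPassword -Path $file
        } else {
            $file = Join-Path $ExportDir "$($c.Thumbprint).cer"
            Export-SPCertificate -Identity $c -Type Cert -Path $file
        }
        if (-not (Test-Path $file)) { throw "Export failed for $($c.Thumbprint)" }
        [pscustomobject]@{
            Thumbprint    = $c.Thumbprint
            FriendlyName  = $c.FriendlyName
            HasPrivateKey = [bool]$c.HasPrivateKey
            File          = $file
        }
    }
    $rows | Export-Csv -Path $manifest -NoTypeInformation
    # Removal starts only after every export above has succeeded.
    foreach ($c in $certs) { Remove-SPCertificate -Identity $c -Force }
}
else {
    $rows = @(Import-Csv -Path $manifest)
    foreach ($row in $rows) {
        if ($row.HasPrivateKey -eq 'True') {
            Import-SPCertificate -Path $row.File -Password $pfxPassword
        } else {
            Import-SPCertificate -Path $row.File
        }
    }
    # Confirm every thumbprint is back before deleting the key material on disk.
    $present = @(Get-SPCertificate | ForEach-Object { $_.Thumbprint })
    $missing = @($rows | Where-Object { $present -notcontains $_.Thumbprint })
    if ($missing.Count -gt 0) { throw "Not re-imported: $($missing.Thumbprint -join ', ')" }
    Remove-Item -Path (Join-Path $ExportDir '*.pfx')
}
```

Run the ExportAndRemove phase before adding the server and the Reimport phase afterward, then re-assign the certificates to their web applications.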
Status
Microsoft is researching this issue and will update this article when a fix is available.