Attaching a central administration site to a stand-alone primary site fails when two-factor authentication is enabled

System Center Configuration Manager (current branch - version 1810)

Symptom


You have a Configuration Manager version 1810 stand-alone primary site. Two-factor authentication is enabled in the hierarchy settings.

When you try to expand the stand-alone primary site by installing a central administration site, the central administration site setup fails. The following errors are logged in the ConfigMgrSetup.log file:

Cause


This issue occurs because the Authentication global property can only be replicated by using the Data Replication Service (DRS). If the global property is updated directly without using DRS, the tr_vSMS_SC_GlobalProperty_ins trigger raises the error. 

Resolution


To fix this issue, update the stand-alone primary site to Update Rollup 2 for Configuration Manager version 1810 or Configuration Manager version 1902, and then reattach the central administration site.

To work around this issue in Configuration Manager version 1810:

  1. Change the authentication level to disable two-factor authentication:

     1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Sites node.
     2. Select Hierarchy Settings in the ribbon.
     3. Switch to the Authentication tab.
     4. Select an authentication level other than Windows Hello for Business authentication, and then select OK.
  2. To delete the Authentication property, run the following SQL query on the primary site database:

    DELETE p
    FROM SC_GlobalProperty p
    INNER JOIN SC_GlobalProperty_Property gp ON p.ID = gp.GlobalPropertyID AND gp.Name=N'{3B1F3900-A186-11d0-BDA9-00A0C909FDD7} Authentication'
  3. Reattach the central administration site.
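
The following is an added example, not part of the original article: a guarded form of the step 2 query that previews the matching rows and commits the delete only when the affected row count matches the preview. The table, column, and property names are taken from the query above; the variable names and messages are illustrative assumptions.

```sql
-- Added example: guarded form of the step 2 DELETE.
-- Run it in the primary site database, as in step 2.
SET XACT_ABORT ON;   -- any run-time error rolls the whole transaction back
SET NOCOUNT ON;

-- Property name copied from the article's query; nvarchar(256) is an assumed size.
DECLARE @name nvarchar(256) = N'{3B1F3900-A186-11d0-BDA9-00A0C909FDD7} Authentication';
DECLARE @expected int, @deleted int;

BEGIN TRANSACTION;

-- Preview: the rows the DELETE will target, to keep with the change record.
SELECT p.*
FROM SC_GlobalProperty p
INNER JOIN SC_GlobalProperty_Property gp
    ON p.ID = gp.GlobalPropertyID AND gp.Name = @name;

-- Count distinct parent rows, because DELETE p removes each one only once.
SELECT @expected = COUNT(DISTINCT p.ID)
FROM SC_GlobalProperty p
INNER JOIN SC_GlobalProperty_Property gp
    ON p.ID = gp.GlobalPropertyID AND gp.Name = @name;

DELETE p
FROM SC_GlobalProperty p
INNER JOIN SC_GlobalProperty_Property gp
    ON p.ID = gp.GlobalPropertyID AND gp.Name = @name;
SET @deleted = @@ROWCOUNT;   -- capture immediately after the DELETE

IF @expected = 0 OR @deleted <> @expected
BEGIN
    -- Nothing matched, or the delete touched an unexpected number of rows.
    ROLLBACK TRANSACTION;
    RAISERROR(N'No change made: expected %d row(s), DELETE affected %d.',
              16, 1, @expected, @deleted);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
    PRINT N'Deleted ' + CAST(@deleted AS nvarchar(10)) + N' row(s).';
END
```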