Common issues when working with certificates in OpsMgr

The last couple of weeks I have been working a lot with certificates in Operations Manager 2012 – agents and gateways in a workgroup. I have worked so much with this that it feels like I have seen every possible issue one can meet when configuring it. Both to help you guys and as a notepad for myself, here are the issues (and solutions) I met along the way:

First of all, make sure no firewall is blocking the communication. You can test this by telnetting to port 5723 in both directions.


Issue: no certificates available in the certificates dropdown list when requesting a certificate

Explanation: unless you grant anonymous access to CertSrv, you will get access denied/it won’t work

Solution: in IIS, disable Anonymous Authentication and enable Windows Authentication for the CertSrv website


Issue: MOMCertImport.exe fails with:

The certificate is valid, but importing it to certificate store failed.

Error description: Catastrophic failure

Error Code: 8000FFFF

Solution:

When exporting the OpsMgr/server certificate, make sure the “Include all certificates in the certification path if possible” box is not checked. This box is checked by default on Server 2012.

I haven’t done a thorough test, but I am pretty sure the other two can be checked without problems.

Issue:

Event 21016

OpsMgr was unable to set up a communications channel to MS and there are no failover hosts.  Communication will resume when opsmgr.company.com is available and communication from this computer is allowed.

Event 20070

The OpsMgr Connector connected to MS1, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.

Event 20071

The OpsMgr Connector connected to MS1, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server.  Check the event log on the server and on the agent for events which indicate a failure to authenticate.

Explanation:

This can happen if you did not use the FQDN of the management server when installing the agent manually.

Solution:

Either reinstall the agent and use the FQDN, or change the registry keys:

Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\MGM Group Name\Parent Health Services\0 and edit the AuthenticationName and NetworkName values so that both contain the FQDN of the management server.

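The registry fix above, and the port 5723 check from the start of the post, as an added PowerShell example that is not part of the original post. It lists every Parent Health Services entry the agent has, flags values that are not FQDNs, tests TCP 5723 to each, and with -Fix rewrites a short name to the FQDN you pass in -Fqdn (the parameter names and the regex are assumptions; run it elevated on the agent).

```powershell
# Added example (not from the original post): audit the agent's Parent Health
# Services registry entries, flag names that are not FQDNs, test TCP 5723 to
# each, and optionally rewrite the short name to the FQDN given in -Fqdn.
# Run in an elevated PowerShell prompt on the agent. -Fqdn is an assumption.
param(
    [string] $Fqdn,   # e.g. opsmgr.company.com (from the post); needed with -Fix
    [switch] $Fix
)

$base = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups'

function Test-Port5723([string] $HostName) {
    # Same check as "telnet <server> 5723", done from PowerShell.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($HostName, 5723); return $true }
    catch   { return $false }
    finally { $tcp.Close() }
}

$report = foreach ($mg in Get-ChildItem -Path $base) {
    $phs = Join-Path -Path $mg.PSPath -ChildPath 'Parent Health Services'
    foreach ($parent in Get-ChildItem -Path $phs) {
        $props = Get-ItemProperty -Path $parent.PSPath
        foreach ($name in 'NetworkName', 'AuthenticationName') {
            $value  = [string] $props.$name
            $isFqdn = $value -match '^[^.\s]+(\.[^.\s]+)+$'   # at least one dot, no spaces
            # Only rewrite an entry whose short name matches the FQDN we were given,
            # so several parents (e.g. primary and failover) are never overwritten
            # with the wrong server.
            if ($Fix -and -not $isFqdn -and $Fqdn -and $value -eq $Fqdn.Split('.')[0]) {
                Set-ItemProperty -Path $parent.PSPath -Name $name -Value $Fqdn
                $value  = $Fqdn
                $isFqdn = $true
            }
            [pscustomobject]@{
                ManagementGroup = $mg.PSChildName
                Parent          = $parent.PSChildName
                Key             = $name
                Value           = $value
                IsFqdn          = $isFqdn
                Port5723Open    = Test-Port5723 $value
            }
        }
    }
}

$report | Format-Table -AutoSize
if ($Fix) { Restart-Service -Name HealthService }   # the agent re-reads the keys on start
```

A value that is already an FQDN but shows Port5723Open as False points at the firewall or DNS problems discussed elsewhere in this post rather than at the registry.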
Issue: the manually installed agent does not appear in Pending Management


Resolution: in the Operations console, go to Administration, Settings, Security and change the setting to “Review new manual agent installations in pending management”.

Issue: Failed to initialize security context for target MSOMHSvc/ms1.hq.com. The error returned is 0x80090311(No authority could be contacted for authentication.).  This error can apply to either the Kerberos or the SChannel package.
EventID: 20057

Explanation: this is normally because the FQDN used for the agent's certificate is incorrect.

Resolution: go to System Properties, copy the Full computer name and request the server certificate again with that name.


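The two certificate checks from this post, the export without the certification path (the 8000FFFF section) and the subject matching the Full computer name, as an added PowerShell example that is not part of the original post. It inspects an exported .pfx before you run MOMCertImport.exe; the parameter names are assumptions, and the two enhanced key usage OIDs are the Server Authentication and Client Authentication usages an OpsMgr certificate needs.

```powershell
# Added example (not from the original post): check an exported .pfx before
# running MOMCertImport.exe. It verifies that the file holds exactly one
# certificate (no chain included), that the subject CN matches this machine's
# full computer name, that both OpsMgr key usages are present and that the
# certificate has not expired. $PfxPath and $Password are assumptions.
param(
    [Parameter(Mandatory = $true)] [string] $PfxPath,
    [Parameter(Mandatory = $true)] [SecureString] $Password
)

# "Full computer name" as shown in System Properties: host name + primary DNS suffix.
$ipProps  = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fullName = if ($ipProps.DomainName) { "$($ipProps.HostName).$($ipProps.DomainName)" } else { $ipProps.HostName }

# Load every certificate in the PFX, not just the leaf that Get-PfxCertificate returns.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($PfxPath, $plain, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

$problems = @()
if ($certs.Count -ne 1) {
    $problems += "PFX holds $($certs.Count) certificates; export again without 'Include all certificates in the certification path'."
}
$cert = @($certs | Where-Object { $_.HasPrivateKey })[0]
if (-not $cert) {
    $problems += 'No certificate with a private key in the PFX; export the private key.'
} else {
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $fullName) { $problems += "Subject CN '$cn' does not match full computer name '$fullName'." }
    # OpsMgr needs both Server Authentication (…7.3.1) and Client Authentication (…7.3.2).
    $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    foreach ($need in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($oids -notcontains $need) { $problems += "Missing enhanced key usage $need." }
    }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($cert.NotAfter)." }
}

if ($problems.Count -eq 0) { "OK: $PfxPath is ready for MOMCertImport.exe" } else { $problems }
```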
Issue: you have done all this and it’s still not working

Explanation: this can also be a DNS issue. I have experienced that even though the DMZ server has a DNS entry, it still can’t communicate with the management server/gateway server.

Resolution:

Edit the hosts file on the agent: browse to C:\Windows\System32\drivers\etc and open hosts in Notepad. Add two entries for the management server (or gateway server), one with its hostname and one with its FQDN.

By Michael Skov | January 14th, 2013 | Operations Manager (SCOM) | 13 Comments

About the Author:

Michael Skov
Yet another guy loving the System Center products. My primary focus is on Operations Manager, which I have worked with for some years now - still loving it.

Certifications:
Microsoft Certified Solution Expert Private Cloud (MCSE)
Microsoft Certified Solutions Associate Windows Server 2008 (MCSA)
Microsoft Certified Technology Specialist Windows Server 2008 R2, Server Virtualization

13 Comments

  1. Shahin June 10, 2013 at 18:09 - Reply

    Hi,

    I am trying to point an existing gateway server to the secondary SCOM management server. I have already got that server to trust our Root CA. The gateway server already trusts our SCOM management group and can speak to the primary management server. However it gives the above 21016, 20057 and 20071 error codes when I fail the gateway to the secondary SCOM management server via a Powershell script.

    I have checked the gateway server’s registry and it does have the FQDN of our secondary SCOM management server there.

    I am not sure what else I can do to troubleshoot this problem.

    Shahin

  2. Michael Skov June 11, 2013 at 8:43 - Reply

    Have you imported the SCOM certificate and used MomCertImport.exe?

  3. Shahin June 12, 2013 at 10:33 - Reply

    Michael,

    Excellent, I have run the MomCertImport.exe for the SCOM certificate issued by the CA and I got connections working towards our secondary management server. It appeared I also had to enroll the SCOM certificate to our secondary management server. The below link was also useful.

    http://blogs.technet.com/b/pfesweplat/archive/2012/10/15/step-by-step-walkthrough-installing-an-operations-manager-2012-gateway.aspx

    I appreciate your help.

    Thank you very much,

    Muhammad Shahin

  4. Karthick June 18, 2013 at 11:50 - Reply

    Michael,

    I’ve done the Personal and Root certificate installation on the GW server and ran Momcertimport.exe, but the GW is not in monitored mode in the console. I’m getting events 20057, 21001 and 20071.

    Please help me fix this.

    Thanks in advance.

  5. Michael Skov June 18, 2013 at 12:02 - Reply

    Hi Karthick
    Are you able to telnet to the management server from the gateway server?

  6. Geert Baeten July 8, 2013 at 16:24 - Reply

    If you get problems adding Windows 2012 servers to SCOM 2012 SP1 then you might also want to check the following article I wrote. There’s a (currently undocumented) issue with TLS:

    http://geertbaeten.wordpress.com/2013/07/08/scom-agent-or-gateway-certificate-issue/

    Best regards,
    Geert

  7. Michael Skov July 8, 2013 at 16:30 - Reply

    Hi Geert
    Thank you very much for the link, I will surely remember that if I run out of ideas!

  10. Vivek December 15, 2014 at 12:54 - Reply

    Hi Michael,

    I am still getting the below events on the agent machine. The server name was properly given during installation and it is verified.
    My agent machine resides in a different domain than that of the MGT server. Do you have any clue on this?
    21016
    20070
    20071

  11. salman September 1, 2016 at 14:09 - Reply

    Hi,

    I am facing the below-mentioned error in the event log, kindly tell me how to solve this issue

    Event Log:-

    “opsmgr has no configuration for management group xxxxxx (management server of scom) and is requesting configuration from the configuration service”
