The last couple of weeks I have been working a lot with certificates in Operations Manager 2012 – agents and gateways in a workgroup. I have worked so much with this that it feels like I have seen every possible issue one can meet when configuring it. Both to help you and as a notepad for myself, here are the issues (and solutions) I met on my way:

First of all, make sure no firewall is blocking the communication. You can test this by telnetting to port 5723 in both directions (agent to management server, and management server to agent).
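As an added example (not code from the original post), the following PowerShell function does the same check as telnet without needing the Telnet client installed, and reports a timeout separately from a refused connection, which tells a silently dropping firewall apart from a host that is up but not listening. Run it on the agent against the management server, then on the management server against the agent. The host names are placeholders:

```powershell
# Added example, not from the original post. Tests whether TCP port 5723 on
# the other side accepts a connection, with a timeout so a firewall that
# silently drops packets is reported instead of hanging the prompt.
function Test-OpsMgrPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int]$Port = 5723,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No answer within the timeout: typically a firewall dropping the SYN
            return "$ComputerName : TCP $Port timed out (firewall dropping, or wrong address?)"
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return "$ComputerName : TCP $Port open"
    } catch {
        # Name resolution failures and refused connections (port closed) end up here
        return "$ComputerName : TCP $Port failed - $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

# On the agent/gateway: point at the management server (placeholder name)
Test-OpsMgrPort -ComputerName 'opsmgr.company.com'
# On the management server: point back at the agent (placeholder name)
Test-OpsMgrPort -ComputerName 'agent01.dmz.company.com'
```

If the result is "timed out" in one direction only, the firewall rule for that direction is the first thing to check; "failed" with a resolution error points at DNS rather than the firewall.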


Issue: no certificates are available in the certificates drop-down list when requesting a certificate

Explanation: as long as CertSrv allows anonymous access, the request is not made with your Windows account, so you get access denied / it won’t work

Solution: in IIS, disable Anonymous Authentication and enable Windows Authentication for the CertSrv website


Issue: MOMCertImport.exe fails with:

The certificate is valid, but importing is to certificate store failed.
Error description: Catastrophic failure
Error Code: 8000FFFF

Solution: when exporting the OpsMgr/server certificate, make sure the “Include all certificates in the certification path if possible” box is not checked. It is checked by default in Server 2012.

I haven’t done a thorough test, but I am pretty sure the other two options can be checked without problems.

Issue: the agent logs the following events:

Event 21016
OpsMgr was unable to set up a communications channel to MS and there are no failover hosts.  Communication will resume when opsmgr.company.com is available and communication from this computer is allowed.

Event 20070
The OpsMgr Connector connected to MS1, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.

Event 20071
The OpsMgr Connector connected to MS1, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server.  Check the event log on the server and on the agent for events which indicate a failure to authenticate.

Explanation: this can happen if you don’t use the FQDN of the management server when installing the agent manually.

Solution: either reinstall the agent and use the FQDN, or change the registry keys:

Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\MGM Group Name\Parent Health Services\0 (where “MGM Group Name” is the name of your management group) and edit AuthenticationName and NetworkName so they contain the FQDN:
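The same registry change done from PowerShell, as an added example that is not from the original post. It assumes the agent service is named HealthService and that it has to be restarted to pick up the new values; the management group name and FQDN are placeholders you must replace:

```powershell
# Added example, not from the original post. Points the agent's parent health
# service entries at the management server FQDN. 'MGM Group Name' must be
# replaced with your real management group name; the FQDN is a placeholder.
$mgName = 'MGM Group Name'
$fqdn   = 'opsmgr.company.com'
$key    = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\$mgName\Parent Health Services\0"

if (-not (Test-Path $key)) {
    throw "Key not found: $key - check the management group name"
}

# Record the current values first, so the change can be reverted if needed
$before = Get-ItemProperty -Path $key
"Before: AuthenticationName=$($before.AuthenticationName) NetworkName=$($before.NetworkName)"

# Assumption: the agent (service name HealthService) reads these values at
# start-up, so stop it, change them, and start it again
Stop-Service -Name HealthService
Set-ItemProperty -Path $key -Name AuthenticationName -Value $fqdn
Set-ItemProperty -Path $key -Name NetworkName -Value $fqdn
Start-Service -Name HealthService

$after = Get-ItemProperty -Path $key
"After:  AuthenticationName=$($after.AuthenticationName) NetworkName=$($after.NetworkName)"
```

Run it from an elevated prompt on the agent. Printing the values before and after gives you a record of what was changed, which is worth keeping when several agents are being fixed the same way.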


Issue: the manually installed agent does not appear in Pending Management

Resolution: go to Administration, Settings, Security and change the setting to “Review new manual agent installations in pending management”.

Issue: EventID 20057 on the agent, for example:

Failed to initialize security context for target MSOMHSvc/DKASCOM-M08.corp.lego.com The error returned is 0x80090311(No authority could be contacted for authentication.).  This error can apply to either the Kerberos or the SChannel package.

or, against another management server:

Failed to initialize security context for target MSOMHSvc/ms1.hq.com. The error returned is 0x80090311(No authority could be contacted for authentication.).  This error can apply to either the Kerberos or the SChannel package.

Explanation: this is normally because the FQDN of the agent is incorrect.

Resolution: go to System Properties, copy the Full computer name and request the server certificate again using that name.
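As an added check that is not part of the original post, this PowerShell snippet reads the same Full computer name that System Properties shows (hostname plus primary DNS suffix, taken from the Tcpip\Parameters registry key) and lists every certificate in the computer’s Personal store together with whether its subject CN matches that name, so a certificate that was requested with the wrong FQDN stands out before you spend time on the event log:

```powershell
# Added example, not from the original post. Compares the machine's Full
# computer name with the subject CN of every certificate in the computer's
# Personal store (Cert:\LocalMachine\My), which is where MOMCertImport puts
# the OpsMgr certificate.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$fqdn  = if ($tcpip.Domain) { "$($tcpip.Hostname).$($tcpip.Domain)" } else { $tcpip.Hostname }
"Full computer name: $fqdn"

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # Subject looks like "CN=ms1.hq.com, OU=..., O=..." - pull out the CN part
    $cnPart = $cert.Subject -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -like 'CN=*' } |
        Select-Object -First 1
    $cn = if ($cnPart) { $cnPart.Substring(3) } else { '' }
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        SubjectCN     = $cn
        MatchesFqdn   = ($cn -ieq $fqdn)       # must be True for the OpsMgr cert
        HasPrivateKey = $cert.HasPrivateKey    # OpsMgr needs the private key too
        NotAfter      = $cert.NotAfter
    }
} | Format-Table Thumbprint, SubjectCN, MatchesFqdn, HasPrivateKey, NotAfter -AutoSize
```

If the certificate you imported with MOMCertImport shows MatchesFqdn as False, or HasPrivateKey as False, request it again with the Full computer name printed on the first line and export it with the private key before importing.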


Issue: you have done all this and it’s still not working

Explanation: this can also be a DNS issue. I have experienced that even though the DMZ server has a DNS entry, it still can’t communicate with the management server/gateway server.

Resolution: edit the hosts file of the agent by browsing to C:\Windows\System32\drivers\etc and opening hosts in Notepad. Add two entries for the management/gateway server: one with the hostname and one with the FQDN.
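The same hosts-file change scripted in PowerShell, as an added example that is not from the original post. It takes a backup first, only appends an entry when an identical one is not already there, flushes the resolver cache and then resolves both names so you can confirm the entries are in effect. The IP address and names are placeholders; run it from an elevated prompt:

```powershell
# Added example, not from the original post. Adds a hostname and an FQDN entry
# for the management/gateway server to the agent's hosts file, skipping lines
# already present, and keeps a backup. IP and names are placeholders.
$ip        = '10.0.0.10'
$shortName = 'opsmgr'
$fqdn      = 'opsmgr.company.com'
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

Copy-Item -Path $hostsFile -Destination "$hostsFile.bak" -Force
$existing = Get-Content -Path $hostsFile

foreach ($name in @($shortName, $fqdn)) {
    # Match "<ip> <name>" as whole tokens so "opsmgr" does not match "opsmgr2"
    $pattern = '^\s*{0}\s+{1}(\s|$)' -f [regex]::Escape($ip), [regex]::Escape($name)
    if ($existing -match $pattern) {
        "already present: $ip $name"
    } else {
        Add-Content -Path $hostsFile -Value "$ip`t$name" -Encoding Ascii
        "added: $ip $name"
    }
}

# Drop cached lookups so the new entries are used straight away, then verify
ipconfig /flushdns | Out-Null
foreach ($name in @($shortName, $fqdn)) {
    "$name -> " + [string][System.Net.Dns]::GetHostAddresses($name)[0]
}
```

The two resolution lines at the end should both print the address you put in the file; if one of them still shows a different address, the name is being matched by an earlier hosts entry or a different spelling, and that line is the one to fix.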
