The last couple of weeks I have been working a lot with certificates in Operations Manager 2012 – agents and gateways in a workgroup. I have worked so much with this that it feels like I have seen all the possible issues one can meet when configuring this. Both to help you guys, and as a notepad for myself, here are the issues (and solutions) I met along the way:
First of all, make sure no firewall is blocking the communication. You can test this by telnetting to TCP port 5723 in both directions: from the agent/gateway to the management server, and from the management server back to the agent/gateway.
Issue: no certificates are available in the certificate template dropdown list when requesting a certificate through the CertSrv web enrollment page
Explanation: with Anonymous Authentication enabled on the CertSrv site, the request is not made under your Windows account, so the CA cannot match you against any template you have enroll permissions on. The list stays empty, or you get access denied.
Solution: in IIS, disable Anonymous Authentication and enable Windows Authentication for the CertSrv website
Issue: MOMCertImport.exe fails with:
The certificate is valid, but importing it to certificate store failed.
Error description: Catastrophic failure
Error Code:8000FFFF
Solution:
When exporting the OpsMgr/server certificate to a PFX file, make sure the box “Include all certificates in the certification path if possible” is not checked. It is checked by default in Server 2012.
I haven’t done a thorough test, but I am pretty sure the other two options can be checked without problems.
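The same export done from PowerShell, as an added example that is not code from the original post: Export-PfxCertificate with -ChainOption EndEntityCertOnly is the cmdlet equivalent of leaving the “Include all certificates in the certification path” box unchecked, and Get-PfxData lets you confirm the file contains no chain certificates before you hand it to MOMCertImport.exe. The thumbprint and output path are placeholders for your own environment.

```powershell
# Added example, not code from the original post: export the OpsMgr
# certificate as a PFX holding only the end-entity certificate and verify
# the file before running MOMCertImport.exe.
# Thumbprint and path are placeholders (assumptions) for your environment.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumption: your OpsMgr cert
$PfxPath    = 'C:\Certs\opsmgr-agent.pfx'                   # assumption: output file
$Password   = Read-Host -AsSecureString -Prompt 'PFX password'

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key; MOMCertImport.exe needs the key, not just the public certificate.'
}

# EndEntityCertOnly leaves the issuing CA and root certificates out of the PFX,
# which is what the wizard does when the "Include all certificates..." box is unchecked.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password -ChainOption EndEntityCertOnly | Out-Null

# Verify: exactly one end-entity certificate and zero chain certificates.
$pfx = Get-PfxData -FilePath $PfxPath -Password $Password
"End-entity certificates in PFX : $($pfx.EndEntityCertificates.Count)"
"Chain certificates in PFX      : $($pfx.OtherCertificates.Count)"
if ($pfx.OtherCertificates.Count -gt 0) {
    Write-Warning 'PFX still contains chain certificates; this is the export that makes MOMCertImport.exe fail with 8000FFFF.'
}

# Next step on the agent/gateway (you are asked for the PFX password):
#   MOMCertImport.exe C:\Certs\opsmgr-agent.pfx
```

The Export-PfxCertificate and Get-PfxData cmdlets come with the PKI module on Windows 8 / Server 2012 and later, so run this on the machine where the certificate with its private key lives.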
Issue:
Event 21016
OpsMgr was unable to set up a communications channel to MS and there are no failover hosts. Communication will resume when opsmgr.company.com is available and communication from this computer is allowed.
Event 20070
The OpsMgr Connector connected to MS1, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
Event 20071
The OpsMgr Connector connected to MS1, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server. Check the event log on the server and on the agent for events which indicate a failure to authenticate.
Explanation:
This can happen if you used the short name instead of the FQDN of the management server when installing the agent manually.
Solution:
Either reinstall the agent using the FQDN, or correct the registry values:
Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\MGM Group Name\Parent Health Services\0 and edit AuthenticationName and NetworkName so both contain the FQDN of the management server, then restart the Health Service so the agent picks up the new values.
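The registry fix above as a script, added here as an example and not code from the original post: it reads AuthenticationName and NetworkName under the agent’s Parent Health Services key, warns when either one is not the expected FQDN, rewrites both, and restarts the Health Service. The management group name and server FQDN are placeholders for your environment.

```powershell
# Added example, not code from the original post: check that the agent's
# registered parent health service uses the management server FQDN,
# correct it if needed and restart the Health Service.
# Management group name and server FQDN are assumptions; replace them.
$ManagementGroup  = 'MG1'          # assumption: your management group name
$ManagementServer = 'ms1.hq.com'   # assumption: management server FQDN
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\$ManagementGroup\Parent Health Services\0"

if (-not (Test-Path -Path $KeyPath)) { throw "Registry key not found: $KeyPath" }
$props = Get-ItemProperty -Path $KeyPath

$needsFix = $false
foreach ($name in 'AuthenticationName', 'NetworkName') {
    $value = $props.$name
    # A short name here (no dots), or a name that differs from the certificate
    # subject of the management server, is what produces 21016/20070/20071.
    if ($value -ne $ManagementServer) {
        Write-Warning "$name is '$value', expected '$ManagementServer'"
        $needsFix = $true
    } else {
        "$name = $value (OK)"
    }
}

if ($needsFix) {
    Set-ItemProperty -Path $KeyPath -Name AuthenticationName -Value $ManagementServer
    Set-ItemProperty -Path $KeyPath -Name NetworkName        -Value $ManagementServer
    # The agent only reads these values at start-up.
    Restart-Service -Name HealthService -Force
    'Registry updated and HealthService restarted; watch the Operations Manager event log for the next connection attempt.'
}
```

Run it in an elevated PowerShell on the agent or gateway; the comparison is case-insensitive, so only a real name difference triggers the rewrite.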
Issue: the manually installed agent does not appear in Pending Management
Resolution: in the console go to Administration, Settings, Security and change the setting to “Review new manual agent installations in pending management”.
Issue: Failed to initialize security context for target MSOMHSvc/ms1.hq.com. The error returned is 0x80090311(No authority could be contacted for authentication.). This error can apply to either the Kerberos or the SChannel package.
EventID: 20057
Explanation: this is normally because the certificate was requested with a subject name that does not match the agent’s full computer name (FQDN).
Resolution: go to System Properties, copy the Full computer name exactly as shown, request the server certificate again with that name as the subject, and import it again with MOMCertImport.exe.
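A quick check for this case, added here as an example and not code from the original post: it reads the machine’s full computer name the same way System Properties shows it, lists every certificate in the local machine store that carries both the Server Authentication and Client Authentication EKUs, and reports for each one whether the subject matches, whether the private key is present and whether the chain builds to a trusted root. Nothing in it is environment-specific.

```powershell
# Added example, not code from the original post: find the certificate(s)
# MOMCertImport.exe could use and check subject, private key, EKUs and chain.
$ServerAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication

# Same value as "Full computer name" in System Properties:
# hostname plus the primary DNS suffix from the TCP/IP parameters.
$tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$fqdn  = if ($tcpip.Domain) { "$($tcpip.Hostname).$($tcpip.Domain)" } else { $tcpip.Hostname }
"Full computer name: $fqdn"

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $oids = $_.EnhancedKeyUsageList.ObjectId
    ($oids -contains $ServerAuth) -and ($oids -contains $ClientAuth)
}
if (-not $candidates) {
    Write-Warning 'No certificate with both Server and Client Authentication EKUs in LocalMachine\My.'
}

foreach ($cert in $candidates) {
    $cn      = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cn
        SubjectMatches = ($cn -eq $fqdn)   # $false here is the 20057 / 0x80090311 case
        HasPrivateKey  = $cert.HasPrivateKey
        ChainTrusted   = $trusted           # $false: issuing/root CA not trusted on this machine
        ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NotAfter       = $cert.NotAfter
    }
}
```

A row with SubjectMatches false is the one to re-request with the copied Full computer name; a row with ChainTrusted false means the root CA certificate still has to be imported on the machine.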
Issue: you have done all this and it’s still not working
Explanation: this can also be a DNS issue. I have experienced that even though the DMZ server has a DNS entry, it still can’t communicate with the management server/gateway server.
Resolution:
Edit the hosts file on the agent: browse to C:\Windows\System32\drivers\etc, open hosts in Notepad (run as administrator) and add two entries for the management/gateway server, one with the short hostname and one with the FQDN.
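The network-level checks from the start of the post (port 5723) and this DNS workaround in one script, added here as an example and not code from the original post: it resolves the management server name, adds the two hosts-file entries only when DNS fails, and then opens a TCP connection to port 5723 the way a telnet test would. The server name and IP address are placeholders for your environment.

```powershell
# Added example, not code from the original post: name resolution, hosts-file
# fallback and TCP 5723 check from the agent/gateway towards the management server.
# Server name and IP are assumptions; replace them. Run elevated (hosts file write).
$Server   = 'ms1.hq.com'   # assumption: management/gateway server FQDN
$ServerIP = '10.0.0.10'    # assumption: its IP, only used for the hosts entries
$Port     = 5723

$resolved = $null
try { $resolved = [System.Net.Dns]::GetHostAddresses($Server) } catch { }
if ($resolved) {
    "DNS: $Server -> $($resolved -join ', ')"
} else {
    Write-Warning "DNS: $Server does not resolve; adding hosts entries"
    $hosts    = "$env:SystemRoot\System32\drivers\etc\hosts"
    $short    = $Server.Split('.')[0]
    $existing = Get-Content -Path $hosts
    foreach ($name in $Server, $short) {
        $pattern = "^\s*$([regex]::Escape($ServerIP))\s+$([regex]::Escape($name))(\s|$)"
        if (-not ($existing -match $pattern)) {
            Add-Content -Path $hosts -Value "$ServerIP`t$name"
            "Added hosts entry: $ServerIP $name"
        }
    }
}

# TCP test equivalent to "telnet <server> 5723". Run the same script from the
# management server towards this machine to cover the reverse direction.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $async = $client.BeginConnect($Server, $Port, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(3000)) {
        $client.EndConnect($async)   # throws if the port is closed/refused
        "TCP ${Port}: open"
    } else {
        Write-Warning "TCP ${Port}: no answer within 3 s (firewall or service down)"
    }
} catch {
    Write-Warning "TCP ${Port}: $($_.Exception.Message)"
} finally {
    $client.Close()
}
```

The TcpClient approach is used instead of Test-NetConnection so the script also runs on Server 2012 and Windows 8, where that cmdlet is not available.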
Hi,
I am trying to point an existing gateway server to the secondary SCOM management server. I have already got that server to trust our Root CA. The gateway server already trusts our SCOM management group and can speak to the primary management server. However it gives the above 21016, 20057 and 20071 error codes when I fail the gateway to the secondary SCOM management server via a Powershell script.
I have checked the gateway server’s registry and it does have the FQDN of our secondary SCOM management server there.
I am not sure what else I can do to troubleshoot this problem.
Shahin
Have you imported the SCOM certificate and used MomCertImport.exe?
Michael,
Excellent, I have run the MomCertImport.exe for the SCOM certificate issued by the CA and I got connections working towards our secondary management server. It appeared I also had to enroll the SCOM certificate to our secondary management server. The below link was also useful.
http://blogs.technet.com/b/pfesweplat/archive/2012/10/15/step-by-step-walkthrough-installing-an-operations-manager-2012-gateway.aspx
I appreciate your help.
Thank you very much,
Muhammad Shahin
Michael,
I’ve done the Personal and Root certificate installation on the GW server, and ran the MomCertImport.exe. But the GW is not in monitored mode in the console. I’m getting the events 20057, 21001, 20071.
Please help me fix this.
Thanks in advance.
Hi Karthick
Are you able to telnet to the management server from the gateway server?
If you get problems adding Windows 2012 servers to SCOM 2012 SP1 then you might also want to check the following article I wrote. There’s a (currently undocumented) issue with TLS:
http://geertbaeten.wordpress.com/2013/07/08/scom-agent-or-gateway-certificate-issue/
Best regards,
Geert
Hi Geert
Thank you very much for the link, I will surely remember that if I run out of ideas!
Hi Michael,
I am still getting the below events on the agent machine. The server name was properly given during installation and it is verified.
My agent machine resides in a different domain than that of the MGT server. Do you have any clue on this?
21016
20070
20071
[…] http://blog.coretech.dk/msk/common-issues-when-working-with-certificates-in-opsmgr/ […]
Hi,
I am facing the below-mentioned error in the event log, kindly tell me how to solve this issue
Event log:
“OpsMgr has no configuration for management group xxxxxx (management server of SCOM) and is requesting configuration from the configuration service”