The last couple of weeks I have been working a lot with certificates in Operations Manager 2012 – agents and gateways in workgroups. I have worked so much with this that it feels like I have seen all the possible issues one can meet when configuring this. Both for helping you guys, and as a notepad for myself, here are the issues (and solutions) I met on my way:
First of all, make sure no firewall is blocking the communication. You can test this by telnetting to port 5723 in both directions (agent to management server and management server to agent).
Issue: no certificates available in the certificates dropdown list when requesting a certificate
Explanation: unless you grant anonymous access to CertSrv, you will get access denied and the request will not work
Solution: in IIS, disable Anonymous Authentication and enable Windows Authentication for the CertSrv website
Issue: MOMCertImport.exe fails with:
The certificate is valid, but importing is to certificate store failed.
Error description: Catastrophic failure
Solution: when exporting the OpsMgr/server certificate, make sure the “Include all certificates in the certification path if possible” box is not checked. It is checked by default in Server 2012.
I haven’t done a thorough test, but I am pretty sure the other two can be checked without problems.
OpsMgr was unable to set up a communications channel to MS and there are no failover hosts. Communication will resume when opsmgr.company.com is available and communication from this computer is allowed.
The OpsMgr Connector connected to MS1, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
The OpsMgr Connector connected to MS1, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server. Check the event log on the server and on the agent for events which indicate a failure to authenticate.
Explanation: these events can appear if you don’t use the FQDN of the management server when installing the agent manually.
Solution: either reinstall the agent and use the FQDN, or change the registry keys:
Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\MGM Group Name\Parent Health Services\0 and edit AuthenticationName and NetworkName so that both contain the FQDN of the management server.
Issue: the manually installed agent does not appear in Pending Management
Resolution: go to Administration, Settings and Security. Change the setting to “Review new manual agent installations in pending management”.
Issue: Failed to initialize security context for target MSOMHSvc/ms1.hq.com. The error returned is 0x80090311(No authority could be contacted for authentication.). This error can apply to either the Kerberos or the SChannel package.
Explanation: This is normally because the FQDN of the agent is incorrect.
Resolution: go to System Properties, copy the Full computer name, and request the server certificate again using that exact name.
Issue: you have done all this and it’s still not working
Explanation: this can also be a DNS issue. I have experienced that even though the DMZ server has a DNS entry, it still can’t communicate with the management server/gateway server.
Solution: edit the hosts file on the agent: browse to C:\Windows\System32\drivers\etc and open hosts in Notepad. Add two entries for the management server/gateway server, one with the hostname and one with the FQDN.
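As an added example (not part of the original post), the PowerShell below runs on the agent and checks the conditions behind the issues above in one go: port 5723, the AuthenticationName/NetworkName registry values, a certificate whose CN matches the Full computer name, and the hosts-file entry. The management server FQDN and management group name are placeholders you must replace.

```powershell
# Added example, not from the original post. Run on the workgroup agent.
# Parameter defaults are assumptions; replace them with your own values.
function Test-OpsMgrWorkgroupAgent {
    param(
        [string]$ManagementServerFqdn = 'opsmgr.company.com',  # assumption: your MS/gateway FQDN
        [string]$ManagementGroup      = 'MGM Group Name'       # assumption: your management group
    )
    $results = @()

    # 1. TCP 5723 from agent to management server (same test as telnet, one direction).
    $tcp = Test-NetConnection -ComputerName $ManagementServerFqdn -Port 5723 -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'TCP 5723 to management server'
                                   Ok = $tcp.TcpTestSucceeded; Detail = "$($tcp.RemoteAddress)" }

    # 2. AuthenticationName and NetworkName must hold the FQDN, not a short name.
    $regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Agent Management Groups\" +
               "$ManagementGroup\Parent Health Services\0"
    if (Test-Path $regPath) {
        $key = Get-ItemProperty -Path $regPath
        foreach ($name in 'AuthenticationName', 'NetworkName') {
            $value = [string]$key.$name
            $results += [pscustomobject]@{ Check = "Registry $name equals management server FQDN"
                                           Ok = ($value -ieq $ManagementServerFqdn); Detail = $value }
        }
    } else {
        $results += [pscustomobject]@{ Check = 'Agent registry key present'; Ok = $false; Detail = $regPath }
    }

    # 3. Full computer name (hostname + primary DNS suffix, as shown in System Properties)
    #    must match the CN of a certificate with a private key in LocalMachine\My.
    $ipg  = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $fqdn = if ($ipg.DomainName) { "$($ipg.HostName).$($ipg.DomainName)" } else { $ipg.HostName }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.Subject -imatch "CN=$([regex]::Escape($fqdn))(,|$)"
    }
    $results += [pscustomobject]@{ Check = "Certificate with CN=$fqdn and private key"
                                   Ok = [bool]$cert; Detail = (($cert | ForEach-Object Thumbprint) -join ',') }

    # 4. The hosts-file workaround: is the management server listed there?
    $hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue
    $hit   = $hosts -match "^\s*\d+\.\d+\.\d+\.\d+\s+.*\b$([regex]::Escape($ManagementServerFqdn))\b"
    $results += [pscustomobject]@{ Check = 'hosts file has management server FQDN'
                                   Ok = [bool]$hit; Detail = 'only needed when DNS fails' }
    return $results
}

Test-OpsMgrWorkgroupAgent | Format-Table -AutoSize
```

Any row with Ok = False points at the matching issue above; the certificate check only confirms the name, not the template or EKUs the certificate was issued with.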