Gateway-Management Server Communication Issues: Event ID 20057, 21001, 20071, 21016

    Question

  • I am getting the below errors on the gateway servers (123.abc.com and 456.def.com).

    890.xyz.com is the management server of the SCOM Mgmt Group –XYZ

    My environment: Windows 2012, SCOM 2012 SP1

    Error ID :20057 : Failed to initialize security context for target MSOMHSvc/890.xyz.com The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package

    Error ID : 21001: The OpsMgr Connector could not connect to MSOMHSvc/890.xyz.com because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

    Error ID: 20071 : The OpsMgr Connector connected to 890.xyz.com, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which indicate a failure to authenticate.

    Error ID : 21016    : OpsMgr was unable to set up a communications channel to 890.xyz.com and there are no failover hosts.  Communication will resume when 890.xyz.com is available and communication from this computer is allowed.

    I have ensured the below

    Connectivity between the servers (Mgmt. to Gateways) : Able to ping by name and IP, telnet on 5723 was successful.

    Certificates were issued from the same root CA, and the template numbers are the same. They were successfully imported using momcertimport.exe. The cert serial # matches the reg key HKLM\Software\Microsoft\Microsoft Operation Manager\Machine Settings\ChannelCertificateSerialNumber (only that it appears reversed; not sure if that is the problem). This is the case on both gateway servers.

    Verified that under HKLM\Software\Microsoft\Microsoft Operation Manager\Server Management Group\XYZ\Parent Health Services\0 the AuthenticationName and the NetworkName match and are 890.xyz.com

    I did go through the previous postings as well, with the title "SCOM 2012 Gateway Server issues (20057, 21001, 20071 ids)"; they did not help. With respect to the LPD mentioned in that article, I was not able to run that tool on Windows Server 2012.

    I am currently out of options.

    The 456.def.com was working fine until 9/9/2013 (we had a DC issue, which was then rebooted, it stopped completely reporting today, at around the same time I was implementing the new gateway server 123.abc.com)

    Any pointers of where to look can be really helpful

    Friday, September 13, 2013 11:24 PM

Answers

  • Hi Alex,

    Thanks for the response. I was able to solve the issue.

    It was a certificate issue on the management server. The cert ID on the cert did not match the reg key

    HKLM>Software>Microsoft>Microsoft Operation Manager>Machine Settings > ChannelCertificateSerialNumber

    I reimported the system certificate using the momcertimport tool, and it fixed the issue.

    I was checking this on the gateway and not on the Operation Manager.

    • Marked as answer by pri007 Tuesday, September 17, 2013 5:45 PM
    Tuesday, September 17, 2013 5:45 PM
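
The check described in the answer above, as an added example that is not part of the original thread or Microsoft's tooling: it reads ChannelCertificateSerialNumber, reverses the bytes, and looks for a certificate with that serial in the local machine store. The function names are hypothetical, the registry key path is passed in by the caller, and the code assumes the value is REG_BINARY holding the serial's bytes in reverse order, which is consistent with the "appears reversed" observation in the question.

```powershell
# Added example. Function names are hypothetical; this is not Microsoft's code.
# Assumption: ChannelCertificateSerialNumber is REG_BINARY and stores the
# certificate serial number with its bytes in reverse order.

function ConvertTo-CertSerial {
    param([Parameter(Mandatory)][byte[]]$RegistryBytes)
    $bytes = [byte[]]$RegistryBytes.Clone()
    [Array]::Reverse($bytes)
    # X509Certificate2.SerialNumber is a hex string without separators
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Test-ChannelCertificate {
    param(
        # Machine Settings key, supplied by the caller (no default on purpose)
        [Parameter(Mandatory)][string]$MachineSettingsKey,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $name = 'ChannelCertificateSerialNumber'
    $raw  = (Get-ItemProperty -Path $MachineSettingsKey -Name $name -ErrorAction Stop).$name
    if (($raw -isnot [byte[]]) -or ($raw.Length -eq 0)) {
        throw "$name is empty or not a binary value"
    }
    $serial = ConvertTo-CertSerial -RegistryBytes $raw
    # Find the certificate the registry value points at, if it exists locally
    $cert = Get-ChildItem -Path $StorePath |
        Where-Object { $_.SerialNumber -eq $serial } |
        Select-Object -First 1

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        RegistrySerial = $serial
        CertFound      = [bool]$cert
        Subject        = if ($cert) { $cert.Subject } else { $null }
        HasPrivateKey  = if ($cert) { $cert.HasPrivateKey } else { $false }
        Expired        = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
    }
}

# Constructed sample bytes, in the order they would appear in the registry value
ConvertTo-CertSerial -RegistryBytes ([byte[]](0x5A, 0x00, 0x00, 0x00, 0x1C, 0x61))

# Run on each gateway AND on the management server, for example:
# Test-ChannelCertificate -MachineSettingsKey 'HKLM:\<Machine Settings key on this server>'
```

A result with CertFound set to False on either end of the channel is the mismatch the answer describes; the thread resolved it by reimporting the certificate with momcertimport.
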
  • Hi,

    Check the Kerberos and LDAP ports on the affected server; maybe the ports are blocked on the firewall.


    Alex Zhao
    TechNet Community Support

    Tuesday, September 17, 2013 4:21 PM
    Moderator
