Secure Reference Override Failure - Alerts are coming back every x minutes - Related to Lync MP ?
-
Friday, March 04, 2011 5:19 PM
Dear Guys,
My environment is composed of 5 MS, 5 GW, 2000 Windows Agents, 300 Linux, Nworks MP, etc.
This afternoon, I added the Lync 2010 management pack
Log for a MS :
Event Type: Information
Event Source: HealthService
Event Category: Health Service
Event ID: 1201
Date: 3/4/2011
Time: 3:22:40 PM
User: N/A
Computer: CENMOMMS001
Description:
New Management Pack with id:"Microsoft.LS.2010.Monitoring", version:"4.0.7577.0" received.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
And just after that, I have a lot of
Event Type: Error
Event Source: HealthService
Event Category: Health Service
Event ID: 1107
Date: 3/4/2011
Time: 3:22:55 PM
User: N/A
Computer: CENMOMMS001
Description:
Account for RunAs profile in workflow "Microsoft.Linux.RHEL.5.LogicalDisk.PercentFreeSpace.Collection", running for instance "/boot" with id:"{6B3EFA56-5A31-91EA-F51B-E4F2C27FE305}" is not defined. Workflow will not be loaded. Please associate an account with the profile. Management group "UCBOM2007"
Event Type: Error
Event Source: HealthService
Event Category: Health Service
Event ID: 1107
Date: 3/4/2011
Time: 6:03:26 PM
User: N/A
Computer: CENMOMMS001
Description:
Account for RunAs profile in workflow "Microsoft.Linux.RHEL.5.NetworkAdapter.BytesReceivedPerSec.Collection", running for instance "eth0" with id:"{03663EF9-28DE-8F50-2EDA-A0BB5C680E3F}" is not defined. Workflow will not be loaded. Please associate an account with the profile. Management group "UCBOM2007"
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
That is coming back every x minutes and that creates tons of alerts in the SCOM console. I'll check all the event viewers of my MS, and I never had this event ID before installing the Lync MP. I don't see any relation between the Lync MP and that Secure Reference Override error.
I didn't make any modification to my environment, so I don't understand why this alert is coming now, and how to solve it? All the accounts and profiles are well assigned and distributed (more than 1,5 years without doing any modification to that part).
So, I need some help.
Thank you
Regards
Christopher
Christopher Keyaert - My OpsMgr/SCOM blog : http://www.vnext.be
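Added example, not part of the original post and not Microsoft code: the manual correlation described above (no 1107 events until the Lync MP arrived) scripted over exported event text, so the import that precedes the first RunAs failure and the workflows affected can be read off directly. The first sample event is constructed, and the regular expressions are assumptions based only on the event descriptions quoted in the post.

```python
import re
from collections import Counter
from datetime import datetime

MP_RE = re.compile(r'New Management Pack with id:"([^"]+)", version:"([^"]+)" received')
RUNAS_RE = re.compile(
    r'RunAs profile in workflow "([^"]+)", running for instance "([^"]+)" '
    r'with id:"([^"]+)" is not defined.*?Management group "([^"]+)"', re.S)
E1107 = ('Account for RunAs profile in workflow "{}", running for instance "{}" '
         'with id:"{}" is not defined. Workflow will not be loaded. Please '
         'associate an account with the profile. Management group "UCBOM2007"')

# (event id, timestamp, description). The first row is constructed; the other
# three carry the values quoted in the post.
EVENTS = [
    (1201, "2/28/2011 9:00:00 AM",
     'New Management Pack with id:"Example.Unrelated.MP", version:"1.0.0.0" received.'),
    (1201, "3/4/2011 3:22:40 PM",
     'New Management Pack with id:"Microsoft.LS.2010.Monitoring", version:"4.0.7577.0" received.'),
    (1107, "3/4/2011 3:22:55 PM", E1107.format(
        "Microsoft.Linux.RHEL.5.LogicalDisk.PercentFreeSpace.Collection",
        "/boot", "{6B3EFA56-5A31-91EA-F51B-E4F2C27FE305}")),
    (1107, "3/4/2011 6:03:26 PM", E1107.format(
        "Microsoft.Linux.RHEL.5.NetworkAdapter.BytesReceivedPerSec.Collection",
        "eth0", "{03663EF9-28DE-8F50-2EDA-A0BB5C680E3F}")),
]

def ts(text):
    return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")

def runas_failures(events):
    """Parse each 1107 description into its fields, oldest first."""
    hits = ((ts(w), RUNAS_RE.search(d)) for e, w, d in events if e == 1107)
    return sorted(({"time": t, "workflow": m[1], "instance": m[2], "id": m[3],
                    "group": m[4]} for t, m in hits if m), key=lambda f: f["time"])

def suspect_import(events):
    """(MP id, version, seconds) for the last 1201 before the first 1107, or None."""
    failures = runas_failures(events)
    imports = [(ts(w), MP_RE.search(d)) for e, w, d in events if e == 1201]
    prior = [(t, m) for t, m in imports if failures and m and t <= failures[0]["time"]]
    if not prior:
        return None
    t, m = max(prior, key=lambda p: p[0])
    return m[1], m[2], (failures[0]["time"] - t).total_seconds()

def failing_families(events):
    """Count failures by the first two dotted parts of the workflow name (a heuristic)."""
    return Counter(".".join(f["workflow"].split(".")[:2]) for f in runas_failures(events))

if __name__ == "__main__":
    print(suspect_import(EVENTS), dict(failing_families(EVENTS)))
```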
Answers
-
Friday, May 20, 2011 12:12 PM
For those who are still interested in the problem, here is the latest news from MS support:
A fix will be available in the CU5 or CU6. A problem was found within the way that OpsMgr calculates overrides targeted at System.Entity in this scenario. While we could correct the problem by changing the Lync MP there would be no guarantee that this problem would not turn up in a future release of another MP, so we have decided to fix the underlying problem within the OpsMgr code rather than just change the MP.
Christopher Keyaert - My OpsMgr / SCOM & Opalis blog : http://www.vnext.be
- Marked As Answer by Blake Mengotto, Microsoft Community Contributor, Moderator Tuesday, May 24, 2011 7:38 PM
All Replies
-
Friday, March 04, 2011 7:26 PM
I uninstalled the Lync management pack and the problem disappeared... I must admit that I don't see the relation between the Lync MP and Linux Run As Accounts / Profiles... Any idea on how to solve that? On Monday, I will contact Microsoft Premier Support.
not the same problem, but not so far :
http://thoughtsonopsmgr.blogspot.com/2009/08/alert-secure-reference-override-is-it.html
Christopher Keyaert - My OpsMgr/SCOM blog : http://www.vnext.be -
Monday, March 07, 2011 5:42 AM Moderator
That's interesting. Do you have x-plat in your environment? Did you read the guide for the Lync MP (wonder if there was any "special" set up for this)? Keep us posted, Christopher.
Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/ -
Monday, March 07, 2011 8:15 AM
Yes, I've got around 300 Linux RedHat 4/5 and 1 Solaris. I read the Lync Mp guide more than once ;) I also blogged on the Lync mp configuration for Synthetic transactions http://www.vnext.be/2011/03/06/scom-opsmgr-lync-2010-management-pack-deploying-synthetic-transactions-sts/
But I didn't find anything concerning a relation between the Lync MP and the Linux Run As Account. I confirm that I don't have this problem in my Dev environment, I just re-checked. I will now retry the installation of the MP in production... a Friday is never a good day for going into production with a new product.
Christopher Keyaert - My OpsMgr/SCOM blog : http://www.vnext.be -
Monday, March 07, 2011 8:32 AM
I confirm, my MS received the Lync MP and just after Secure Reference Override error arrives.
Two Screenshots :
http://img339.imageshack.us/i/capturealc.jpg/
http://img855.imageshack.us/i/capture2e.jpg/
Christopher Keyaert - My OpsMgr/SCOM blog : http://www.vnext.be -
Monday, March 07, 2011 9:46 PM Moderator
I have a repro of this same behavior.... with a Unix machine being monitored in my environment....
Kevin Holman http://blogs.technet.com/b/kevinholman -
Tuesday, March 08, 2011 8:21 AM
Hello Kevin,
Ah, I'm not alone in the same situation, that's already good to know, so it really seems that there is a bug in that mp.
I opened a bug on the connect portal:
I also contacted Microsoft Premier Support yesterday, and with Christian Lageron from Microsoft, we may have a lead. In the Profiles, you have the Microsoft Lync Server 2010 Profile, and this profile is composed of the Network Service Windows Account, and this is targeted to "All targeted objects". So, my idea is that it must be targeted only to the group "Computer Group consisting of LS Synthetic Transaction Watcher Node machines" and not to "All targeted objects". For now it's impossible to change that; when I tried, I always received the following message (I suppose that's because the MP is sealed).
http://img710.imageshack.us/i/capture3lu.jpg/
Christopher Keyaert - My OpsMgr/SCOM blog : http://www.vnext.be -
Tuesday, March 08, 2011 11:17 AM Moderator
So - theoretically - "all targeted objects" should be fine. In my mind anyway. Because saying "all targeted objects" simply means use the run as account for any workflow that references that Lync Profile in their XML, as long as the Profile is associated with an account.
Using "All targeted objects" should only throw an issue if the run as account isn't distributed to specific health services, or if agents running the Lync workflows cannot resolve the run-as account due to a configuration issue, rights, etc...
The Unix workflows should not be throwing an error on the management server.... but clearly, there is some strange relationship here, because my management server that is managing a linux server is throwing these same errors for each linux workflow. I'll be interested in how the case goes.
Kevin Holman http://blogs.technet.com/b/kevinholman -
Tuesday, March 08, 2011 2:38 PM
Hello Kevin,
With Christian, this morning, we found a workaround that seems to work quite well. In a few words, I exported the MP with PowerShell, deleted the official one, imported the XML MP, and changed the Lync profile from "All targeted objects" to Class "Windows Computer".
I posted the details of all that in my blog
What do you think about this workaround? Do you see a better workaround? Do you have an idea of how much time it will take to get a reaction from the Lync team on that?
Thank you
Christopher
Christopher Keyaert - My OpsMgr/SCOM blog : http://www.vnext.be
- Marked As Answer by Vivian Xing, Moderator Friday, March 11, 2011 9:15 AM
- Unmarked As Answer by Christopher Keyaert, MVP Friday, March 11, 2011 9:24 AM
-
Tuesday, March 08, 2011 5:15 PM Moderator
Well - sure - that solves the immediate issue. However.... that isn't supportable, as your Lync MP will not be upgradeable to the next version, nor will your overrides work for the next Lync MP.
I am searching for a more simple workaround.
Kevin Holman http://blogs.technet.com/b/kevinholman -
Thursday, March 10, 2011 8:40 AM
Yes, it's totally true; however, that allows me to not block the go-live of the Lync 2010 project, which is a really sensitive one for my customer.
I'll closely follow your discoveries.
Thank you
Christopher Keyaert - My OpsMgr/SCOM blog : http://www.vnext.be -
Friday, March 11, 2011 9:26 AM
Vivian Xing > The problem is not fixed; what we have is just an unsupported workaround. I would like to keep this thread open until we find a real solution.
Thank you
Christopher
Christopher Keyaert - My OpsMgr/SCOM blog : http://www.vnext.be -
Tuesday, May 24, 2011 7:38 PM Moderator
Thanks for that update.
Regards, Blake Email: mengotto<at>hotmail.com Blog: http://discussitnow.wordpress.com/

