I followed the instructions in the ops guide to discover and manage a workgroup computer. The instructions were a little vague in some places. Anyway, after some experimentation I got the workgroup computer to load the certs and attempt server contact without error. Now the problem lies with the Essentials server. I see the following alert on the server:
Computer verification failure for Machine Name: devr2sql01.qsl.pri is 0x80070005. Access is denied.
The Essentials server ops log gives:
The OpsMgr Connector negotiated the use of mutual authentication with 192.168.5.13:54268, but Active Directory is not available and no certificate is installed. A connection cannot be established.
On the client ops log:
The OpsMgr Connector connected to QSLSCE01.qsl.pri, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.
The instructions are not really clear as to what exactly is needed on the Essentials server. The Essentials server is a domain member so it should already have all the certificates it needs (I would assume).
Can we do a step-by-step for the server?
Yes I tried to follow the steps but they are vague. My comments in italics:
How to Import Certificates in System Center Essentials 2010
You can use certificates as an alternative to the Kerberos protocol for mutual authentication in System Center Essentials 2010. Certificates provide encryption between an agent and the Essentials management server.
Use the MOMCertImport tool to import and configure certificates when needed on the Essentials management server, the agent on a managed computer, or on an Essentials console-only installation.
The problem with these instructions is that we don't know which certificates need to be imported. The Essentials server is a domain server so most certificates are issued automatically by AD. Which certificate is supposed to be imported here?
To import certificates
1. Log on to the computer with an account that is a member of the Administrators group.
2. On the Windows desktop, click Start, and then click Run.
3. In the Run dialog box, type cmd and then click OK.
4. At the command prompt, type <drive_letter>: (where <drive_letter> is the drive where the Essentials 2010 installation media is located) and then press ENTER.
5. Type cd\SupportTools\i386 and then press ENTER.
On 64-bit computers, type cd\SupportTools\amd64.
6. Type MOMCertImport and then press ENTER.
7. In the Select Certificate dialog box, click the certificate you want to import, and then click OK.
You need a Client/Server Authentication certificate to be imported. While requesting the certificate, make sure to give it a friendly name to differentiate the requested certificate.
Once the certificate is imported, from the Certificates console, go to Personal and double-click the certificate you requested in the previous step.
Click Details and highlight Enhanced Key Usage in the Fields list and confirm you have the Server/Client Authentication certificate:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
And confirm the Root CA certificate is under the Trusted Root CA folder.
Then double-click MOMCertImport.exe. In the MOMCertImport tool, browse to import the Server/Client Auth certificate (differentiate by the friendly name given while requesting the certificate).
After this step, open Regedit and confirm the below registry key is present.
Path = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings
The value of "ChannelCertificateSerialNumber" will be the serial number of the above certificate in reverse order.
If all the above steps are done correctly, you will find event 20053 saying the OpsMgr connector has loaded the specified authentication certificate successfully.
Also, you can refer to the following document for step-by-step instructions. It is for SCOM, but also applicable to SCE:
Jie-Feng Ren - MSFT
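A PowerShell check for the items listed in the answer above, added here as an example; it is not code from the thread, from Microsoft's documentation or from the MOMCertImport tool. It assumes the requested certificate was given the friendly name SCE-ChannelCert (change $FriendlyName to whatever you chose) and that it sits in the local machine Personal store. The registry path, the two EKU OIDs and the event IDs 20053 and 20000 are the ones the thread mentions; the serial-number comparison implements the "reverse order" rule from the answer.

```powershell
# Added example, not part of the thread. Run in an elevated PowerShell on the
# Essentials server (or on the workgroup agent) after running MOMCertImport.
# Assumption: the requested certificate was given the friendly name below.
param(
    [string]$FriendlyName = 'SCE-ChannelCert'   # assumed; use the friendly name you chose
)

$regPath       = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

# 1. Locate the certificate in the local machine Personal store by friendly name.
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -eq 0) { throw "No certificate with friendly name '$FriendlyName' in Cert:\LocalMachine\My" }
if ($certs.Count -gt 1) { Write-Warning "$($certs.Count) certificates match; checking the first one" }
$cert = $certs[0]
"Subject     : $($cert.Subject)"
"Serial      : $($cert.SerialNumber)"
"Private key : $($cert.HasPrivateKey)"   # the connector needs the private key, not just the public cert

# 2. Enhanced Key Usage must list both Server Authentication and Client Authentication.
$ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
"Server Auth : $($ekuOids -contains $serverAuthOid)"
"Client Auth : $($ekuOids -contains $clientAuthOid)"

# 3. The issuing chain must end in a CA this machine trusts (Trusted Root CA store).
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
"Chain valid : $chainOk"
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { "  chain problem: $($_.Status) - $($_.StatusInformation.Trim())" }
}

# 4. ChannelCertificateSerialNumber holds the serial-number bytes in reverse order.
#    Build the expected value from the serial as displayed in the certificate UI and compare.
[byte[]]$expected = for ($i = 0; $i -lt $cert.SerialNumber.Length; $i += 2) {
    [Convert]::ToByte($cert.SerialNumber.Substring($i, 2), 16)
}
[array]::Reverse($expected)
$reg = Get-ItemProperty -Path $regPath -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue
if ($null -eq $reg) {
    "Registry    : ChannelCertificateSerialNumber is missing under $regPath (MOMCertImport not run?)"
} else {
    [byte[]]$actual = $reg.ChannelCertificateSerialNumber
    $match = ($actual.Length -eq $expected.Length) -and
             (-not (Compare-Object $actual $expected -SyncWindow 0))
    "Registry    : matches reversed serial = $match"
    "  expected  : $(($expected | ForEach-Object { $_.ToString('x2') }) -join ' ')"
    "  actual    : $(($actual   | ForEach-Object { $_.ToString('x2') }) -join ' ')"
}

# 5. Event 20053 confirms the connector loaded the certificate; on the server side,
#    event 20000 records agents that connected but have not been approved yet.
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20053, 20000 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run it on both machines: the registry and 20053 checks should pass on each end, since each side needs its own certificate loaded, and any chain problem it reports on the server usually means the workgroup agent's issuing CA is not in the server's Trusted Root CA store.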
Now that you can manage workgroup-joined systems with SCE, have you tried designating any of them as a virtual host? We currently have a case open with Microsoft because we have not been able to do this. The "Designate Virtual Host" wizard hangs and then fails, even though we can manage the workgroup-joined server.