Access to Central Administration lost

  • Question

  • Hello,

    I have the following architecture:

    ServerAP1 - Application - Central Administration
    ServerAP2 - Application - Central Administration
    ServerIN1 - Index
    ServerFE1 - Front-End
    ServerFE2 - Front-End
    ServerSQLA - SQL Database
    ServerSQLB - SQL Database

    Usually I was able to connect to the Central Administration through ServerAP1 but suddenly I could not do it anymore... where to look? How to trace this issue?

    I am still able to get the Central Administration from ServerAP2.

    Thanks,

    Dom


    System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager

    Wednesday, May 23, 2012 4:57 PM

Answers

  • Apparently copy/paste does not work, so all characters have to be typed in... and it works.

    Thanks,

    Dom



    • Marked as answer by Felyjos Thursday, May 31, 2012 8:19 PM
    Thursday, May 31, 2012 8:19 PM

All replies

  • Hi,

    Try opening IIS from AP1 server and browsing the central admin.

    It could be a proxy issue or an entry might be missing in the host file. 


    Thanks, Rahul Rashu

    Thursday, May 24, 2012 2:56 AM
  • Do you get any kind of message when trying to browse on AP1?  It's worth checking that the site is actually up and running in IIS and that the application pool is also functioning.

    Paul Turner http://redmanta.co.uk/blog Twitter: @RedMantaUK MCTS:WSS,MOSS,2010 MCITP:2010.

    Thursday, May 24, 2012 7:00 AM
  • Hi,

    Try opening IIS from AP1 server and browsing the central admin.

    It could be a proxy issue or an entry might be missing in the host file. 


    Thanks, Rahul Rashu


    Hi,

    Detecting proxy, then Website found. Waiting for reply... the Central Administration is opened... it is working from IIS...

    From the shortcut menu it asked me to authenticate... I am using the same account I am logged in with, which works in IIS... ad\dominiqued. It just gives me back the login screen to input my user name and password... it is looping on that screen. (:

    Any other path?

    Thanks,

    Dom



    Thursday, May 24, 2012 4:58 PM
  • Do you get any kind of message when trying to browse on AP1?  It's worth checking that the site is actually up and running in IIS and that the application pool is also functioning.

    Paul Turner http://redmanta.co.uk/blog Twitter: @RedMantaUK MCTS:WSS,MOSS,2010 MCITP:2010.

    No error on the screen... the application is running as accessible from IIS.

    Application Event Log:

    Log Name:      Application
    Source:        Windows SharePoint Services 3
    Date:          5/24/2012 9:53:46 AM
    Event ID:      8214
    Task Category: Topology
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      AP1.ad
    Description:
    The description for Event ID 8214 from source Windows SharePoint Services 3 cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
    If the event originated on another computer, the display information had to be saved with the event.
    The following information was included with the event: 
    A request was made for a URL, http://localhost:3323, which has not been configured in Alternate Access Mappings.  Some links may point to the Alternate Access URL for the default zone, http://ap1:3323.  Review the Alternate Access mappings for this Web application at http://ap1:3323/_admin/AlternateUrlCollections.aspx and consider adding http://localhost:3323 as a Public Alternate Access URL if it will be used frequently.  Help on this error: http://go.microsoft.com/fwlink/?LinkId=114854
    the message resource is present but the message is not found in the string/message table

    I am not sure it is related but I found this error...

    Thanks,

    Dom




    • Edited by Felyjos Thursday, May 24, 2012 5:05 PM
    Thursday, May 24, 2012 5:05 PM
  • Do you get any kind of message when trying to browse on AP1?  It's worth checking that the site is actually up and running in IIS and that the application pool is also functioning.

    Paul Turner http://redmanta.co.uk/blog Twitter: @RedMantaUK MCTS:WSS,MOSS,2010 MCITP:2010.


    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          5/24/2012 9:57:06 AM
    Event ID:      4
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      AP1.ad
    Description:
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ap1$. The target name used was HTTP/AP1.ad. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (AD) is different from the client domain (AD), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    and also this error in the System Log which seems more related to an authentication issue as I have...

    Any idea? Is it a service account within the Application Pool account which has issues? But which one(s)?

    Thanks,

    Dom




    Thursday, May 24, 2012 5:09 PM
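
The Kerberos event quoted above asks that the target SPN be registered on, and only on, the account the service runs as. The PowerShell below is an added example, not part of the thread: it lists which accounts in the current domain hold the HTTP SPNs for AP1 and flags a missing, duplicated or unexpectedly owned registration. The SPN strings are built from the names in the event text; `$ExpectedAccount` is a placeholder for the Central Administration application pool identity.

```powershell
# Added example (not from the thread). Read-only LDAP lookups against the current domain.
$Spns            = 'HTTP/AP1', 'HTTP/AP1.ad'   # names taken from the event text
$ExpectedAccount = 'svc-placeholder'           # assumption: sAMAccountName of the app pool identity

function Get-SpnOwner {
    param([Parameter(Mandatory = $true)][string]$Spn)
    # Escape LDAP filter metacharacters so the SPN is matched literally.
    $escaped  = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('distinguishedname')
    foreach ($hit in $searcher.FindAll()) {
        New-Object psobject -Property @{
            Spn     = $Spn
            Account = [string]$hit.Properties['samaccountname'][0]
            DN      = [string]$hit.Properties['distinguishedname'][0]
        }
    }
}

$owners = @(foreach ($s in $Spns) { Get-SpnOwner -Spn $s })
$owners | Sort-Object Spn, Account | Format-Table Spn, Account, DN -AutoSize

foreach ($s in $Spns) {
    $held = @($owners | Where-Object { $_.Spn -eq $s })
    if ($held.Count -eq 0) {
        # With no explicit HTTP SPN, the KDC falls back to the HOST SPN of the
        # computer account, so tickets are encrypted for the machine account.
        Write-Warning "$s is not registered on any account; tickets will be issued for the computer account."
    } elseif ($held.Count -gt 1) {
        $names = ($held | ForEach-Object { $_.Account }) -join ', '
        Write-Warning "$s is registered on more than one account: $names"
    } elseif ($held[0].Account -ne $ExpectedAccount) {
        Write-Warning "$s is registered on $($held[0].Account), not on $ExpectedAccount."
    } else {
        "$s is registered only on $ExpectedAccount."
    }
}
```

The search covers only the domain of the machine it runs on; in a multi-domain forest the same filter has to be run against a global catalog to rule out the identically named accounts the event text mentions.
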
  • Hello,

    I am trying to pass the command on a Domain Controller (Windows Server 2003 x64):

    setSPN -A HTTP/AP1 ad\service account and it just gives me back the syntax help...

    Usage: setspn [modifiers switches data] computername
    Where 'computername' can be the name or domain\name
    Modifiers:
    -F = perform the duplicate checking on forestwide level
    -P = do not show progress (useful for redirecting output to file)
    Switches:
    -R = reset HOST ServicePrincipalName
    Usage:   setspn -R computername
    -A = add arbitrary SPN
    Usage:   setspn -A SPN computername
    -D = delete arbitrary SPN
    Usage:   setspn -D SPN computername
    -L = list registered SPNs
    Usage:   setspn [-L] computername
    Examples:
    setspn -R daserver1
    It will register SPN 'HOST/daserver1' and 'HOST/{DNS of daserver1}'
    setspn -A http/daserver daserver1
    It will register SPN 'http/daserver' for computer 'daserver1'
    setspn -D http/daserver daserver1
    It will delete SPN 'http/daserver' for computer 'daserver1'

    same for

    setSPN -A HTTP/AP1:3323 ad\service account

    I tried setSPN -L AP1 and it works ...

    any idea?

    Thanks,
    Dom








    • Edited by Felyjos Thursday, May 31, 2012 8:18 PM
    Thursday, May 31, 2012 6:51 PM