Service Provider Mode SPN Errors

  • Question

  • The setup here is one remote management server running SCOM 2007 that has about 15 SCE servers configured for service provider mode reporting to it.

    I am setting up a new connection and everything is going as planned; however, I am getting these errors on the SCE side when it tries to talk to the remote SCOM 2007 server.


    Event Type:    Error
    Event Source:    OpsMgr Connector
    Event Category:    None
    Event ID:    20057
    Date:        8/26/2008
    Time:        10:37:21 AM
    User:        N/A
    Computer:    CWH-SCE
    Description:
    Failed to initialize security context for target MSOMHSvc/winxrom.winxcenter.local The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Event Type:    Error
    Event Source:    OpsMgr Connector
    Event Category:    None
    Event ID:    21001
    Date:        8/26/2008
    Time:        10:37:21 AM
    User:        N/A
    Computer:    CWH-SCE
    Description:
    The OpsMgr Connector could not connect to MSOMHSvc/winxrom.winxcenter.local because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    I have seen this before in our environment but the previous issue was that we changed root management servers and did not have the correct certificate imported.

    Anyone have any insight? The other threads on here that were close to this issue have been of no help.

    Note: all other SCE 2007 installations using service provider mode are configured exactly the same way and are functioning properly.



    Tuesday, August 26, 2008 5:52 PM

Answers

  • Hi,

    Is there a name resolution issue in your network? Can the SCE server connect to the SCOM server by FQDN?

    If the above is not your scenario, check whether duplicate SPNs cause this issue, using the following query command:

    ldifde -f C:\*.txt -t 3268 -d dc=domain,dc=com -l serviceprincipalname -r (serviceprincipalname=*) -p subtree

    In the above command, replace DC=domain,DC=com with the DN of the domain.

    If you find and remove duplicate SPNs, use setspn -D to delete all of the HealthService SPNs. Then restart the OpsMgr Health Service on the management server and let it register its SPNs with the correct logon account. For example:

    Using the example above, the setspn -D commands would be as follows:

    setspn -D MSOMHSvc/OPSMGRFA opsmgrfa
    setspn -D MSOMHSvc/OPSMGRFA.ChildDomainA.ForestA.local opsmgrfa

    Note: you can find setspn.exe in the Windows Server 2003 Support Tools.

    More information:

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1725806&SiteID=17

    Hope this helps.

    Thursday, August 28, 2008 10:51 AM
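As an added example (not from this thread or from the poster), here is the duplicate-SPN check the answer asks for, done offline: a small Python parser for the LDIF file that the ldifde command above writes, reporting every servicePrincipalName held by more than one account. The sample export, account names and domain DNs in it are constructed; on a real export read the -f output file and pass its contents to find_duplicate_spns.

```python
import base64
from collections import defaultdict

# Constructed sample of what "ldifde ... -l serviceprincipalname" exports; the
# second DN is folded onto two lines the way ldifde wraps long values.
SAMPLE_LDIF = """\
dn: CN=OPSMGRFA,OU=Servers,DC=ChildDomainA,DC=ForestA,DC=local
servicePrincipalName: MSOMHSvc/OPSMGRFA
servicePrincipalName: MSOMHSvc/OPSMGRFA.ChildDomainA.ForestA.local

dn: CN=opsmgrsvc,OU=Service Accounts,DC=ChildDomainA,DC=ForestA,
 DC=local
servicePrincipalName: MSOMHSvc/opsmgrfa.childdomaina.foresta.local

dn: CN=CWH-SCE,OU=Servers,DC=ChildDomainA,DC=ForestA,DC=local
servicePrincipalName: HOST/CWH-SCE
"""

def parse_ldif(text):
    """Yield (dn, [spn, ...]) per LDIF entry, unfolding ' '-continued lines."""
    block = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and block:
            block[-1] += raw[1:]              # continuation of the previous line
        elif raw:
            block.append(raw)
        elif block:                           # blank line ends an entry
            yield _entry(block)
            block = []

def _entry(lines):
    dn, spns = None, []
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "serviceprincipalname":
            spns.append(value)
    return dn, spns

def find_duplicate_spns(text):
    """Map each SPN (lower-cased) held by more than one account to its sorted owner DNs."""
    owners = defaultdict(set)
    for dn, spns in parse_ldif(text):
        for spn in spns:
            owners[spn.lower()].add(dn)       # Kerberos matches SPNs case-insensitively
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}
```

Every SPN it lists is one to remove with setspn -D before restarting the Health Service, since the 20057/21001 mutual-authentication failure in the question is exactly what a KDC produces when one SPN maps to two accounts.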