Remote SCE console

  • Question

  • Hi, I have set up Remote Operations Manager successfully and can monitor my customer. I have no problem connecting to the customer's SCE with the SCE console I installed on the ROM server, but as soon as I try to connect with a user other than the Ops admin user or from a different computer I get the following error.

     

    I can ping the fqdn of the remote sce server.

     

    Please help.

     

    ----------------------------------------------------------------------------------------------------

    Failed to connect to server'<FQDN>SCE server'. Insufficient privileges

    The user does not have sufficient permission to perform the operation

     

    Date: 2008-09-08 13:51:39
    Application: System Center Essentials
    Application Version: 6.0.1885.0
    Severity: Warning
    Message: Failed to connect to server '<FQDN>SCE server.  Insufficient privileges

    Microsoft.EnterpriseManagement.Common.UnauthorizedAccessMonitoringException: The user does not have sufficient permission to perform the operation. ---> System.ServiceModel.Security.SecurityNegotiationException: Anroparen autentiserades inte av tjänsten. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
       vid System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
       vid System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
       --- *** på stackspårning för interna undantag ---

    Server stack trace:
       vid System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       vid System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout)
       vid System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       vid System.ServiceModel.Security.SecurityProtocol.TryGetSupportingTokens(SecurityProtocolFactory factory, EndpointAddress target, Uri via, Message message, TimeSpan timeout, Boolean isBlockingCall, IList`1& supportingTokens)
       vid System.ServiceModel.Security.TransportSecurityProtocol.SecureOutgoingMessageAtInitiator(Message& message, String actor, TimeSpan timeout)
       vid System.ServiceModel.Security.TransportSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout)
       vid System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityOutputChannel.Send(Message message, TimeSpan timeout)
       vid System.ServiceModel.Channels.TransactionDuplexChannelGeneric`1.Send(Message message, TimeSpan timeout)
       vid System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)
       vid System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       vid System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
       vid System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       vid System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       vid System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       vid System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       vid Microsoft.EnterpriseManagement.Common.ISessionManager.Connect(Boolean useCache)
       vid Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateChannel(TieredManagementGroupConnectionSettings managementGroupTier)
       vid Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer..ctor(DuplexChannelFactory`1 channelFactory, TieredManagementGroupConnectionSettings managementGroupTier, IClientDataAccess callback, CacheMode cacheMode)
       vid Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateEndpoint(ManagementGroupConnectionSettings connectionSettings, IClientDataAccess clientCallback)
       --- *** på stackspårning för interna undantag ---
       vid Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.HandleIndigoExceptions(Exception ex)
       vid Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateEndpoint(ManagementGroupConnectionSettings connectionSettings, IClientDataAccess clientCallback)
       vid Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.Connect(ManagementGroupConnectionSettings connectionSettings)
       vid Microsoft.EnterpriseManagement.ManagementGroup..ctor(String serverName)
       vid Microsoft.EnterpriseManagement.ManagementGroup.Connect(String serverName)
       vid Microsoft.EnterpriseManagement.Mom.Internal.UI.Common.ManagementGroupSessionManager.Connect(String server)
       vid Microsoft.EnterpriseManagement.SCE.Internal.UI.Console.EssentialsConsoleWindow.ConnectToManagementGroupJob(Object sender, ConsoleJobEventArgs args)
    System.ServiceModel.Security.SecurityNegotiationException: Anroparen autentiserades inte av tjänsten. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
       vid System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
       vid System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
       --- *** på stackspårning för interna undantag ---

    Server stack trace:
       vid System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       vid System.ServiceModel.Security.IssuanceTokenProviderBase`1.GetTokenCore(TimeSpan timeout)
       vid System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       vid System.ServiceModel.Security.SecurityProtocol.TryGetSupportingTokens(SecurityProtocolFactory factory, EndpointAddress target, Uri via, Message message, TimeSpan timeout, Boolean isBlockingCall, IList`1& supportingTokens)
       vid System.ServiceModel.Security.TransportSecurityProtocol.SecureOutgoingMessageAtInitiator(Message& message, String actor, TimeSpan timeout)
       vid System.ServiceModel.Security.TransportSecurityProtocol.SecureOutgoingMessage(Message& message, TimeSpan timeout)
       vid System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityOutputChannel.Send(Message message, TimeSpan timeout)
       vid System.ServiceModel.Channels.TransactionDuplexChannelGeneric`1.Send(Message message, TimeSpan timeout)
       vid System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)
       vid System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       vid System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
       vid System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       vid System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       vid System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       vid System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       vid Microsoft.EnterpriseManagement.Common.ISessionManager.Connect(Boolean useCache)
       vid Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateChannel(TieredManagementGroupConnectionSettings managementGroupTier)
       vid Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer..ctor(DuplexChannelFactory`1 channelFactory, TieredManagementGroupConnectionSettings managementGroupTier, IClientDataAccess callback, CacheMode cacheMode)
       vid Microsoft.EnterpriseManagement.DataAbstractionLayer.SdkDataAbstractionLayer.CreateEndpoint(ManagementGroupConnectionSettings connectionSettings, IClientDataAccess clientCallback)
    System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
       vid System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
       vid System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)

    Monday, September 8, 2008 12:04 PM

Answers

  • Hi Morgan,

     

    In order for the remote Essentials console to connect to the Essentials server at the customer site,  the SSL and WSUS Code Signing certificate used by the Essentials server must be imported on the remote console computer.  To do so:

     

    1. On the Essentials 2007 server, browse to the System Center Essentials 2007\Certificate directory and copy the two certificates (WSUSCodeSigningCert.cer and WSUSSSLCert.cer) to the console computer.

     

    2. Open the Certificates MMC on the workstation for the Computer account.

     

    3. Import both certificates into the Trusted Root Certification Authority Store. Import only the WSUSCodeSigningCert.cer into the Third Party Publishers and Trusted Publishers stores.

     

    4. Also, for each account that will launch the Essentials console from the service provider site, an account with a matching logon name and password must be created as a local user on the Essentials 2007 server and be added to the local Administrators group on the Essentials 2007 server.

     

    5. On the Essentials 2007 server, open the Local Users and Groups MMC.

     

    6. Create a new user with an account and password that is the same as the one that is used when using the Operations Manager console on the Operations Manager server.

     

    7. Add this account to the local Administrators group on the Essentials 2007 server.


    Hope this helps.

    Wednesday, September 10, 2008 11:10 AM
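
Steps 1 to 3 of the answer above, scripted for the console computer as an added example (not part of the original reply or of Microsoft's documentation). It imports the two copied certificates into the LocalMachine stores and reports each thumbprint so it can be compared with the one shown on the Essentials server before the certificate is trusted. Assumptions: the `C:\Temp\SCECerts` folder, the `Import-CertToStore` helper name, and the reading of "Third Party Publishers" as the `AuthRoot` store.

```powershell
# Run from an elevated PowerShell prompt on the remote console computer.
param(
    [string]$CertDir = 'C:\Temp\SCECerts'   # assumed folder holding the copied .cer files
)

# File name -> LocalMachine stores, following step 3 of the answer.
# Assumption: "Third Party Publishers" is taken to mean AuthRoot
# (Third-Party Root Certification Authorities); adjust if your MMC differs.
$plan = @{
    'WSUSSSLCert.cer'         = @('Root')
    'WSUSCodeSigningCert.cer' = @('Root', 'AuthRoot', 'TrustedPublisher')
}

function Import-CertToStore {
    param([string]$Path, [string]$StoreName)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $store.Add($cert)   # adding a certificate that is already present changes nothing
        # Read the store back instead of assuming the add succeeded.
        $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        [pscustomobject]@{
            File       = Split-Path $Path -Leaf
            Store      = "LocalMachine\$StoreName"
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Present    = ($found.Count -gt 0)
        }
    }
    finally {
        $store.Close()
    }
}

$results = foreach ($entry in $plan.GetEnumerator()) {
    $path = Join-Path $CertDir $entry.Key
    if (-not (Test-Path $path)) { throw "Missing certificate file: $path" }
    foreach ($storeName in $entry.Value) {
        Import-CertToStore -Path $path -StoreName $storeName
    }
}

# Compare the thumbprints with those on the Essentials server before relying on them.
$results | Sort-Object File, Store | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Present }) { throw 'One or more imports failed.' }
```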

All replies

  • You need to set up an action account against the domain/machine you want to monitor.

     

    First set up a run as profile -> create a profile and add the PC with FQDN in

    then create an action account to use with the profile.

     

    This way you should get past Insufficient privileges...

     

     

    Monday, September 8, 2008 10:47 PM