SCOM 2016 Monitor WorkGroup Server

  • Question

  • Hello Everyone,

    I have SCOM 2016 and I'm trying to monitor a workgroup server. I generated a self-signed certificate using IIS, then imported the certificate into Trusted Root Certificates on both servers, and installed the agent on the workgroup server manually using CMD. It is installed and the service is running, but the agent doesn't appear in the Pending Management tab (the management server security setting was changed to review manual installations in Pending Management).

    I'm not sure whether creating trust between the management server and the workgroup server using an IIS certificate is applicable or not.

    Any help with this? Thanks in advance.

    Thursday, February 22, 2018 2:09 PM

All replies

  • Hi,

    "I'm not sure whether creating trust between the management server and the workgroup server using an IIS certificate is applicable or not."

    You are right. There are particular procedures to follow when you want to establish a certificate-based trust, and you must also use particular certs. A self-signed IIS cert will not do the job. To make this easier for you I have selected some articles where the process is described in detail:

    Monitoring non-domain members with OM 2012

    Monitor Workgroup / DMZ servers in SCOM using Certificates

    Monitoring OpsMgr workgroup clients – Part 2: Installing certificates and final configuration

    Hope this helps you out. 

    Regards,


    Stoyan (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Thursday, February 22, 2018 2:46 PM
    Moderator
  • Communication among Operations Manager features begins with mutual authentication. If certificates are present on both ends of the communications channel, then certificates will be used for mutual authentication; otherwise, the Kerberos version 5 protocol is used. If any two features are separated across an untrusted domain, mutual authentication must be performed using certificates.

    When using certificate-based authentication, the certificate must fulfill some requirements. There are many blogs or posts which detail the way of generating a certificate. You may refer to Stoyan Chalakov's links for implementing the certificate.

    For more detail on Authentication and Data Encryption in Operations Manager, please refer to
    https://docs.microsoft.com/en-us/system-center/scom/plan-security-authentication-data-encryption?view=sc-om-1801

    Roger

    • Proposed as answer by Yan Li_Moderator Monday, March 5, 2018 7:51 AM
    • Marked as answer by islam mhmd Tuesday, August 14, 2018 10:01 AM
    Friday, February 23, 2018 2:40 AM
  • Hello,

    As far as I know, we need to use a CA to create certificates for both the management server and the agent. An IIS self-signed certificate for the SCOM management server does not work for this.

    Regards,

    Yan Li


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Yan Li_Moderator Monday, March 5, 2018 7:50 AM
    • Marked as answer by islam mhmd Tuesday, August 14, 2018 10:01 AM
    Friday, February 23, 2018 3:13 AM
    Moderator
  • Hi All,

    Could you suggest any link where this query is answered at a high level?

    Q- self-signed IIS cert vs trust certificate

    Or anyone can pen the answer here :)


    Cheers, Gourav (Please do take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!) or find my Facebook and LinkedIn link in profile.

    Friday, February 23, 2018 7:22 AM
  • Hi Gourav,

    Sorry but I don't understand your question... can you make it clearer?

    Sunday, February 25, 2018 9:49 AM
  • Sir,

    My question is: what is the difference between an IIS certificate and a trust cert? And can I use an IIS certificate as a trust cert, or a trust cert as an IIS certificate, and vice versa?


    Cheers, Gourav (Please do take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!) or find my Facebook and LinkedIn link in profile.

    Sunday, February 25, 2018 1:47 PM
  • "IIS certificate" doesn't really mean anything.

    A certificate is defined by a set of properties (a name, key usages, encryption algorithm, etc.), and it can be self-signed or created by a certification authority (public or private).

    A certificate for a web server (IIS) will usually use the website URL as its name/alternative name, and have a key usage of "server authentication". It can be self-signed or come from a certification authority depending on what you need to do.

    But I don't believe this is the place for a tutorial on certificates, you have tons of resources available online!

    Sunday, February 25, 2018 7:19 PM
  • Thanks for highlighting :)

    Cheers, Gourav (Please do take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!) or find my Facebook and LinkedIn link in profile.

    Monday, February 26, 2018 3:33 AM
  • Hi Stoyan, thanks for your reply.

    I have tried several times, step by step, following the links you sent, but the agent still doesn't appear in the Pending Management tab.

    Sunday, March 11, 2018 1:35 PM
  • Hello,

    Please post the errors you see in the agent's Operations Manager log.

    Cheers


    Sam (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!)

    Sunday, March 11, 2018 1:41 PM
  • Hello ,

    Here's the SCOM log

    Kindly note that it is a test environment with no firewall or antivirus; the client and server can ping each other by name and IP.

    Sunday, March 11, 2018 8:29 PM
  • Hello Sir,

    This is because your client server is not able to communicate with the MS you have specified on port 5723.

    • It's not about ping; can you telnet from the MS to the client on 5723?

    Cheers, Gourav Please remember to mark the replies as answers if it helped.


    • Edited by GouravIN Monday, March 12, 2018 4:16 AM
    Monday, March 12, 2018 4:03 AM
  • Hey,

    I'd suggest removing the certificates and re-importing them with the proper method.

    Cheers


    Sam (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!)

    Monday, March 12, 2018 1:50 PM
  • No, the MS can't telnet to the client on 5723.

    Tuesday, March 13, 2018 2:48 PM
  • Hey,

    The MS doesn't have to telnet to the client; the client has to telnet to the MS on 5723. Does it work?

    Also I'd point you to my last reply again.

    Cheers


    Sam (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" wherever applicable. Thanks!)

    Tuesday, March 13, 2018 2:56 PM
  • Yes, the client can telnet to the MS on 5723.

    I will re-import the certificate again; hope it works this time.

    Tuesday, March 13, 2018 8:00 PM
  • Hey,

    If you haven't requested a certificate as described in the articles, then it won't work. Just re-importing the incorrect certificate won't do you any good. You need to ensure your certificate has the following content:

    ; certreq .inf describing the certificate request for the SCOM channel
    [NewRequest]
    ; the CN must be the FQDN the computer reports; the thread was finally
    ; solved by putting the workgroup server's FQDN here
    Subject="CN=<FQDN of computer you are creating the certificate, for example, the gateway server or management server.>"
    Exportable=TRUE
    KeyLength=2048
    ; KeySpec=1 (AT_KEYEXCHANGE): the key can be used for key exchange
    KeySpec=1
    ; 0xf0 = Digital Signature | Non-Repudiation | Key Encipherment | Data Encipherment
    KeyUsage=0xf0
    ; keep the private key in the computer's store, not the requesting user's
    MachineKeySet=TRUE
    [EnhancedKeyUsageExtension]
    ; both EKUs are needed because the channel is mutually authenticated
    ; 1.3.6.1.5.5.7.3.1 = Server Authentication
    OID=1.3.6.1.5.5.7.3.1
    ; 1.3.6.1.5.5.7.3.2 = Client Authentication
    OID=1.3.6.1.5.5.7.3.2

    In addition to this, don't forget to exchange the certificates and also ensure the certificate chain is fine.

    The whole process is depicted here with screenshots:

    Monitor Workgroup / DMZ servers in SCOM using Certificates

    Regards,


    Stoyan (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    • Proposed as answer by GouravIN Wednesday, March 14, 2018 9:11 AM
    Wednesday, March 14, 2018 9:04 AM
    Moderator
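    To make the request procedure behind that .inf concrete, the following is an added PowerShell example; it is not code from this thread, from Stoyan, or from Microsoft. It writes the same .inf for the local machine with the CN set to the host's FQDN, generates the key pair and request with certreq, submits it to a CA and accepts the issued certificate. The CA configuration string 'CAHOST\CA-NAME', the template name 'ScomChannel' and the work directory are placeholders; it assumes an AD CS enterprise CA you are allowed to submit to.

```powershell
# Added example (not from the thread or from Microsoft). Builds the certreq
# .inf quoted above for this machine and drives certreq through
# request -> submit -> accept. Placeholders: -CaConfig and -Template.
# Run in an elevated PowerShell session on the computer that needs the cert.

function Get-LocalFqdn {
    # Hostname plus primary DNS suffix. On a workgroup host this is the name
    # the agent reports to the management server, so it is what the CN must be.
    $p = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($p.DomainName) { "$($p.HostName).$($p.DomainName)" } else { $p.HostName }
}

function New-ScomChannelCertInf {
    param([Parameter(Mandatory)][string]$Fqdn, [Parameter(Mandatory)][string]$Path)
    # Identical to the .inf in Stoyan's post; only the CN is filled in.
    $inf = @"
[NewRequest]
Subject="CN=$Fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
    return $Path
}

function Request-ScomChannelCert {
    param(
        [Parameter(Mandatory)][string]$CaConfig,   # placeholder: 'CAHOST\CA-NAME'
        [string]$Template = 'ScomChannel',         # placeholder template name
        [string]$WorkDir = (Join-Path $env:ProgramData 'ScomCertRequest')
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $fqdn = Get-LocalFqdn
    $inf  = New-ScomChannelCertInf -Fqdn $fqdn -Path (Join-Path $WorkDir "$fqdn.inf")
    $req  = Join-Path $WorkDir "$fqdn.req"
    $cer  = Join-Path $WorkDir "$fqdn.cer"

    # 1. Create the key pair (in the machine store, because MachineKeySet=TRUE)
    #    and the PKCS#10 request file.
    & certreq.exe -new $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

    # 2. Submit to the CA. A standalone CA may leave the request pending until
    #    an administrator issues it; then fetch it with certreq -retrieve.
    & certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $req $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }

    # 3. Accept: joins the issued certificate to the pending private key and
    #    installs it into Cert:\LocalMachine\My.
    & certreq.exe -accept $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

    # 4. Show what landed so CN, EKUs and private key presence can be checked.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" } |
        Format-List Subject, Issuer, NotAfter, HasPrivateKey, EnhancedKeyUsageList
}

# Usage:
# Request-ScomChannelCert -CaConfig 'CAHOST\CA-NAME' -Template 'ScomChannel'
```

    The same request has to be made on the management server with its own FQDN, the issuing CA's root certificate must be in the Trusted Root store on both machines, and placing the certificate in the store is not the last step: each side's certificate still has to be registered with the Operations Manager service (MOMCertImport.exe from the SupportTools folder of the installation media), which is a separate action from the import the original post describes.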
  • It was solved: provide the workgroup server FQDN under the Name field.
    Thanks for your support.
    • Marked as answer by islam mhmd Tuesday, August 14, 2018 10:01 AM
    Tuesday, August 14, 2018 10:00 AM
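    The fix that closed the thread (the Name, i.e. the subject CN, must be the workgroup server's FQDN) is easy to verify before re-issuing anything. The following is an added agent-side diagnostic, not code from the thread or from Microsoft. Run on the workgroup server, it checks the three things the replies circled around: TCP reachability of the management server on 5723 in the direction that matters (agent to MS, as Sam notes), whether a certificate in the machine store carries this host's FQDN as CN and meets the requirements of the .inf in Stoyan's post (both EKUs, key usage bits, 2048-bit RSA key, private key present, chain to a trusted root, not self-signed), and the most recent errors in the Operations Manager event log. The management server name is a placeholder.

```powershell
# Added agent-side diagnostic (not from the thread or from Microsoft).
# Run in an elevated PowerShell session on the workgroup server.
# Placeholder: $ManagementServer. The certificate requirements checked are
# the ones in the certreq .inf quoted in the thread.

$ManagementServer = 'ms01.example.test'   # placeholder: replace with the MS FQDN
$AgentPort        = 5723

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
# KeyUsage=0xf0 = DigitalSignature | NonRepudiation | KeyEncipherment | DataEncipherment;
# require the three the channel relies on and tolerate extra bits.
$KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$RequiredKu = $KU::DigitalSignature -bor $KU::KeyEncipherment -bor $KU::DataEncipherment

function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

function Get-LocalFqdn {
    $p = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($p.DomainName) { "$($p.HostName).$($p.DomainName)" } else { $p.HostName }
}

function Test-ScomAgentConnectivity([string]$Server, [int]$Port) {
    # The agent opens the connection, so only agent -> MS has to work.
    $r = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    New-Check "TCP ${Server}:${Port} from this host" $r.TcpTestSucceeded "resolved to $($r.RemoteAddress)"
}

function Test-ScomAgentCertificate([string]$ExpectedCn) {
    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -ieq $ExpectedCn })
    if ($certs.Count -eq 0) {
        $present = (Get-ChildItem Cert:\LocalMachine\My | ForEach-Object Subject) -join '; '
        New-Check "Cert with CN=$ExpectedCn in LocalMachine\My" $false "none; subjects present: $present"
        return
    }
    foreach ($c in $certs) {
        $tp = $c.Thumbprint.Substring(0, 8)
        New-Check "[$tp] has private key" $c.HasPrivateKey ''
        New-Check "[$tp] not expired" ($c.NotAfter -gt (Get-Date)) "NotAfter $($c.NotAfter)"

        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($c)
        $bits = if ($rsa) { $rsa.KeySize } else { 0 }
        New-Check "[$tp] RSA key >= 2048" ($bits -ge 2048) "$bits bits"

        $kuExt = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
        $ku = if ($kuExt) { $kuExt.KeyUsages } else { 0 }
        New-Check "[$tp] key usage sig+keyEnc+dataEnc" (($ku -band $RequiredKu) -eq $RequiredKu) "$ku"

        $ekuExt = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $oids = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object Value })
        New-Check "[$tp] EKU server auth" ($oids -contains $ServerAuthOid) ($oids -join ',')
        New-Check "[$tp] EKU client auth" ($oids -contains $ClientAuthOid) ($oids -join ',')

        # The chain must reach a root this machine trusts; the MS needs the same
        # root in its Trusted Root store to accept this certificate in turn.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate problem
        $ok = $chain.Build($c)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        New-Check "[$tp] chain builds to trusted root" $ok $status
        # Per the replies above, a self-signed (e.g. IIS-generated) cert is not acceptable.
        New-Check "[$tp] not self-signed" ($c.Subject -ne $c.Issuer) "issuer $($c.Issuer)"
    }
}

function Get-ScomAgentRecentErrors([int]$Count = 15) {
    # Sam's advice above: the agent writes its channel problems to this log.
    $filter = @{ LogName = 'Operations Manager'; Level = 1, 2, 3 }   # critical, error, warning
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

$fqdn = Get-LocalFqdn
Write-Host "Local FQDN: $fqdn"
@(Test-ScomAgentConnectivity $ManagementServer $AgentPort) + @(Test-ScomAgentCertificate $fqdn) |
    Format-Table Check, Pass, Detail -AutoSize -Wrap
Get-ScomAgentRecentErrors | Format-Table -AutoSize -Wrap
```

    A failed "Cert with CN=..." row reproduces the original poster's situation (a certificate present but issued to a different name), a failed chain row points at a missing root on this side, and a failing TCP row means nothing certificate-related can be concluded until the path to 5723 is open. Revocation checking is disabled here on purpose so that an unreachable CRL does not mask a name or EKU problem; re-enable it once the basics pass.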