SCOM Certification issue

  • Question

  • Hi

    I want to monitor one of the servers in another domain. I have done the steps below:

    1. Generated the certificate for the server.

    2. Exported the trusted root certificate and imported it on the new server.

    3. Imported the certificate using the MOMCertImport utility.

    4. Installed the agent.

    5. Checked the security setting, and it is showing "review manual agent installation" in Pending Management.

    6. But when I checked, the newly installed server is not showing.

    I am getting the errors below:

    Event Type:    Error
    Event Source:    OpsMgr Connector
    Event Category:    None
    Event ID:    21006
    Date:        5/20/2010
    Time:        9:47:17 AM
    User:        N/A
    Computer:    XXX
    Description:
    The OpsMgr Connector could not connect to RMS:5723.  The error code is 11001L (No such host is known.).  Please verify there is network connectivity, the server is running and has registered its listening port, and there are no firewalls blocking traffic to the destination.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



    Event Type:    Error
    Event Source:    OpsMgr Connector
    Event Category:    None
    Event ID:    21016
    Date:        5/20/2010
    Time:        10:18:28 AM
    User:        N/A
    Computer:    XXXX
    Description:
    OpsMgr was unable to set up a communications channel to RMS and there are no failover hosts.  Communication will resume when RMS is both available and allows communication from this computer.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    I have tried a couple of times generating and importing the cert.

    I can also see the error below on the SCOM RMS server:

    Event Type:    Error
    Event Source:    OpsMgr Connector
    Event Category:    None
    Event ID:    20066
    Date:        5/20/2010
    Time:        10:26:32 AM
    User:        N/A
    Computer:    RMS
    Description:
    A Certificate for use with Mutual Authentication was specified, but that certificate could not be found.  The ability for this Health Service to communicate will likely be impacted.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Please help me to resolve this issue.

    Regards

    Donald D'souza

    Thursday, May 20, 2010 5:26 PM

Answers

  • Hi Donald,

    ======================================================================

    I want to monitor one of the servers in another domain. I have done the steps below

    1. Generate the certificate for the server.

    2. Exported and imported the trusted root certificate to the new server.

    3. Using the MOMCertImport utility I have imported the certificate.

    4. Installed the agent

    5. Checked the security setting and it is showing review manual agent installation in pending management

    6. But when I checked, the newly installed server is not showing.

    ======================================================================

    Hi Donald,

    From the steps above, and the error you are getting, the certificate is not registering correctly on your non-domain ("workgroup") server.

    So steps 1 & 2 are fine. But you also need to import the certificate for the workgroup server.

    Then under Personal Certificates you should see the new cert and be able to open it and see that the Root cert is also part of the Certification Path.

    So the steps are:

    Generate the Root cert (only needs to be done once). Generate a Workgroup server cert for each workgroup server.

    Export the certs.

    On the workgroup server, import the certs.

    The Trusted Root cert goes to the Trusted Root Certification Authorities pool of the Local Computer, and the Workgroup cert to the Personal Certificates pool of the Local Computer. Double-click the new personal cert and under the Certification Path tab it should also include the root cert.

    Install the OpsMgr Agent on the workgroup server including any updates like CU2.

    Then run momcertimport.exe      e.g.      D:\Cert\MOMCertImport.exe D:\Cert\MyWorkgroupServer.pfx

    You will then see an event in the OpsMgr Event Viewer, Event ID 20053: The OpsMgr Connector has loaded the specified authentication certificate successfully.

    Then after a minute, the server will appear in Pending Management for you to approve.

    If you have any troubles please feel free to email me at jDOTbradshawATunswDOTeduDOTau

    Sometimes screenshots can explain things a lot better....at least they do for me.

    Cheers,

    John Bradshaw


    • Marked as answer by Donald Dsouza Wednesday, June 2, 2010 8:54 PM
    Friday, May 21, 2010 12:16 AM
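    Editor's note: the following script is an added example, not part of the thread or of any Microsoft tool. It checks the prerequisites the answer above relies on from the side of the machine running the Health Service (agent or RMS): DNS resolution of the RMS, TCP reachability of port 5723, a certificate in LocalMachine\My whose CN is this machine's FQDN with a private key and both Server and Client Authentication EKUs, a chain that builds to the imported root, and the OpsMgr Connector events (20053 success, 20066/20057/21001/21006/21016 failures) since the last restart. It assumes PowerShell 2.0 or later and the "Operations Manager" event log; the RMS FQDN parameter is a placeholder to replace with your own.

    ```powershell
    # Added example (not from the thread): pre-flight checks for a SCOM 2007 R2
    # agent (or RMS) using certificate authentication. Assumes PowerShell 2.0+.
    param(
        [string]$RmsFqdn = "rms.contoso.local",   # assumption: placeholder RMS FQDN
        [int]$Port       = 5723
    )

    $agentFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    Write-Host "This machine's FQDN: $agentFqdn"

    # 1. Name resolution for the RMS (event 21006 / error 11001 = 'No such host is known')
    try {
        $rmsIp = [System.Net.Dns]::GetHostAddresses($RmsFqdn) | Select-Object -First 1
        Write-Host "RMS resolves to $rmsIp"
    } catch {
        Write-Warning "Cannot resolve $RmsFqdn - add it to DNS or the hosts file"
    }

    # 2. TCP reachability on the Health Service port
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($RmsFqdn, $Port)
        Write-Host "TCP ${RmsFqdn}:$Port reachable"
    } catch {
        Write-Warning "TCP ${RmsFqdn}:$Port blocked or RMS not listening"
    } finally { $tcp.Close() }

    # 3. The certificate: CN must be this machine's FQDN, private key present,
    #    EKU must include Server Authentication and Client Authentication.
    $serverAuth = "1.3.6.1.5.5.7.3.1"
    $clientAuth = "1.3.6.1.5.5.7.3.2"
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$agentFqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate with CN=$agentFqdn and a private key in LocalMachine\My"
        return
    }
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    foreach ($oid in $serverAuth, $clientAuth) {
        if ($ekus -notcontains $oid) { Write-Warning "Certificate lacks EKU $oid" }
    }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired $($cert.NotAfter)" }

    # 4. The chain must build to the CA root imported into LocalMachine\Root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"   # stand-alone CA, CRL usually unreachable
    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host "Chain OK, root: $($root.Subject)"
    } else {
        $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
        Write-Warning "Chain failed: $why"
    }

    # 5. Did the Health Service load the cert? 20053 = success; the others are
    #    the failures quoted in this thread.
    $ids = 20053, 20066, 20057, 21001, 21006, 21016
    Get-EventLog -LogName "Operations Manager" -After (Get-Date).AddHours(-1) |
        Where-Object { $_.Source -eq "OpsMgr Connector" -and $ids -contains $_.EventID } |
        Sort-Object TimeGenerated |
        Format-Table TimeGenerated, EventID, @{n = "Message"; e = { $_.Message.Split("`n")[0] } } -AutoSize
    ```

    Run it elevated on the agent after MOMCertImport and a Health Service restart; if every check passes but 20053 never appears, the certificate the Health Service was told to use is not the one the script found, which is the registry check discussed later in the thread.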

All replies

  • Hi Donald

    Somewhere along the line you've made a configuration error. Could you confirm whether the certificate server is windows 2003 or windows 2008 and whether it is an enterprise or stand-alone CA. The actual process (the detail) is different depending on what the underlying CA is:

    http://technet.microsoft.com/en-us/library/bb735413.aspx

    http://technet.microsoft.com/en-us/library/bb735417.aspx

    http://technet.microsoft.com/en-us/library/dd362553.aspx

    http://technet.microsoft.com/en-us/library/dd362655.aspx

    And the devil here is in the detail.

    Cheers

    Graham


    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Thursday, May 20, 2010 6:22 PM
    Moderator
  • Judging from the first error, there might also be a connection problem or a DNS problem.

    Make sure you can "telnet rms.fqdn 5723". You might need to add the RMS FQDN to that server's hosts file.


    Rob Korving
    http://jama00.wordpress.com/
    Thursday, May 20, 2010 7:04 PM
  • Hi Graham

    We are using a stand-alone CA and the certificate server is Windows Server 2003.

    The certification server and SCOM are installed on one server.

    One question

    I am generating the certificate for the new client server and importing it using the MOMCertImport utility.

    Does any other certificate need to be imported on the client PC?

    Regards

    Donald D'souza

    Thursday, May 20, 2010 7:12 PM
  • Hi Donald

    Then it is this url to follow:

    http://technet.microsoft.com/en-us/library/bb735417.aspx

    There are certainly no problems having the CA on the RMS.

    Step 1 - on agent and RMS - download and import Trusted CA (as per above url) under the sections To download the Trusted Root (CA) certificate and To import the Trusted Root (CA) Certificate

    Step 2 - on agent and RMS - follow the steps under To request a certificate from a stand-alone CA .. at step 6, make sure you specify the RMS FQDN for the certificate for the RMS server and the agent FQDN for the certificate for the agent

    Step 3 - on the CA, follow the steps under approve the pending certificate requests

    Step 4 - on the agent and the RMS - follow the steps under To retrieve the certificate

    Step 5 - on the agent and RMS - follow the steps under To import certificates using MOMCertImport 

    As you already have the agent installed on the remote server, bounce the System Center Management service (the OpsMgr service) and check the Operations Manager event log on the agent to see if the certificate loads successfully (the initial events are only informational, so don't just check warnings and errors).

    Good Luck

    Graham


    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Thursday, May 20, 2010 7:27 PM
    Moderator
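    Editor's note: the script below is an added example, not from the thread or the TechNet article it links. It is the command-line equivalent of the web-enrollment request in Graham's steps 2 to 4 for a stand-alone CA, using the inbox certreq.exe: it writes a request INF with the fields that matter for OpsMgr (CN = this machine's FQDN, the SChannel CSP, an exportable machine key, Digital Signature + Key Encipherment, and both Server and Client Authentication EKUs), submits it, and prints the RequestId that the CA administrator must approve. The CA config string is a placeholder; get the real one with certutil -dump on the CA. It assumes PowerShell 2.0 or later, run elevated on the agent or RMS.

    ```powershell
    # Added example (not from the thread): scripted stand-alone CA request with
    # certreq.exe. Assumption: $CaConfig is "CAHOST\CA name" for your CA.
    param(
        [string]$CaConfig = "RMS.contoso.local\Contoso-Standalone-CA"   # placeholder
    )

    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $inf  = Join-Path $env:TEMP "$fqdn.inf"
    $req  = Join-Path $env:TEMP "$fqdn.req"
    $cer  = Join-Path $env:TEMP "$fqdn.cer"

    # KeyUsage 0xa0 = Digital Signature (0x80) + Key Encipherment (0x20).
    # ProviderType 12 = Microsoft RSA SChannel CSP, KeySpec 1 = AT_KEYEXCHANGE.
    # Both EKUs are required: the Health Service acts as client and server.
    @"
    [NewRequest]
    Subject = "CN=$fqdn"
    KeyLength = 2048
    KeySpec = 1
    KeyUsage = 0xa0
    MachineKeySet = TRUE
    Exportable = TRUE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.1
    OID = 1.3.6.1.5.5.7.3.2
    "@ | Set-Content -Path $inf -Encoding ASCII

    # Create the key pair in the machine store and the PKCS#10 request.
    certreq.exe -new $inf $req

    # A stand-alone CA takes the request "under submission" (pending) and
    # returns its RequestId instead of a certificate.
    $out = certreq.exe -submit -config $CaConfig $req $cer 2>&1 | Out-String
    Write-Host $out
    if ($out -match "RequestId:\s*(\d+)") {
        $id = $matches[1]
        Write-Host "Pending request $id. On the CA, approve it with:"
        Write-Host "    certutil -resubmit $id"
        Write-Host "Then back here, retrieve and install it into LocalMachine\My:"
        Write-Host "    certreq -retrieve -config `"$CaConfig`" $id `"$cer`""
        Write-Host "    certreq -accept `"$cer`""
    }
    ```

    After certreq -accept the certificate sits in LocalMachine\My bound to its private key, so Graham's step 5 (MOMCertImport) and the Health Service restart follow unchanged; the root CA certificate still has to be imported into Trusted Root Certification Authorities as in step 1.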
  • Hi

    I have added the RMS FQDN to the hosts file. After restarting the health service I am seeing the errors below:

    Event Type:    Error
    Event Source:    OpsMgr Connector
    Event Category:    None
    Event ID:    20057
    Date:        5/20/2010
    Time:        1:30:28 PM
    User:        N/A
    Computer:    XXXX
    Description:
    Failed to initialize security context for target MSOMHSvc/RMS. The error returned is 0x80090303 (The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type:    Error
    Event Source:    OpsMgr Connector
    Event Category:    None
    Event ID:    21001
    Date:        5/20/2010
    Time:        1:30:28 PM
    User:        N/A
    Computer:    XXXX
    Description:
    The OpsMgr Connector could not connect to MSOMHSvc/RMS because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Event Type:    Error
    Event Source:    OpsMgr Connector
    Event Category:    None
    Event ID:    20070
    Date:        5/20/2010
    Time:        1:30:28 PM
    User:        N/A
    Computer:    XXXX
    Description:
    The OpsMgr Connector connected to RMS, but the connection was closed immediately after authentication occurred.  The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration.  Check the event log on the server for the presence of 20000 events, indicating that agents which are not approved are attempting to connect.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Thursday, May 20, 2010 8:34 PM
  • Hi

    Did you recheck Pending Management to see if the machine now appears so you can approve it?

    Also, if it did not appear, you can run the whole process again following the steps Graham listed.

    Hope this helps!

    Thursday, May 20, 2010 10:45 PM
  • Hi,

    Regarding the error message, please also try the following methods:

    OpsMgr 2007: Agents stuck in Pending Management with Event ID 21016

    http://blogs.technet.com/smsandmom/archive/2008/03/13/opsmgr-2007-agents-stuck-in-pending-management-with-event-id-21016.aspx

    Event ID 21001 and 20057 on SCOM agents - duplicate SPN

    http://blogs.technet.com/csstwplatform/archive/2009/11/04/event-id-21001-and-20057-on-scom-agents-duplicate-spn.aspx

    Hope this helps.

    Thanks.

    Nicholas Li - MSFT
    Monday, May 24, 2010 6:31 AM
    Moderator
  • In addition, did MOMCertImport actually work? Make sure you use the correct platform version - the 64-bit or 32-bit version depending on the server operating system.

    From here - http://thoughtsonopsmgr.blogspot.com/2009/09/momcertimportexe-tool-error-application.html - also check on the agent that the certificate has successfully loaded:

    Process 1: Finding out the serial number of the certificate:

    1. Open the MMC and add a snap-in. Select Certificates for the Computer Account. Go to Personal, expand it and select the certificate OpsMgr will use.
    2. Double-click it and go to the second tab, 'Details'.
    3. The second entry has the field name 'Serial Number'. Write it down or use the button 'Copy to File'. The latter is the best option since no errors will be made with the serial number.

    Process 2: Adding the found serial number in REVERSE order in the registry:

    1. Open the registry.
    2. Go to HKLM\Software\Microsoft\Microsoft Operations Manager\3.0\Machine Settings
    3. Check to see if there is a ChannelCertificateSerialNumber key - if so, check the value against the value above. If not, create a new sub-regkey here with a Binary Value, named ChannelCertificateSerialNumber.

    NOTE - The serial number of the certificate in step 1 is entered in reverse order in step 2. Do not use spaces; these will be added automatically. Example: suppose the serial number is 34 56 85, you must enter it as 85 56 34. DO NOT REVERSE THE ORDER OF THE DIGITS IN THE PAIRS!

    Thanks to Marnix for that ... it has got me out of jail on a couple of occasions.

    Cheers

    Graham



    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
    Monday, May 24, 2010 7:24 AM
    Moderator
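    Editor's note: the script below is an added example, not from the thread or from Microsoft. It automates the two processes above: it reads the serial number of the OpsMgr certificate from LocalMachine\My, reverses the byte pairs exactly as described (pairs reversed, digits inside a pair untouched), cross-checks that against .NET's GetSerialNumber(), which already returns the bytes little-endian, and compares the result with the ChannelCertificateSerialNumber binary value under Machine Settings. With -Fix it writes the value and restarts the Health Service. Assumptions: PowerShell 2.0 or later, run elevated, and the certificate to use is the one whose CN equals this machine's FQDN (adjust the filter if you named it differently). A missing value after running the 32-bit MOMCertImport on a 64-bit OS is the bitness problem Graham mentions, since a 32-bit tool writes under Wow6432Node where the 64-bit Health Service does not look.

    ```powershell
    # Added example (not from the thread): verify/write the reversed serial
    # number MOMCertImport stores for the Health Service. Assumes PowerShell 2.0+,
    # elevated, and a cert with CN = this machine's FQDN in LocalMachine\My.
    param([switch]$Fix)

    $regPath   = "HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings"
    $valueName = "ChannelCertificateSerialNumber"

    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with CN=$fqdn and a private key in LocalMachine\My" }

    # MMC 'Details' shows the serial as big-endian hex pairs, e.g. 34 56 85.
    # The registry wants the same pairs in reverse order: 85 56 34.
    function ConvertTo-ReversedSerialBytes([string]$SerialHex) {
        $clean = $SerialHex -replace '[\s:]', ''
        $bytes = New-Object byte[] ($clean.Length / 2)
        for ($i = 0; $i -lt $bytes.Length; $i++) {
            $bytes[$i] = [Convert]::ToByte($clean.Substring(2 * $i, 2), 16)
        }
        [Array]::Reverse($bytes)          # reverse the pairs, not the digits
        return ,$bytes
    }

    $expected    = ConvertTo-ReversedSerialBytes $cert.SerialNumber
    $expectedHex = [BitConverter]::ToString($expected)
    # .NET already hands the serial back little-endian; the two must agree.
    if ($expectedHex -ne [BitConverter]::ToString($cert.GetSerialNumber())) {
        throw "Internal error reversing serial $($cert.SerialNumber)"
    }
    Write-Host "Certificate $($cert.Thumbprint)"
    Write-Host "  serial as displayed : $($cert.SerialNumber)"
    Write-Host "  expected registry   : $expectedHex"

    $current = $null
    if (Test-Path $regPath) {
        $current = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    }
    if ($current -and ([BitConverter]::ToString([byte[]]$current) -eq $expectedHex)) {
        Write-Host "Registry value matches; the Health Service will load this certificate."
        return
    }
    if ($current) {
        Write-Warning "Registry holds $([BitConverter]::ToString([byte[]]$current)) - a stale or different certificate"
    } else {
        Write-Warning "$valueName is missing - MOMCertImport did not run, ran non-elevated, or was the wrong bitness"
    }
    if ($Fix) {
        if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
        Set-ItemProperty -Path $regPath -Name $valueName -Value $expected -Type Binary
        Restart-Service HealthService
        Write-Host "Wrote $valueName and restarted HealthService; expect event 20053 next."
    }
    ```

    Prefer re-running MOMCertImport (elevated, correct bitness) over -Fix when you can; the script's value is showing which certificate the Health Service is actually pointed at when 20066 or 21001 keeps appearing despite a correct-looking store.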
  • I had the same issue and did all the steps required. I had done this on another server just before it without issue. Found that I had to run the MomCertImport.exe elevated (Run As Admin).

    Paul

    Thursday, July 9, 2020 12:27 PM