workgroup agent certificate based authentication

  • Question

  • Hi guys,

    I'm having troubles with the certificate based authentication on my non-domain joined server.

    The certificate (client and server authentication) is installed with momcertimport.exe. The root-ca is trusted on my workgroup server, tcp port 5723 to the opsmgr server is open, and still I get the error

    OpsMgr was unable to set up a communications channel to server.domain.tld and there are no failover hosts. Communication will resume when server.domain.tld is available and communication from this computer is allowed.


    The agent is able to communicate with the second management group (where the gateway server is in the same subnet as the agent).

    What am I missing?

    Cheers

    Sebastian


    Sebastian Bammer

    Wednesday, June 27, 2012 8:32 AM

Answers

  • Sorry guys, it was completely my fault, I did not run the momcertimport tool on my management server, I just executed it on my clients. The case is solved now. Thanks again to all of you for your time.

    Cheers


    Sebastian Bammer


    Wednesday, June 27, 2012 1:37 PM

All replies

  • Hi

    If I understand correctly, you have multihomed the agent that has the certificate?

    In the Management Group 1, have you allowed manual agent installs and approved the agent?

    The health service can only load one certificate so have you used the same CA \ certificate for each management group? This is sort of explained here (albeit with a different slant):

    http://blogs.technet.com/b/momteam/archive/2009/12/08/how-to-link-multiple-gateway-servers-together.aspx - "A healthservice can only load and use a single auth certificate"

    Cheers

    Graham


    Regards Graham New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/

    • Proposed as answer by Donald Dsouza Wednesday, June 27, 2012 9:06 AM
    Wednesday, June 27, 2012 8:55 AM
  • Hi Sebastian

    As Graham said, please check you have approved the agent in SCOM. The above error will normally appear when the agent is not approved. In case you still have issues, restart the System Center Management service; then, if you see any error, send us the error, which will help to troubleshoot further.


    Donald D'souza (http://donald-scom.blogspot.com/)

    Wednesday, June 27, 2012 9:09 AM
  • Hi guys,

    I'm using the same certificate for both MGs (the root-ca is trusted on both of the RMS servers). The problem is that in my MG I cannot approve the agent because it does not show under pending management (my MG is configured to review new manual agent installations. They are not approved automatically).

    In the event log of my RMS server I can see the following event:

    The OpsMgr Connector negotiated the use of mutual authentication with 195.64.1.2:43767, but Active Directory is not available and no certificate is installed. A connection cannot be established

    I don't get why it's saying that no certificate is installed. It is clearly working with my second MG :(

    Cheers

    Sebastian


    Sebastian Bammer

    Wednesday, June 27, 2012 9:31 AM
  • You just need to install certificates on all management servers which will be to monitor your Work Group servers.
    Wednesday, June 27, 2012 9:39 AM
  • I'll just quickly check with my network guy as I can see that the agent is showing up with its public IP and I don't know if the route back to the agent could be a problem...


    Sebastian Bammer

    Wednesday, June 27, 2012 9:59 AM
  • Hi Sebastian

    If you are able to, can you restart the health service on the agent and check for the following informational events (they aren't warnings or critical although 20052 should be!):

    1) Event id 20052 on the agent stating that the “Specified certificate could not be loaded because the subject name on the certificate does not match the local computer name”.

    Or

    2) Event id 20053 after running MomCertImport – this indicates the cert was loaded properly.

    As you say, routing and also DNS could be the issue.

    Cheers

    Graham


    Regards Graham New System Center 2012 Blog! - http://www.systemcentersolutions.co.uk
    View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/

    Wednesday, June 27, 2012 10:42 AM
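Graham's two event IDs, together with the port and root-CA checks from the original question, can be verified in one pass; the script below is an added example written for this thread, not Microsoft's or the thread's own code. It assumes the SCOM event log is named 'Operations Manager', the standard EKU OIDs, a certificate Subject CN equal to the host FQDN, and PowerShell 3 or later; run it on the workgroup agent and on every management server that will accept it.

```powershell
# Assumptions (not from the thread): event log name 'Operations Manager', the
# standard EKU OIDs, Subject CN = host FQDN (event 20052's condition), PowerShell 3+.
param(
    [string]$ManagementServer = 'server.domain.tld',  # placeholder from the thread
    [int]$Port = 5723
)
$fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$clientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-EkuOid([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    foreach ($ext in $c.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($o in $ext.EnhancedKeyUsages) { $o.Value }
        }
    }
}

# 1. A usable certificate: private key, both EKUs, CN = FQDN, chain to a trusted root.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $oids = @(Get-EkuOid $_)
    $_.HasPrivateKey -and ($oids -contains $serverAuth) -and ($oids -contains $clientAuth)
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning 'No machine certificate carries both Server and Client Authentication EKUs'
} else {
    Write-Host "Candidate: $($cert.Subject), serial $($cert.SerialNumber), expires $($cert.NotAfter)"
    if ($cert.Subject -notlike "CN=$fqdn*") {
        Write-Warning "Subject CN does not match local FQDN $fqdn (expect event 20052)"
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        Write-Warning ('Chain does not build: ' + (@($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; '))
    }
}
# 2. Did the health service load it? 20053 = loaded, 20052 = subject mismatch,
#    no event at all = MomCertImport was probably never run on this host.
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20052, 20053 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $ev)             { Write-Warning 'No 20052/20053 event: run MomCertImport here, then restart the health service' }
elseif ($ev.Id -eq 20053) { Write-Host 'Event 20053: the health service loaded the certificate' }
else                      { Write-Warning 'Event 20052: certificate rejected, subject name mismatch' }
# 3. TCP 5723 reachable from here; each side must also be able to reach the other.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($ManagementServer, $Port)
    $tcp.Close(); Write-Host "TCP $Port to $ManagementServer is open"
} catch {
    Write-Warning "TCP $Port to $ManagementServer failed: $($_.Exception.Message)"
}
```

Run on the management server, check 2 would have reported no 20053 event, which is the root cause this thread ended on.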
  • Hi Graham,

    EventID 20052 does not show up, but 20053 does (and as I said, the config is already working for my second management group).

    We just verified DNS and routing and both work fine. I've already reinstalled the agent as well.

    Cheers

    Sebastian


    Sebastian Bammer

    Wednesday, June 27, 2012 1:10 PM