Event ID 20050; SCOM 2007 SP1; W2K3 Stand-alone CA; W2K8 in DMZ
We recently had a request to monitor our first DMZ-based W2K8R2 servers. We are running SCOM 2007 SP1 on W2K3; we have a W2K3 Stand-Alone CA. I had a heck of a time even performing the web-based enrollment from the W2K8 servers to the W2K3 CA, but I got that worked out. Once I completed importing the certificates and exporting them to SCOM, I restarted the OpsMgr agents on the W2K8 servers and noticed the event log throw out Event ID 20050, which reads:

    Log Name: Operations Manager
    Source: OpsMgr Connector
    Date: 3/18/2011 6:52:12 AM
    Event ID: 20050
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: AUSREMSWS101
    Description: The specified certificate could not be loaded because the Enhanced Key Usage specified does not meet OpsMgr requirements. The certificate must have the following usage types: Server Authentication (1.3.6.1.5.5.7.3.1) Client Authentication (1.3.6.1.5.5.7.3.2)

The SCOM agent will not communicate with the Management Server, hence, no monitoring at this time. When I entered the OID during certificate creation and submission, I entered the OID as: 1.3.1.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2, which works fine for all DMZ-based W2K3 and W2K servers/scom agents we are currently monitoring. Any ideas on what I'm missing here?

Thanks, Sven
March 18th, 2011 8:08am

Anyone know how to get this resolved?
March 18th, 2011 5:35pm

Hi

Given the lack of response I'll give the following option where I had one server that refused to work with certificates while all around it were happy. It was also a Windows 2003 standalone certificate server, although the DMZ server was Windows 2003 and not Windows 2008 R2.

http://systemcentersolutions.wordpress.com/2010/07/20/windows-2003-stand-alone-certificate-server/

Not sure if you have been using certreq for your other certificates but basically the above approach required the following.

1. Create a setup information file to use with the CertReq command-line utility – do this on the workgroup machine.
2. Create a request file – do this on the workgroup machine and then copy the file to a server that has access to the certificate server.
3. Submit a request to the CA using the request file from a server that has access to the certificate server.
4. Approve the pending certificate request – from the certificate server.
5. Retrieve the certificate from the CA – from a machine that has access to the certificate server.
6. Import the certificate into the certificate store – copy the certificate to the workgroup computer.
7. Import the certificate into Operations Manager using MOMCertImport – on the workgroup computer.

If you haven't used certreq before then let us know if you have any problems following the above and I'll try to dig out some more details.

Regards
Graham

View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
March 21st, 2011 1:32pm

Anyone have any ideas or clues about this? As stated, we have a W2K3 Stand-alone CA, not Enterprise, so we cannot use Certificate Templates. SCOM 2007 SP1 running on W2K3. Two new W2K8R2 servers in DMZ, which will require certificates. The usual process for installing/exporting certificates does not appear to be working and is experiencing the error/event listed above.

Thanks, Sven
March 21st, 2011 1:53pm

Hi Graham, Thanks for responding. I'm basically a certreq novice so I'll need a little more handholding. I've created a .req file. What syntax do I use to submit this certificate request to our W2K3 Stand-Alone CA?
March 21st, 2011 2:30pm

Hi

I've cut and pasted this together from a few resources so hopefully it makes sense.

1. Create a text file containing the following:

    [Version]
    Signature = "$Windows NT$"

    [NewRequest]
    Subject = "CN=agent.contoso.com,OU=MyOU,O=MyOrg,L=MyCity,S=MyState,C=US"
    KeySpec = 1
    KeyLength = 1024
    KeyUsage = 0xa0
    ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    Exportable = TRUE
    MachineKeySet = TRUE
    UseExistingKeySet = FALSE

    [EnhancedKeyUsageExtension]
    OID = 1.3.6.1.5.5.7.3.1
    OID = 1.3.6.1.5.5.7.3.2

2. Save the file with an .inf file name extension; for example, c:\certs\RequestConfig.inf.
3. In a command window, type CertReq -New -f c:\certs\RequestConfig.inf c:\certs\CertRequest.req, and then press ENTER.
4. Using Notepad, open the resulting file (for example, CertRequest.req), and copy the contents of this file into the clipboard.
5. From the DMZ server, using Internet Explorer, connect to the certificate server (http://servername/certsrv).
6. Click Request a certificate.
7. On the Request a Certificate page, click advanced certificate request.
8. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
9. On the Submit a Certificate Request or Renewal Request page, in the Saved Request text box, paste the contents of the CertRequest.req file that you copied in step 4, and then click Submit.
10. Approve the certificate on the certificate server.
11. From the DMZ server, fire up Internet Explorer and go to http://<servername>/certsrv.
12. Click View the status of a pending certificate request.
13. On the View the Status of a Pending Certificate Request page, click the certificate you requested.
14. On the Certificate Issued page, select Base 64 encoded, and then click Download certificate.
15. In the File Download – Security Warning dialog box, click Save, and save the certificate; for example, as c:\certs\NewCertificate.cer.
16. On the Certificate Installed page, after you see the message that Your new certificate has been successfully installed, close the browser.
17. To import the certificate into the certificate store, on the DMZ server, in the command window, type CertReq -Accept c:\certs\NewCertificate.cer, and then press ENTER.
18. Then run MOMCertImport.

It is a long shot ... but it will be interesting to hear if it works (or if it doesn't, what the error is). Just hope that we can get a less complex solution to monitoring DMZ servers in future releases ;-)

Good Luck
Graham

View OpsMgr tips and tricks at http://systemcentersolutions.wordpress.com/
March 21st, 2011 3:30pm
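A check to run on the DMZ agent after CertReq -Accept and before MOMCertImport, added here as an example rather than anything from the thread or from Microsoft: it lists every certificate in the computer's Personal store and reports whether it carries both EKU OIDs that Event 20050 names, has its private key, is unexpired, and names this computer. The store path, the `$Subject` default and the function name are assumptions; a mistyped OID in the request file shows up verbatim in the EKU column.

```powershell
# Added example (not from the thread or from Microsoft): audit the local computer's
# Personal store for a certificate that satisfies the OpsMgr agent's requirements.
# Assumptions: PowerShell 2.0 or later, run elevated on the DMZ agent; $Subject
# defaults to this machine's name, which is what the agent certificate must name.
param([string]$Subject = $env:COMPUTERNAME)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication, as named in Event 20050
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication, as named in Event 20050

function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Pull the EKU extension (if any) and flatten it to a list of OID strings.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $oids = @()
    if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $problems = @()
    if ($oids -notcontains $serverAuth) { $problems += "missing Server Authentication ($serverAuth)" }
    if ($oids -notcontains $clientAuth) { $problems += "missing Client Authentication ($clientAuth)" }
    if (-not $Cert.HasPrivateKey)      { $problems += 'no private key in this store (MachineKeySet not set, or wrong store)' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($Cert.NotAfter)" }
    if ($Cert.Subject -notmatch ('CN=' + [regex]::Escape($Subject) + '(,|$)')) {
        $problems += "subject '$($Cert.Subject)' does not name this computer"
    }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        EKU        = ($oids -join ', ')     # a mistyped request OID shows up here verbatim
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-OpsMgrCertificate -Cert $_ } |
    Format-List Thumbprint, Subject, EKU, Usable, Problems
```

If no certificate comes back with Usable = True, the Problems column names the requirement the agent will fail on, which is quicker than restarting the agent and reading the 20050 event again.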

PS Should have highlighted that this line needs updating for your server - for a DMZ server the following:

    Subject = "CN=<NetbiosComputerName>,OU=MyOU,O=MyOrg,L=MyCity,S=MyState,C=US"

If the above information request file doesn't work then try the following:

    [NewRequest]
    Subject="CN=<NetBios Name of DMZ Server>"
    Exportable=TRUE
    KeyLength=2048
    KeySpec=1
    KeyUsage=0xf0
    MachineKeySet=TRUE

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1
    OID=1.3.6.1.5.5.7.3.2

View OpsMgr tips and tricks at http://systemcentersolutio
March 21st, 2011 3:30pm


Hi,

Please try the methods in the following documents and posts:

How to Obtain a Certificate Using Windows Server 2003 Stand-Alone CA in Operations Manager 2007
http://technet.microsoft.com/en-us/library/bb735417.aspx

Step by Step for using Certificates to communicate between agents and the OpsMgr 2007 server
http://blogs.technet.com/b/operationsmgr/archive/2009/09/10/step-by-step-for-using-certificates-to-communicate-between-agents-and-the-opsmgr-2007-server.aspx

Obtaining Certificates for Ops Mgr via Command Line or Script
http://blogs.technet.com/b/momteam/archive/2008/06/02/obtaining-certificates-for-ops-mgr.aspx

Hope this helps.

Thanks.
Nicholas Li - MSFT

Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 22nd, 2011 3:31am


