Event ID : 20057 - No authority could be contacted for authentication
Hi,
Most of the agents in a trusted forest (forest trust) don't connect anymore and give this error:
Event ID : 20057
Failed to initialize security context for target MSOMHSvc/rms_fqdn The error returned is 0x80090311(No authority could be contacted for authentication.). This error can apply to either the Kerberos or the SChannel package.
And also this one less frequently:
Event ID : 21016
OpsMgr was unable to set up a communications channel to rms_fqdn and there are no failover hosts. Communication will resume when rms_fqdn is available and communication from this computer is allowed.
------------------
Both forests have been upgraded this year to Windows 2008 R2
SCOM 2007 R2 - CU4 , Windows 2008 SP2
------------------
After applying the February 2012 MS security hotfixes to them and to my RMS, this error appears after a reboot (agents and RMS).
I tried to stop/start the Health Service service (agent/RMS), repair the agent, remotely remove and re-install the agent. Restarted the Config service. Allowed the server to authenticate to the RMS. Still the same.
Some servers that have been patched last week and haven't rebooted this week don't have the issue.
Kerberos seems to be ok. tcp/udp 88 ok. SPNs are still there.
Agents in the same domain as the RMS are ok.
However, and this is strange, for one server in this trusted domain the error came 2 days before. Nothing had been done or changed at that time (no reboot, no patch).
Help will be appreciated.
Thanks
Alain
February 25th, 2012 12:24pm
I believe there is no authentication provider available in the other domain for the SCOM agents..
- Is there any firewall between the agents and the DCs?
- Do you have enough domain controllers in the agents' domain?
- Do you have a Gateway in place? If yes, did you check its certificate?
Regards,
Mazen
February 25th, 2012 2:22pm
All ports are opened between these two domains.
I do not manage these DCs, but it has worked until this week for many months. This trusted domain was updated to Win2K8 R2 in January. DCs for those clients are not managed by SCOM and I'm not a domain admin for this domain.
There is no Gateway. Bi-directional forest trust.
However, I saw this event on one of the DCs that is in the same domain as the RMS:
Event ID Schannel 36886
"No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this."
This happened the same day (but some hours before) that the first agent got the issue. Not sure if it is related. This event is still appearing regularly.
Thanks,
Alain
February 25th, 2012 4:37pm
Is there any certificate used for the DCs?
Did you change anything regarding certificates?
February 26th, 2012 5:08am
I think there's an issue with the domain you're trying to monitor, and probably not because of the patches but because of the domain upgrade. They've made some changes to the security settings from a Win2K8 R2 DC; maybe this applies:
http://support.microsoft.com/kb/977321/en-us
Rob Korving
http://jama00.wordpress.com/
February 26th, 2012 7:16am
No certificate used.
Except for event ID 36886, no other event (error or warning) appears on the DCs of either forest.
Thanks again for your input.
Alain
February 26th, 2012 4:42pm
Hi,
Firstly, I think you need to ensure the connectivity between the management server and the agents works fine.
Please also check the firewall settings.
Using a Firewall with Operations Manager 2007
http://technet.microsoft.com/en-us/library/cc540431(en-us).aspx
Hope this helps.
Thanks.
Nicholas Li
TechNet Community Support
February 28th, 2012 1:15am
Hi,
I've setup a netmon trace on the agent.
What I see is a "KerberosV5:KRB_ERROR - KRB_ERR_RESPONSE_TOO_BIG (52)" message just after starting the Health Service service on the agent.
(Source: Agent's DC, Dest: Agent)
The guy in the network team told me that no port is blocked between forests.
What can I do about this Kerberos error?
One other thing I see in the traces is that the agent seems to try to communicate with one of the DCs (where the RMS is located) that had been removed last week. This DC was added to perform the 2008 to 2008 R2 domain update.
Thanks,
Alain
February 28th, 2012 8:01am
Hi,
Regarding the error, please check it referring to the methods below:
Authentication Using UDP Causes Errors
http://technet.microsoft.com/en-us/library/cc779511(v=ws.10).aspx
Kerberos for the Busy Admin
http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
If the error persists, considering this is about Windows Server, it is also recommended that you go to the corresponding forum for further investigation:
Windows Server Forum
http://social.technet.microsoft.com/Forums/en/category/windowsserver/
Hope this helps.
Thanks.
Nicholas Li
TechNet Community Support
February 28th, 2012 11:52pm
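As an added example (not from this thread and not a Microsoft tool), the following PowerShell script collects on an affected agent the evidence discussed in the two posts above: the OpsMgr 20057/21016 events, the Schannel 36886 event, the MSOMHSvc SPN lookup, whether Kerberos is forced over TCP (the MaxPacketSize setting behind the UDP article, which is what KRB_ERR_RESPONSE_TOO_BIG (52) points at), and which DCs the agent currently sees. $RmsFqdn is a placeholder parameter; the event log and registry names are the standard Windows/SCOM ones.

```powershell
# Added example: gather Kerberos/SCOM agent evidence for error 0x80090311 (event 20057).
# Assumptions: run in an elevated PowerShell on the agent; $RmsFqdn is a placeholder for the RMS name.
param(
    [string]$RmsFqdn = "rms.example.local",   # placeholder, replace with the real RMS FQDN
    [int]$Hours = 72                           # how far back to search the event logs
)
$since = (Get-Date).AddHours(-$Hours)

# 1. OpsMgr agent events 20057 / 21016 (failed security context / no channel to the RMS)
"== Operations Manager events 20057/21016 since $since =="
Get-WinEvent -FilterHashtable @{LogName='Operations Manager'; Id=20057,21016; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message'; e={ $_.Message.Split("`n")[0] }} |
    Format-Table -AutoSize

# 2. Schannel 36886 in the System log (no suitable default server credential)
"== Schannel 36886 since $since =="
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Schannel'; Id=36886; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id | Format-Table -AutoSize

# 3. Is the Health Service SPN for the RMS still registered, and on exactly one account?
"== SPN lookup MSOMHSvc/$RmsFqdn =="
setspn -Q "MSOMHSvc/$RmsFqdn"

# 4. Kerberos transport: MaxPacketSize=1 forces TCP, so a large ticket cannot trigger
#    KRB_ERR_RESPONSE_TOO_BIG (52) on the UDP path.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$maxPkt  = (Get-ItemProperty -Path $kerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
if ($maxPkt -eq 1) {
    "Kerberos is forced over TCP (MaxPacketSize=1)."
} else {
    "MaxPacketSize is '$maxPkt': Kerberos may still use UDP for small requests; a large ticket can produce error 52."
    "To force TCP (requires reboot): New-ItemProperty -Path '$kerbKey' -Name MaxPacketSize -PropertyType DWord -Value 1 -Force"
}

# 5. Which DC the agent is talking to, and the DC list for its domain.
#    Compare against what the domain admins say exists: a decommissioned or down-level DC
#    (as in this thread, a lingering Windows 2003 DC) shows up here.
"== Current logon DC and DC list for $env:USERDNSDOMAIN =="
nltest /dsgetdc:$env:USERDNSDOMAIN /force
nltest /dclist:$env:USERDNSDOMAIN
```

Run it before and after any change (patch, DC removal, registry edit) so the 20057/21016 timeline can be matched against the Schannel and DC findings.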
Hi,
Just to let you know that the problem has been solved.
There was a DC in the same domain as the agent that was still on Win2003 (all others are Win2008 R2). When that DC was removed, communication with the RMS was back.
Thanks to all.
Alain
May 14th, 2012 8:00am