SCOM Console deployed in an untrusted domain and through a firewall.
I have a client that has a SCOM console thick client in another domain, and he cannot connect to the RMS getting the error:
Date: 10/5/2010 1:36:27 PM
Application: System Center Operations Manager 2007 R2
Application Version: 6.1.7221.0
Severity: Warning
Message: Failed to connect to server 'xxxxxxxxxxx'. Insufficient privileges
Microsoft.EnterpriseManagement.Common.UnauthorizedAccessMonitoringException: The user does not have sufficient permission to perform the operation. ---> System.ServiceModel.Security.SecurityNegotiationException:
The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
--- End of inner exception stack trace ---
He is a member of Operations Manager Operators. Not sure what else to do..
October 5th, 2010 9:15pm
The other user cannot use Windows integrated authentication because it is another domain.
When he opens the console he needs to enter the user name, password and domain information. These credentials should be of the domain where SCOM is.
Also, in the console, under Administration --> Security --> User Roles, the specified account should be part of one of the profiles listed, based on the privileges you want to provide that user.
--
Regards,
Vik Singh
October 5th, 2010 9:48pm
Do you have a gateway server? Or have you configured certificates?
http://technet.microsoft.com/en-us/library/bb735408.aspx
Cheers Graham View OpsMgr tips and tricks at
http://systemcentersolutions.wordpress.com/
October 5th, 2010 10:15pm
Graham - as far as I know, we don't need certificates for remote console access. Only if a client is untrusted we need it.
If we are just using the console and we use the appropriate credentials, it should work. If not, let me know.
--
Regards,
Vik Singh
October 5th, 2010 10:17pm
Hi
Sorry - my mistake totally - I thought you \ they were looking to deploy agents from the console. Classic case of not reading closely enough.
For use of the console then you are correct. The user needs rights in that domain which they don't appear to have.
Cheers
Graham
Cheers Graham View OpsMgr tips and tricks at
http://systemcentersolutions.wordpress.com/
October 5th, 2010 10:24pm