Gateway unable to connect to Management server

Hi,

We are currently having an issue with one of the Gateway servers, which is not able to connect to the RMS server. We had tried re-issuing the Root certificate and the other client certificates as per http://www.definit.co.uk/2012/01/troublewithscom2007r2certificates/

But still we have the same issue. PSB the events being triggered on the G/W server.

Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          6/4/2014 8:21:07 AM
Event ID:      20067
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      XXXXXX
Description:
A device at IP RMS IP:5723 attempted to connect but the certificate presented by the device was invalid.  The connection from the device has been rejected.  The failure code on the certificate was 0x800B010A (A certificate chain could not be built to a trusted root authority.).

Log Name:      Operations Manager
Source:        OpsMgr Connector
Date:          6/4/2014 8:21:07 AM
Event ID:      21002
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      XXXXXX
Description:
The OpsMgr Connector could not accept a connection from RMS IP:5723 because mutual authentication failed
June 5th, 2014 9:08am

Hi,

My first guess would be that the root certificate is missing. You can check this via the certificates mmc.
When it comes to using certificates, many mistakes can be made. For this reason I created a blog about this, which can be found here:

http://marthijnvanrheenen.wordpress.com/2012/03/28/scom-2012-connecting-a-gateway-server-using-certificates/

Hope this helps you out.

Best regards,

Marthijn.


June 5th, 2014 9:58am

Hi,

Thanks for the blog. I had followed the blog and have imported the root certificates. But still get the same error.

Followed by 21019 which says returned to communicating with its primary host, then connection gets closed with a 20070 and 21016 error.

Port to the SCOM server is open.

June 5th, 2014 10:58am

Hi,

I also have a blog post with common certificate errors: http://blog.coretech.dk/msk/common-issues-when-working-with-certificates-in-opsmgr/ for troubleshooting.

Regards

Michael

June 5th, 2014 12:43pm

Steps to solve issue:

  1. Check for eventids (20067, 20070,  21016)
  2. Export certificate from Local\Computer\Personal\Certificate Folder
    Save as DER encoded binary X.509 (.CER) file.
  3. Run certutil -urlfetch -verify <cert.cer> tool on cer file exported in step 2.
  4. Search certutil output for errors, like retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
  5. Open Internet Explorer and copy URL that cannot be resolved. If you cannot download the *.crt file look at your proxy settings. These should be empty or correct.
  6. Correct proxy settings.
  7. [not sure if step 7 is really needed] Remove certificates from Local\Computer\Personal\Certificate Folder and Local\Computer\Operations Manager\Certificate folder
  8. Import certificate again in Local\Computer\Personal\Certificate folder
    You can run certutil -urlfetch -verify <cert.cer> tool again to see if there are still any errors.
  9. Run MomCertImport <nameofcertexport>.pfx again.
  10. Check eventlog for restart of HealthService (will be restarted after running MOMCertImport) and if everything is ok now.

Also refer below link

http://blogs.technet.com/b/stefan_stranger/archive/2009/06/21/the-failure-code-on-the-certificate-was-0x800b010a-a-certificate-chain-could-not-be-built-to-a-trusted-root-authority.aspx

June 8th, 2014 11:35am

Hi,

I have done the steps mentioned in the blog but am unable to download the crt file. The proxy on the IE seems to be blank.

PSB the error I receive while running the Certutil command


  Failed "AIA" Time: 0
    Error retrieving URL: Error 0x80190194 (-2145844844)
    http://URLname%20Internal%20Issuing%20CA%20QA%20XX01.crt


  Failed "AIA" Time: 0
    Error retrieving URL: Error 0x80190194 (-2145844844)
    http://URLname%20Internal%20Issuing%20CA%20QA%20XX01.crt

June 9th, 2014 6:22am
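
The certutil triage from the steps above, applied to the kind of output posted here, as an added example that is not part of any post in this thread: it pulls each failed AIA/CDP retrieval out of certutil -urlfetch -verify output and classifies the error code, since 0x80190194 is an HTTP 404 status while 0x80072ee7 (WIN32: 12007) is a name-resolution failure. The sample text is constructed, the host names are placeholders, and the function name is hypothetical.

```powershell
# Added example, not from the thread. $sample is constructed; host names are placeholders.
$sample = @'
  Failed "AIA" Time: 0
    Error retrieving URL: Error 0x80190194 (-2145844844)
    http://pki.example.test/Issuing%20CA.crt

  Failed "CDP" Time: 0
    Error retrieving URL: The server name or address could not be resolved 0x80072ee7 (WIN32: 12007)
    http://crl.example.test/Issuing%20CA.crl
'@

# Hypothetical helper: emits one object per failed AIA/CDP retrieval.
function Get-CertutilFetchFailure {
    param([string[]]$Line)

    for ($i = 0; $i -lt $Line.Count; $i++) {
        if ($Line[$i] -match '^\s*Failed "(?<kind>[^"]+)"') {
            $kind = $Matches['kind']; $code = $null; $url = $null
            # certutil prints the error line and then the URL after "Failed".
            for ($j = $i + 1; $j -lt $Line.Count -and $j -le $i + 3; $j++) {
                if ($Line[$j] -match 'Error retrieving URL:.*?(?<hr>0x[0-9a-fA-F]{8})') {
                    $code = $Matches['hr'].ToLower()
                } elseif ($Line[$j] -match '^\s*(?<u>\w+://\S+)') {
                    $url = $Matches['u']; break
                }
            }
            if ($code -like '0x8019*') {
                # FACILITY_HTTP HRESULT: the low 16 bits carry the HTTP status code.
                $status  = [Convert]::ToInt32($code.Substring(6), 16)
                $finding = "HTTP $status came back, so a server or proxy was reached; check that the file is published at this URL"
            } elseif ($code -eq '0x80072ee7') {
                $finding = 'Host name did not resolve; check DNS and proxy settings'
            } else {
                $finding = 'Unclassified; look up the error code'
            }
            $hostName = if ($url) { ([uri]$url).Host } else { $null }
            [pscustomobject]@{
                Kind = $kind; HResult = $code; Url = $url
                Host = $hostName; Finding = $finding
            }
        }
    }
}

Get-CertutilFetchFailure -Line ($sample -split '\r?\n') | Format-List
```

The Host property is the name to test with nslookup from the gateway server; the full URL is what the server must be able to download.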

Hi,

The server must be able to reach the URL configured in the certificate to check if it's valid.

I think you found the problem here.

Regards,

Marthijn.

June 10th, 2014 3:20pm

Hi Marthijn,

What could be done to resolve this issue? Any suggestion?

June 12th, 2014 9:59am

Hi Jesty,

Are you able to resolve the URL for the Root Authority server to an IP?

Marthijn

June 14th, 2014 3:43pm

Hi,

Could you please explain how I could resolve the URL for Root CA to an IP?

June 16th, 2014 5:07am

Can you resolve the name of the server in the URL by using nslookup?

http://ROOT.CERT.SERVERNAME/URLJUNK.BLA

nslookup ROOT.CERT.SERVERNAME

June 16th, 2014 12:30pm

Hi Scott,

Could be a silly question in this forum. But I am unable to find any such URL.

When I do a lookup with nslookup root.cert.servername I get local cant find root.cert.servername: non-existant domain

Note : I have only changed the servername to the Gateway server name.

June 17th, 2014 5:34am

Hi Scott,

Request your help in this issue. I did an nslookup on the G/W servername and could resolve the Group policy server name and IP.

June 19th, 2014 6:52am

Any help??
July 3rd, 2014 7:26am

Hi,

OpsMgr Connector warning events 20067, 21002 followed by 20070 & 21016 critical error. Soon returns to the Primary MS event ID 21019 and soon the connection gets closed (20070 and 21016).

What could be the issue?

July 15th, 2014 5:02am

This topic is archived. No further replies will be accepted.
