Is it possible to use a Domain Alias for Management Server to which a Gateway is connecting?

I have a management server called SCOM01.mydomain.local.

I want to use a public NS for this server, so let's say SCOM01.mydomain.com.

I create a cert from my internal CA using the SCOM01.mydomain.com.

At my gateway, I am receiving errors.

20057  Failed to initialize security context for target MSOMHSvc/SCOM01.mydomain.com The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.

21001 The OpsMgr Connector could not connect to MSOMHSvc/SCOM01.mydomain.com because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

20071  The OpsMgr Connector connected to SCOM01.mydomain.com , but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which indicate a failure to authenticate.

I even tried adding an SPN, even though I would not think it would need this since we are performing cert authentication.  Anyone know if this is possible?

Thanks,

Jason


July 20th, 2015 12:18pm

Thank you both for your information.  Yes this is what I have found also.

So at the end of the day, if you want an Agent or a Gateway to communicate with a Management Server using a public NS lookup, then you need to make sure your AD domain is reflecting this name.

So for me, I am too deep at this point to switch from my current .LOCAL AD domain to a .COM, so I will go with the host entry workaround.

I know somewhere else on the forums somebody mentioned adding an additional workgroup-based Gateway as a workaround to the domain aliasing.  However, this does not work, because we must create a certificate which only includes the hostname and NOT the remaining domain portion, like a domain member server.

-Jason


July 21st, 2015 1:20pm
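As an added diagnostic (not from this thread or from Microsoft), the PowerShell below runs on the management server and checks the things events 20057, 21001 and 20071 point at: whether the name the gateway dials resolves (and whether it is pinned in the hosts file), whether a LocalMachine certificate carries exactly that name with both authentication EKUs, whether the MSOMHSvc SPN from event 20057 is registered, and whether the dialed name matches the server's own AD FQDN, which is the mismatch the accepted answer describes. The target name, SPN, log name and event IDs are taken from the thread; the hosts-file path and the EKU OIDs are standard Windows values.

```powershell
# Added diagnostic for the gateway -> management server errors in this thread (not from the thread
# or from Microsoft). Run on the management server in an elevated PowerShell session.
param([string]$TargetName = 'SCOM01.mydomain.com')   # the name the gateway dials (from the thread)

$findings = @()

# 1. Does the dialed name resolve, and is it pinned in the hosts file (the thread's workaround)?
try   { $ip = ([System.Net.Dns]::GetHostAddresses($TargetName) | ForEach-Object IPAddressToString) -join ', '
        $findings += "DNS:   $TargetName -> $ip" }
catch { $findings += "DNS:   $TargetName does not resolve: $($_.Exception.Message)" }
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Select-String -Path $hostsFile -Pattern ([regex]::Escape($TargetName)) -Quiet) {
    $findings += "hosts: $TargetName is pinned in $hostsFile"
}

# 2. Does the dialed name equal this server's own AD FQDN? The accepted answer says it must.
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($localFqdn -ine $TargetName) {
    $findings += "FQDN:  server is '$localFqdn' but the gateway dials '$TargetName' (mutual auth will fail)"
}

# 3. Is there a machine cert with a private key whose CN or SAN is exactly the dialed name and
#    whose EKU carries both Server Authentication and Client Authentication (standard OIDs)?
$serverAuth = '1.3.6.1.5.5.7.3.1'; $clientAuth = '1.3.6.1.5.5.7.3.2'
$certOk = foreach ($c in Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey) {
    $names = @(); if ($c.Subject -match '^CN=([^,]+)') { $names += $Matches[1] }
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value } }
    $eku = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $oids = if ($eku) { @([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku |
                          ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object Value) } else { @() }
    if (($names -icontains $TargetName) -and ($oids -contains $serverAuth) -and ($oids -contains $clientAuth)) { $c }
}
if ($certOk) { $findings += "cert:  OK, thumbprint $($certOk[0].Thumbprint)" }
else         { $findings += "cert:  no LocalMachine\My cert names '$TargetName' with both auth EKUs" }

# 4. Is the SPN named in event 20057 registered anywhere in AD? (setspn -Q is the built-in query.)
$spn = "MSOMHSvc/$TargetName"
$spnOut = & setspn.exe -Q $spn 2>&1
$findings += if ("$spnOut" -match 'Existing SPN found') { "SPN:   $spn registered" } else { "SPN:   $spn not found" }

# 5. Show the most recent occurrences of the three events from the thread on this server.
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 20057, 21001, 20071 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "event: $($_.TimeCreated) id=$($_.Id)" }

$findings
```

A 'FQDN' finding together with a 'cert: OK' finding is the situation in this thread: the certificate names the alias correctly, but mutual authentication still fails because the alias is not the AD name of the computer.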

