Hello SCOM Gurus
I wonder if someone out there may be able to help.
I have two (non-trusted) domains - both hosted in Azure. See graphic below (a picture paints a thousand words!)
Just to put some context around the diagram - I have two domains, the left-hand side contains the SCOM MS and the right-hand side is a non-trusted domain hosting the SCOM GW. The idea is that I want computers (agents) from the right-hand side domain to be able to talk back to the SCOM MS via the SCOM GW.
In a nutshell I have followed some great 'how to' guides - for instance:
After hours of messing around I still cannot get my Gateway Server to talk successfully back to the SCOM Management Server in the other domain. I have deployed my own Certificate Authority and followed documentation to put the relevant Certs on both servers. I have checked all Certs and they report 'The certificate is OK'.
Also I can confirm that the MOMCertImport tool was run on both the SCOM MS and SCOM GW server (I did the MS 1st and GW 2nd) - both returned a 'Success' cmd prompt. I have also rebooted both servers - to restart all relevant SCOM Services.
On the Azure VMs I have allowed TCP 5723 on both servers. Additionally, the SCOM MS can resolve the SCOM GW server in the other domain via a HOSTS file entry (and vice-versa). I have tested connectivity using telnet <FQDN> 5723 (both ends seem to connect). No internal Windows Firewalls are enabled on any servers.
The cluster of errors reported by the SCOM Gateway server are (first to last):
20057: Failed to initialize security context for target MSOMHSvc/SCOM-01.DOMAIN.local The error returned is 0x80090303(The specified target is unknown or unreachable). This error can apply to either the Kerberos or the SChannel package.
21001: The OpsMgr Connector could not connect to MSOMHSvc/SCOM-01.DOMAIN.local because mutual authentication failed. Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains
20071: The OpsMgr Connector connected to SCOM-01.DOMAIN.local, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server . Check the event log on the server and on the agent for events which indicate a failure to authenticate.
The same events repeat every 15 mins in the Operations Manager event log - and thus the SCOM Gateway remains 'Not Monitored'.
I don't get any relevant Events logged from the SCOM MS side - I guess because it hasn't even got that far / authenticated?
I'm sure this is a Certificate type of problem but I'm really not sure where I go from here - any suggestions?
Many thanks
Darren
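The three events quoted above (20057, 21001, 20071) are what the OpsMgr Connector logs when the certificate presented on the 5723 channel does not satisfy the conditions SCOM checks before mutual authentication completes. The script below is an added example, not part of the original post and not Microsoft's tooling: run it elevated on each of the two servers (MS and GW) and it lists every certificate in the local machine Personal store that fails one of those conditions, checks that the certificate MOMCertImport registered is actually the one in the store, and pulls the recent connector events for context. Assumptions: PowerShell 3.0 or later; the local computer's DNS name is the FQDN the certificate should carry; the registry location is the one MOMCertImport writes (ChannelCertificateSerialNumber under Machine Settings, stored byte-reversed). Function and variable names are the example's own.

```powershell
# Added example (not from the original post): audits the local SCOM channel certificate.
# Assumes PS 3+, elevated session, and the documented MOMCertImport registry location.

$fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$regPath    = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-ScomChannelCertificate {
    # Returns a list of findings; an empty list means the certificate meets every check.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $findings = @()

    # Both EKUs are required because each side of the channel acts as client and server.
    $ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($serverAuth -notin $ekus) { $findings += 'missing Server Authentication EKU' }
    if ($clientAuth -notin $ekus) { $findings += 'missing Client Authentication EKU' }

    # Key usage must allow Digital Signature and Key Encipherment.
    $ku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku) {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        if (-not ($ku.KeyUsages -band $flags::DigitalSignature)) { $findings += 'key usage lacks Digital Signature' }
        if (-not ($ku.KeyUsages -band $flags::KeyEncipherment)) { $findings += 'key usage lacks Key Encipherment' }
    }

    # The HealthService needs the private key, and the subject CN must be the machine FQDN.
    if (-not $Cert.HasPrivateKey) { $findings += 'no private key present in the store' }
    $cn = (($Cert.Subject -split ',')[0] -replace '^\s*CN=', '').Trim()
    if ($cn -ne $fqdn) { $findings += "subject CN '$cn' does not match FQDN '$fqdn'" }

    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $findings += 'outside validity period' }

    # The chain must build to a root trusted on THIS machine (the CA cert must be in LocalMachine\Root).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "chain does not build: $status"
    }
    return $findings
}

function Get-RegisteredChannelSerial {
    # MOMCertImport stores the serial number as REG_BINARY with the bytes reversed.
    $bytes = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    if (-not $bytes) { return $null }
    $copy = [byte[]]$bytes.Clone()
    [array]::Reverse($copy)
    return (($copy | ForEach-Object { $_.ToString('X2') }) -join '')
}

$registered = Get-RegisteredChannelSerial
if ($registered) { "MOMCertImport registered serial: $registered" }
else             { 'WARNING: no ChannelCertificateSerialNumber in registry (MOMCertImport not run here?)' }

$store = Get-ChildItem Cert:\LocalMachine\My
$match = $store | Where-Object { $_.SerialNumber -eq $registered }
if ($registered -and -not $match) { 'WARNING: registered serial does not match any cert in LocalMachine\My' }

foreach ($cert in $store) {
    $tag = if ($cert.SerialNumber -eq $registered) { '[REGISTERED]' } else { '            ' }
    $findings = Test-ScomChannelCertificate -Cert $cert
    "$tag $($cert.Subject) (serial $($cert.SerialNumber))"
    if ($findings.Count -eq 0) { '    OK: meets all channel certificate checks' }
    else { $findings | ForEach-Object { "    FAIL: $_" } }
}

# Recent connector events on this box, so the cert result can be read alongside them.
$filter = @{ LogName = 'Operations Manager'; Id = 20057, 21001, 20071; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run it on both servers and compare: the common causes of a 21001 "mutual authentication failed" with a non-trusted domain are a certificate whose subject is not the exact FQDN the other side uses, a missing Client or Server Authentication EKU, a registered serial that points at a different certificate than the one you intended, or a CA certificate that is trusted on one side but not the other, and each of those shows up as a distinct FAIL line here.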