SCOM 2012 R2 Gateway Refusing to Use Certificate

Hi all,

I have an untrusted domain which I am deploying Gateway Servers into. I have built two servers so that I have Gateway failover for Agents. One of the gateways is working just fine but the other is refusing to accept the certificates and keeps trying to use Kerberos authentication to authenticate to the MS which isn't ever going to work.

I've got the SCOM MS and the PKI in Domain A, Gateway Server in Domain B.

1. Created SCOM Certificate Template in Domain A PKI.
2. Created Certificates using Certreq for the Domain B Gateways.
3. Installed Root CA .cer and Issued Certificate .pfx Files on Domain B Gateways.
4. Ran Gateway Approval Tool on Domain A SCOM MS.
5. Installed Gateway Software on Gateways in Domain B.

As I say, one of the two is working just fine and I have agents reporting through it, but the second will not work. I have tried unapproving the Gateway and reapproving it, deleting all the certificates and re-creating them from the template fresh and as a last resort, I have deleted the second Gateway VM and re-created it.

The errors in the Operations Manager log are as follows:

Could not connect to MSOMHSvc/MSNAME.domaina.com because mutual authentication failed.
The OpsMgr Connector connected to MSNAME.domaina.com but the connection was closed immeadiately without authentication taking place.

Anyone have any ideas because as you can see, I've gone as far as to delete the VM and start everything again to no avail and given that I've built these two side-by-side and one is working and the other is not, it's clear that I know it does work and it's not ju

August 28th, 2015 12:00pm

Hi Richard,

Please refer to Graham's and Stefan's answers for a similar issue below:

https://social.technet.microsoft.com/Forums/systemcenter/en-US/5368cceb-f1d8-4ea7-b04e-b82e508c846d/deploying-gateway-between-untrusted-domains

August 30th, 2015 4:25am

Please check the following:
1) Make sure that port 5723 is open between the Gateway server and the Management server.
2) The subject of the gateway certificate is the FQDN of the Gateway server.
3) Make sure that the Gateway server and the Management server can resolve each other's IP address from the FQDN.

Roger

August 30th, 2015 11:52pm

Hi Richard,

I had a similar experience these days, with the same event displayed. I had this with 2 of 8 Gateway servers in the environment and the causes were as follows:

1. On one MS server, while running the GW approval tool, I accidentally made a typo in the domain name. So the server appeared not as a GW server, but as a managed server with a pending management agent.
2. On the second server I imported the wrong certificate.

If you have checked the ports and the certificates with their chains, and have properly imported the certificates with MOMCertImport, your GW should appear under Administration. From that point you can check its health from the Monitoring pane and narrow down the possible causes.

Regards,

August 31st, 2015 12:33pm


Hi there,

Thanks for the replies.

  • Port 5723 is open for TCP and UDP and I have verified this with Telnet from the Gateway.
  • DNS resolution is working fine and I can resolve the name of the Gateway from the MS and the MS from the Gateway.
  • Running the Gateway Approval Tool has the Gateway Server appearing in the Management Servers view, not the Managed Agents view in the console. There is nothing in Pending Management currently.
  • The certificate has the correct CN and also has a SAN for the DNS name of the Gateway. This was created using the same certificate template that is working on another gateway.

September 7th, 2015 5:45am

Hi There,

Can you refer to the article below and let me know if it solves the issue?

http://blog.coretech.dk/msk/common-issues-when-working-with-certificates-in-opsmgr/

September 7th, 2015 6:36am

1) You have two gateway servers, named Gateway1 and Gateway2.
2) Gateway1 and Gateway2 were built with the same procedure for creating the gateway and the certificate.
3) One of the gateways, let's say Gateway1, is working properly.
4) The problematic gateway, Gateway2, receives the errors:
Could not connect to MSOMHSvc/MSNAME.domaina.com because mutual authentication failed.
 The OpsMgr Connector connected to MSNAME.domaina.com but the connection was closed immeadiately without authentication taking place.
5) The Gateway2 port is open, and DNS can resolve the server names of both the management server and the gateway server.
6) Both gateways appear in the Management Servers view in the Administration workspace.
7) One is healthy and the other is unmonitored.
8) Remove the SCOM installation on Gateway2.
For detail, please refer to
https://technet.microsoft.com/en-us/library/hh456430.aspx?f=255&MSPPError=-2147217396
Pay attention to: In the Operations console, in the Administration view, under Device Management, Management Servers, select the gateway server, right-click it, and then click Delete.
9) Reinstall the Gateway server.
For detail, please refer to
https://marthijnvanrheenen.wordpress.com/2012/03/28/scom-2012-connecting-a-gateway-server-using-certificates/
http://blogs.technet.com/b/pfesweplat/archive/2012/10/15/step-by-step-walkthrough-installing-an-operations-manager-2012-gateway.aspx
Roger
September 8th, 2015 2:44am

Hi,

"Could not connect to MSOMHSvc/MSNAME.domaina.com because mutual authentication failed.
The OpsMgr Connector connected to MSNAME.domaina.com but the connection was closed immeadiately without authentication taking place."

These errors appear when your certificate is mismatched. If the MS belongs to Domain A, the certificate for the GW (with the Ops Manager template) should be imported from the same Domain A. Once it is imported into the Personal folder under the Local Computer account, try MOMCertImport without giving any parameters; it will show you all certificates in the Personal folder.

Try the following steps:

1. Open mmc, and go to Certificate, Local Computer.

2. Go to Operations Manager --> Certificates, and delete the existing one.

3. Run MOMCertImport tool and select the certificate which you recently imported from Domain A (OPS Manager template).

4. On the Gateway, open regedit and go to Local -> Software -> Microsoft -> Operations Manager -> Machine or Agent -> and check that the Gateway Server is listed as an FQDN (as per the certificate).

5. Under the Machine folder, you will see CertificateHash or Algorithm; compare that with the "Thumbprint" of the Gateway certificate under the Personal folder. Both should be the same.
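A PowerShell check that automates the comparison in this answer (registry certificate hash against the thumbprint in the Local Computer Personal store), together with the subject/SAN, EKU, chain and port 5723 checks from the earlier replies. This is an added example, not code from the thread or from Microsoft; the registry path and the value name `ChannelCertificateHash` are assumed from SCOM 2012 R2 defaults and should be confirmed against the Machine Settings key the answer above points to, and `MSNAME.domaina.com` is the placeholder from the thread.

```powershell
# Added diagnostic for a SCOM 2012 R2 gateway that keeps falling back to Kerberos.
# Assumption: MOMCertImport stores the chosen certificate's thumbprint at this key/value
# (SCOM 2012 R2 default); confirm against the Machine Settings key referenced above.
param(
    [string]$GatewayFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$ManagementServerFqdn = 'MSNAME.domaina.com',   # placeholder name from the thread
    [string]$RegPath  = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings',
    [string]$RegValue = 'ChannelCertificateHash'
)

$problems = @()

# 1. Which certificate did MOMCertImport register? (-eq is case-insensitive in PowerShell)
$hash = (Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue).$RegValue
if (-not $hash) { $problems += "No $RegValue under $RegPath; run MOMCertImport again." }
$cert = if ($hash) { Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $hash }
if ($hash -and -not $cert) { $problems += "Registry hash $hash matches no certificate in LocalMachine\My." }

if ($cert) {
    # 2. Subject CN must be the gateway FQDN (a matching SAN DNS entry is accepted as well)
    $cn     = ($cert.Subject -split ',')[0] -replace '^CN=', ''
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
    if ($cn -ne $GatewayFqdn -and $san -notmatch [regex]::Escape($GatewayFqdn)) {
        $problems += "Subject '$cn' / SAN '$san' does not contain $GatewayFqdn."
    }
    # 3. The OpsMgr channel needs both Server Authentication and Client Authentication EKUs
    $eku = $cert.EnhancedKeyUsageList.ObjectId
    foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($eku -notcontains $oid) { $problems += "Missing EKU $oid." }
    }
    # 4. Private key must be present (.pfx, not .cer) and the chain must build to a trusted root
    if (-not $cert.HasPrivateKey) { $problems += 'No private key; import the .pfx, not the .cer.' }
    if (-not $cert.Verify())      { $problems += 'Chain does not build; import the root CA .cer into LocalMachine\Root.' }
}

# 5. Name resolution and TCP 5723 toward the management server
if (-not (Test-NetConnection -ComputerName $ManagementServerFqdn -Port 5723 -InformationLevel Quiet)) {
    $problems += "TCP 5723 to $ManagementServerFqdn is not reachable (check DNS and firewall)."
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'All gateway certificate checks passed.' }
```

Run it elevated on the failing gateway; each warning maps to one of the causes discussed in the thread (wrong certificate registered, wrong subject, missing EKU or private key, untrusted chain, or blocked port).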

September 9th, 2015 9:04pm
