SCOM Certificate Issue

Dear All,

As I am new to SCOM and don't know much about CA, I would like to ask some questions about the certificate on the Gateway server.

For our environment, we have:

1 x RMS (with standalone CA), e.g. I name it RMS1.ABC.COM

2 x Gateway servers (each in a different domain so that they can monitor clients in different domains), and I name them GS1.XYZ.COM & GS2.XXX.COM

We were going to implement another gateway server, did it wrongly, and this caused problems with the other Gateway server (let's forget about the new one first, as we need to fix the problem first).

For GS1.XYZ.COM, the RMS server can monitor the clients under this domain successfully.

For GS2.XYZ.COM, this gateway server is grey (under Management Group), and of course so are all the clients under this domain.

How can we fix this issue? We have searched many articles, and maybe there is confusion about which server should do which steps, and this may be the reason the problem was created.

Can somebody help me solve this issue? If possible, please state clearly which steps should be done on which server (like gs1, gs2, rms, etc.).

Thanks.

Alex

January 9th, 2012 2:54pm

Sorry,

GS2 should be in another domain (i.e. GS2.XXX.COM)....

Thanks again.

Alex

January 9th, 2012 2:55pm

Hello,

What does it say in the operations manager log, on RMS and GS2, any errors or warnings?

Regards,

January 9th, 2012 4:54pm

This is in the GS2 Operations Manager Log:

The OpsMgr Connector could not connect to MSOMHSvc/RMS1.ABC.COM because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

Event ID: 21001

======================================

Thanks

January 9th, 2012 7:10pm

One more:

The OpsMgr Connector could not connect to MSOMHSvc/RMS1.ABC.COM because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.

Event ID: 20057

January 9th, 2012 7:11pm

The event about 'mutual authentication failed' is normal when using certificates.

You should see this event in the Operations Manager log of the gateway server:

Log Name:      Operations Manager
Source:        OpsMgr Connector
Event ID:      20053
Task Category: None
Level:         Information
Description:
The OpsMgr Connector has loaded the specified authentication certificate successfully.

Do you see that event about the certificate loading successfully? Restart the System Center Management service on the gateway and see what events in the Operations Manager log there are from source OpsMgr Connector.

John Joyner
MVP-OpsMgr

January 9th, 2012 9:09pm

After you have restarted the System Center Management service on the gateway with problems, check the first couple of error events that are raised after the events with source "Health Service ESE store". They tell the problem, like John said.

Did the GW work earlier on? Your description suggests that it did. If the GW was working before and if there are no errors on the gateway (within ~30 events after Health Service ESE store events) after restarting the service, you can try to remove the temporary files from GW by deleting Health Service Store folder on GW under Program files\System Center Operations Manager installation folder.

-Tero

January 10th, 2012 1:14am

The GW was working before, but after working on some certificate issue, it failed.

After checking, the computer certificate on the GW is missing now, and this causes the GW to be unable to communicate with the RMS.

Can somebody provide detailed information about how to install the certificate on the GW? In the various articles I saw, it is not stated clearly which steps should be done on which server, and this causes confusion.

Thanks

January 10th, 2012 7:09pm

Hi acbee:

High-level steps I use to install certificate on gateway:

1. Obtain the certificate with the .pfx extension that was saved with private key and password.
2. Copy the certificate to the gateway, to the SCOM program files folder.
3. Copy the MOMCertImport.exe that is the correct processor type from the support tools folder on the SCOM install media to the SCOM program files folder on the gateway.
4. Open an elevated command prompt and CD to the SCOM program files folder.
5. Run the command MOMCertImport.exe <NameofCertFile>.pfx /Password <password>

The SCOM service will automatically restart and try and load the certificate.

John Joyner
MVP-OpsMgr


January 10th, 2012 7:21pm
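Added example (not from the thread or from any of the posters): a PowerShell pre-flight check that a reader in acbee's situation can run in an elevated prompt on the gateway after step 5 above. It checks whether the Local Computer\Personal store actually holds a certificate for the gateway's FQDN with a private key, the Server and Client Authentication EKUs, and a trusted chain (the properties SCOM expects of a gateway certificate, and the items that went missing here), and then lists the recent OpsMgr Connector events so you can look for John's event 20053 rather than stopping at the 21001/20057 noise. The log name 'Operations Manager', the source 'OpsMgr Connector' and the event IDs are taken from the thread; the service name HealthService for "System Center Management" and the `-RestartService` switch are this example's own assumptions.

```powershell
# Added example, not part of the original thread.
# Run in an elevated PowerShell prompt on the gateway (e.g. GS2.XXX.COM).
# Assumption: after MOMCertImport the gateway certificate sits in
# Cert:\LocalMachine\My and was issued to the gateway's FQDN.

$GatewayFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-ScomGatewayCertificate {
    param([string]$Fqdn = $GatewayFqdn)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match [regex]::Escape($Fqdn) }

    if (-not $candidates) {
        # Matches the "computer certificate on the GW is missing" symptom above.
        Write-Warning "No certificate for $Fqdn in Cert:\LocalMachine\My - MOMCertImport has nothing to load."
        return $false
    }

    $anyUsable = $false
    foreach ($cert in $candidates) {
        # Collect the EKU OIDs present on this certificate.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }
        $now = Get-Date
        $checks = [ordered]@{
            Thumbprint           = $cert.Thumbprint
            HasPrivateKey        = $cert.HasPrivateKey
            ServerAuthentication = ($ekus -contains $serverAuthOid)
            ClientAuthentication = ($ekus -contains $clientAuthOid)
            InValidityPeriod     = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
            # False here usually means the issuing CA's certificate (the RMS1.ABC.COM
            # standalone CA in this thread) is not in this host's Trusted Root store.
            ChainTrusted         = $cert.Verify()
        }
        [pscustomobject]$checks | Format-List | Out-String | Write-Host

        if ($checks.HasPrivateKey -and $checks.ServerAuthentication -and
            $checks.ClientAuthentication -and $checks.InValidityPeriod -and $checks.ChainTrusted) {
            $anyUsable = $true
        }
    }
    return $anyUsable
}

function Get-OpsMgrConnectorEvents {
    param(
        [int]$Newest = 30,
        [switch]$RestartService   # assumption: "System Center Management" = service HealthService
    )
    if ($RestartService) {
        Restart-Service -Name HealthService
        Start-Sleep -Seconds 20   # give the connector time to log its startup events
    }
    # 20053 = certificate loaded successfully (what John asks to look for).
    # 21001 / 20057 = mutual authentication failed; expected with certificates,
    # only a problem if 20053 never shows up.
    Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; ProviderName = 'OpsMgr Connector' } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage:
if (Test-ScomGatewayCertificate) {
    Get-OpsMgrConnectorEvents -RestartService | Format-Table -AutoSize
} else {
    Write-Host "Fix the certificate first (re-issue with private key, import with MOMCertImport), then re-run."
}
```

If the certificate checks pass but no 20053 appears after the restart, the problem is not the certificate itself; that is the point at which Tero's advice about the Health Service Store folder applies.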

With SCOM 2007 R2 you can also start MOMcertimport.exe as administrator from Explorer, and it will give you a graphical interface where you can select the appropriate certificate.

-Tero

January 10th, 2012 10:29pm

Just FYI if anyone gets across this problem: in SCOM 2012 SP1 there's a (currently undocumented) issue when trying to add a Windows 2012 server to SCOM. The secure connection somehow fails while the certificate is trusted and all other certificate related settings are OK.

The issue is with the standard TLS settings in Windows 2012. For more info see

https://geertbaeten.wordpress.com/2013/07/08/scom-agent-or-gateway-certificate-issue/

Best regards,
Geert


July 8th, 2013 10:35am
