
OpsMgr Connector gateway error

572 views

Monkey

Mar 17, 2008, 6:06:04 PM
I have followed the instructions to set up a gateway in an untrusted domain
using certificates, but I keep getting event IDs 20057 and 21001:
"The OpsMgr Connector could not connect to MSOMHSvc/management_server_name
because mutual authentication failed. Verify the SPN is properly
registered...."

It is not a firewall issue, as the remote domain is connected via a VPN and
communication works to its FQDN. I put the FQDN into the hosts file and it can
communicate; TELNET to port 5723 also works. I have redone the certificate
instructions several times and even removed Operations Manager and
reinstalled. I then started looking at the SPN, and when running setspn -L
management_server_name it returns 'FindDomainForAccount:
DsGetDcNameWithAccountW failed! Cannot find account management_server_name'.
So I ran ldifde -f C:\domain.txt and found MSOMHSvc registered to an
incorrect server name. I then ran setspn -D MSOMHSvc/incorrect_server_name
and removed all entries.

I then tried to register the correct management server name with 'setspn -A
MSOMHSvc/management_server_name management_server_name', using the FQDN, as
this is the only way the remote gateway server can resolve the name. But it
always fails with 'FindDomainForAccount: DsGetDcNameWithAccountW failed! Unable to
locate account with management_server_name'.

Not sure where to go from here. Is it something to do with the name
resolution of the management server? The hosts file just has IP - FQDN.

Thanks

Lincoln Atkinson [MSFT]

Mar 17, 2008, 8:33:00 PM
Event 20057 often indicates that the certificates are somehow configured
wrong. Do both the gateway and the management server it reports to have
certificates installed, and do they each trust the root CA from which those
certificates were issued?

Monkey

Mar 18, 2008, 8:36:01 AM
Thanks for replying.
I have a standalone certificate authority installed on the Management Server,
which is on our domain, and the gateway Operations Manager component on a
server in our remote domain (not trusted) but connected via VPN. Resolution
only works by FQDN, as that's what is in the hosts file. I have checked the management
server, and under Trusted Root Certification Authorities I can see 3
certificates named as just the management_server_name (not FQDN) with 'Root
Certification Authority' under Certificate Template, and another certificate
without this but named as the FQDN. Under Operations Manager I can see the
FQDN-named certificate and it looks ok. The gateway server shows the management
server FQDN in Personal certificates, but Trusted Root Certification
Authorities shows just the management_server_name (not FQDN), and
Operations Manager shows the name of this server, the gateway server. Not
sure if that's correct.

I have redone the certificate process on the gateway server, but all looks the
same. Still getting errors, and the management server shows the gateway server as
'Not monitored'. I can PING the servers each way only by using the FQDN. NSLOOKUP
does not work though.

Any suggestions?

GD

Mar 18, 2008, 9:04:13 AM
Hi

You might want to take a look at this doc. In my opinion it provides more
detailed configuration info than the standard documentation and, more
importantly, it seems to work!
http://systemcenterforum.org/wp-content/uploads/OpsMgr2007_Gateway_Config_v1.2.zip

Good Luck

Graham

"Monkey" <Mon...@discussions.microsoft.com> wrote in message
news:DECF6FE6-1CCB-49A3...@microsoft.com...

Lincoln Atkinson [MSFT]

Mar 18, 2008, 11:53:02 AM
Your gateway needs a cert in its Personal store with the gateway's FQDN as
the subject name, and a CA cert from the CA (in your case the management
server) in the Trusted Root Certification Authorities store.

Your management server needs a cert in its Personal store with the
management server's FQDN as the subject name, and a CA cert from the CA
(itself in your case) in the Trusted Root Certification Authorities store.

The Operations Manager cert store is NOT related to cert-based authentication.

Thanks,
-Lincoln
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
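The two prerequisites Lincoln lists can be checked mechanically on either box. The script below is an added example, not code from the thread or from Microsoft; it assumes Windows PowerShell on the server being checked (gateway or management server) and takes the expected FQDN as a parameter, defaulting to the host's own DNS name.

```powershell
# Added example (not from the thread): verify the OpsMgr certificate prerequisites
# described above on the local machine:
#   1. a cert in LocalMachine\Personal whose subject CN is this host's FQDN, with a private key
#   2. that cert chains to a CA cert present in LocalMachine\Trusted Root Certification Authorities
function Test-OpsMgrCertPrereqs {
    param(
        # FQDN expected in the subject; defaults to the DNS name of this host (assumption: DNS/hosts resolves it)
        [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )

    $result = [ordered]@{
        ExpectedFqdn  = $ExpectedFqdn
        SubjectMatch  = $false
        HasPrivateKey = $false
        ChainTrusted  = $false
        Issuer        = $null
        Errors        = @()
    }

    # Prerequisite 1: Personal store cert whose CN is exactly the FQDN (a NetBIOS-only name fails here)
    $pattern = '(^|,\s*)CN=' + [regex]::Escape($ExpectedFqdn) + '(,|$)'
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $pattern } |
        Select-Object -First 1
    if (-not $cert) {
        $result.Errors += "No cert in LocalMachine\My with CN=$ExpectedFqdn"
        return [pscustomobject]$result
    }
    $result.SubjectMatch  = $true
    $result.HasPrivateKey = $cert.HasPrivateKey
    $result.Issuer        = $cert.Issuer

    # Prerequisite 2: build the chain locally; revocation is skipped because this is a trust check only
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $result.ChainTrusted = $chain.Build($cert)
    if (-not $result.ChainTrusted) {
        $result.Errors += ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
    }

    # The last element of the chain is the CA cert; it must sit in Trusted Root, not just Intermediate
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    if (-not $inRoot) {
        $result.Errors += "Chain root '$($root.Subject)' is not in LocalMachine\Root"
    }
    [pscustomobject]$result
}

Test-OpsMgrCertPrereqs | Format-List
```

Run it on the gateway with its own FQDN and on the management server with the management server's FQDN; an empty Errors list on both is what the 20057 mutual-authentication path requires from the certificate side.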
