
Problem using Certificates for Mutual Authentication


Megan Kielman

Jul 11, 2007, 7:19:07 PM
All,

I am trying to configure certificates for mutual authentication between
the Management server and agents in an untrusted domain. I will not be
using a Gateway server. I have followed the document put together by
Neale and Pete and these are the steps I used:

1. imported Root CA to both systems
2. generated certificate for both systems
3. imported certificate using the following on both systems
momcertimport.exe /SubjectName FQDN
4. I have verified that the registry key exists and is populated. I did
notice that the value for the ChannelCertificateSerialNumber does not
match the actual serial number of the certificate, though.
5. Installed agent on DMZ system manually and am getting the following
errors in the OpsMgmt log:

event ID 21007: The OpsMgr Connector cannot create a mutually
authenticated connection to 'servername' because it is not in a trusted
domain.

What did I miss?

Pete Zerger

Jul 11, 2007, 11:44:07 PM
Hello Megan,

Here are some questions to ask yourself and some suggestions. Definitely
look at errors in the Operations Manager Event Log after starting the Health
Service, as this is where errors are logged.

The serial number mismatch is a problem. This is what the Health Service
uses to determine which cert to use. You may consider deleting the value
in the registry key where this is stored (HKLM\Software\Microsoft\Microsoft
Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber) and
re-running the momcertimport tool to ensure the right value is imported.

Name resolution is also critical. Can the mgmt server and the potential agent-managed
machine resolve the name of the other? If you can ping successfully
by FQDN of each server from the other, then certificate-based authorization
will fail.

Does the name on the certificates match the local FQDN of each server? If the
name on the cert does not match the name the server reports as its FQDN,
mutual authentication will fail.

Is the Ops Mgr Health Service running as LocalSystem on the agent-managed
computer? I've also seen on one occasion where someone claimed that changing
the RunAs account to a local user on the workgroup machine resolved the issue. LocalSystem
would be just fine, as it is the equivalent of administrator.

Also, make sure you have imported the Root Certificate from your Root CA
into the certificate store on each server.


Regards,

Pete Zerger, MCSE(Messaging) | MCTS(SQL 2005) | MVP - MOM
Founder, SystemCenterForum.org
URL:http://www.systemcenterforum.org
mailto:pete.zerger AT gmail.com

GD

Jul 12, 2007, 6:16:26 AM
Hi Megan

Pete has given a lot of useful info in his response on troubleshooting which
is definitely worth going through. One point I did notice is that you
mentioned using MOMcertimport on the DMZ computer before installing the
agent onto the DMZ computer. I don't know if this would cause the issue.
Have you tried re-running momcertimport on the dmz computer again and
restarting the health service?

I generally always install the agent on the DMZ machine first and wait for
the failure event - this event will tell me if it is a connectivity issue to
the MS or if it is an authentication problem with the MS. If it is a
connectivity issue then I know I have other problems before I even start
looking at the certificates. Assuming I get an authentication error I then
import the certificate, restart the health service on the target computer
and start watching for a success event ...

Hope it helps

Graham

"Megan Kielman" <megan.kielman@gmaildotcom> wrote in message
news:uoPaiHBx...@TK2MSFTNGP03.phx.gbl...

Neale Brown

Jul 12, 2007, 4:24:26 PM
It sounds like you have certificate issues. Make sure that each Health Service
can successfully load the certificate; this can be verified in the OpsMgr
log. I apologize that I don't have the event information handy, but when you
look at the Ops Mgr event log on both servers, it will be obvious if the
cert loaded.

--
Neale Brown, MCSA(Messaging)
Contributor, SystemCenterForum.org
URL:http://www.systemcenterforum.org
mailto : nealeb AT gmail.com


"Megan Kielman" <megan.kielman@gmaildotcom> wrote in message
news:uoPaiHBx...@TK2MSFTNGP03.phx.gbl...

Megan Kielman

Jul 12, 2007, 5:58:19 PM
GD,

I uninstalled the agent and verified that the registry keys were gone. I
then reinstalled the agent and checked the logs. I have not imported the
certificate yet but I am getting the following errors in the event log:

event 21016 - unable to set up a communications channel to omserver
event 21007 - cannot create a mutually authenticated connection

Does this mean I am having an authentication AND communication problem?
I have verified that the agent can connect to the Mgmt server via port 5723.

Megan

Megan Kielman

Jul 12, 2007, 6:14:01 PM
It worked for me!!! Here are my steps


1. I have confirmed that the nodes can ping each other. The agent can
ping the Mgmt Server using its FQDN and the mgmt server can ping the
agent using its hostname (the agent is in a workgroup and it doesn't have a
FQDN).

2. the agent is running as the Local System Acct.

3. On the MgmtServer I deleted the registry key and reimported the
certificate using both methods (providing the exported certificate and
providing the subject name), and they both resulted in the registry entry
which has the serial number backwards. For example, the serial number on
the certificate is 123456 and the serial number in the registry is
654321. Is this the way it is supposed to be?

4. I have confirmed that the FQDN on the Mgmt Server certificate
matches what it thinks is its FQDN. The Agent computer is in a
workgroup, so it doesn't have an FQDN. I installed a new certificate with
just the hostname and reinstalled the agent software. I am now getting
two events:

event 21016 - unable to set up a communications channel to omserver

event 21007 - cannot create a mutually authenticated connection

So then I imported the certificate using the subject parameter and
again, the serial number was listed backwards from what it shows on the
certificate. I restarted the agent and after a few minutes it showed up
in the pending agents!!!!

Thank you!!!

mayckelgouma

Apr 20, 2010, 9:46:55 AM

I have had this problem too! After a few hours I saw that the root certificate of the CA was not valid YET. The client server's date was the 16th; the server's date was the 20th. After fixing this everything worked fine!

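As an added example (not code posted by anyone in this thread), the checks Pete lists, Megan's "backwards" serial number and the clock problem in the last reply, written as pure functions a practitioner could run against values read from the certificate and the registry before touching anything. It assumes momcertimport stores the serial number bytes in reverse order, which is why the registry value looks reversed next to the certificate; the host names, serial and dates are constructed.

```python
# Pre-flight checks for OpsMgr certificate-based mutual authentication.
from datetime import datetime, timedelta, timezone


def serial_matches_registry(cert_serial_hex: str, registry_value: bytes) -> bool:
    """True when the REG_BINARY value holds the cert serial in reversed
    byte order (assumed behaviour of momcertimport; explains why the value
    'looks backwards' next to the serial shown in the certificate MMC)."""
    serial = bytes.fromhex(cert_serial_hex.replace(" ", "").replace(":", ""))
    return registry_value == serial[::-1]


def subject_matches_host(cert_subject_cn: str, reported_name: str) -> bool:
    """DNS names compare case-insensitively; a different suffix or a bare
    hostname vs. FQDN is a mismatch the Health Service will reject."""
    return cert_subject_cn.rstrip(".").lower() == reported_name.rstrip(".").lower()


def cert_valid_at(not_before: datetime, not_after: datetime, now: datetime) -> bool:
    """Validity window check; a cert issued by a CA whose clock runs ahead
    of the agent is 'not valid YET' from the agent's point of view."""
    return not_before <= now <= not_after


def preflight(cert_serial_hex, registry_value, cert_subject_cn, reported_name,
              not_before, not_after, agent_clock, server_clock):
    """Return the list of failed checks; an empty list means all passed."""
    failures = []
    if not serial_matches_registry(cert_serial_hex, registry_value):
        failures.append("ChannelCertificateSerialNumber does not match cert serial")
    if not subject_matches_host(cert_subject_cn, reported_name):
        failures.append("certificate subject does not match reported host name")
    for side, clock in (("agent", agent_clock), ("server", server_clock)):
        if not cert_valid_at(not_before, not_after, clock):
            failures.append(f"certificate not valid on {side} (clock {clock:%Y-%m-%d})")
    return failures


# Constructed sample: serial "12 34 56" stored as 56 34 12; cert issued on the
# 20th by a CA whose clock is four days ahead of the workgroup agent.
SAMPLE_SERIAL = "12 34 56"
SAMPLE_REGISTRY = bytes.fromhex("563412")
ISSUED = datetime(2010, 4, 20, tzinfo=timezone.utc)
EXPIRES = ISSUED + timedelta(days=365)
AGENT_CLOCK = ISSUED - timedelta(days=4)

if __name__ == "__main__":
    for f in preflight(SAMPLE_SERIAL, SAMPLE_REGISTRY, "agent01", "AGENT01",
                       ISSUED, EXPIRES, AGENT_CLOCK, ISSUED):
        print("FAIL:", f)
```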