Event IDs for troubleshooting certificate-based authentication

Any server outside the domain, i.e. in a workgroup or a DMZ (e.g. an ISA server), or in a domain that has no trust with the management group's domain, has no Kerberos path to SCOM and must authenticate to the management servers (or to a gateway server) using certificate-based authentication. Below is a list of event IDs you may see in the Operations Manager event log on the agent, gateway or management server that may be useful when troubleshooting this type of setup.

Each entry gives the event ID, the description as it appears in the log, and an explanation.

Event ID: 20050
Description: Enhanced key usage error
Explanation: Wrong OID specified on the certificate. The Enhanced Key Usage must contain both Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2).

Event ID: 20057
Description: The OpsMgr Connector could not connect to MSOMHSvc/rms01.local because mutual authentication failed. Verify the SPN is properly registered.
Explanation: Often associated with SPN registration failures. Make sure the SPNs are registered (and a forest trust is in place if the agent is in a separate forest) so that Kerberos authentication can succeed.

Event ID: 20070
Description: The OpsMgr Connector connected to <server>, but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration.
Explanation: This and 21016 are general indicators of failed authentication. However, these two events do not provide much insight into the root cause. This error appears when a manually installed agent is still in Pending status (approve it under Administration > Pending Management in the console), but also for a host of other reasons.

Event ID: 21001
Description: The OpsMgr Connector could not connect to MSOMHSvc/rmsxxx.domain.com because mutual authentication failed. Verify the SPN is properly registered.
Explanation: Often associated with SPN registration failures. Make sure the SPNs are registered (and a forest trust is in place if the agent is in a separate forest) so that Kerberos authentication can succeed.

Event ID: 21005
Description: DNS resolution failed.
Explanation: Check DNS name resolution on the agent and on the upstream gateway or management server.

Event ID: 21006
Description: TCP connection failed (at the TCP level). The OpsMgr Connector could not connect to <server>. The error code is 10061L…
Explanation: Error 10061 is WSAECONNREFUSED, i.e. the target actively refused the connection. This often indicates a firewall in the path blocking communication. Try telnet to TCP port 5723 from both nodes attempting to communicate, as the channel must work in both directions.

Event ID: 21007
Description: Not in a trusted domain. Cannot establish a secure communication channel to the management server because the correct certificates are not available.
Explanation: Retrace your steps on the certificate configuration (see KB947691).

Event ID: 21008
Description: Untrusted target (usually means an untrusted domain or failure to reach a DC).
Explanation: Check name resolution and network connectivity.

Event ID: 21016
Description: OpsMgr was unable to set up a communications channel to <server> and there are no failover hosts.
Explanation: This and 20070 are general indicators of failed authentication. However, these two events do not provide much insight into the root cause. This error appears when a manually installed agent is still in Pending status, but also for a host of other reasons.

Event ID: 21035
Description: SPN registration failed; Kerberos authentication will not work.
Explanation: Often associated with SPN registration failures. Make sure the SPNs are registered so that Kerberos authentication can succeed.

Event ID: 21036
Description: The certificate specified in the registry cannot be used for authentication.
Explanation: The private key is missing from the certificate. Usually seen after an export and command-line registration (e.g. MOMCertImport), or when the certificate is copied between stores in the Certificates snap-in. Check that the certificate in the Local Computer Personal store shows "You have a private key that corresponds to this certificate".

Event ID: 20068
Description: Certificate has an unusable or missing private key.
Explanation: Also an indication that the private key is missing.

Event ID: 20069
Description: Wrong type of certificate (KEY_SPEC).
Explanation: Wrong OIDs on the certificate, or the key was generated with the wrong KeySpec. SCOM requires KeySpec = 1 (AT_KEYEXCHANGE); certutil -store My <thumbprint> shows the Key Spec of the installed certificate.

Event ID: 20072
Description: Remote certificate not trusted.
Explanation: The chain of the remote server's certificate must be trusted by the local computer account: the issuing root CA certificate must be in the Trusted Root Certification Authorities store, and any intermediate CA certificates in the Intermediate Certification Authorities store, both under Local Computer in the Certificates snap-in.

Event ID: 20075
Description: Unable to obtain subject or issuer from certificate.
Explanation: Never seen this one in a live environment… It indicates a failure to retrieve the subject (i.e. common name) or the issuing authority from the local certificate.

Event ID: 20076
Description: Unable to obtain subject or issuer from remote certificate.
Explanation: Never seen this one in a live environment… It indicates a failure to retrieve the subject (i.e. common name) or the issuing authority from the certificate presented by the other system.

Event ID: 20077
Description: Certificate cannot be queried for property info.
Explanation: This typically means that no private key was included with the certificate.
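The script below is an added example in PowerShell, not code from the original post or from Microsoft. It walks the prerequisites that the events above report on (private key present, EKU OIDs, KeySpec, subject name, trusted chain, DNS, TCP 5723) and then pulls the listed event IDs out of the Operations Manager log so each failure can be matched to its row. Assumptions not stated on the page: the management server name is a placeholder; reading the registered thumbprint from the ChannelCertificateHash value under the Machine Settings key is my understanding of what MOMCertImport writes and should be verified on your build; the KeySpec check only works for legacy CSP keys.

```powershell
<#
Added example, not from the original post: pre-flight checks for a workgroup
or DMZ host that must authenticate to a SCOM management server with a
certificate. Each check names the event IDs that fire when it fails.
Run in an elevated PowerShell session on the agent or gateway host.
#>
param(
    [string]$ManagementServer = 'scom-ms01.contoso.local',  # placeholder, not from the page
    [string]$Thumbprint                                      # optional; otherwise read from registry
)
$ErrorActionPreference = 'Stop'
$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail, [string]$Events) {
    $script:results += [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail; RelatedEvents = $Events }
}

# Locate the certificate. Assumption: MOMCertImport records the selected
# certificate's thumbprint as ChannelCertificateHash under Machine Settings.
if (-not $Thumbprint) {
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $Thumbprint = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ChannelCertificateHash
}
if (-not $Thumbprint) { throw 'No thumbprint supplied and none registered; run MOMCertImport or pass -Thumbprint.' }
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My." }

# 21036 / 20068 / 20077: the private key must be in the store with the certificate.
Add-Check 'Private key present' $cert.HasPrivateKey "HasPrivateKey=$($cert.HasPrivateKey)" '21036, 20068, 20077'

# 20050: EKU must contain Server Authentication and Client Authentication.
$requiredEku = @('1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2')
$ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$present = @(); if ($ekuExt) { $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
$missing = @($requiredEku | Where-Object { $present -notcontains $_ })
Add-Check 'EKU has Server + Client Authentication' ($missing.Count -eq 0) "present: $($present -join ', ')" '20050'

# 20069: KeySpec must be 1 (AT_KEYEXCHANGE). Only readable here for legacy CSP keys;
# for CNG keys confirm with: certutil -store My <thumbprint>  (look at "Key Spec").
try {
    $csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
    if ($csp) { Add-Check 'KeySpec = 1 (AT_KEYEXCHANGE)' ($csp.CspKeyContainerInfo.KeyNumber -eq 'Exchange') "KeyNumber=$($csp.CspKeyContainerInfo.KeyNumber)" '20069' }
    else      { Add-Check 'KeySpec = 1 (AT_KEYEXCHANGE)' $false 'not a CSP key or key inaccessible; verify with certutil' '20069' }
} catch { Add-Check 'KeySpec = 1 (AT_KEYEXCHANGE)' $false $_.Exception.Message '20069' }

# The subject CN must be the host's FQDN (a SCOM requirement, not tied to one event above).
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cn   = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
Add-Check 'Subject CN equals host FQDN' ($cn -ieq $fqdn) "CN=$cn FQDN=$fqdn" 'n/a'

# 20072: the chain must build to a root present in LocalMachine\Root. This checks the
# local certificate's chain; the remote side's root CA must be in the same store too.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built  = $chain.Build($cert)
$status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
$root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint })
Add-Check 'Chain builds and root is in LocalMachine\Root' ($built -and $rootTrusted) "root=$($root.Subject) status=$status" '20072'

# 21005: name resolution of the management server or gateway.
try { $dnsDetail = ([System.Net.Dns]::GetHostAddresses($ManagementServer) | ForEach-Object { $_.IPAddressToString }) -join ', '; $dnsOk = $true }
catch { $dnsOk = $false; $dnsDetail = $_.Exception.Message }
Add-Check "DNS resolves $ManagementServer" $dnsOk $dnsDetail '21005'

# 21006: TCP 5723 must be open; repeat this test from the other side as well.
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($ManagementServer, 5723); $tcpOk = $tcp.Connected } catch { $tcpOk = $false } finally { $tcp.Close() }
Add-Check "TCP 5723 reachable on $ManagementServer" $tcpOk 'also test from the management server back to this host' '21006'

$results | Format-Table -AutoSize -Wrap

# Finally, pull the last 24 hours of the events listed above out of the Operations Manager log.
$ids = 20050, 20057, 20068, 20069, 20070, 20072, 20075, 20076, 20077, 21001, 21005, 21006, 21007, 21008, 21016, 21035, 21036
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = $ids; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Run it as administrator on the agent or gateway, e.g. `.\Test-ScomCertAuth.ps1 -ManagementServer ms01.example.local`, then run the DNS and port checks from the management server towards this host as well, since 21005 and 21006 can be caused by a problem in either direction. A failed check points to the RelatedEvents column, and the event dump at the end tells you which of those rows the connector is actually logging.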

This entry was posted in Misc Stuff.