OpsMgr: Master List of Mutual Authentication Related Errors for OpsMgr 2007

Mutual Authentication takes one of two forms in Operations Manager – 1) Kerberos or 2) Certificate Authentication.  This is a list of authentication failures compiled by Pete Zerger based on field experience and his MMS 2008 presentation on Gateway Scenarios in OpsMgr 2007 SP1, which can be downloaded HERE. Having helped many dozens (perhaps hundreds) of OpsMgr administrators troubleshoot mutual authentication issues, I have encountered many different scenarios. Here is a list of event IDs and potential explanations you may find helpful.

The following is a list of mutual authentication-related error messages and some general indicators of source cause. Some errors are Kerberos-related issues (like SPN problems) and some are related to certificate authentication. These errors are also applicable to System Center Essentials 2007.

| Event ID | Description | Explanation |
|---|---|---|
| 20050 | Enhanced key usage error | Wrong OID specified on the certificate. |
| 20057 | The OpsMgr Connector could not connect to MSOMHSvc/rms01.local because mutual authentication failed. Verify the SPN is properly registered. | Often associated with SPN registration failures. Make sure SPNs are registered (and forest trust in place if separate forest) so Kerberos authentication can succeed. |
| 20070 | The OpsMgr Connector connected to <server> but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. | This and 21016 are general indicators of failed authentication. However, these two events do not provide much insight into source cause. This error will appear when a manually installed agent is in “Pending” status, but also for a host of other reasons. |
| 21001 | The OpsMgr Connector could not connect to MSOMHSvc/rmsxxx.domain.com because mutual authentication failed. Verify the SPN is properly registered. | Often associated with SPN registration failures. Make sure SPNs are registered (and forest trust in place if separate forest) so Kerberos authentication can succeed. |
| 21005 | DNS resolution failed | Check DNS name resolution on the agent and the upstream gateway or management server. |
| 21006 | TCP connection failed (at TCP level). The OpsMgr Connector could not connect to <server>. The error code is 10061L… | Often indicates you have a firewall in the path blocking communication. Try telnet to 5723 from both nodes attempting to communicate. The other instance where I occasionally see this is when the wrong management group name AND management server are entered. |
| 21007 | Not in a trusted domain. Cannot establish a security communication channel to the management server because the correct certificates are not available. | Retrace your steps on certificate configuration (see KB947691). |
| 21008 | Untrusted target (usually means untrusted domain or failure to reach DC) | Check name resolution and network connectivity. |
| 21016 | OpsMgr was unable to set up a communications channel to server and there are no failover hosts. | This and 20070 are general indicators of failed authentication. However, these two events do not provide much insight into source cause. This error will appear when a manually installed agent is in “Pending” status, but also for a host of other reasons. |
| 21035 | SPN registration failed; Kerberos authentication will not work | Often associated with SPN registration failures. Make sure SPNs are registered so Kerberos authentication can succeed. |
| 21036 | The certificate specified in the registry at cannot be used for authentication. Private key is missing from the certificate. | Usually seen on export and CLI registration, OR when the certificate is copied between stores in the Certificates snap-in. |
| 20068 | Certificate has unusable / no private key | Also an indication of the private key missing. |
| 20069 | Wrong type of certificate (KEY_SPEC) | Wrong OIDs on certificate. |
| 20072 | Remote certificate not trusted | The certificate of the CA (CA chain, root to issuer) of the remote server's certificate must be in the “Trusted Root Certification Authorities” store of the local computer account in the Certificates snap-in. |
| 20075 | Unable to obtain subject or issuer from certificate | Never seen this one in a live environment. Indicates failure to retrieve subject (aka common name) or issuing authority on the certificate. |
| 20076 | Unable to obtain subject or issuer from remote certificate | Never seen this one in a live environment. Indicates failure to retrieve subject (aka common name) or issuing authority on the certificate presented by the other system. |
| 20077 | Certificates cannot be queried for property info | This typically means that no private key was included with the certificate. |
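The certificate, chain, DNS, port and SPN conditions behind the events in the table can be checked from the agent or gateway side before opening the event log. The following PowerShell script is an added example, not part of the original post or of the OpsMgr product; it assumes the certificate sits in LocalMachine\My (identified by `$Thumbprint`), that `$ManagementServer` is the FQDN the connector is configured to use, that `setspn.exe` and `Test-NetConnection` are available, and that the two EKU OIDs are the standard Server Authentication and Client Authentication values.

```powershell
param(
    [Parameter(Mandatory)] [string] $Thumbprint,        # cert in LocalMachine\My (assumed)
    [Parameter(Mandatory)] [string] $ManagementServer,  # FQDN the agent/gateway connects to
    [int] $Port = 5723                                  # default OpsMgr agent port
)

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$problems = @()

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# 21036 / 20068 / 20077: the private key must exist on this machine, not just the public cert
if (-not $cert.HasPrivateKey) { $problems += 'Private key missing (21036/20068/20077)' }

# 20050 / 20069: both EKU OIDs must be present on the certificate
$ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
foreach ($oid in $serverAuth, $clientAuth) {
    if ($ekus -notcontains $oid) { $problems += "EKU $oid missing (20050/20069)" }
}

# 20069: key must be an exchange key (AT_KEYEXCHANGE); only checkable for legacy CSP keys here
$rsa = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
if ($rsa -and $rsa.CspKeyContainerInfo.KeyNumber -ne 'Exchange') {
    $problems += 'KeySpec is not AT_KEYEXCHANGE (20069)'
}

# 20072: the chain must build to a root in the computer's Trusted Root store
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { $problems += "Chain: $($_.StatusInformation.Trim()) (20072)" }
}

# 21005 / 21006: name resolution first, then TCP reachability on the agent port
try   { [void][System.Net.Dns]::GetHostAddresses($ManagementServer) }
catch { $problems += "DNS resolution failed for $ManagementServer (21005)" }
if (-not (Test-NetConnection -ComputerName $ManagementServer -Port $Port -InformationLevel Quiet)) {
    $problems += "TCP $Port to $ManagementServer blocked (21006)"
}

# 20057 / 21001 / 21035: the MSOMHSvc SPN for the server must be registered in AD
$spn = (& setspn.exe -Q "MSOMHSvc/$ManagementServer" 2>&1) -join "`n"
if ($spn -match 'No such SPN found') {
    $problems += "SPN MSOMHSvc/$ManagementServer not registered (20057/21001/21035)"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'All mutual authentication prerequisites look correct on this node' }
```

Run it on both sides of a failing connection, since 21006 and 20072 depend on the remote node's firewall and trust store as much as the local one.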
