Issue with SCOM Agent authentication against the SCOM Management Server if you have a multi-domain environment

September 13, 2011

You have successfully installed the SCOM Agent on a managed computer, either manually or with the discovery wizard. However, the managed computer doesn't appear in the Agent Managed or Pending Management list in the Operations Console.

The following event is logged in the Operations Manager event log on the agent-managed computer:

Event Type: Error

Event Source: OpsMgr Connector

Event Category: None

Event ID: 20057

Description: Failed to initialize security context for target MSOMHSvc/ The error returned is 0x80090311 (No authority could be contacted for authentication.). This error can apply to either the Kerberos or the SChannel package.

The following event is logged in the Operations Manager event log on the SCOM Management Server:

Event Type: Information

Event Source: Health Service Modules

Event Category: None

Event ID: 10616
Description:
The Operations Manager Server successfully completed the operation Agent Install on remote computer doc.contoso.msft.
Install account: CONTOSO\administrator
Error Code: 0
Error Description: The operation completed successfully.

How to confirm the problem?

To troubleshoot the issue, Microsoft Network Monitor can be used:
■ Stop the HealthService on the managed computer to stop the SCOM Agent (open the Command Prompt and type net stop HealthService).
■ Start Microsoft Network Monitor.
■ Click on the New capture tab.
■ In the Capture Filter, enter the following filter:

KerberosV5
OR KerberosV5_Struct
OR NLMP
OR NLMP_Struct
OR GssAPI
OR SpnegoNegotiationToken
OR GssapiKrb5
OR LDAP

■ Click on the Apply button to apply the Capture Filter.
■ Click on the Start button to start the new capture.
■ Now, quickly start the HealthService to start the SCOM Agent (net start HealthService).
■ Wait (usually 10-15 seconds) until event 20057 appears in the Operations Manager event log on the affected computer.
■ In Network Monitor, click on the Stop button to stop the capture.
■ Now carefully review the captured frames in the Frame Summary window. You should see KerberosV5 and LDAP protocol traffic against the Active Directory Domain Controllers.

NOTE: The above applies only if you are not using certificate-based authentication.

To resolve this issue, make sure that ports TCP/UDP 88 (Kerberos) and TCP/UDP 389 (LDAP) are open to the Domain Controllers in your Active Directory environment.

These ports are not documented in the TechNet article Using a Firewall with Operations Manager 2007.

What happens under the hood?

When communication between the SCOM Agent and the SCOM Management Server starts, authentication (Kerberos) takes place. If you have a multi-domain environment, things are a bit more complicated. Before the authentication protocols can follow the forest/domain trust path, the service principal name (SPN) of the SCOM Management Server must be resolved (LDAP).

When a managed computer (SCOM Agent) in one domain attempts to access a resource computer (SCOM Management Server) in another domain, it contacts the domain controller for a service ticket to the SPN of the resource computer. Once the domain controller queries the global catalog and identifies that the SPN is not in the same domain as the domain controller, the domain controller sends a referral for its parent domain back to the workstation. At that point, the workstation queries the parent domain for the service ticket and follows the referral chain until it gets to the domain where the resource is located.

If you have the SCOM Management Server in child domain A of the Active Directory forest and the SCOM Agent in child domain B, make sure that the SCOM Agent is able to access all DCs in the referral chain that are required to get to the domain where the SCOM Management Server is located.
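
The port requirement above can be checked from the agent-managed computer before taking a capture. The script below is an added example, not part of the original post: it looks up the domain controllers of each domain in the referral chain through their DNS SRV records and tests TCP 88 and TCP 389 against each one. The child domain names `a.contoso.msft` and `b.contoso.msft` and the helper `Test-TcpPort` are assumptions for illustration, and `Resolve-DnsName` requires Windows 8 / Windows Server 2012 or later.

```powershell
# Added example: TCP reachability of Kerberos (88) and LDAP (389) on every
# domain controller in the referral chain, run from the agent-managed computer.
# Domain names are assumed: agent's domain, the parent domain, management server's domain.
$ReferralChain = @('b.contoso.msft', 'contoso.msft', 'a.contoso.msft')
$Ports         = @{ 88 = 'Kerberos'; 389 = 'LDAP' }
$TimeoutMs     = 3000

# Hypothetical helper: TCP connect with a timeout, so filtered ports fail fast.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($domain in $ReferralChain) {
    # Domain controllers register this SRV record; the DC locator queries it.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        # A DNS failure is reported as its own row: no DC can be located for this domain.
        [pscustomobject]@{ Domain = $domain; DC = '(no SRV records resolved)'; Port = $null
                           Service = 'DNS'; Reachable = $false }
        continue
    }
    foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
        foreach ($port in $Ports.Keys) {
            [pscustomobject]@{
                Domain = $domain; DC = $dc; Port = $port
                Service = $Ports[$port]; Reachable = Test-TcpPort $dc $port $TimeoutMs
            }
        }
    }
}

$results | Sort-Object Domain, DC, Port | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count) { Write-Warning "$($blocked.Count) check(s) failed on the referral chain." }
```

Only the TCP side is tested; UDP 88 and UDP 389 have to be confirmed in the firewall rules or in the Network Monitor capture described earlier.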

For more information about the ports required for System Center Operations Manager and about authentication in Operations Manager, refer to the following TechNet articles:

Authentication and Data Encryption for Windows Computers in Operations Manager 2007, available at: http://technet.microsoft.com/en-us/library/bb735408.aspx

Using a Firewall with Operations Manager 2007, available at: http://technet.microsoft.com/en-us/library/cc540431.aspx
