Untrusted Domain & Gateway Issue

Forum: Operations Manager4


    SCOM 2012 R2 SU2 on 2012 R2 servers
    I have two domains that are untrusted, with one being in an isolated DMZ. (Domain L and Domain A)
    Gateway server (Domain L) is in a corresponding DMZ with port 5723/TCP open in the firewall.
    Servers that are in the same domain (L) as the Gateway are successfully sending data to it, and in turn up to the management servers.
    Reading through all the documentation, I proceeded to attempt to add a single server from the untrusted domain (A) to the gateway server with no success.
    Steps done to get untrusted client connected:
    Downloaded CA Chain from Domain L and loaded on server in Domain A
    Created Request including Domain A Server fqdn, and Client/Server Authentication OIDs
    Created certificate from base-64-encode using the correct template on gateway server in Domain L
    Exported new certificate with key.
    On new server, verified connectivity to gateway server on port 5723
    On new server, Imported CA Chain to Trusted Root
    On new server, Ran MOMCertImport with the new certificate, Received Successfully installed response.
    On new server, Verified new certificate was in Local Machine\Personal
    On new server, Installed Agent point to gateway server fqdn

    Looking in the Operations Manager log I see:
    Error 20057: Failed to initialize security context for target MSOMHSvc/gateway.domain.l The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.
    Error 21001: The OpsMgr Connector could not connect to MSOMHSvc/gateway.domain.l because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.
    Error 20071: The OpsMgr Connector connected to gateway.domain.l, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which indicate a failure to authenticate.

    When I look in the Local Computer (Domain A) Certificates, I do see the imported certificate as well as the root certificate, with no errors about trusts. There is a new local certificate in the Operations Manager container that appears to have been created during the MOMCertImport, but this certificate is showing as no Root and not trusted. Is this supposed to be like this?
    What else should I look at to troubleshoot this?




    Wilson W.

    You mentioned that you imported the cert into your system’s personal store?  It should be in the computer account store, not personal.



    It is the Computer Account Store / Local Computer / Personal / Certificates



    Just for clarification on the last post:
    Computer Account Store / Local Computer (Domain A)/ Personal / Certificates


    Wilson W.

    Did you run the correct version of the momcertimport utility?  If it’s a 64bit OS you need to run the 64bit version of the momcertimport utility.


    Also, after installing the cert, when you open the cert it shows the certificate chain is valid, right?



    Yes, 64bit load / 64bit utility; I did also verify the freshly imported certificate did show as valid with corresponding Certificate Path also showing valid.


    Wilson W.

    Is DNS resolution working between your gateway server and the non-domain system?






    Yes, I can resolve FQDN in both directions; I also did a successful telnet from the untrusted machine to the gateway server using fqdn and port 5723.


    Wilson W.

    Well, I’m stumped.  The only other thing I can think of is that there is some property incorrectly specified in your certificate template.  Did you actually double-check to make sure the cert serial number is in the registry?  Did you run momcertimport under local administrator credentials?



    Yeah, this has stumped me as well; hence the call for help.

    I did verify the serial number did show up in the registry, and I was logged into the untrusted server as the local administrator during the whole process.

    I will mull it over this weekend and maybe just dump the template and certificates; revoke the one for the server and start from scratch on Monday.



    Gordon, the events in the Operations Manager Event Log tell the story. Use this event reference to find root cause.




    That is part of my confusion Tommy,

    I have looked at the event logs, and the error entries appear to be for Trusted Kerberos Authentication problems, when these two domains are not and cannot be trusted. (Event ID 21001)



    Removed the template as well as the certificates created with it. (I did find a flaw within the template.)
    Created a new template as well as new certificates for the two servers.
    Imported and verified that the certificates are viewed as valid by the two servers.

    On the gateway server I am seeing a new Event ID.
    Event ID 21036:
    The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication. The error is The credentials supplied to the package were not recognized(0x8009030D).

    On the server that is in the untrusted domain there are Event IDs:
    Event ID 21016:
    OpsMgr was unable to set up a communications channel to uslabscom03.us.cstenet.com and there are no failover hosts. Communication will resume when uslabscom03.us.cstenet.com is available and communication from this computer is allowed.

    Event ID 20071:
    The OpsMgr Connector connected to uslabscom03.us.cstenet.com, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server . Check the event log on the server and on the agent for events which indicate a failure to authenticate.




    After re-exporting w/key and re-importing the certificate via the momcertimport /filename on the gateway server, I received an approval prompt on the untrusted server to utilize the certificate for authentication.

    Finally, I have secure authentication and communication between the two servers.

    The modifications to the template were in the Key Usage Extension; setting the Encryption -> Allow key exchange only with key encryption, and Allow encryption of user data.


    Pete Zerger

    The 21036 is definitely a private key problem with the cert. May be other issues at play, but I get that one a fair amount.

    The certificate specified in the registry at cannot be used for authentication. Private key is missing from the certificate. Usually see this on export and CLI registration OR when certificate is copied between stores in Certificates snap-in.
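The checks this thread walks through by hand (private key present, chain valid, client and server authentication EKUs, key usage that allows key exchange, name matching the FQDN, and the serial number MOMCertImport wrote to the registry) can be run in one pass. This is an added example, not code from the thread or from Microsoft; it assumes the registry value name ChannelCertificateSerialNumber and its reversed-byte encoding follow SCOM's documented behaviour, and $ExpectedFqdn defaults to this host's own FQDN.

```powershell
# Added example: validate the certificate MOMCertImport registered on this host
# against the requirements discussed in the thread. Run elevated on the agent
# or gateway. ASSUMPTION: value name ChannelCertificateSerialNumber and the
# reversed byte order are SCOM behaviour not stated on this page.
param([string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

$ns      = 'System.Security.Cryptography.X509Certificates'
$regPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
$regValue = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
if (-not $regValue) { throw "No ChannelCertificateSerialNumber under $regPath; MOMCertImport has not been run." }

# The serial is stored as raw bytes in reverse order; rebuild the hex string the cert shows
$bytes = [byte[]]$regValue
[array]::Reverse($bytes)
$serialHex = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''

# Computer account store / Personal, the location the thread settled on
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serialHex }
if (-not $cert) { throw "Serial $serialHex is registered but no matching certificate is in LocalMachine\My." }

# Pull the Key Usage (2.5.29.15) and Enhanced Key Usage (2.5.29.37) extensions
$kuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
$kus    = if ($kuExt) { $kuExt.KeyUsages } else { [type]"$ns.X509KeyUsageFlags" | ForEach-Object { $_::None } }
$dnsName = $cert.GetNameInfo(([type]"$ns.X509NameType")::DnsName, $false)

# "Allow key exchange only with key encryption" in the template maps to KeyEncipherment
$checks = [ordered]@{
    'Private key present (21036 if missing)' = $cert.HasPrivateKey
    'Chain builds to a trusted root'          = $cert.Verify()
    'EKU Server Authentication'               = $ekus -contains '1.3.6.1.5.5.7.3.1'
    'EKU Client Authentication'               = $ekus -contains '1.3.6.1.5.5.7.3.2'
    'KU Digital Signature'                    = $kus.HasFlag(([type]"$ns.X509KeyUsageFlags")::DigitalSignature)
    'KU Key Encipherment'                     = $kus.HasFlag(([type]"$ns.X509KeyUsageFlags")::KeyEncipherment)
    'Name matches expected FQDN'              = $dnsName -ieq $ExpectedFqdn
}
foreach ($c in $checks.GetEnumerator()) {
    [pscustomobject]@{ Check = $c.Key; Pass = [bool]$c.Value }
}
```

A failed "Private key present" row corresponds to the 21036 event above; a failed EKU or Key Usage row points back at the template, which is what the original poster ended up fixing.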