OpsMgr: Master List of Mutual Authentication Related Errors for OpsMgr 2007

Mutual authentication takes one of two forms in Operations Manager: 1) Kerberos or 2) certificate authentication. This is a list of authentication failures compiled by Pete Zerger based on field experience and his MMS 2008 presentation on Gateway Scenarios in OpsMgr 2007 SP1, which can be downloaded HERE. Having helped many dozens (perhaps hundreds) of OpsMgr administrators troubleshoot mutual authentication issues, I have encountered many different scenarios. Here is a list of event IDs and potential explanations you may find helpful.

The following is a list of mutual authentication-related error messages and some general indicators of root cause. Some errors are Kerberos-related issues (like SPN problems) and some are related to certificate authentication. These errors are also applicable to System Center Essentials 2007.


Each entry below gives the Event ID, the Description (the event text or its gist) and an Explanation of the likely cause.

Event ID 20050
Description: Enhanced key usage error
Explanation: Wrong OID specified on the certificate.

Event ID 20057
Description: The OpsMgr Connector could not connect to MSOMHSvc/rms01.local because mutual authentication failed. Verify the SPN is properly registered.
Explanation: Often associated with SPN registration failures. Make sure SPNs are registered (and a forest trust is in place if the agent is in a separate forest) so Kerberos authentication can succeed.

Event ID 20070
Description: The OpsMgr Connector connected to <server> but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration.
Explanation: This and 21016 are general indicators of failed authentication. However, these two events do not provide much insight into root cause. This error will appear when a manually installed agent is in "Pending" status, but also for a host of other reasons.

Event ID 21001
Description: The OpsMgr Connector could not connect to MSOMHSvc/rmsxxx.domain.com because mutual authentication failed. Verify the SPN is properly registered.
Explanation: Often associated with SPN registration failures. Make sure SPNs are registered (and a forest trust is in place if the agent is in a separate forest) so Kerberos authentication can succeed.

Event ID 21005
Description: DNS resolution failed.
Explanation: Check DNS name resolution on the agent and on the upstream gateway or management server.

Event ID 21006
Description: TCP connection failed (at the TCP level). The OpsMgr Connector could not connect to <server>. The error code is 10061L…
Explanation: Often indicates you have a firewall in the path blocking communication. Try telnet to port 5723 from both nodes attempting to communicate.

The other instance where I occasionally see this is when the wrong management group name AND management server are entered.
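The two checks behind 21005 and 21006 (does the name resolve, and does TCP 5723 answer) can be run from either end of the connection with the PowerShell script below. It is an added example, not part of the original post or of the OpsMgr product; the host name rms01.local is a placeholder taken from the event text above and should be replaced with your own management server or gateway.

```powershell
# Added example (not from the original post): verify the two prerequisites that
# events 21005 and 21006 point at, DNS name resolution and TCP reachability of
# the OpsMgr agent/gateway port. Run it on the agent against its management
# server or gateway, and on the server against the agent.
# $Target is a placeholder; replace it with your management server or gateway.
param(
    [string]$Target = "rms01.local",   # placeholder host name
    [int]$Port      = 5723             # default OpsMgr agent/gateway port
)

# Step 1: forward lookup. Event 21005 fires when this fails.
try {
    $entry = [System.Net.Dns]::GetHostEntry($Target)
    $ip = ($entry.AddressList | Select-Object -First 1).IPAddressToString
    Write-Host "DNS: $Target resolves to $ip"
} catch {
    Write-Host "DNS: could not resolve $Target ($($_.Exception.Message))"
    exit 1
}

# Step 2: TCP connect on the port, the scripted equivalent of 'telnet <host> 5723'.
# A refusal (Winsock 10061) or a timeout here usually means a firewall in the
# path or the wrong management server name entered on the agent.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $async = $client.BeginConnect($ip, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne(5000, $false)) {
        throw "connection timed out after 5 s"
    }
    $client.EndConnect($async)
    Write-Host "TCP: port $Port on $Target is reachable"
} catch {
    Write-Host "TCP: cannot reach port $Port on $Target ($($_.Exception.Message))"
    exit 2
} finally {
    $client.Close()
}
```

A successful TCP connect only proves the path is open; it says nothing about authentication, so a clean result here with 20070 or 21016 still logged points you back at SPNs or certificates rather than the network.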

Event ID 21007
Description: Not in a trusted domain.
Explanation: Cannot establish a secure communication channel to the management server because the correct certificates are not available. Retrace your steps in the certificate configuration (see KB947691).

Event ID 21008
Description: Untrusted target (usually means an untrusted domain or a failure to reach a DC).
Explanation: Check name resolution and network connectivity.

Event ID 21016
Description: OpsMgr was unable to set up a communications channel to the server and there are no failover hosts.
Explanation: This and 20070 are general indicators of failed authentication. However, these two events do not provide much insight into root cause. This error will appear when a manually installed agent is in "Pending" status, but also for a host of other reasons.

Event ID 21035
Description: SPN registration failed; Kerberos authentication will not work.
Explanation: Often associated with SPN registration failures. Make sure SPNs are registered so Kerberos authentication can succeed.
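For the SPN-related events (20057, 21001 and 21035) the useful question is which account, if any, holds the MSOMHSvc SPNs for the management server, and whether more than one does. The PowerShell script below answers that with a plain directory query; it is an added example, not part of the original post, and the server name rms01 is a placeholder. It assumes it is run from a domain-joined machine in the server's domain, and that the SPN naming follows the MSOMHSvc/<server> form shown in the event text above.

```powershell
# Added example (not from the original post): list which AD account holds the
# MSOMHSvc SPNs for a management server or gateway, the registration that
# events 20057, 21001 and 21035 complain about. Any domain user can read this.
# $ServerName is a placeholder; use the NetBIOS name of your management server.
param(
    [string]$ServerName = "rms01"     # placeholder; NetBIOS name of the server
)

# Both forms are expected: MSOMHSvc/<netbios> and MSOMHSvc/<fqdn>.
# If the Health Service runs as Local System they live on the computer object;
# if it runs as a domain account they must be on that user object instead.
# DirectorySearcher defaults to the current domain's naming context.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(servicePrincipalName=MSOMHSvc/$ServerName*)"
$searcher.PropertiesToLoad.Add("sAMAccountName") | Out-Null
$searcher.PropertiesToLoad.Add("servicePrincipalName") | Out-Null
$results = $searcher.FindAll()

if ($results.Count -eq 0) {
    Write-Host "No MSOMHSvc/$ServerName* SPN found; Kerberos to this server cannot work."
    Write-Host "Register it (NetBIOS and FQDN forms) on the Health Service account, e.g.:"
    Write-Host "  setspn -A MSOMHSvc/$ServerName <account>"
    exit 1
}
if ($results.Count -gt 1) {
    # The same SPN on two accounts is as bad as a missing one: the KDC cannot
    # pick a key to encrypt the ticket with, and mutual authentication fails.
    Write-Host "WARNING: MSOMHSvc/$ServerName* is registered on $($results.Count) accounts (duplicate SPN):"
}
foreach ($r in $results) {
    $acct = $r.Properties["samaccountname"][0]
    $spns = $r.Properties["serviceprincipalname"] | Where-Object { $_ -like "MSOMHSvc/*" }
    Write-Host "Account: $acct"
    foreach ($s in $spns) { Write-Host "  $s" }
}
```

On Windows Server 2008 and later, setspn -S does the same registration as -A but refuses to create a duplicate, which is the safer form; the script's duplicate warning covers the case where one already exists. For an agent in a separate forest, the lookup must succeed across the forest trust as well, which is why the explanation above pairs SPN registration with the trust.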

Event ID 21036
Description: The certificate specified in the registry at cannot be used for authentication.
Explanation: The private key is missing from the certificate. Usually seen after export and CLI registration, or when the certificate is copied between stores in the Certificates snap-in.

Event ID 20068
Description: Certificate has an unusable / no private key.
Explanation: Also an indication of a missing private key.

Event ID 20069
Description: Wrong type of certificate (KEY_SPEC).
Explanation: Wrong OIDs on the certificate.

Event ID 20072
Description: Remote certificate not trusted.
Explanation: The certificate of the CA (the CA chain, root to issuer) that issued the remote server's certificate must be in the "Trusted Root Certification Authorities" store of the local computer account in the Certificates snap-in.

Event ID 20075
Description: Unable to obtain subject or issuer from certificate.
Explanation: Never seen this one in a live environment. Indicates a failure to retrieve the subject (aka common name) or the issuing authority on the certificate.

Event ID 20076
Description: Unable to obtain subject or issuer from remote certificate.
Explanation: Never seen this one in a live environment. Indicates a failure to retrieve the subject (aka common name) or the issuing authority on the certificate presented by the other system.

Event ID 20077
Description: Certificates cannot be queried for property info.
Explanation: This typically means that no private key was included with the certificate.
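Most of the certificate events in the list (20050, 21036, 20068, 20069, 20072, 20077) come down to four properties of the certificate in the local computer's Personal store: a private key that is actually present, the right Enhanced Key Usage OIDs, an exchange-type key (the KEY_SPEC of 20069) and a chain to a root the computer trusts. The PowerShell script below reports all four for every certificate in that store. It is an added example and not part of the original post or of OpsMgr; the EKU OIDs it checks are the standard Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2) values, and the expectation that the subject CN equals the computer's FQDN is an assumption about your naming that you can drop if it does not apply.

```powershell
# Added example (not from the original post): inspect the certificates in the
# local computer's Personal store and report the properties that the
# certificate-related events above turn on: a usable private key (21036, 20068,
# 20077), the two Enhanced Key Usage OIDs (20050, 20069), an exchange-type key
# (KEY_SPEC, 20069) and a chain to a trusted root (20072).
# Run in an elevated prompt; reading the private key handle needs admin rights.
# The subject-equals-FQDN check is an assumption about your naming convention.
$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
$ClientAuthOid = "1.3.6.1.5.5.7.3.2"   # Client Authentication EKU
$localFqdn = [System.Net.Dns]::GetHostEntry("").HostName

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
foreach ($cert in $store.Certificates) {
    $problems = @()

    # 21036 / 20068 / 20077: key missing after an export or a store-to-store copy
    if (-not $cert.HasPrivateKey) { $problems += "no private key" }

    # 20050 / 20069: both EKUs must be present (extension OID 2.5.29.37)
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $ServerAuthOid) { $problems += "missing Server Authentication EKU" }
    if ($ekuOids -notcontains $ClientAuthOid) { $problems += "missing Client Authentication EKU" }

    # 20069 KEY_SPEC: the key must be AT_KEYEXCHANGE (KeyNumber Exchange), not AT_SIGNATURE
    if ($cert.HasPrivateKey) {
        try {
            $info = $cert.PrivateKey.CspKeyContainerInfo
            if ($info -and $info.KeyNumber -ne "Exchange") {
                $problems += "KeySpec is $($info.KeyNumber), expected Exchange"
            }
        } catch { $problems += "private key not readable ($($_.Exception.Message))" }
    }

    # 20072: the issuing CA chain must be trusted by this computer account
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
        $problems += "chain not trusted ($status)"
    }

    # Assumed convention: subject CN should be this computer's FQDN
    $cn = $cert.GetNameInfo("SimpleName", $false)
    if ($cn -ne $localFqdn) { $problems += "subject '$cn' is not $localFqdn" }

    $verdict = if ($problems.Count -eq 0) { "OK" } else { "PROBLEMS: " + ($problems -join "; ") }
    Write-Host ("{0}  thumbprint {1}  {2}" -f $cert.Subject, $cert.Thumbprint, $verdict)
}
$store.Close()
```

Run the same script on both ends of the connection: the chain check on the agent covers the agent's own certificate, while 20072 on the management server is about the agent's issuing CA being in the server's trusted root store, and vice versa. A certificate that shows "no private key" on the machine that is supposed to use it was almost always exported without the key or copied between stores in the snap-in, exactly the two cases the 21036 explanation above names.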
