Gateway RunAs Account Issues
Posted: Sat, Jun 13, 2009 3:42 AM :: Rank: 1 |
Hi,
I've installed two gateway servers in an untrusted domain. I followed exactly the instructions from TechNet to set them up. Everything is working fine except one thing:
Every time the System Center Management service is restarted on the gateway, I get two event log entries saying that the management server action account from the untrusted SCOM domain couldn't log on.
This event doesn't show up again until the service is restarted. Of course my health explorer shows an unhealthy gateway server because of this.
The thing I do not get is, how does the gateway server get the idea to use this management server action account. In the setup I provided an action account from the gateway domain and in SCOM all RunAs profiles point to the correct RunAs account.
Anyone else seeing this? Am I missing something here?
cheers,
Stefan Koell
CODE4ward
http://www.code4ward.net
Home of Royal TS - Remote Desktops the easy way!
Re: Gateway RunAs Account Issues
Posted: Sat, Jun 13, 2009 10:03 AM :: Rank: 1 |
Where Gateway and untrusted domains are concerned, it will help to know two things:
1. What is the event ID and description?
2. Are you using AD Integration for agent configuration? If so, there is a known issue with the RunAs Account Check that I am not sure is resolved in R2. If so, check the AD Integration paper Raphael and I updated a few months ago, which has a workaround.
http://www.systemcentercentral.com/Downloads/DownloadsDetails/tabid/144/IndexID/7936/Default.aspx
In short, if we know details and from what MP it's sourced, we can determine if it's simply a failing RunAs check, and not an actual functionality issue.
Re: Gateway RunAs Account Issues
Posted: Mon, Jun 15, 2009 4:55 AM :: Rank: 1 |
Pete, thanks for the response. I figured that event IDs would be helpful but I haven't had any access to the environment during the weekend.
I get three events from the Health Service right after the service restart:
Event ID 7000 (Error): The Health Service could not log on the RunAs account for management group . The error is Logon failure: unknown user name or bad password.(1326L). This will prevent the health service from monitoring or performing actions using this RunAs account.
Event ID 7015 (Error): The Health Service cannot verify the future validity of the RunAs account for management group . The error is Logon failure: unknown user name or bad password.(1326L).
Event ID 7020 (Warning): The Health Service has validated all RunAs accounts for management group , except those we could not monitor.
As for number 2, no we don't use AD integration for agent configuration.
I also did a Google search but found nothing so far. It also seems that in general the gateway server is working and it seems to be a "cosmetic" issue only. The events are only logged when the service starts. They do not show up again later...
cheers
Stefan
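The following PowerShell is an added example, not part of the original thread. It checks whether Health Service events 7000, 7015 and 7020 occur only right after a service start, the pattern described in the post above; the function name, the 120-second window and the sample records are assumptions made for illustration.

```powershell
# Added example: are the Health Service RunAs events (7000/7015/7020) tied to
# service start, or do they recur during normal operation?
function Get-RunAsEventTiming {
    param(
        [Parameter(Mandatory)] [object[]]   $Events,         # need TimeCreated and Id
        [Parameter(Mandatory)] [datetime[]] $ServiceStarts,  # Health Service start times
        [int] $WindowSeconds = 120                           # assumed startup window
    )
    $runAsIds = 7000, 7015, 7020
    $Events |
        Where-Object { $runAsIds -contains $_.Id } |
        Sort-Object TimeCreated |
        ForEach-Object {
            $evt = $_
            # Most recent service start at or before this event, if any.
            $start = $ServiceStarts |
                Where-Object { $_ -le $evt.TimeCreated } |
                Sort-Object | Select-Object -Last 1
            $offset = if ($null -ne $start) { ($evt.TimeCreated - $start).TotalSeconds } else { $null }
            [pscustomobject]@{
                TimeCreated       = $evt.TimeCreated
                Id                = $evt.Id
                SecondsAfterStart = $offset
                AtStartup         = ($null -ne $offset) -and ($offset -le $WindowSeconds)
            }
        }
}

# Constructed sample data (not taken from the thread): two restarts, each followed
# by the three events, plus one 7000 logged hours after the last start.
$starts = [datetime[]]@('2009-06-15T04:30:00', '2009-06-15T09:00:00')
$sample = '04:30:11,7000', '04:30:11,7015', '04:30:12,7020',
          '09:00:09,7000', '09:00:09,7015', '09:00:10,7020', '13:45:00,7000' |
    ForEach-Object {
        $t, $id = $_ -split ','
        [pscustomobject]@{ TimeCreated = [datetime]"2009-06-15T$t"; Id = [int]$id }
    }

$result = Get-RunAsEventTiming -Events $sample -ServiceStarts $starts
$result | Format-Table -AutoSize

# 7000 and 7015 are the errors; 7020 is the summary warning.
$recurring = @($result | Where-Object { -not $_.AtStartup -and $_.Id -ne 7020 })
"Failures outside the startup window: $($recurring.Count)"

# On a live gateway the inputs could come from:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 7000, 7015, 7020 }
#   (Get-Process -Name HealthService).StartTime
```

With the constructed records, six events fall inside the startup window and one 7000 does not, so the last line reports one failure outside it.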
Re: Gateway RunAs Account Issues
Posted: Mon, Jun 15, 2009 8:00 AM :: Rank: 1 |
I would suspect in this case we have a RunAs check being executed from the RMS, in which case this would predictably fail across trust boundaries, as it does in the AD Integration scenario. If you would, right click the alert and give us the rule name and the class targeted by the rule.
Re: Gateway RunAs Account Issues
Posted: Tue, Jun 16, 2009 10:18 PM :: Rank: 1 |
For a gateway in an untrusted domain, the default action account should probably be set to either an account in the remote domain or the Local System account.
Re: Gateway RunAs Account Issues
Posted: Wed, Jun 24, 2009 7:52 AM :: Rank: 1 |
The mystery was finally solved with the help of Microsoft and I want to share it with you guys.
The problem was that at the time of the RMS cluster install, the DNS registration was not complete. This caused the setup to write the NetBIOS name of the cluster into the OperationsManager DB. Everything looked fine. All management servers and agents could communicate with the RMS, but two things didn't work quite well:
1. Reporting Setup wasn't able to complete successfully.
2. The RunAs account issue with the gateway servers.
Maybe there were other side effects but for me everything else looked normal.
However, reinstalling the cluster with the FQDN fully registered in DNS solved both problems.
Thanks again for listening and your help.
cheers,
Stefan Koell
CODE4ward
http://www.code4ward.net
Home of Royal TS - Remote Desktops the easy way!