Operations Manager Authentication Event Reference


This is the Authentication and Security page on the System Center WIKI at System Center Central.

Mutual Authentication takes one of two forms in Operations Manager 2007 / 2012 – 1) Kerberos or 2) Certificate Authentication. This is a list of authentication failures compiled by Pete Zerger based on field experience and his MMS 2008 presentation on Gateway Scenarios in OpsMgr 2007 SP1 (which can be downloaded by clicking on the previous link) and is still largely applicable even to OpsMgr 2012 SP1. Having helped many dozens (perhaps hundreds) of OpsMgr administrators troubleshoot mutual authentication issues, I have encountered many different scenarios. Here is a list of event IDs and potential explanations you may find helpful.

The following is a list of mutual authentication-related error messages with some general indicators of the likely root cause. Some errors are Kerberos-related issues (like SPN problems) and some are related to certificate authentication.

Event ID | Description | Explanation
20050 | Enhanced key usage error | Wrong OID specified on the certificate
20057 | The OpsMgr Connector could not connect to MSOMHSvc/rms01.local because mutual authentication failed. Verify the SPN is properly registered | Often associated with SPN registration failures. Make sure SPNs are registered (and a forest trust is in place if the agent is in a separate forest) so Kerberos authentication can succeed.
20070 / 20071 | The OpsMgr Connector connected to <server> but the connection was closed immediately after authentication occurred. The most likely cause of this error is that the agent is not authorized to communicate with the server, or the server has not received configuration. | This and 21016 are general indicators of failed authentication. However, these two events do not provide much insight into root cause. This error will appear when a manually installed agent is in “Pending” status, but also for a host of other reasons.
21001 | The OpsMgr Connector could not connect to MSOMHSvc/rmsxxx.domain.com because mutual authentication failed. Verify the SPN is properly registered | Often associated with SPN registration failures. Make sure SPNs are registered (and a forest trust is in place if the agent is in a separate forest) so Kerberos authentication can succeed.
21005 | DNS resolution failed | Check DNS name resolution on the agent and on the upstream gateway or management server.
21006 | TCP connection failed (at TCP level). The OpsMgr Connector could not connect to <server>. The error code is 10061L… | Often indicates a firewall in the path is blocking communication. Try telnet to port 5723 from both nodes attempting to communicate.
21007 | Not in a trusted domain | Cannot establish a secure communication channel to the management server because the correct certificates are not available. Retrace your steps on certificate configuration (see KB947691).
21008 | Untrusted target (usually means an untrusted domain or failure to reach a DC) | Check name resolution and network connectivity.
21016 | OpsMgr was unable to set up a communications channel to the server and there are no failover hosts. | This and 20070 are general indicators of failed authentication. However, these two events do not provide much insight into root cause. This error will appear when a manually installed agent is in “Pending” status, but also for a host of other reasons.
21035 | SPN registration failed; Kerberos authentication will not work | Often associated with SPN registration failures. Make sure SPNs are registered so Kerberos authentication can succeed.
21036 | The certificate specified in the registry at cannot be used for authentication. | The private key is missing from the certificate. You usually see this after export and command-line registration, or when the certificate is copied between stores in the Certificates snap-in.
20068 | Certificate has an unusable private key or no private key | Also an indication that the private key is missing
20069 | Wrong type of certificate (KEY_SPEC) | Wrong OIDs on the certificate
20072 | Remote certificate not trusted | The certificate of the CA (the CA chain, root to issuer) that issued the remote server's certificate must be in the “Trusted Root Certification Authorities” store of the local computer account in the Certificates snap-in
20075 | Unable to obtain subject or issuer from certificate | Never seen this one in a live environment. Indicates failure to retrieve the subject (aka common name) or issuing authority on the certificate
20076 | Unable to obtain subject or issuer from remote certificate | Never seen this one in a live environment. Indicates failure to retrieve the subject (aka common name) or issuing authority on the certificate presented by the other system
20077 | Certificates cannot be queried for property info | This typically means that no private key was included with the certificate.
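The script below is an added example for this page; it is not part of the original article and not an Operations Manager tool. Run on an agent or gateway, it checks in one pass the preconditions the table above keeps pointing at: DNS resolution and the TCP path to port 5723 (21005 / 21006), an MSOMHSvc SPN for the upstream server (20057 / 21001 / 21035), and whether the local channel certificate carries the Server Authentication and Client Authentication EKUs, has a private key, and chains to a trusted root (20050 / 20069, 21036 / 20068 / 20077, 20072). Assumptions: the server name 'rms01.local' is the same placeholder the 20057 row uses and must be replaced; Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later (use nslookup and telnet on older hosts); the local certificate is assumed to have the computer name in its subject, and the function name Test-OpsMgrMutualAuth is this example's own.

```powershell
# Added example (not from the original page or the product): an agent-side
# pre-flight for the failure classes listed in the event table above.
function Test-OpsMgrMutualAuth {
    param(
        [string]$ManagementServer = 'rms01.local',   # placeholder; replace with your upstream server
        [int]$Port = 5723                            # default OpsMgr agent/server channel port
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # --- 21005 / 21006: name resolution and the TCP path to the channel port ---
    if (-not (Resolve-DnsName -Name $ManagementServer -ErrorAction SilentlyContinue)) {
        $findings.Add("DNS: cannot resolve $ManagementServer (compare event 21005)")
    }
    $tcp = Test-NetConnection -ComputerName $ManagementServer -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $findings.Add("TCP: port $Port on $ManagementServer unreachable; check firewalls in the path (compare event 21006)")
    }

    # --- 20057 / 21001 / 21035: Kerberos needs an MSOMHSvc SPN for the upstream server ---
    # setspn -Q asks the forest whether the SPN is registered on any account.
    $spnOut = & setspn.exe -Q "MSOMHSvc/$ManagementServer" 2>&1 | Out-String
    if ($spnOut -notmatch 'Existing SPN found') {
        $findings.Add("SPN: MSOMHSvc/$ManagementServer is not registered; Kerberos authentication cannot succeed (compare events 20057/21001/21035)")
    }

    # --- 20050 / 20069 / 21036 / 20068 / 20077 / 20072: the local channel certificate ---
    # Certificate authentication needs both EKUs below plus a usable private key,
    # and the issuing chain must be trusted by the local computer account.
    $requiredEku = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'   # Server Authentication, Client Authentication
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -like "*CN=$env:COMPUTERNAME*"   # assumption: the channel cert carries this host's name
    }
    if (-not $candidates) {
        $findings.Add("CERT: no certificate for $env:COMPUTERNAME found in LocalMachine\My")
    }
    foreach ($cert in $candidates) {
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $missing = $requiredEku | Where-Object { $oids -notcontains $_ }
        if ($missing) {
            $findings.Add("CERT $($cert.Thumbprint): missing EKU $($missing -join ', ') (compare events 20050/20069)")
        }
        if (-not $cert.HasPrivateKey) {
            $findings.Add("CERT $($cert.Thumbprint): no private key; re-import the PFX instead of copying between stores (compare events 21036/20068/20077)")
        }
        # Build the chain without revocation checking so only trust, not CRL reachability, is tested here.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $findings.Add("CERT $($cert.Thumbprint): chain not trusted ($status); import the CA chain into Trusted Root Certification Authorities (compare event 20072)")
        }
    }

    if ($findings.Count -eq 0) { 'No mutual authentication preconditions failed.' } else { $findings }
}

# Usage: run in an elevated PowerShell session on the agent or gateway.
Test-OpsMgrMutualAuth -ManagementServer 'rms01.local'
```

Run the same function on the upstream gateway or management server with the agent's name as the argument, since the table's 21006 row expects the port test from both sides. A clean result here does not prove the other end is configured, but each finding maps directly to the event IDs in the table, which shortens the search for the root cause.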
