Problem with the SCOM Agent authentication against the SCOM Management Server

Problem description

You have successfully installed the SCOM Agent manually on a managed computer. However, the managed computer doesn’t appear in the Agent Managed or Pending Management list in the Operations Console.

The following event is logged in the Operations Manager event log on the agent-managed computer:

Event Type:     Error
Event Source:   OpsMgr Connector
Event Category: None
Event ID:       20057
Description:    Failed to initialize security context for target MSOMHSvc/<SCOM Management Server Name> The error returned is 0x80090311(No authority could be contacted for authentication.). This error can apply to either the Kerberos or the SChannel package.

How to confirm the problem?

To troubleshoot the issue, Microsoft Network Monitor can be used:

  • Stop the HealthService on the managed computer to stop the SCOM Agent (open a Command Prompt and type net stop HealthService).
  • Start Microsoft Network Monitor.
  • Click on the New capture tab.
  • In the Capture Filter, enter the following filter:

KerberosV5
OR KerberosV5_Struct
OR NLMP
OR NLMP_Struct
OR GssAPI
OR SpnegoNegotiationToken
OR GssapiKrb5
OR LDAP

  • Click on the Apply button to apply the Capture Filter.
  • Click on the Start button to start the new capture.
  • Now, quickly start the HealthService to start the SCOM Agent (net start HealthService).
  • Wait (usually 10-15 seconds) until event 20057 appears in the Operations Manager event log on the affected computer.
  • In Network Monitor, click on the Stop button to stop the capture.
  • Now carefully review the captured frames in the Frame Summary window. You should see KerberosV5 and LDAP protocol traffic towards the Active Directory Domain Controllers.

NOTE: The above applies when you are not using certificate-based authentication.

To resolve this issue, make sure that ports TCP/UDP 88 (Kerberos) and TCP/UDP 389 (LDAP) are open towards the Domain Controllers in your Active Directory environment.

These ports are not documented in the TechNet article Using a Firewall with Operations Manager 2007.

What happens under the hood?

When SCOM Agent <-> Management Server communication starts, authentication takes place (Kerberos). In a multi-domain environment, things are a bit more complicated. Before the authentication protocol can follow the forest/domain trust path, the service principal name (SPN) of the SCOM Management Server must be resolved (LDAP).

When a managed computer (SCOM Agent) in one domain attempts to access a resource computer (SCOM Management Server) in another domain, it contacts its domain controller for a service ticket to the SPN of the resource computer. Once the domain controller queries the global catalog and identifies that the SPN is not in the same domain as the domain controller, it sends a referral for its parent domain back to the workstation. At that point, the workstation queries the parent domain for the service ticket and follows the referral chain until it gets to the domain where the resource is located.

If you have the SCOM Management Server in child domain A of the Active Directory forest and the SCOM Agent in child domain B, make sure that the SCOM Agent is able to reach all DCs in the referral chain that are needed to get to the domain where the SCOM Management Server is located.
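The following PowerShell script is an added example (it is not part of the original post and not a Microsoft tool) that puts the two checks above into one run from the agent-managed computer: it walks the parent/child trust path from the agent's domain up to the forest root and down to the Management Server's domain, probes TCP 88 (Kerberos) and TCP 389 (LDAP) on every domain controller along that path, and then asks the global catalog whether the MSOMHSvc SPN named in event 20057 exists at all. It assumes parent/child trusts only (no shortcut trusts), probes TCP only (a UDP datagram into a silently dropping firewall proves nothing), and the values of the $ManagementServer and $ManagementServerDomain parameters are placeholders you must replace.

```powershell
# Added example, not part of the original post. Verifies the Kerberos/LDAP reachability
# and SPN resolution that event 20057 (0x80090311) depends on.
# Assumptions: parent/child trusts only, TCP probes only, placeholder parameter defaults.
param(
    [string]$ManagementServer       = 'SCOMMS01.childA.corp.example',  # placeholder
    [string]$ManagementServerDomain = 'childA.corp.example',           # placeholder
    [int]$TimeoutMs = 3000
)

Add-Type -AssemblyName System.DirectoryServices

# TCP connect probe with a timeout; returns $true when the port accepts a connection.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Domain objects from the given domain up to the forest root, in referral order.
function Get-DomainChain {
    param([System.DirectoryServices.ActiveDirectory.Domain]$Domain)
    $chain = @()
    while ($null -ne $Domain) {
        $chain += $Domain
        $Domain = $Domain.Parent
    }
    return $chain
}

$agentDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$msContext   = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $ManagementServerDomain)
$msDomain    = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($msContext)

# Agent domain -> ... -> forest root -> ... -> Management Server domain.
# The forest root is shared by both halves, so it is kept only once.
$upChain   = @(Get-DomainChain -Domain $agentDomain)
$downChain = @(Get-DomainChain -Domain $msDomain)
[array]::Reverse($downChain)
$path = @()
foreach ($d in ($upChain + $downChain)) {
    if ($path.Name -notcontains $d.Name) { $path += $d }
}
Write-Output "Trust path: $(($path | ForEach-Object { $_.Name }) -join ' -> ')"

# Probe Kerberos and LDAP on every DC the referral chain can send the agent to.
$failures = 0
foreach ($domain in $path) {
    foreach ($dc in $domain.DomainControllers) {
        foreach ($port in 88, 389) {
            $ok = Test-TcpPort -ComputerName $dc.Name -Port $port -TimeoutMs $TimeoutMs
            if (-not $ok) { $failures++ }
            $status = if ($ok) { 'open' } else { 'BLOCKED' }
            Write-Output ("{0,-30} {1,-45} TCP {2,-3} {3}" -f $domain.Name, $dc.Name, $port, $status)
        }
    }
}

# The KDC can only issue a ticket for an SPN that exists somewhere in the forest;
# the global catalog is where the first DC looks before sending a referral.
$spn      = "MSOMHSvc/$ManagementServer"
$gc       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().FindGlobalCatalog()
$gcRoot   = New-Object System.DirectoryServices.DirectoryEntry("GC://$($gc.Name)")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
$searcher.Filter = "(servicePrincipalName=$spn)"
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
$hit = $searcher.FindOne()
if ($null -eq $hit) {
    Write-Output "SPN $spn not found in global catalog $($gc.Name); no service ticket can be issued for it."
    $failures++
} else {
    Write-Output "SPN $spn is registered on $($hit.Path)"
}

if ($failures -eq 0) { Write-Output 'All checks passed.' } else { Write-Output "$failures check(s) failed." }
```

A BLOCKED line for any DC on the printed trust path is the firewall gap the resolution above describes; a missing SPN points at the Management Server's account rather than at the network, since the agent would fail the same way with every port open. The SPN filter matches the exact string from the event, so pass the Management Server name in the same form (usually the FQDN) that the event shows.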

For more information about the ports required for the System Center Operations Manager, and the authentication in Operations Manager, refer to the following TechNet articles:

Authentication and Data Encryption for Windows Computers in Operations Manager 2007, available at: http://technet.microsoft.com/en-us/library/bb735408.aspx

Using a Firewall with Operations Manager 2007, available at: http://technet.microsoft.com/en-us/library/cc540431.aspx
