When you try to install a System Center Operations Manager agent on a workgroup computer without using a gateway server, Operations Manager cannot see the workgroup computer

Symptoms

When you try to install a Microsoft System Center Operations Manager agent on a workgroup computer without using a gateway server, Operations Manager cannot see the workgroup computer.

Additionally, the following error message will be logged in the Operations Manager event log:
Event ID: 21007
The OpsMgr connector cannot create a mutually authenticated connection to <Management server> because it is not in a trusted domain.
Event ID: 21016
Opsmgr was unable to setup a communication channel to <Management server> and there is no failover hosts

Cause

This problem usually occurs when the agent cannot establish a secure communication channel to the management server because the correct certificates are not available. Agents on workgroup computers cannot use the Kerberos protocol for mutual authentication, so certificates must be used for mutual authentication in any environment in which the Kerberos protocol is not available.

Resolution

To resolve this problem, you can configure an Operations Manager server to monitor a remote, untrusted workgroup computer without using a gateway server. To do this, certificate authentication is required between the management server and the agent-managed workgroup computer. Presumably, this scenario will be common in a perimeter network (also known as DMZ, demilitarized zone, and screened subnet).

 To configure an Operations Manager server to monitor a stand-alone, agent-managed workgroup computer, you must have the following certificates:
  • An imported certification authority (CA) root certificate for the management server and for the workgroup computer
  • A certificate for the Root Management Server (RMS) or for the management server

    Note The subject name (CN) of the certificate must be the fully qualified domain name (FQDN) of the server.
  • A certificate for the workgroup computer
Note If the workgroup computer is addressed by an FQDN, the computer should also use the FQDN format to request the certificate for this computer. Otherwise, you will receive the following error message:
The specified certificate could not be loaded because the Subject name on the certificate does not match the local computer name Certificate Subject Name: XXXXXX Computer Name: XXXXXX.XXXXXX.com
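The following PowerShell script is an added example and is not part of this article or of Operations Manager itself. Run on the management server or on the workgroup computer, it checks the prerequisites listed above (a certificate whose Subject CN is the FQDN, with a private key, whose chain builds to an imported trusted root and which carries the Client Authentication and Server Authentication enhanced key usages) and also lists any of the connector events from the Symptoms section. It assumes the log is named "Operations Manager" and that the script runs from an elevated prompt; pass -ExpectedFqdn explicitly when DNS does not return the name the computer is addressed by.

```powershell
# Added example (not from KB 947691): checks the certificate prerequisites listed above on
# the management server or on the workgroup computer. Assumptions: run as an administrator;
# the 'Operations Manager' log only exists once the server or agent is installed.
param(
    # Name the computer is addressed by; the certificate Subject CN must equal it.
    [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$problems = @()

# Show the connector failures from the Symptoms section (Event IDs 21007 and 21016), if any.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 21007, 21016 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    Write-Host ("{0}  Event {1}: {2}" -f $e.TimeCreated, $e.Id, $e.Message)
}

# Candidates: local computer Personal store, private key present, Subject CN = FQDN.
$cnPattern = '^CN=' + [regex]::Escape($ExpectedFqdn) + '(,|$)'
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match $cnPattern })
if ($candidates.Count -eq 0) {
    $problems += "No certificate with a private key and Subject CN '$ExpectedFqdn' in LocalMachine\My" +
                 " (this mismatch produces the 'Subject name ... does not match' error)."
}

foreach ($cert in $candidates) {
    # Enhanced Key Usage must contain both OIDs the article tells you to verify.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @(); if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($required in $ClientAuthOid, $ServerAuthOid) {
        if ($oids -notcontains $required) { $problems += "$($cert.Thumbprint): EKU lacks $required" }
    }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "$($cert.Thumbprint): expired on $($cert.NotAfter)" }

    # The chain must build to a root in Trusted Root Certification Authorities (step 1 below).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "$($cert.Thumbprint): chain does not build ($status); import the CA chain (Certnew.p7b)"
    }
}

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ } } else {
    Write-Host "Certificate prerequisites look correct for $ExpectedFqdn."
}
```

Each warning names the thumbprint of the certificate that fails a check, so a store that holds several certificates with the same CN can still be sorted out before you run MOMCertImport.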

How to monitor a workgroup computer without using a gateway server

  1. Import the Root CA certificates for the management server and for the agent-managed workgroup computer. To do this, follow these steps.

    Note You must follow these steps on the management server and on the workgroup computer. You must have a root certification authority (CA) installed, and you must be able to create another certificate by using object identifiers (OIDs). If you do not have a root certification authority installed, see the "How to install a root certification authority in a domain" section.
    1. From the server desktop, open a Web browser, and then point it at the certification authority server. For example, type the following address:
      http://certification_authority_server/certsrv
    2. Click Download a CA certificate, certificate chain, or CRL.
    3. Click Download CA certificate chain.

      Note A certificate that is named Certnew.p7b is downloaded. Save this certificate on the desktop.
    4. When the download is finished, click Start, click Run, type mmc, and then click OK to open a Microsoft Management Console (MMC) instance.
    5. On the File menu, click Add/Remove Snap-in, click Add, and then click Certificates.
    6. Click Add, select Computer account, and then click Next.
    7. Select Local computer, click Finish, click Close, and then click OK.
    8. Under Trusted Root Certificate Authorities, right-click Certificates, point to All Tasks, and then click Import.
    9. Click Import, and then click Next.
    10. When you are prompted for the certificate file, click Browse.
    11. Change Files of type to PKCS #7 Certificates (*.spc,*.p7b ).
    12. Click the appropriate certificate file that you downloaded from the certification authority server, and then click Open.
    13. Click Next, and then click Finish.
  2. Configure the enterprise root certification authority server to support the Operations Manager certificates. To do this, follow these steps:
    1. Use domain administrator credentials to log on to the enterprise subordinate certification authority server.
    2. Click Start, click Run, type mmc, and then press ENTER.
    3. On the File menu, click Add/Remove Snap-in.
    4. Click Add.
    5. Under Add Standalone Snap-in, click Certificate templates, and then click Add.
    6. Click Certification Authority, and then click Add.
    7. In the Certification Authority snap-in, select the Local computer (the computer this console is running on) option.
    8. Click Finish.
    9. Click Close, and then click OK.
    10. In the Certification Authority snap-in, verify that the Certificate Templates snap-in and the Certification Authority snap-in appear.
    11. Click Certificate Templates.
    12. In the details pane, right-click Computer, and then click Duplicate Template.
    13. On the General tab, change the template name to a meaningful name for your organization. For example, you can use OpsMgr2007 as the template name. Verify that the validity period meets your organization’s requirements.
    14. Click the Request Handling tab, and then click Allow private key to be exported.
    15. Click the Subject name tab, and then click Supply in the Request option.
    16. Click the Security tab.
    17. Grant Enroll and Auto enroll permissions for the following groups in all domains:
      • Authenticated users
      • Domain Admins
      • Domain Computers
      • Enterprise Admins
    18. Click Apply, and then click OK.
    19. To verify the settings, expand Certificate Templates.
    20. In the details pane, right-click the template that you configured, click Properties, verify your settings, and then click OK.
    21. Expand Certification Authority (local), and then expand your certification authority.
    22. In the console tree, right-click Certificate Templates, point to New, and then click Certificate Template to Issue.
    23. Select the new template, and then click OK.
    24. Verify that the new template appears in the details pane, and then verify that the Server Authentication entry and the Client Authentication entry appear under Intended Purpose.
    25. Close the snap-in.
    26. Click Start, click Run, type gpupdate /force in the Open field, and then press ENTER.

      Note This step forces a Group Policy update on the domain controller and a replication of these changes throughout the forest.
    27. Click Start, click Run, type http://name_of_the_issuing_CA_Server/certsrv in the Open field, and then press ENTER.
    28. If you are prompted, enter the domain administrator account name and the password.
    29. On the Certificate Services Web page, click Request a certificate under Select a task.
    30. Click Advanced certificate request.
    31. Click Create and submit a request to this CA.
    32. In the Certificate template list, verify that your new certificate template appears.
  3. Submit the certificate request to the certification authority server. To do this, follow these steps on the management server and on the workgroup computer:
    1. Click Start, click Run, type http://name_of_the_issuing_CA_Server/certsrv in the Open field, and then press ENTER.
    2. If you are prompted, enter the domain administrator account name and password.
    3. On the Certificate Services Web page, click Request a certificate under Select a task.
    4. Click Advanced certificate request.
    5. Click Create and submit a request to this CA.
    6. In the Certificate Template field, select the template that you configured in step 2. For example, select OpsMgr2007.
    7. In the Name field, type the FQDN of the computer that you are requesting the certificate for: the FQDN of the RMS server when you request on the management server, and the FQDN of the workgroup computer when you request on the workgroup computer.
    8. Select the Mark key as exportable check box. When you are using the Web certificate request UI, you must also select the Store the certificate in the local computer certificate store check box.

      Note The certificate will be unusable if this is not done.
    9. Click Submit to submit your request to the certification authority server, and then follow the instructions that appear on the screen.
    10. Depending on the security configuration on the CA, you may have to wait for an administrator to manually approve the request. It is not guaranteed that the certificate can be downloaded immediately.
    11. Verify the certificate. To do this, follow these steps:
      1. Click Start, click Run, type mmc, and then press ENTER.
      2. On the File menu, click Add/Remove Snap-in.
      3. Click Add.
      4. Select the Certificates snap-in, and then click Add.
      5. Select My user account, click Finish, click Close to close the snap-in list, and then click OK to close the Add/remove snap-in window.
      6. Expand Certificates – Current User, expand Personal, expand Certificates, and then select the server certificate.
      7. Double-click the certificate, and then select the Details tab.
      8. In the list, click Enhanced Key Usage. You should see the following entries:
        • Client Authentication (1.3.6.1.5.5.7.3.2)
        • Server Authentication (1.3.6.1.5.5.7.3.1)
  4. Configure the Operations Manager 2007 server to use certificates that can be exported from the computer private store. To do this, follow these steps:
    1. Click Start, click Run, type mmc, and then press ENTER.
    2. On the File menu, click Add/Remove Snap-in.
    3. Click Add.
    4. Click Certificates, and then click Add.
    5. Select Computer account, and then click Finish.
    6. Select Local computer, click Finish, click Close to close the snap-in list, and then click OK to close the Add/remove snap-in window.
    7. Expand Certificates (local computer), expand Personal, expand Certificates, and then select a suitable certificate.
    8. Right-click the certificate, point to All tasks, and then click Export.
    9. Click Next.
    10. Select Yes, export private key, and then click Next.
    11. Use the default setting for the file format.
    12. Type a password for the file.
    13. Type a file name, and then click Next. For example, type C:\RMS.pfx.
    14. Click Finish.
    15. Repeat all these steps on the management server and on the workgroup computer.
  5. Install the agent on the workgroup computer. To do this, follow these steps.

    Note Because you are performing a manual installation of the agent, you must use the agent setup executable file that is available in the \Agent\i386 folder in the Operations Manager distribution location.
    1. Run the MOMAgent.msi file.
    2. On the Welcome screen, click Next.
    3. When you are prompted for a folder destination for the software, accept the default location, and then click Next.
    4. When you are prompted to configure the management group information, accept the default settings, and then click Next.
    5. Type the management group name, the management server name, and the port, and then click Next.
    6. Accept the default settings, and then click Next.
    7. Verify that all information that you have entered is correct, and then click Install to start the installation.
    8. When the installation is complete, click Finished to exit the installation.
  6. Use the Momcertimport tool to import the certificate. To do this, follow these steps.

    Note The Momcertimport tool is used to enter the serial number of the specific certificate in the registry. You must follow these steps on the management server and on the workgroup computer. Make sure that the Operations Manager agent is installed on the workgroup computer. Otherwise, you will receive an error when you run the Momcertimport tool.
    1. Click Start, and then click Run.
    2. In the Open field, type cmd, and then click OK.
    3. At the command prompt, type drive_letter:, and then press ENTER.

      Note drive_letter is the drive on which the Operations Manager installation media is located. 
    4. Type cd \SupportTools\i386, and then press ENTER.
    5. Type the following command, and then press ENTER, where path_of_the_pfx_file is the .pfx file (including the private key) that you exported in step 4, for example C:\RMS.pfx:
      MOMCertImport path_of_the_pfx_file
    6. Restart the OpsMgr Health service.
  7. Wait for the management server to see the manual installation and to request approval. This should take some time (five to ten minutes). When you are prompted, approve the agent. The workgroup agent can now communicate with the server.

How to install a root certification authority in a domain

Note If your site already has a root certification authority, skip these steps.

To install certification authority services on a domain controller, follow these steps. This sample procedure uses a domain controller. However, you can install the root certification authority anywhere in your domain.
  1. Log on to a domain controller.
  2. Click Start, click Control Panel, double-click Add or Remove Programs, and then click Add/Remove Windows Components.
  3. Scroll down until you find Certificate Services, and then select it. Make sure that you select both the suboptions for the services. When you select these components, you receive a warning message. This message tells you not to change the name of the computer or its domain membership. After you read the warning, click Yes to continue, and then click Next.
  4. When the wizard prompts you for the CA type, select Stand-Alone Root CA, and then click Next.
  5. When the wizard prompts you for a common name for the certification authority, use the NetBIOS name or the Domain Name System (DNS) host name. For this example, type DC01, and then click Next.
  6. Accept the default database settings, and then click Next.
Certification authority services are now installed on the server. To access the services, visit the following Web site:
http://server_name/certsrv
Note Type http://dc01/certsrv in this example.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Article ID: 947691 - Last Review: 19/03/2012 - Revision: 1