
The OpsMgr Connector could not connect to MSOMHSvc\rms01.local

So there you are on your first Operations Manager installation. All is looking well so far… you have your first agents deployed in your environment and they have started to heartbeat. Some generate alerts. Nothing shocking… But, well you know… there are some problems in your environment. Hmmm… Looks like a security problem. Okay, well you know what? The health service on my RMS named RMS01 is running under the Local System account. Maybe it doesn’t have enough privileges to perform the tasks it wants to perform. Let’s try a domain administrator account (DomAdmin).

You click Start >> Administrative Tools >> Services, and you change the logon credentials of the “OpsMgr Health Service” to the domain administrator ‘DomAdmin’. Having done that you restart the service, and voilà, you’re done…

Are you?...

Whoops… this can’t be true… one by one your agents start giving up on you. Worse, the RMS was first. They all turn grey. No heartbeat? What’s happenin’ man?

Okay, here’s what happened:

To support mutual authentication between your agents and the Operations Manager management server, your SCOM installation registered a Service Principal Name (SPN) under the security principal (user or group) in whose security context the service executes. Since the service (in this case) was running under the Local System account, the SPN was registered under the computer account RMS01$. When you changed the credentials nothing happened, but as soon as you restarted the service, the same SPN was registered in Active Directory a second time under the newly entered credentials of the domain administrator ‘DomAdmin’, and that’s not allowed: an SPN must map to exactly one account, because the KDC uses it to decide which account’s key to encrypt the service ticket with. With two candidates the KDC refuses, and Kerberos mutual authentication between agents and the RMS fails.

The symptoms are as described above. Furthermore, the agents will have the following entries in the event log:

Event Type:                  Error
Event Source:              OpsMgr Connector
Event Category:           None
Event ID:                      20057
Date:                            5/30/2007
Time:                           9:55:55 AM
User:                            N/A
Computer:                    <ComputerName>
Description:
Failed to initialize security context for target MSOMHSvc/rms01.local The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And:

Event Type:                   Error
Event Source:               OpsMgr Connector
Event Category:            None
Event ID:                       21001
Date:                             5/30/2007
Time:                            9:55:55 AM
User:                             N/A
Computer:                     <ComputerName>
Description:
The OpsMgr Connector could not connect to MSOMHSvc/rms01.local because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

And:

Event Type:                   Error
Event Source:               OpsMgr Connector
Event Category:            None
Event ID:                       21016
Date:                             5/30/2007
Time:                            9:53:44 AM
User:                             N/A
Computer:                     <Computername>
Description:
OpsMgr was unable to set up a communications channel to rms01.local and there are no failover hosts.  Communication will resume when rms01.local is both available and allows communication from this computer.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The domain controller will have the following entry in the System event log:

Event Type:                   Error
Event Source:               KDC
Event Category:            None
Event ID:                       11
Date:                             5/30/2007
Time:                            9:12:49 AM
User:                             N/A
Computer:                     <DomainControllerName>
Description:
There are multiple accounts with name MSOMHSvc/rms01.local of type DS_SERVICE_PRINCIPAL_NAME.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Can we solve this?... yes we can and here’s how:

To generate a list of the accounts that the SPN is registered to, export the domain from a domain controller and search the export:

  1. From the domain controller, open a command prompt and then type the following string:
    ldifde -f domain.txt
  2. Open the text file in Notepad and then search for the SPN that is reported in the event log.
    ServiceClass/host.domain.com (in this case look for MSOMHSvc/rms01.local)
  3. Note the user accounts under which the SPN is located and the organizational unit the accounts reside in. The userPrincipalName should be located directly above the servicePrincipalName registration, as in the example below (for a computer account such as RMS01$ you will see a sAMAccountName instead of a userPrincipalName).
    userPrincipalName: <UserPrincipalName>
    servicePrincipalName: ServiceClass/host.domain.com

Use one of the following options to delete the SPN registration from the accounts that should not contain a registration for ServiceClass/host.domain.com, i.e. typically any account carrying an SPN registration for ServiceClass/host.domain.com that no service is explicitly starting with. Make sure you know which credentials you want to keep (in this case the Local System account or the domain administrator) and see to it that the service is running with the credentials you want to use. Delete the SPN from the other one.

Using ADSIEdit

  1. Add ADSIEdit to the MMC and bind to the domain using the Domain well known naming context.
  2. Navigate to each user account you previously documented as having a duplicate SPN registration and right click the account and select properties.
  3. Scroll through the list of attributes until you see servicePrincipalName, double click servicePrincipalName and remove the duplicate SPN registration and click on OK and exit ADSIEdit.

Using SetSPN

  1. From the command prompt type the following command and hit Enter (omit :Port when the SPN has no port, as MSOMHSvc/rms01.local does not):
    setspn -D ServiceClass/host.domain.com:Port AccountName

Make sure to test before performing this operation in a production environment.
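Searching a large ldifde export by hand for the one SPN named in the event is error-prone, and it only finds the SPN you already know about. The PowerShell script below is an added example, not code from the original post or from Microsoft: it parses the domain.txt export produced in step 1, indexes every servicePrincipalName it finds, reports any SPN that is registered on more than one object, and prints (but does not run) the matching setspn -D command for each owner so you can pick the account to clean up. The LDIF text embedded in the script is a constructed sample of the failure described above (RMS01$ and DomAdmin both holding MSOMHSvc/rms01.local) and is only used when domain.txt is not present; the parameter names and the helper structure are this example's own.

```powershell
# Added example: find SPNs registered on more than one account in an ldifde export.
# Assumes the export was created with "ldifde -f domain.txt" (step 1 above).
param(
    [string]$LdifPath = "domain.txt",
    [string]$Spn = "MSOMHSvc/rms01.local"   # SPN from KDC event 11 / OpsMgr event 21001; "" lists all duplicates
)

# Constructed sample of an ldifde export, used only when $LdifPath does not exist
# so the script runs stand-alone. Real exports are much larger.
$sample = @'
dn: CN=RMS01,OU=Servers,DC=local
changetype: add
objectClass: computer
sAMAccountName: RMS01$
servicePrincipalName: HOST/RMS01
servicePrincipalName: HOST/rms01.local
servicePrincipalName: MSOMHSvc/RMS01
servicePrincipalName: MSOMHSvc/rms01.local

dn: CN=DomAdmin,OU=Admins,DC=local
changetype: add
objectClass: user
sAMAccountName: DomAdmin
userPrincipalName: DomAdmin@local
servicePrincipalName: MSOMHSvc/RMS01
servicePrincipalName: MSOMHSvc/rms01.local
'@

$lines = if (Test-Path $LdifPath) { Get-Content $LdifPath } else { $sample -split "`r?`n" }

# Pass 1: split the LDIF into records. A record starts at "dn:" and ends at a blank line;
# every attribute is kept as a list because servicePrincipalName is multi-valued.
# Base64 ("attr:: ...") and wrapped continuation lines are not decoded; SPNs are plain ASCII.
$records = @()
$current = $null
foreach ($line in @($lines) + "") {          # trailing "" flushes the last record
    if ($line -eq "") {
        if ($null -ne $current) { $records += $current; $current = $null }
        continue
    }
    if ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') {
        $name, $value = $Matches[1], $Matches[2]
        if ($name -eq 'dn') { $current = @{ dn = $value }; continue }
        if ($null -ne $current) {
            if (-not $current.ContainsKey($name)) { $current[$name] = @() }
            $current[$name] += $value
        }
    }
}

# Pass 2: index SPN -> owning records. SPN comparison is case-insensitive, as in the KDC.
$owners = @{}
foreach ($r in $records) {
    foreach ($s in @($r['servicePrincipalName'])) {
        if (-not $s) { continue }
        $key = $s.ToLowerInvariant()
        if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
        $owners[$key] += $r
    }
}

# Report every SPN with more than one owner (optionally only the one named in the event).
$found = $false
foreach ($entry in $owners.GetEnumerator()) {
    if ($entry.Value.Count -le 1) { continue }
    if ($Spn -and $entry.Key -ne $Spn.ToLowerInvariant()) { continue }
    $found = $true
    Write-Host "Duplicate SPN $($entry.Key) is registered on $($entry.Value.Count) objects:"
    foreach ($r in $entry.Value) {
        $sam = @($r['sAMAccountName'])[0]
        Write-Host "  $sam  ($($r['dn']))"
        # Printed, not executed: run it only against the account that does NOT run the Health Service.
        Write-Host "    setspn -D $($entry.Key) $sam"
    }
}
if (-not $found) { Write-Host "No duplicate SPN registrations found." }
```

On Windows Server 2008 and later the same check can be done live against the directory with `setspn -X` (list all duplicate SPNs in the forest) and `setspn -Q MSOMHSvc/rms01.local` (show which object holds one SPN); the script is useful when you want to work from the offline export the post describes, or when you need to review an export from a domain you cannot query directly.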

Good luck.
