Common Issues with using Certificates in SCOM environment

How to install a gateway (GW) or agent with certificate authentication is already covered on other blogs, for example Stefan Stranger's blog:

https://blogs.technet.com/b/stefan_stranger/archive/2012/04/17/monitoring-non-domain-members-with-om-2012.aspx

The goal of this post is to emphasize the points that matter most when a certificate is used for authentication.

In a SCOM environment, authentication between a management server and an agent can work in one of two ways: Kerberos authentication or mutual authentication.

When agents run in the same domain as the management server, or in a trusted domain, Kerberos authentication is used. An agent in a workgroup, in a domain without a trust, or connecting through a gateway server must use mutual authentication with a certificate.

In such a situation, where certificates are needed for authentication, first verify that name resolution works between the agent or GW server and the management server (in both directions), then make sure port 5723 is open to the management server.

Then, when issuing a certificate for the GW or agent, you must also issue a certificate for the management server, and import both with the MOMCertImport tool.

The reason the management server certificate needs emphasis is that many blogs do not give it much attention, and it is worth making clear to IT admins: once the management server certificate has been imported the first time, there is no need to issue a new one for it again, so from then on a certificate is issued only for each new agent.

Another important point: when the issued certificate has been transferred to the server and you need to put it into the certificate store, be careful not to import it by double-clicking the certificate file and choosing the Personal store, because that places the certificate under 'Current User'. It then has to be moved to the Personal store under 'Local Computer', and copying between stores breaks the link to the certificate's private key.

Event 21036 then appears in the event log, and you have to import the original certificate again into the Personal store.

The correct way is to open the Local Computer / Personal store and import the certificate directly into that store.
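As an added example (not part of the original post), the checks above can be run on the agent or GW server from PowerShell: name resolution, port 5723, whether the certificate sits in the Local Computer Personal store with its private key intact, and whether event 21036 has been logged. The management server name and certificate subject are placeholders; adjust them for your environment.

```powershell
# Added pre-flight check for certificate authentication in SCOM (not from the original post).
# Hostname and subject below are placeholders for your own environment.
$ManagementServer = 'ms01.example.local'          # placeholder: your management server FQDN
$CertSubject      = "CN=$env:COMPUTERNAME"        # assumed: the agent/GW certificate subject

# 1. Name resolution toward the management server (run the mirror check on the MS as well).
$dns = Resolve-DnsName -Name $ManagementServer -ErrorAction SilentlyContinue
if ($dns) { "Resolved $ManagementServer -> $($dns.IPAddress -join ', ')" }
else      { Write-Warning "Cannot resolve $ManagementServer" }

# 2. TCP port 5723 must be reachable from here to the management server.
$tcp = Test-NetConnection -ComputerName $ManagementServer -Port 5723 -WarningAction SilentlyContinue
"Port 5723 open: $($tcp.TcpTestSucceeded)"

# 3. The certificate must be in LocalMachine\My (Local Computer / Personal), not CurrentUser\My,
#    and must still carry its private key. Copying between stores loses the key -> event 21036.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$CertSubject*" }
if (-not $certs) {
    Write-Warning "No certificate matching '$CertSubject' in Cert:\LocalMachine\My"
    if (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -like "*$CertSubject*" }) {
        Write-Warning 'Found it under CurrentUser\My instead: re-import the original file into Local Computer / Personal, do not copy it'
    }
}
else {
    foreach ($c in $certs) {
        "$($c.Subject)  thumbprint $($c.Thumbprint)  HasPrivateKey=$($c.HasPrivateKey)  expires $($c.NotAfter)"
        if (-not $c.HasPrivateKey) {
            Write-Warning 'Private key missing: import the original certificate again into Local Computer / Personal'
        }
    }
}

# 4. Recent 21036 events in the Operations Manager log mean the agent cannot use its certificate.
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 21036 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# After a correct import, register the certificate with the agent/GW:
#   MOMCertImport.exe /SubjectName "<subject of the certificate>"
```

Run it in an elevated PowerShell session so the Local Computer store and the Operations Manager log are readable.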