Push-installed agent stuck in Pending Management
Symptoms
A push-installed agent stays in Pending Management. The agent logs events 20071 and 21016, which show that the connection was closed without authentication taking place.
Cause
Authenticated Users / Everyone are missing from the “Access this computer from the network” policy on the SCOM management server (MS).
Troubleshooting
This issue does not happen with all SCOM agents, only a few, and mostly with newly deployed SCOM agents.
We can install the SCOM agent on servers using the Discovery wizard without any issues, but the agent goes into Pending Management and shows the installation as in progress forever. The only option offered is to reject it. The agent should have appeared under Agent Managed instead of Pending Management.
We can see this agent's information in the agentpendingaction table.
We also found that even if the agent is installed manually, it does not show up under Pending Management, and there is no information about it at all on the SCOM MS or in the DB.
With a manual installation, we don't see the agent information in the agentpendingaction table.
Even though both the SCOM MS and the agent machine are in the same domain, we were seeing events 20071/21016 like the ones below:
***************************
Log Name: Operations Manager
Source: OpsMgr Connector
Date: 8/1/2016 3:40:15 PM
Event ID: 20071
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: agent.domain.com
Description:
The OpsMgr Connector connected to scomms.domain.com, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server . Check the event log on the server and on the agent for events which indicate a failure to authenticate.
***************************
Log Name: Operations Manager
Source: OpsMgr Connector
Date: 8/1/2016 3:39:49 PM
Event ID: 21016
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: agent.domain.com
Description:
OpsMgr was unable to set up a communications channel to scomms.domain.com and there are no failover hosts. Communication will resume when scomms.domain.com is available and communication from this computer is allowed.
***************************
We verified and confirmed that there are no issues with agent-to-MS communication. Telnet to 5723, NSLOOKUP and PING work fine. There is no firewall between the agent and the MS.
We took SCOM ETL traces and found the SSPI failures below:
********************************************************************
05337 [2]1296.7508::08/02/2016-14:40:18.371 [MOMChannel] [] [Error] :MOMChannel::SSPIUtil::ServerPerformSSPISetup{SSPIUtil_cpp780}AcceptSecurityContext failed, error = -2146893044(SEC_E_LOGON_DENIED)
05338 [2]1296.7508::08/02/2016-14:40:18.371 [MOMChannel] [] [Error] :MOMChannel::SSPIAsyncSink::ContinueInternal{SSPIAsyncSink_cpp1664}SSPI Setup failed
********************************************************************
Resolution
It seems the MS is not accepting connections from some agents.
We implemented the plan below on the SCOM MS and the issue was resolved.
Add Authenticated Users and Everyone to the “Access this computer from the network” group policy setting, found under:
Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> “Access this computer from the network”.
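One way to confirm the cause before the change and verify it afterwards, as an added example that is not part of the original article: run this elevated on the SCOM MS to export the effective user rights with secedit and check whether Authenticated Users (S-1-5-11) and Everyone (S-1-1-0) hold SeNetworkLogonRight, the constant behind “Access this computer from the network”. The scratch file name is an arbitrary choice.

```powershell
# Added example: run in an elevated PowerShell session on the SCOM management server.
# Exports the effective user rights assignment and checks SeNetworkLogonRight
# ("Access this computer from the network") for the two principals named in the resolution.

$export = Join-Path $env:TEMP 'scom-user-rights.inf'   # scratch file, name is arbitrary
secedit.exe /export /areas USER_RIGHTS /cfg $export /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

# The export contains one line per right, e.g. "SeNetworkLogonRight = *S-1-5-32-544,..."
$entry = Select-String -Path $export -Pattern '^\s*SeNetworkLogonRight\s*=\s*(.*)$' |
    Select-Object -First 1
Remove-Item $export -ErrorAction SilentlyContinue

if (-not $entry) {
    # A right with no holders is omitted from the export entirely
    Write-Warning 'SeNetworkLogonRight is not defined: no principal holds the right.'
    return
}

# secedit writes SIDs as *S-1-...; accounts it cannot map to a SID appear by name
$holders = $entry.Matches[0].Groups[1].Value -split ',' |
    ForEach-Object { $_.Trim().TrimStart('*') }

# Well-known SIDs for the principals the resolution adds
$expected = [ordered]@{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-1-0'  = 'Everyone'
}

foreach ($sid in $expected.Keys) {
    $name = $expected[$sid]
    [pscustomobject]@{
        Principal            = $name
        Sid                  = $sid
        HasNetworkLogonRight = ($holders -contains $sid) -or ($holders -contains $name)
    }
}
```

If the setting comes from a domain GPO, the output changes only after the updated policy has been applied to the MS (for example after `gpupdate /force`).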