Certificate Import Failure in OpsMgr SP1

Certificate Import Failure in OpsMgr SP1

July 21, 2010

So this was an issue that I hadn’t come across before, and before I get to the meat of the issue, let me give you some background…

I am in the process of migrating our customers OpsMgr SP1 environment to R2. They have a very large and complicated architecture, and based on best practice (and common sense) maintain 2 Management Groups, LAB (for testing) and PROD.

As part of the migration plan, the LAB Management Group will be upgraded first, allowing for troubleshooting any potential issues that may occur when it comes time to migrate PROD. To simulate a DMZ, the 2 LAB Management Servers are configured with Certificates to allow monitoring of agents in a non-trusted domain.

And this is where I found my issue…

The Issue

I noticed during my Health Check that the Health Service on one of the Management Servers was not being monitored (greyed out). I fixed this issue, but in troubleshooting it I discovered that all of the “DMZ” agents that report to this MS were offline. Digging deeper, I found a series of events with ID 21036 indicating that…

The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication.  The error is The credentials supplied to the package were not recognized
(0x8009030D).

A google search led me to a post by Joe Elway with an issue exhibiting the same issue. Having read through Joe’s post, and confirming that the certificate had not been imported into the Operations Manager certificate store, I took a slightly different approach.

The Solution

I manually imported the certificate into the Operations Manager certificate store by right clicking the cert store, selecting import and then following the on screen wizard. After restarting the Health Service, I can now see that all my “DMZ” agents are reporting in correctly.

I need to point out that if you are having this issue, you still need to run the MOMCERTIMPORT tool as this writes the certificate serial number to the registry, so that OpsMgr knows which cert to use.

Twitter Digg Delicious Stumbleupon Technorati Facebook Email
Featured, OpsMgr
, , , ,

About Dan Kregor

View all posts by Dan Kregor