[msmom] Gateway server woes
Kerberos may not be working in the other direction - I did check for
success/fail audits on the Kerberos auth on the gw and there were
neither. I will investigate the lack of mutual authentication in the
morning. If needed I can probably get logging turned up -
Wireshark/netmon would be more difficult.
Thank you both!
Ken Schaefer wrote:
>
> I think the issue that is complicating the problem is the use of
> Selective Authentication. However I would have assumed that
> Read/Allowed to Authenticate would be sufficient. Have you verified
> that Kerberos authN is working the other way (since Ops Manager uses
> mutual authentication, not one-way authN)?
>
> If we think it's working properly in both directions, then:
>
> Can we bump up:
>
> a) Security audit logging on the MS
>
> b) Kerberos logging on GW, MS and relevant DCs
>
> To see if we can get more events logged?
>
> Alternatively, can we get a Wireshark packet capture from the GW and
> MS to see if we can see any Kerberos related failures?
>
> Cheers
>
> Ken
>
> *From:* admin@lists.myITforum.com [mailto:admin@lists.myITforum.com]
> *On Behalf Of *Pete Zerger
> *Sent:* Friday, 28 August 2009 7:03 AM
> *To:* msmom@lists.myitforum.com
> *Subject:* Re: [msmom] Gateway server woes (UNCLASSIFIED)
>
> If no certs here, then Kerberos is failing plain and simple. Off the
> top of my head, the most common issues I've seen in these
> circumstances are
>
> 1) Admin only thinks they have a forest trust (but actually have two
> one-way external trusts)
>
> 2) Name resolution is not fully functional (which can lead to issue
> number three)
>
> 3) Legitimate issues exist with the trust relationship preventing
> Kerberos authentication.
>
> Regards,
>
> Pete Zerger, MS-MVP - Operations Manager 2007
> Founder, System Center Central: http://www.systemcentercentral.com
> Founder System Center Virtual User Group
> http://www.systemcenterusergroup.com
>
> On Thu, Aug 27, 2009 at 5:01 PM, Taylor, Terry N Mr CTR USA MEDCOM
> USAMITC wrote:
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Not using certs ... I thought that I could get away without them being
> that there is a 2-way forest trust - apologies for not pointing that
> out explicitly.
>
>
> Regards,
> Terry
> 210-295-3408
>
> -----Original Message-----
> From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Pete Zerger
>
> Sent: Thursday, August 27, 2009 4:48 PM
> To: msmom@lists.myitforum.com
> Subject: Re: [msmom] Gateway server woes (UNCLASSIFIED)
>
> Check name resolution from the downstream node and port connectivity.
>
> On your certs, check
>
> * That each host in the conversation trusts the issuer of the
> opposing host's cert.
> * That the certificate configuration is correct, including OIDs AND
> * that the correct serial number was written to the registry
> with MOMCertImport.
>
> Registry key for the serial is
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations
> Manager\3.0\Machine Settings
>
> Regards,
>
> Pete Zerger, MS-MVP - Operations Manager 2007
> Founder, System Center Central: http://www.systemcentercentral.com
> Founder System Center Virtual User Group
> http://www.systemcenterusergroup.com
>
> On Thu, Aug 27, 2009 at 4:36 PM, Taylor, Terry N Mr CTR USA MEDCOM
> USAMITC wrote:
>
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Hey Pete -
>
> Thanks for responding. Those generic errors are all that I
> have. There are no other relevant warning-critical errors on the gw,
> upstream MS, or RMS in that range. :(
>
> This gw (candidate) and MS are in separate enclaves, so I'm
> always suspicious of ports and general network com - but if I telnet
> from the gw to the ms on port 5723 I get the blinking cursor (as
> opposed to an immediate connection termination) - I'm looking at
> netstat -n | find "hostIP" right now to see if anything jumps out there...
>
> Regards,
> Terry
> 210-295-3408
>
>
> -----Original Message-----
> From: admin@lists.myITforum.com [mailto:admin@lists.myITforum.com] On Behalf Of Pete Zerger
> Sent: Thursday, August 27, 2009 3:57 PM
> To: msmom@lists.myitforum.com
> Subject: Re: [msmom] Gateway server woes (UNCLASSIFIED)
>
> 20070 and 21016 are generic errors you will see with every
> authentication failure, but do not tell us anything specific. Sort
> that log for us and find a warning or critical error in the 20,000 -
> 21,000 range. This is the event that will give us the real story.
>
> If you do not see anything definitive there, go to the upstream
> mgmt server and look for events in the same range in the OpsMgr log on
> that box.
>
>
> Regards,
>
> Pete Zerger, MS-MVP - Operations Manager 2007
> Founder, System Center Central: http://www.systemcentercentral.com
> Founder System Center Virtual User Group
> http://www.systemcenterusergroup.com
>
> On Thu, Aug 27, 2009 at 3:48 PM, Taylor, Terry N Mr CTR USA
> MEDCOM USAMITC wrote:
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> I need to install a gateway server residing in a
> separate forest. There is a 2-way forest trust in place, and the
> trust is configured for selective authentication. The forest where the
> gateway resides is single domain. The forest where the Management
> Group lives has a disjointed namespace, so there is an "empty" root,
> and then a separate tree for resource domains - CONUS.yadayada.mil,
> PAC.CONUS.yadayada.mil, EUR.CONUS.yadayada.mil. The management group (RMS,
> databases, and 2X MS) reside in CONUS. Management group is at R2.
>
> I have:
>
> · Added the machine account for the gateway
> server to the security permissions for both MS servers' machine accounts
> with 'read' and 'allowed to authenticate'
> · Installed the gw server software on the
> gateway (default port, Domain account as GW action account)
> · Approved the gateway server
> · Verified port 5723 is available between gw
> server and ms server(s)
> · Verified name resolution in both directions
>
> On the MS I'm logging:
>
> Event Type: Error
> Event Source: OpsMgr Connector
> Event Category: None
> Event ID: 20002
> Date: 8/27/2009
> Time: 10:50:53 AM
> User: N/A
> Computer: hostname
> Description:
> A device at IP x.x.x.x:1132 attempted to connect but
> could not be authenticated, and was rejected.
>
> On the GW server I'm logging:
>
> Event Type: Error
> Event Source: OpsMgr Connector
> Event Category: None
> Event ID: 20070
> Date: 8/27/2009
> Time: 2:41:35 PM
> User: N/A
> Computer: hostname
> Description:
> The OpsMgr Connector connected to XXXXXX, but the
> connection was closed immediately after authentication occurred. The
> most likely cause of this error is that the agent is not authorized to
> communicate with the server, or the server has not received
> configuration. Check the event log on the server for the presence of
> 20000 events, indicating that agents which are not approved are
> attempting to connect.
>
> I can see from the security log on the MS that I'm
> authenticating via Kerberos. I have an object for the new gw in
> "management servers", showing as not monitored (assuming that was
> populated by the approval tool), but it never shows up in pending
> management. I have rebooted both the MS and the RMS. :puzzled:
>
> Any advice or suggestions welcome and appreciated.
>
> _____________________________
> Terry N. Taylor (Contractor)
> USAMITC Enterprise Monitoring
> 210-295-3408
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> ==============
> Missed an email? Check out the list archive:
>
> http://myitforum.com/cs2/blogs/momlist/
==============
Missed an email? Check out the list archive:
http://myitforum.com/cs2/blogs/momlist/
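An added PowerShell script (example code, not from the thread, from Microsoft, or from the list) that runs from the gateway candidate the three checks the thread walks through by hand: name resolution with a reverse-lookup cross-check, the TCP 5723 handshake Terry tested with telnet, and the 20,000 - 21,000 event sweep Pete asks for. The 'Operations Manager' log name is an assumption taken from OpsMgr 2007 defaults; the upstream MS FQDN is passed as -ManagementServer.

```powershell
# Added example, not code from the thread. Run on the gateway candidate
# against the upstream MS. Assumes the OpsMgr 2007 defaults the thread uses:
# TCP 5723, the 'Operations Manager' log and the 'OpsMgr Connector' source.
param(
    [Parameter(Mandatory=$true)][string]$ManagementServer,  # upstream MS FQDN
    [int]$Port = 5723,
    [int]$Hours = 24
)

function Test-OpsMgrNameResolution {
    param([string]$HostName)
    try { $entry = [System.Net.Dns]::GetHostEntry($HostName) }
    catch { return New-Object PSObject -Property @{ Name = $HostName; Ok = $false } }
    $reverse = foreach ($addr in $entry.AddressList) {
        try { [System.Net.Dns]::GetHostEntry($addr).HostName } catch { "<no PTR for $addr>" }
    }
    # Ok only when some PTR maps back to the forward name: the mismatch a disjoint namespace makes easy.
    New-Object PSObject -Property @{
        Name    = $HostName
        Forward = ($entry.AddressList | ForEach-Object { $_.IPAddressToString }) -join ','
        Reverse = $reverse -join ','
        Ok      = [bool]($reverse -contains $entry.HostName)
    }
}

function Test-OpsMgrPort {
    param([string]$HostName, [int]$Port)
    # A completed handshake is the scripted form of the "blinking cursor"
    # telnet test in the thread: it proves the path is open, not authentication.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000, $false)) { return $false }
        $client.EndConnect($async)
        return $client.Connected
    } catch { return $false } finally { $client.Close() }
}

function Get-OpsMgrAuthEvents {
    param([int]$Hours)
    # 20000-21000 is the range Pete points at; 20070 and 21016 are the generic ones.
    Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' `
        -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.EventID -ge 20000 -and $_.EventID -le 21000 } |
        Sort-Object TimeGenerated -Descending |
        Select-Object TimeGenerated, EntryType, EventID, Message
}
Test-OpsMgrNameResolution $ManagementServer | Format-List
"TCP $Port reachable: " + (Test-OpsMgrPort $ManagementServer $Port)
Get-OpsMgrAuthEvents $Hours | Format-Table -AutoSize -Wrap
```

Run the same script on the MS with the gateway's FQDN to cover the other direction; only the event sweep differs, since the MS logs the 20002 rejection rather than the 20070 close.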