I recently ran into an interesting issue with a customer. A Windows 2000 Agent (running OpsMgr SP1) was not able to process configuration due to problems creating/using the self-signed certificate that the Health Service uses (this is not a Gateway or DMZ scenario, this is the certificate that all agents create and use). At first, we were seeing the following errors in the OpsMgr Event Log:
Event ID: 1220 Description: Received configuration cannot be processed. Management group "<MANAGEMENT_GROUP_NAME>". The error is Cannot find the certificate and private key for decryption. (0x8009200B).
Event ID: 21021 Description: No certificate could be loaded or created. This Health Service will not be able to communicate with other health services. Look for previous events in the event log for more detail.
After removing/reinstalling the agent, the Health Service would not start, and the following error was seen in the System Event Log:
Event ID: 7024 Description: The OpsMgr Health Service service terminated with service-specific error 2148073494.
This error maps to "Keyset does not exist".
This looks to me like the Health Service is having problems creating its self-signed certificate. To investigate this:
Check to see if we have the certificate in the certificate store:
Here’s what it looks like when the cert is there:
If the certificate is there and we still think we’re having problems with it, there’s no harm in deleting it….it should be re-created when the Health Service starts. In our case, since we had uninstalled the agent, the certificate was removed. When we tried to start the Health Service, it was failing to create the certificate. So, the next step is to verify that the Health Service is running under the context of the Local System account:
If it is, then the next step is to verify that the System and Administrator accounts have Full Control of the following directories:
%System Drive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
%System Drive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18
Also, verify that the Administrators group is the owner of these directories. This is necessary for the Local System account to be able to create the certificate.
So, everything above checked out fine in my customer’s environment. While researching this, I came across another customer case where some other service was failing to create a certificate because a service named “Protected Storage Service” was not running. I tested on a Windows Server 2003 Agent and could not reproduce the problem…we created the self-signed cert just fine without the Protected Storage service running. Then, I remembered that my customer’s problem was on a Windows 2000 Agent, and the other customer case I was reading was quite old, so likely from Windows 2000.
Anyway, we checked the Protected Storage Service and it was disabled. Enabled and start it and the Health Service started without error, created its certificate, and was talking to the Management Server in no time.
So, if you have any of the above errors, check to verify that the Protected Storage Service is started.
A while ago I bumped into the same issue and solved it in another manner. Also blogged about it: http://thoughtsonopsmgr.blogspot.com/2009/02/eventid-7024.html
It is good to see that you used another approach but got the same endresult as well. I'll refer to this posting in my blogarticle.
Do these certificates automatically renew? By reading this and looking at a number of our agents, they are set to expire in less than a month.
Yes, it should renew automatically. You really should never have to touch this, unless your Health Service is failing to start.
Hello. The same problem but i couldn't even find a folder in Certificates which names "Operation Manager". How could i create it?
First, verify that you are looking in the Certificate store for Local Computer and not for your user account. If the folder isn't there, then it should be created once we are able to create the certificate....so try to resolve the problem using the steps in this blog and see if it gets created.
Saw additional Event IDs 7005, 7009 and 7022 in the Operations Manager event log.
Searched the net for this error:
Event Type: Error
Event Source: HealthService
Event Category: Health Service
Event ID: 7022
Time: 1:17:25 p.m.
The Health Service has downloaded secure configuration for management group <Management Group Name>, and processing the
configuration failed with error code 0x80FF0066(0x80FF0066).
Both articles mention registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\<Management Group Name>\SSDB\References.
Imported this key from a working server. Server is still reporting as healthy.
I had the same problem, cant start the service, and just start Protected Storage service and solve my problem.
I ran into the same problem on a Windows 2008 R2 server and it was the permissions on the folder C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 that were wrong. Thank you Jimmy!
We're having this exact same problem with the SCOM2012 agent. We're "baking" it into our image and the certificate has the name of the image template. Removing the cert, then bouncing the service fixed it. Thanks for pointing me in the right direction.