Kevin Holman's System Center Blog


Rare gateway / certificate issue – Event 20077 - the certificate cannot be queried for property information


I was installing a gateway in a locked down DMZ environment today, and ran across an issue getting my certificates to work.

My DMZ based gateway has NO access to browse the Enterprise CA’s website, so I had to request and issue my certificates, and export them all manually.  When trying to use the certificate for the GW – I was getting this event during Health Service startup in the OpsMgr log:

Event Type:    Error
Event Source:    OpsMgr Connector
Event Category:    None
Event ID:    20077
Date:        2/5/2011
Time:        1:48:35 PM
User:        N/A
Computer:    DMZGW1
The certificate specified in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings cannot be used for authentication, because the certificate cannot be queried for property information.  The specific error is 0x80092004(%3).
This typically means that no private key was included with the certificate.  Please double-check to ensure the certificate contains a private key.

I was using the following documentation:

How to Obtain a Certificate Using Windows Server 2008 Enterprise CA in Operations Manager 2007


The only difference was – I could not submit the request and directly import it using the machine in the DMZ.  Instead I was using my desktop to submit the request to the CA, and then download a copy of it.  This downloaded copy was a .CER file.

It imported just fine in the computer personal store – but would not work – giving the error event above.


After a little digging, I found an internal article with the following resolution:

  • Open certmgr for "Computer account" in MMC as a snap-in.
  • Double-click the certificate in question.
  • Go to the "Details" tab.
  • Scroll down until you find the "Thumbprint" section.
  • Copy the information and paste it into a text editor such as Notepad. It typically looks like this:
      fb 5a d6 35 50 84 fd 6c ec ca b8 47 2a 36 94 d6 63 15 d3 be
  • Run the following command:
      certutil.exe -repairstore My "thumbprint"
  • In the above example the command would look like this:
      certutil.exe -repairstore My "fb 5a d6 35 50 84 fd 6c ec ca b8 47 2a 36 94 d6 63 15 d3 be"
  • Once this is done, on opening the certificate we should see the text "you have a private key that corresponds to this certificate."


After doing this – sure enough – I verified that the certificate in my computer personal store now has the correct “You have a private key that corresponds to this certificate”



Now – I had to re-import my trusted root certificate chain, and bounce the Health Service on the Gateway, and it all worked perfectly.


I don’t expect this to be a common issue, but figured it worthy of writing up in case others run into this situation.
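
The check and repair described in the steps above, as an added PowerShell example that is not part of the original post: it looks up the certificate by thumbprint in the computer's personal store, tests whether a private key is associated with it, and runs the same certutil command only when it is not. The default thumbprint is the sample value from the post; the script is assumed to run in an elevated session on the gateway.

```powershell
# Added example: verify that a machine-store certificate has its private key
# associated, and run the certutil repair from the post only if it does not.
param(
    # Thumbprint as copied from the certificate's "Details" tab (spaces allowed).
    # The default is the sample value shown in the post.
    [string]$Thumbprint = 'fb 5a d6 35 50 84 fd 6c ec ca b8 47 2a 36 94 d6 63 15 d3 be'
)

# Text copied from the MMC dialog can carry spaces and invisible characters;
# keep only hex digits so the store lookup matches.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($clean.Length -ne 40) {
    throw "Expected a 40-hex-digit SHA-1 thumbprint, got $($clean.Length) digits."
}

function Get-MachineCert([string]$tp) {
    # LocalMachine\My is the "Personal" store of the computer account.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $tp }
}

$cert = Get-MachineCert $clean
if (-not $cert) {
    throw "No certificate with thumbprint $clean in the LocalMachine\My store."
}

if ($cert.HasPrivateKey) {
    Write-Output "OK: $($cert.Subject) already has an associated private key."
    return
}

Write-Output "No private key associated with $($cert.Subject); running repairstore."
& certutil.exe -repairstore My $clean
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed with exit code $LASTEXITCODE."
}

# Re-read the store entry. The repair can only re-associate a key that already
# exists on this machine, for example because the request was generated here.
$cert = Get-MachineCert $clean
if ($cert.HasPrivateKey) {
    Write-Output "Repaired: private key is now associated with the certificate."
} else {
    Write-Warning "Still no private key; the key pair may not exist on this machine."
}
```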

  • I think the thumbprint is not correct because you made request CertReq -New -f RequestConfig.inf CertRequest.req not on GW machine, so it created request with wrong thumbprint

    I had related problems too

  • I did run the certreq for the inf on the gateway.  Then I copied that file to my workstation to process, then copied the cert back to the GW.  So I don't think that's it.

  • You describe a false path, the path is correct -   :)

  • Hi Kevin,  Thanks for posting.  You saved my day and probably my IT contract!

  • Thank you Kevin. Solved my problem. Took me a couple of hours though to find this thread.

  • Thanks, this solved my problem on an old 2003 gateway server :)
