System Center Operations Manager 2007 uses mutual authentication when it communicates with its agents. The agent first tries Kerberos; when Kerberos is not possible (the agent is not in a domain trusted by the management server), certificates are used to secure the channel instead. If you have agents that lie outside your domain, such as in a DMZ, you will need to use certificates for agent-to-server communication.
In order to configure certificates for this communication you will need to complete the steps below:
1. Importing Trusted Root certificate.
On all servers (RMS, Management server and all Workgroup servers):
2. Creating and installing Server (Client, Server) Certificates
For the root management server(RMS) and management server(MS):
3. Creating and installing Server (Client, Server) Certificates
For workgroup and/or DMZ servers (request the certificate with the full computer name, e.g. servername.domain.com, not the short computer name, even if the server is in a workgroup):
4. Export the Server (Client, Server) Certificate
This must be done on all Workgroup/DMZ servers, root management server(RMS) and management servers (MS):
5. Allow manual agent installation.
Before the first manual agent installation, the global setting for manual agent installs must be changed from "Reject new manual agent installations" to "Review new manual agent installations in pending management view" in the Operations Console of OpsMgr 2007:
6. Manual OpsMgr 2007 agent installation
On the workgroup and/or DMZ servers:
7. Running MOMCertImport.exe on the servers.
This must be done on every server that takes part in the certificate-based communication (RMS, management servers, gateway servers and the workgroup/DMZ agents), not on every server in your network. Make sure the MOMCertImport.exe you use matches the architecture of the machine (there are separate 32-bit and 64-bit builds) and that it comes from the same version of the OpsMgr media as the server or agent installed on that system:
8. Approve agent
After every manual agent installation the new agent must be approved in the Operations Console of OpsMgr 2007 (it appears under Pending Management):
To check that the agent was approved successfully, look in the "Agent Managed" view and confirm the agent is listed there.
9. Create Run As Account
In the System Center Operations Manager Console:
10. Change default Action Account Run As profile
That should be it, but in case you need more information please see Authentication and Data Encryption for Windows Computers in Operations Manager 2007.
Hope this helps,
Sudheesh Narayanaswamy | Operations Manager Support Engineer
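As an added example (not part of the original post), the following PowerShell script checks a certificate against the requirements OpsMgr 2007 enforces before handing it to MOMCertImport.exe: the Subject must equal the full computer name, the private key must be present in the Local Computer Personal store, the certificate needs both the Server Authentication and Client Authentication enhanced key usages, the Digital Signature and Key Encipherment key usages, and it must chain to a root in the Local Computer Trusted Root store. It then registers the certificate with `MOMCertImport /SubjectName`, restarts the Health Service and checks the Operations Manager log for the 20052 subject-mismatch event shown in the comments below. The file paths and the management server name are assumptions for illustration; the tool must be run from an elevated prompt.

```powershell
# Added example, not code from the original post. Assumptions (adjust to your
# environment): the three paths/names below. Run elevated on the RMS/MS/gateway
# and on each workgroup/DMZ agent after the .pfx has been imported into the
# Local Computer Personal store (Cert:\LocalMachine\My).
$ErrorActionPreference = 'Stop'
$rootCerPath   = 'C:\Certs\ContosoRootCA.cer'              # assumed: exported root CA certificate
$momCertImport = 'C:\OpsMgrTools\AMD64\MOMCertImport.exe'  # assumed; use the x86 build on 32-bit hosts
$mgmtServer    = 'rms01.contoso.com'                       # assumed RMS/MS FQDN (used on the agent side)

# The "full computer name" as shown in System Properties: hostname plus primary DNS
# suffix. The certificate Subject and the /SubjectName argument must both use it,
# even on workgroup machines; a short name produces OpsMgr Connector event 20052.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = if ($ipProps.DomainName) { '{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName } else { $ipProps.HostName }

# Step 1: import the trusted root into the *computer* store, not the user store.
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCerPath
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
if (-not $store.Certificates.Contains($root)) { $store.Add($root) }
$store.Close()

function Test-OpsMgrCertificate {
    # Returns the list of problems found; an empty list means the certificate is usable.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedSubject
    )
    $problems = @()
    $subjectCn = $Cert.GetNameInfo('SimpleName', $false)
    if ($subjectCn -ne $ExpectedSubject) {
        $problems += "Subject '$subjectCn' does not match the full computer name '$ExpectedSubject'"
    }
    if (-not $Cert.HasPrivateKey) {
        $problems += 'No private key (import the .pfx, not the .cer, into Cert:\LocalMachine\My)'
    }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $required = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'; '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
    foreach ($entry in $required.GetEnumerator()) {
        if ($ekuOids -notcontains $entry.Key) { $problems += "Missing Enhanced Key Usage $($entry.Value) ($($entry.Key))" }
    }
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    foreach ($flag in 'DigitalSignature', 'KeyEncipherment') {
        $wanted = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$flag
        if (-not $ku -or -not ($ku.KeyUsages -band $wanted)) { $problems += "Missing Key Usage $flag" }
    }
    if (-not $Cert.Verify()) {
        $problems += 'Chain does not validate; is the issuing root in Cert:\LocalMachine\Root?'
    }
    return $problems
}

# Steps 2-4 and 6 have put a certificate in the Personal store; pick the one that passes.
$usable = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    @(Test-OpsMgrCertificate -Cert $_ -ExpectedSubject $fqdn).Count -eq 0
}
if (-not $usable) {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $why = @(Test-OpsMgrCertificate -Cert $_ -ExpectedSubject $fqdn) -join '; '
        Write-Warning ('{0}: {1}' -f $_.Thumbprint, $why)
    }
    throw "No certificate in Cert:\LocalMachine\My satisfies the OpsMgr requirements for $fqdn"
}

# Step 7: register the certificate with the OpsMgr connector by subject name
# (the alternative form is: MOMCertImport <file.pfx> /Password <password>).
& $momCertImport /SubjectName $fqdn
if ($LASTEXITCODE -ne 0) { throw "MOMCertImport.exe returned exit code $LASTEXITCODE" }

# On the DMZ agent: confirm TCP 5723 (the OpsMgr agent/server port) is reachable
# before waiting for the agent to appear under Pending Management.
$tcp = New-Object System.Net.Sockets.TcpClient
try { $tcp.Connect($mgmtServer, 5723); Write-Output "TCP 5723 to $mgmtServer is open" } finally { $tcp.Close() }

# The Health Service reads the certificate at startup; restart it and look for the
# 20052 mismatch event. No 20052 after the restart means the certificate loaded.
Restart-Service -Name HealthService
Get-EventLog -LogName 'Operations Manager' -Source 'OpsMgr Connector' -Newest 20 |
    Where-Object { $_.EventID -eq 20052 } |
    Format-List TimeGenerated, EventID, Message
```

If the script throws on a machine where the .pfx was exported without its private key, re-export it from the issuing machine with "Yes, export the private key" selected; MOMCertImport cannot use a certificate whose private key is missing from the Local Computer store.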
I followed this to the letter (except the killing in point 1.8, 4.5 and 7.1...) and it finally enabled communication between my agents and server. I'm not sure where exactly I failed when doing this exact thing previously on my own, but the only things I know I did differently was not selecting "strong protection" on export and selecting the installed certificate from the momcertimport gui rather than specifying a pfx in command line...
Thanks for this!
Why does step 7 have to be done all servers? I just want 1-3 servers outside our domain for monitoring our hosted URLs, but I am not sure I follow why we have to touch all server within our network to do this.
What is meant here by all servers is the RMS\MS\Gateway and the clients ... not all servers on your network.
Step 2.5.e which asks you to select the local computer store is not available. Is it because of the CA type? I am using Server 2008 R2 SP1.
For the DMZ servers, sometimes it expects the server names to be in FQDN. You can find a similar event on your DMZ server:
Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 20052
Time: 1:18:06 PM
The specified certificate could not be loaded because the Subject name on the certificate does not match the local computer name
Certificate Subject Name : SERVER1
Computer Name : SERVER1.CONTOSO.COM
In section 1. Importing Trusted Root certificate.
It says "Kill" where I believe it should say "Click". In a few places this is the case.
Does this procedure also work in OpsMgr 2012?
Hi, I have this issue.
I have issued the certificate for a non-domain server, signed by my AD CA, and placed it in the Local Computer Personal folder. This cert has the private key included.
When I start MOMCertImport /SubjectName server.domain.local, in the Local Computer Operations Manager folder I receive a self-signed certificate server.domain.local.
It is not signed by my AD CA :-(
The port in the step 6 is wrong, it should be 5723
Another bit. In the steps 3.a and 3.f, it should be "full computer name", as I've just spent hours playing with a Lync edge server which has a computer name: servername and a full computer name: servername.domain.com. You guess, creating a cert and entering only the computer name didn't work, so I had to recreate it with the full comp name (servername.domain.com), even though the server is in a workgroup, and reimport the cert, and then it worked.
The correct steps mentioned above are 3.5.a and 3.5.f.