Solving the Gateway 20071 event

5 Jan

After installing a GW or Agent using a certificate, you keep getting the 20071 event, which says: “The OpsMgr Connector connected to opstapms01, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server . Check the event log on the server and on the agent for events which indicate a failure to authenticate.”

You have double-checked every normal solution, such as the certificate chain, network connection, ports, setup, etc. So what is causing this, and how do you solve it?

A very important step is to check the registry. Go to the OPS registry hive and check whether the FQDN is supplied for NetworkName and AuthenticationName. If this doesn’t match your certificate common name, you will get the 20071 event.

Just change it and restart the OpsMgr service.
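The check described above can be scripted. This is an added example, not code from the original post: it only reads the two values and compares them with a certificate's common name. `-ParentKey` is a placeholder for the registry key that holds NetworkName and AuthenticationName (the post does not give its path), and `-CertFile` is a hypothetical path to an exported .cer of the certificate you are comparing against.

```powershell
# Added example (not from the original post).
# -ParentKey: PLACEHOLDER for the key in the OPS registry hive that holds
#             NetworkName and AuthenticationName; the post does not give its path.
# -CertFile:  hypothetical path to an exported .cer of the certificate to compare.
param(
    [Parameter(Mandatory = $true)][string] $ParentKey,
    [Parameter(Mandatory = $true)][string] $CertFile
)

# Read the certificate and take its subject common name.
$certPath = (Resolve-Path -LiteralPath $CertFile).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn = $cert.GetNameInfo($nameType, $false).Trim()   # subject CN when the subject has one

# Read both values from the supplied key; stop if the key itself is missing.
$props = Get-ItemProperty -LiteralPath $ParentKey -ErrorAction Stop

$results = foreach ($name in 'NetworkName', 'AuthenticationName') {
    $value = [string]$props.$name          # empty string when the value is absent
    [pscustomobject]@{
        RegistryValue = $name
        Data          = $value
        CertificateCN = $cn
        LooksLikeFqdn = $value.Contains('.')
        MatchesCN     = ($value.Trim() -ne '') -and ($value.Trim() -eq $cn)  # -eq ignores case
    }
}

$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.MatchesCN }) {
    Write-Warning 'Registry name and certificate CN differ: expect event 20071 until they match.'
}
```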

Happy SCOM’ing

Michel Kamp


23 Responses to “Solving the Gateway 20071 event”

  1. MM August 30, 2012 at 01:38 #

    Thanks for that, been trying to figure out what the hell was stopping the connection. I ended up adding the reg keys manually, restarting the services, this has removed them again, but somehow fixed the issue. Obviously something was missing.

    Thanks again

  2. Emanuel December 28, 2012 at 21:06 #

    Yes, that worked! Thank you!

  3. Abdul January 14, 2013 at 13:18 #

    Awesome post ! Cheers

  4. Anonymous April 25, 2013 at 11:42 #

    It worked. Thank you.

  5. Jonas Gomes May 23, 2013 at 17:42 #

    Good…Thanks..

  6. Ted June 5, 2013 at 20:35 #

    So, from your screen shot, I’m assuming that’s your gateway server. So, are you saying that using the momcertimport tool, you imported the OpsMgr cert for OPSTAPMS01.xyz.local to the gateway server and that CN has to match the registry info? Or, is the registry screen shot you’re showing the RMS emulator or management server in the management group?

    • Michel Kamp June 6, 2013 at 05:19 #

      Hi,

      The screenshot is from a GW server. But the same applies to agents.

      Michel

      Sent from my Windows Phone

  7. medhatrizk June 26, 2013 at 10:37 #

    Hello,

    I have the same issue with the same error with 2 gateway servers: one was working and the other has never been working, but now the 2 are generating the same error. I checked the registry on both; they are pointing to the MS with the same name as its certificate, but I don't know what the problem is.

    • Michel Kamp June 26, 2013 at 11:10 #

      Hi,

      Make sure you use as GW FQDN the FQDN of the mng server. You can do this using the host file. This must be used since SCOM 2012.

      Michel

      Sent from my Windows Phone

      • medhatrizk June 26, 2013 at 11:18 #

        Thank you for your fast reply.
        I did; it is resolving the FQDN from both sides, and from the MS I’ve added the GW with the FQDN and the same from the GW server. By the way, I’m using a standalone CA following this article:
        http://technet.microsoft.com/en-us/library/bb735417.aspx

      • Michel Kamp June 26, 2013 at 12:10 #

        Did you also import the cert chain on the mng servers?

        Sent from my Windows Phone

      • medhatrizk June 26, 2013 at 12:13 #

        Yes, and there was one server that was working and I deleted the certificate in the personal store by mistake, then added it again and ran momcert import, then made sure from the reg key, but it stopped working, generating event ID 20071.

      • Michel Kamp July 6, 2013 at 17:05 #

        Please send me some screenshots of the MS server and agent. Needed: computer properties, computer cert store and trusted store, and a regkey screenshot.

    • geertbaeten July 8, 2013 at 16:11 #

      When trying to add some new Windows 2012 machines to SCOM 2012 SP1 I came across eventids 20070, 20071, 21016 and 36888 and managed to solve it as follows:

      https://geertbaeten.wordpress.com/2013/07/08/scom-agent-or-gateway-certificate-issue/

      Perhaps this might help?

  8. CsG April 17, 2016 at 09:40 #

    I do not think this is the problem. The parent server data is in those fields and the parent server information is not in the certificate. It is important to use the FQDN and the same targets in those fields, because the SCOM agent on the GW wants to connect there and it is not possible if it is a GW in a different domain. But there is no relation to the cert.

    • michel kamp April 17, 2016 at 11:02 #

      Hi CsG,

      This is ALL about the certificate name and the registry settings below. Only this way will it work. At the time I wrote this post, and that was a long time ago, it was verified by the SCOM product team itself. If you have another solution, fine, then please share it so it can help others too.

      Thanks,

      Michel

      • CsG April 18, 2016 at 12:49 #

        I have two environments, and each of them has around 20 management servers and more than 20 gateways. Those registry settings are for the parent management servers, that is, the servers the gateway has to connect to. Both registry entries have to be the same, of course. The certificate has to store the FQDN of the gateway, but the cert is for the gateway and that registry setting is for the parent SCOM communication. There is no direct or close connection between them. Of course the communication will work if all components store and use the FQDN.

      • michel kamp April 18, 2016 at 13:15 #

        CsG,

        This issue comes up when you use a gateway outside of your organisation and use a different FQDN to connect the GW to the MS servers (or whatever chaining of GW / MS servers you have in place).

        I worked then for a cloud monitoring company that was monitoring customers all over the world using GW servers at the customer side and one central SCOM environment in one datacenter.

        It was also a loooong time ago to remember the details… but if I remember correctly, we had this because we used a public common FQDN to connect to the MS servers from the GW servers. So every GW connection was going to gateway.domain.local. Since the MS server FQDN is different from the gateway.domain.local name used, it will not connect. Etc.

      • CsG April 18, 2016 at 13:21 #

        Hi Michel

        Yep, of course I’m talking about the different FQDN. I’m using GWs because of the different domain (different FQDN, different service users, fws…) and using GWs if the latency is too high.

        Sorry to refresh this post, I was just working on several issues which are so similar to it. Most of the time the problem is caused by the certificates if the user followed the golden rule: use FQDN all the time 😀

      • michel kamp April 18, 2016 at 13:40 #

        Correct, but the main difference here is that normally you specify the FQDN of the MS server. But in my scenario you specify a different alias FQDN for the MS server. Since the FQDNs are checked by the channel connection mechanism, it won’t match and won’t connect. Etc.
