This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 75%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESB%3C/text%3E%3C/svg%3E)
I am trying to monitor a untrusted domain member and I have created a cert for the untrusted domain member (with client and server authentication) from our internal CA and imported it into the untrusted domain member.
The comms between them are open and fine. but I get below events that regarding Kerberos authentication between untrusted domain member and SCOM management server.
Also created host file on the untrusted domain member and the SCOM management server to each other so they resolve fine.
the SDK account has SPN correctly set for the SCOM Management server.
Failed to initialize security context for target MSOMHSvc/xxxxxxxxxxxxxxxxxx. The error returned is 0x80090303(The specified target is unknown or unreachable). This error can apply to either the Kerberos or the SChannel package.
***
The OpsMgr Connector could not connect to MSOMHSvc/xxxxxxxxxxxxxxxxxxx because mutual authentication failed. Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.
***
The OpsMgr Connector connected to xxxxxxxxxxxxxxxxxxxxxxxxxxxx, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server . Check the event log on the server and on the agent for events which indicate a failure to authenticate.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 91%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
you said imported did you use the momcertimport tool?
Did you also put a cert on the Management server/gateway that the agent is communicating with?
Also look at this tool to validate the cert
https://blakedrumm.com/blog/scom-certificate-checker-script/
We found it easiest to put a gateway in the untrusted domain and get the gateway to authenticate with certificates to the management server. Then all the agents can use kerb auth to the gateway. this avoids multiple cert setups and multiple or large firewall rules.
Hi Stephen, i used momimport cert directly on the untrusted domain member in it. the cert has both client and server authentication usage type enabled. so it is the kerberos authentication that is failing and it is expected to fail as there is no trust between these domains.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 92%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
Hi,
Monitoring an untrusted domain member in SCOM can be challenging due to the lack of Kerberos authentication. The errors you're encountering suggest issues with mutual authentication and the SPN registration.
Here are some steps and considerations that might help resolve the issues:
-Certificate Installation: Ensure that the certificate imported into the untrusted domain member has the correct permissions and is properly installed. The certificate should be for both client and server authentication.
-Host Files: Double-check the host files on both the untrusted domain member and the SCOM management server to ensure they resolve correctly.
-Service Principal Name (SPN): Verify that the SPN for the SCOM Management server is correctly set. The SPN is crucial for mutual authentication.
-Gateway Server: If you're using a Gateway server, ensure that it's correctly configured to communicate with the untrusted domain member.
-Agent Installation: The agent on the untrusted domain member should be installed and configured correctly. You might need to use the MomCertImport tool to import the certificate for the agent.
-Firewall and Ports: Check that the necessary ports are open and the firewall settings allow communication between the untrusted domain member and the SCOM management server.
Hi XinGuo, from the above suggestiong you have provided, i have followed everything except. the SCOM Management server has SPN set for their SDK Service Account.
Can you guide some solution to fix kerberos authentication. there is no truste between the domains. they can resolve fine and no comms or ports issue. Certs has both Client And Server authentication.
we dont have any Gateway server in the untrusted domain member.
But still the following error exist:
Failed to initialize security context for target MSOMHSvc/xxxxxxxxxxxxxxxxxx. The error returned is 0x80090303(The specified target is unknown or unreachable). This error can apply to either the Kerberos or the SChannel package.
Hi,
We could treat untrusted domain members as workgroup servers and should use certificate authentication not Kerberos.
Please refer to the link below:
Hi , I tried the same and having the same error message
Failed to initialize security context for target MSOMHSvc/xxxxxxxxxxxxxxxxxx. The error returned is 0x80090303(The specified target is unknown or unreachable). This error can apply to either the Kerberos or the SChannel package.
***
The OpsMgr Connector could not connect to MSOMHSvc/xxxxxxxxxxxxxxxxxxx because mutual authentication failed. Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.
***
The OpsMgr Connector connected to xxxxxxxxxxxxxxxxxxxxxxxxxxxx, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server . Check the event log on the server and on the agent for events which indicate a failure to authenticate.
did you run the powershell script to validate the cert on both the agent and the management/gateway server? I believe that both ends need a cert and need to be created from the same CA.
Yes, the certs are valid on the untrusted domain member as i have installed the root cert from the issuing CA.
Could you take a screenshot for the following steps:
And check the event log on the server and on the agent for events which indicate a failure to authenticate.
could anyone provide suggestions ?