SCOM 2022 agent in trusted domain issues (two-way forest trust with selective authentication)

Bojan Zivkovic 466 Reputation points
2024-11-25T09:19:00.97+00:00

Hi, I have a two-way forest trust with selective authentication between forest A and forest B. Having installed a SCOM 2022 Management Server in forest A and deployed SCOM agents to all servers in the same forest, I have issues with the SCOM agents on all servers in the trusted forest B:

Failed to initialize security context for target MSOMHSvc/SCOMServerFQDN. The error returned is 0xC0000413(0xC0000413). This error can apply to either the Kerberos or the SChannel package.

OpsMgr was unable to set up a communications channel to SCOMServerFQDN and there are no failover hosts. Communication will resume when SCOMServerFQDN is available and communication from this computer is allowed.

For security reasons I have to keep the two-way forest trust with selective authentication. I guess that with this type of trust I do not need a Gateway Server. Any help would be highly appreciated.


4 answers

  1. XinGuo-MSFT 19,696 Reputation points
    2024-11-26T02:35:55.36+00:00

    Hi,

    Failed to initialize security context for target MSOMHSvc/SCOMServerFQDN. The error returned is 0xC0000413(0xC0000413). This error can apply to either the Kerberos or the SChannel package.

    The default configuration on SCOM 2019 Agents is that service accounts and RunAs accounts will now leverage the “Log on as a Service” user right, and no longer require the “Log on locally” user right. This means that in order for any RunAs account to work, Log on as a Service is now required.

    When you install SCOM 2019, the setup program automatically configures this for accounts you specify during setup. You can review this by opening the Local Security Policy > Local Policies > User Rights Assignment > Log on as a service:


    Security changes in SCOM 2019 – Log on as a Service – Kevin Holman's Blog


    Configuring Selective Authentication for User Profile Migration


  2. Bojan Zivkovic 466 Reputation points
    2024-11-26T19:25:40.7466667+00:00

    Still, I am not sure what I should do here.


  3. XinGuo-MSFT 19,696 Reputation points
    2024-11-27T07:19:34.8233333+00:00

    Based on the description in the document above, we can try to add the SCOM service accounts to a Local Group for Authentication:

    • Enable Selective Authentication
    • Create a Domain Local Group in the Target Domain
    • Set Access Control on "Domain Controllers" OU or a Specific Domain Controller
    • Add Source Domain Accounts to Local Group for Authentication
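The four steps above, scripted as an added example that is not from the thread or from Microsoft (0xC0000413 in the question is STATUS_AUTHENTICATION_FIREWALL_FAILED, the status a principal receives when selective authentication denies it on the target object, which is what steps 2 to 4 address). It assumes the script runs in the target forest with the ActiveDirectory module and rights to create the group and edit the object's ACL; the group name, object DN and FORESTB accounts are placeholders, and the DN may be the Domain Controllers OU named in the thread or a specific computer object such as the management server's.

```powershell
# Added example (not from the thread): scripts steps 2-4 of the answer above.
# Assumes it runs in the target forest (A) as an account that may create groups
# and edit the target object's ACL, with the ActiveDirectory module installed,
# and that selective authentication (step 1) is already set on the trust.
Import-Module ActiveDirectory

$GroupName      = 'SCOM-AllowedToAuthenticate'                  # placeholder
$TargetObjectDN = 'OU=Domain Controllers,DC=forestA,DC=example' # per the thread; a computer DN also works
$SourceAccounts = @('FORESTB\SCOMAGENT01$', 'FORESTB\svc-scom-action') # placeholders; '$' = computer account

# Step 2: domain local security group in the target domain.
function New-SelectiveAuthGroup([string]$Name) {
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope DomainLocal -GroupCategory Security
    }
    return Get-ADGroup -Identity $Name
}

# Step 4: add a source-forest account by SID; the DC creates the foreignSecurityPrincipal
# itself, which avoids Add-ADGroupMember failing to resolve members from another forest.
function Add-ForeignMember([string]$Group, [string]$Account) {
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    Set-ADGroup -Identity $Group -Add @{ member = "<SID=$sid>" }
}

# Step 3: grant Allowed-To-Authenticate. On an OU the ACE is inherited by descendant
# computer objects only; on a single computer object it is applied directly.
function Grant-AllowedToAuthenticate([System.Security.Principal.SecurityIdentifier]$Sid, [string]$ObjectDN) {
    $allowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # Allowed-To-Authenticate extended right
    $computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class
    $right = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    if ((Get-ADObject -Identity $ObjectDN).ObjectClass -eq 'organizationalUnit') {
        $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
        $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                    $Sid, $right, $allow, $allowedToAuth, $inherit, $computerClass)
    } else {
        $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                    $Sid, $right, $allow, $allowedToAuth, $inherit)
    }
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}
$group = New-SelectiveAuthGroup -Name $GroupName
foreach ($a in $SourceAccounts) { Add-ForeignMember -Group $GroupName -Account $a }
Grant-AllowedToAuthenticate -Sid $group.SID -ObjectDN $TargetObjectDN
```

After the change, the agent's HealthService must be restarted so it requests a fresh ticket; if the 0xC0000413 event persists, the principal that actually presents the MSOMHSvc request (the agent computer account, not a RunAs account) is the one to check for group membership.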

  4. Bojan Zivkovic 466 Reputation points
    2024-11-30T16:02:41.0433333+00:00

    Same errors:

    Failed to initialize security context for target MSOMHSvc/SCOMServerFQDN. The error returned is 0xC0000413(0xC0000413). This error can apply to either the Kerberos or the SChannel package.

    OpsMgr was unable to set up a communications channel to SCOMServerFQDN and there are no failover hosts. Communication will resume when SCOMServerFQDN is available and communication from this computer is allowed.

