Mutual Authentication in Operations Manager 2007
In Operations Manager 2007, mutual authentication is required between agents, Management Servers, and gateway servers. It is achieved by using either the Kerberos version 5 protocol or certificates. The Kerberos protocol is used within an Active Directory domain, between domains with two-way trusts, or between forests with a two-way forest trust. The Kerberos protocol is not used across an external trust. Certificates must be used in any environment where the Kerberos protocol cannot be used.
When an agent initiates communication with a gateway server, Management Server, or Root Management Server, or when a gateway server initiates communication with a Root Management Server or Management Server, the agent or the gateway server first attempts to authenticate by using the Kerberos protocol. If mutual authentication using the Kerberos protocol is not possible, it then attempts to mutually authenticate by using certificates.
If the authentication attempt is unsuccessful, events are written to the Operations Manager Event Log on both the server and agent computers.
The following is an example of an event.
Event Type:Error
Event Source:OpsMgr Connector
Event Category:None
Event ID:21007
Date:1/19/2007
Time:11:01:57 AM
User:N/A
Computer:Sales
Description:
The OpsMgr Connector cannot create a mutually authenticated connection to contoso.com because it is not in a trusted domain.
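For triage of the event shown above, the following added example (not part of the original documentation) groups event 21007 records by reporting computer and unreachable peer. The function name is hypothetical, the message pattern is assumed from the single sample event on this page, and the log name in the final comment is taken from this page's wording.

```powershell
# Added example: summarize mutual-authentication failures (event 21007, source
# "OpsMgr Connector"). Message wording is assumed from the page's sample event.
function Get-MutualAuthFailureSummary {
    [CmdletBinding()]
    param(
        # Records exposing Id, ProviderName, MachineName, TimeCreated, Message
        # (the property names Get-WinEvent emits).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$InputObject
    )
    begin {
        $pattern = 'mutually authenticated connection to (?<peer>\S+) because (?<reason>.+?)\.?\s*$'
        $hits = [System.Collections.Generic.List[object]]::new()
    }
    process {
        foreach ($e in $InputObject) {
            if ($e.Id -ne 21007 -or $e.ProviderName -ne 'OpsMgr Connector') { continue }
            $m = [regex]::Match([string]$e.Message, $pattern, 'IgnoreCase')
            # Keep records whose text does not match, so nothing is silently dropped.
            $hits.Add([pscustomobject]@{
                Computer = $e.MachineName; Time = $e.TimeCreated
                Peer     = if ($m.Success) { $m.Groups['peer'].Value } else { '(unparsed)' }
                Reason   = if ($m.Success) { $m.Groups['reason'].Value } else { '(unparsed)' }
            })
        }
    }
    end {
        # One row per (computer, peer, reason) with a count and time window.
        $hits | Group-Object Computer, Peer, Reason | ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                Computer  = $_.Group[0].Computer
                Peer      = $_.Group[0].Peer
                Reason    = $_.Group[0].Reason
                Count     = $_.Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        }
    }
}

# Constructed sample records (not real log data); the first mirrors the page's event.
$msg = 'The OpsMgr Connector cannot create a mutually authenticated connection to {0} because it is not in a trusted domain.'
$sample = @(
    [pscustomobject]@{ Id = 21007; ProviderName = 'OpsMgr Connector'; MachineName = 'Sales'; TimeCreated = [datetime]'2007-01-19T11:01:57'; Message = $msg -f 'contoso.com' }
    [pscustomobject]@{ Id = 21007; ProviderName = 'OpsMgr Connector'; MachineName = 'Sales'; TimeCreated = [datetime]'2007-01-19T11:06:57'; Message = $msg -f 'contoso.com' }
    [pscustomobject]@{ Id = 1000; ProviderName = 'OtherSource'; MachineName = 'Sales'; TimeCreated = [datetime]'2007-01-19T11:07:00'; Message = 'Unrelated constructed event.' }
)
$sample | Get-MutualAuthFailureSummary   # one row: Sales / contoso.com, Count 2
# Live use: Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = 21007 } | Get-MutualAuthFailureSummary
```

A repeated row for the same computer and peer points at a trust or certificate configuration problem rather than a transient failure.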
For more information about the Kerberos protocol, see https://go.microsoft.com/fwlink/?LinkId=78644 and https://go.microsoft.com/fwlink/?LinkId=78646
For more information about the use of certificates in Operations Manager 2007, see the Security Guide at https://go.microsoft.com/fwlink/?LinkId=64017