In Operations Manager 2007, mutual authentication is required between agents, management servers, and gateway servers. It is achieved by using either the Kerberos version 5 protocol or certificates. The Kerberos protocol is used within an Active Directory domain, between domains with two-way trusts, or between forests with two-way forest trusts. The Kerberos protocol is not used across an external trust. Certificates must be used in any environment where the Kerberos protocol cannot be used.

When an agent initiates communication with a gateway server, management server, or root management server, or when a gateway server initiates communication with a root management server or management server, the agent and the gateway server first attempt to authenticate by using the Kerberos protocol. If mutual authentication using the Kerberos protocol is not possible, they then attempt to mutually authenticate by using certificates.

If the authentication attempt is unsuccessful, events are written to the Operations Manager Event Log on both the server and agent computers.

The following is an example of an event.

Event Type: Error
Event Source: OpsMgr Connector
Event Category: None
Event ID: 21007
Date: 1/19/2007
Time: 11:01:57 AM
User: N/A
Computer: Sales
Description:
The OpsMgr Connector cannot create a mutually authenticated connection to contoso.com because it is not in a trusted domain.
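To see which computers are logging this failure and which endpoint they could not authenticate to, the following PowerShell script (an added example, not part of the original documentation) queries for event 21007 from the OpsMgr Connector source and summarizes the results. It assumes the log is named 'Operations Manager' and that the description text matches the sample above; the computer list is a placeholder.

```powershell
# Added example: summarize mutual-authentication failures (event 21007).
# Assumptions: log name 'Operations Manager'; $computers is a placeholder list.
$computers = @('Sales')            # computer name taken from the sample event
$since     = (Get-Date).AddDays(-1)

$filter = @{
    LogName      = 'Operations Manager'
    ProviderName = 'OpsMgr Connector'
    Id           = 21007
    StartTime    = $since
}

# Extracts the remote endpoint from the description text shown in the sample event.
$pattern = 'mutually authenticated connection to (?<target>\S+) because'

$results = foreach ($computer in $computers) {
    try {
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                $target = if ($_.Message -match $pattern) { $Matches['target'] } else { '(unparsed)' }
                [pscustomobject]@{
                    Computer    = $_.MachineName
                    Target      = $target
                    TimeCreated = $_.TimeCreated
                }
            }
    }
    catch {
        # Get-WinEvent reports an error when nothing matches; that is a clean result here.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { continue }
        Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
    }
}

# One row per (computer, target) pair, most frequent failures first.
$results |
    Group-Object Computer, Target |
    Select-Object @{n='Computer'; e={$_.Group[0].Computer}},
                  @{n='Target';   e={$_.Group[0].Target}},
                  Count,
                  @{n='LastSeen'; e={($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated}} |
    Sort-Object Count -Descending
```

A pair that keeps recurring identifies an agent or gateway server that sits outside a Kerberos trust boundary and needs certificates for mutual authentication.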

For more information about the Kerberos protocol, see http://go.microsoft.com/fwlink/?LinkId=78644 and http://go.microsoft.com/fwlink/?LinkId=78646

For more information about the use of certificates in Operations Manager 2007, see the Security Guide at http://go.microsoft.com/fwlink/?LinkId=64017
