Thursday, November 11, 2010

MOMCertImport and UAC

With the arrival of Windows Server 2008 R2 it seems that more administrators are keeping UAC enabled. I ran into an issue where I installed the certs for a gateway server and ran the cert import tool but kept getting this error:

Event: 21016
OpsMgr was unable to set up a communications channel to scomrms1.scom.com and there are no failover hosts.  Communication will resume when scomrms1.scom.com is available and communication from this computer is allowed.

and

Event: 21007
The OpsMgr Connector cannot create a mutually authenticated connection to scomrms.scom.com because it is not in a trusted domain.

I ran MOMCertImport and everything seemed to be fine.  After taking a look into HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ I realized that there was no reg key for ChannelCertificateSerialNumber.
This told me there was a problem with running the MOMCertImport tool as nothing was being written to the registry.
It turns out that running MOMCertImport doesn’t trigger the UAC dialog box: the application runs, lets you select your cert, and exits normally. So what you must do is right-click MOMCertImport.exe and click Run as administrator.
Then click Continue in the UAC dialog box.
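
A read-only check for the symptom described above, as an added example that is not part of the original post: it reports whether the current session is elevated, whether ChannelCertificateSerialNumber was written, and whether it matches a certificate in the LocalMachine\My store. The function name Test-MomCertImport, the REG_BINARY value type, and the certificate store searched are assumptions.

```powershell
# Added example (not from the original post). Reads only; changes nothing.
function Test-MomCertImport {
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $valueName = 'ChannelCertificateSerialNumber'

    # With UAC enabled, a non-elevated process cannot write under HKLM,
    # which is why the import in the post left no value behind.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $result = New-Object psobject -Property @{
        Elevated = $elevated; ValuePresent = $false; SerialHex = $null; MatchingCert = $null
    }

    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Warning "$valueName not found. Re-run MOMCertImport.exe using Run as administrator."
        return $result
    }
    $result.ValuePresent = $true

    # Assumption: the value is REG_BINARY holding the serial number bytes.
    # Byte order is not stated in the post, so both orders are compared.
    $bytes    = [byte[]]$item.$valueName
    $forward  = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    [array]::Reverse($bytes)
    $reversed = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    $result.SerialHex = $forward

    # Look for the certificate the registry value points at.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -eq $forward -or $_.SerialNumber -eq $reversed } |
        Select-Object -First 1
    if ($cert) { $result.MatchingCert = $cert.Subject }
    else { Write-Warning 'Registry serial number matches no certificate in LocalMachine\My.' }
    return $result
}

Test-MomCertImport
```

Reading the key does not require elevation, so the check can be run before and after the elevated import to confirm the value appeared.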