RunAs Account Errors on SCOM
Hi, we are getting the following alerts in SCOM 2007 R2 Console in our production instance: "The Health Service could not log on the RunAs account JME\om_ccs_msaction for management group OM_CCS. The error is Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.(1935L). This will prevent the health service from monitoring or performing actions using this RunAs account" At first glance we panicked thinking this means our SCOM monitoring in production is not in a working state; but we do see alerts being raised by SCOM as expected. Any ideas why we might be getting the above error, and if it is something that is expected and can be safely ignored?
November 17th, 2010 12:37pm

Is Windows Firewall enabled on that machine where you are getting the error from? If so, try to disable and see it the alerts comes back again? Or open the ports required from the Agent to communicate with the (Root) Management Server: Agent installed using MOMAgent.msi 5723 ---> Root management server And check if this port is not being used by another process using netstat. Certifications: MCSA 2003|MCSE 2003|MCTS(4*)| MCTIP:SA
Free Windows Admin Tool Kit Click here and download it now
November 17th, 2010 12:54pm

Is Windows Firewall enabled on that machine where you are getting the error from? If so, try to disable and see it the alers comes back again? Or open the ports required from the Agent to communicate with the (Root) Management Server: Agent installed using MOMAgent.msi 5723 ---> Root management server And check if this port is not being used by another process using netstat. Certifications: MCSA 2003|MCSE 2003|MCTS(4*)| MCTIP:SA
November 17th, 2010 12:55pm

it looks like this machine only allows some account to log on. you can have more than 1 AA on a healthservice running different workflows, so that would explain the alerts being raised. It might be an AA that's not used but is distributed to this machine anyway. I'm not sure those accounts are being checked though. Kevin holman has a good post about this: http://blogs.technet.com/b/kevinholman/archive/2010/09/08/configuring-run-as-accounts-and-profiles-in-r2-a-sql-management-pack-example.aspx?wa=wsignin1.0 Rob Korving http://jama00.wordpress.com/
Free Windows Admin Tool Kit Click here and download it now
November 17th, 2010 1:01pm

Please check if you need to configure Authenticate in AD Users and Computers for this computer. AD Users and Computers --> enable Advanced Features --> Select the Computer Object --> Properties --> Security --> Add the Group you want to allow access to the computer and allow "Allowed to Authenticate". Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 18th, 2010 4:07am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics