Windows metric collections are intermittent with WinRM even when the FglAM (Agent Manager) WinRM prerequisites are met according to the documentation.
The FglAM logs (FglAM_YYYY-MM-DD_HHMMSS_001.log) show an error like this:
WARN [WinRMWebServiceManagementConnection[24]-3] com.quest.glue.core.remoteconnection.negotiate.SPNEGOAuthenticationScheme - Authentication failed: unable to connect to http://servername.example.com:5985 (Clock skew too great (37))
Credential alarms show that WinRM authentication fails with this error:
Failure: Cannot establish connection to servername.example.com: WinRM request to http://servername.example.com:5985/wsman failed: received HTTP/401 - credentials rejected
Kerberos authentication requires all three hosts in the authentication process to have their clocks in sync; Client Host (Agent Manager), Kerberos Service Host (Monitored Host) and Key Distribution Center (Domain Controller). A 5 minute time difference can cause this type of issues.
The reason for this type of failures is better explained by Microsoft here and MIT here.
Confirm that the FglAM clock, the Monitored Host clock and the Domain Controller clock are all in sync.
If all monitored hosts have the same symptoms, then it's likely that the issue is with either the FglAM or the Domain Controller.
Using an NTP provider to sync the clocks would be optimal.
Note: Although the clock skew between FMS (Management Server) and FglAM doesn't affect the authentication process, it can have other negative effects.
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center