Global Service Monitor not working because the remote certificate is invalid according to the validation procedure

  • Article

When we install and use Global Service Monitor in System Center Operations Manager 2012, the Management Server(s) need to access the GSM site in Azure which will be using a certificate from Microsoft. The Management Server needs to trust this certificate and for this it needs to have in its computer certificate store, in Trusted Root Certificate Authorities store, a list of trusted Microsoft Certificate Authorities.

 

So, let's say that you just installed GSM and you get this Warning Event in the Operations Manager Event Log on the Management Server:

Global Service Monitor Modules: Failed to discover Global Service Monitor locations.
Failure step: 'Couldn't get the ACS endpoint from discovery service. SubscriptionId: 'SOME_ID', OutsideInServiceBaseUri: 'https://gsm-prod.systemcenter.microsoft.com/''
Message: 'Could not establish trust relationship for the SSL/TLS secure channel with authority 'gsm-prod.systemcenter.microsoft.com'.'
Details: 'System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'gsm-prod.systemcenter.microsoft.com'.
         ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
         ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

 

In this particular case when we checked the Trusted Root Certificate Authorities store on this Management Server, we have noticed that some Microsoft Root CA certificates were missing, for example one of the most important ones for GSM, the Baltimore Cyber Trust Root certificate.

All these certificates should get imported on your Computers through Windows Update, basically KB931125. This gets updated very often with the new certificates so it might be a good idea to check if there are new certificates from time to time.

So here we installed KB931125 from the download link and then the error was gone and GSM started working again: https://www.microsoft.com/en-us/download/details.aspx?id=6149

 

After waiting a couple of minutes, we could see data getting in from the GSM Web Tests that were created in OpsMgr :D yuhuuu!