JAAS between WLS (untrusted) domains - ServerIdentity failed validation

I'm trying to create a proxy/delegate class that can be used by clients to
transparently access a server.
The class should be usable from clients within WLS containers and from
regular java apps.
Using JNDI authentication everything works fine.
Using JAAS I'm having a problem when my client is an EJB app in an untrusted
WLS domain. When the login is requested the following error is occurring:
<ServerIdentity failed validation, downgrading to anonymous.>
I want to be able to do a JAAS login to a non-trusted domain. I'm assuming
that the server is trying to pass the subject who is logged into the current
container, and my call to LoginContext.login()
Any thoughts?
//Example of code
loginContext = new LoginContext("ServiceSecurity",
        new FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
loginContext.login();
// final so the anonymous PrivilegedExceptionActions below can capture it
final Subject subject = loginContext.getSubject();
serviceHome = (ServiceHome) weblogic.security.Security.runAs(subject,
        new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                //JNDI lookup
                //Create session bean instance
                weblogic.security.Security.runAs(subject,
                        new PrivilegedExceptionAction() {
                            public Object run() throws Exception {
                                //do operation on instance
                                return null;
                            }
                        });
                return null; //return the home obtained from the JNDI lookup
            }
        });

Then I'd start talking to BEA support to see if they even know how to do
this.
Without the trust relationship I'm not sure if you can achieve what you
want.
Dejan
Mark Fine wrote:
This is exactly what I am doing.
Implicitly there is a security context within the session bean (the user
logs in via the web app and context is propagated). I obtain a LoginContext
to the other server and call the method within that context.
It doesn't work because it is implicitly passing the security context of the
session bean and failing due to lack of trust.
//Example of code
loginContext = new LoginContext("ServiceSecurity",
        new FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
loginContext.login();
// final so the anonymous PrivilegedExceptionActions below can capture it
final Subject subject = loginContext.getSubject();
serviceHome = (ServiceHome) weblogic.security.Security.runAs(subject,
        new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                //JNDI lookup
                //Create session bean instance
                weblogic.security.Security.runAs(subject,
                        new PrivilegedExceptionAction() {
                            public Object run() throws Exception {
                                //do operation on instance
                                return null;
                            }
                        });
                return null; //return the home obtained from the JNDI lookup
            }
        });
"Deyan D. Bektchiev" <[email protected]> wrote in message
news:[email protected]...
In that case you should be able to get the two different Subjects from
the two different domains (return a different url from the URLCallback
when you login with JAAS), and afterwards use
weblogic.security.Security.doAs(...);
with the correct Subject for the appropriate server when you access the
servers.
HTH,
--dejan
Mark Fine wrote:
Thanks, but I think the content was miscommunicated. Everything works fine
when the domains are "trusted". I want to know how to have "untrusted"
domains talk to each other through explicit logins.
i.e. imagine an application on a domain in a finance department. What if
they are trusted against other domains and can't / don't want to establish
trust with your domain. They just need access to one particular service you
expose.
Thanks,
m
"Deyan D. Bektchiev" <[email protected]> wrote in message
news:[email protected]...
Hi Mark,
You should first establish a trust relationship between your Weblogic
servers:
http://e-docs.bea.com/wls/docs70/secmanage/domain.html#1171534
Then you can use JAAS to authenticate and get valid Subjects for the two
users.
--dejan

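The two-Subject pattern Dejan describes, written out as an added example (this is not code from the thread): one JAAS login per target server, with the URLCallback answered with that server's address, and each remote call wrapped in Security.runAs with the Subject obtained from that server. As the thread concludes, this only chooses which Subject a call carries; it does not replace domain trust where the calling server's own identity is validated. "ServiceSecurity" is the configuration entry named in the thread and is assumed to use WebLogic's UsernamePasswordLoginModule; the host URLs, user name and JNDI name are placeholders.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import weblogic.security.Security;
import weblogic.security.auth.callback.URLCallback;

/**
 * Answers the callbacks WebLogic's client login module asks for. The URL
 * decides which server validates the credentials, so one handler (and one
 * LoginContext) is created per target domain.
 */
public class DomainCallbackHandler implements CallbackHandler {
    private final String user;
    private final char[] password;
    private final String url;

    public DomainCallbackHandler(String user, char[] password, String url) {
        this.user = user;
        this.password = password;
        this.url = url;
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(user);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
            } else if (cb instanceof URLCallback) {
                // A different URL here yields a Subject for a different domain.
                ((URLCallback) cb).setURL(url);
            } else {
                throw new UnsupportedCallbackException(cb, "unexpected callback");
            }
        }
    }

    /** One JAAS login per target server; the Subject is valid for that server only. */
    public static Subject loginTo(String url, String user, char[] password)
            throws LoginException {
        // "ServiceSecurity" is the entry used in the thread; assumed to map to
        // weblogic.security.auth.login.UsernamePasswordLoginModule.
        LoginContext lc = new LoginContext("ServiceSecurity",
                new DomainCallbackHandler(user, password, url));
        lc.login();
        return lc.getSubject();
    }

    /** Look up a JNDI name on one server while running as the Subject from it. */
    public static Object lookupAs(final Subject subject, final String url,
                                  final String jndiName) throws PrivilegedActionException {
        return Security.runAs(subject, new PrivilegedExceptionAction<Object>() {
            public Object run() throws Exception {
                // Shows which identity the thread carries inside runAs; if the
                // container's caller appears here, the explicit Subject was not applied.
                System.out.println("calling " + url + " as "
                        + Security.getCurrentSubject().getPrincipals());
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY,
                        "weblogic.jndi.WLInitialContextFactory");
                env.put(Context.PROVIDER_URL, url);
                // No SECURITY_PRINCIPAL/SECURITY_CREDENTIALS: the identity for this
                // lookup is the JAAS Subject, not JNDI-supplied credentials.
                Context ctx = new InitialContext(env);
                try {
                    return ctx.lookup(jndiName);
                } finally {
                    ctx.close();
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Placeholder addresses and JNDI name; credentials come from the
        // command line so nothing secret is hard-coded.
        String user = args[0];
        char[] pw = args[1].toCharArray();
        String financeUrl = "t3://finance-host:7001";
        String hrUrl = "t3://hr-host:7001";
        // Two logins, two Subjects, each bound to the server that issued it.
        Subject financeSubject = loginTo(financeUrl, user, pw);
        Subject hrSubject = loginTo(hrUrl, user, pw);
        // Each lookup runs as the Subject from the matching server.
        Object financeHome = lookupAs(financeSubject, financeUrl, "ejb/ServiceHome");
        Object hrHome = lookupAs(hrSubject, hrUrl, "ejb/ServiceHome");
        System.out.println(financeHome != null && hrHome != null
                ? "both homes resolved" : "lookup failed");
    }
}
```
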
Similar Messages

  • BEA-090513 "ServerIdentity failed validation" on single domain single server

    Hi!
    I'm getting loads of
    <Error> <Security> <BEA-090513> <ServerIdentity failed validation, downgrading
    to anonymous.>
    errors though I'm running a single server in a single domain - so the information in
    http://e-docs.bea.com/wls/docs81/messages/Security.html
    isn't very helpful. What can I do to remove this problem?
    Thanks so much,
    Hans-Peter Stoerr

    Hi I get the similar error
    <Error> <Security> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
    <Sep 12, 2007 4:04:51 PM CDT> <Error> <Security> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
    ####<Sep 12, 2007 2:47:32 PM CDT> <Error> <Security>sb1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Defau
    lt (self-tuning)'> <<WLS Kernel>> <> <> <1189626452736> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
    ####<Sep 12, 2007 2:47:32 PM CDT> <Error> <Security> > <sb1> <ExecuteThread: '8' for queue: 'weblogic.socket.Muxer'> <<WLS
    Kernel>> <> <> <1189626452759> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
    ####<Sep 12, 2007 2:47:32 PM CDT> <Error> <Security> < <sb1> <ExecuteThread: '8' for queue: 'weblogic.socket.Muxer'> <<WLS
    Kernel>> <> <> <1189626452760> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
    I tried the BEA method to change the credentials that the domain is interacting with (trust certificate) but no help. The errors keep coming.
    In order to rule out some possibility I shut down the other domain completely and I could still see the same errors in my managed server logs. I would really appreciate anyone's tips to fix this issue.

  • Server Crash : ServerIdentity failed validation, downgrading to anonymous

    All,
    Setup is as follows:
    Domain has got an admin server and 2 managed servers.
    Managed Server 1 on Machine 1
    Managed Server 2 on Machine 2
    Following error is continuously thrown in the logs :
    <22-Jul-2010 09:54:45 o'clock> <Error> <Security> <managed1> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <BEA-090513> <ServerIdentity failed validation, downgrading to anonymous.>
    Can this 090513 error on JMS queue lead to a server crash ?
    I also get the below error
    <ExecuteThread: '2' for queue: 'weblogic.admin.RMI' : Executing(weblogic.management.internal.MBeanHomeImpl)> <<WLS Kernel>> <> <BEA-080003> <RuntimeException thrown by rmi server: weblogic.management.internal.MBeanHomeImpl.getMBean(Ljavax.management.ObjectName;)
    java.lang.NullPointerException.
    java.lang.NullPointerException
    at weblogic.management.internal.MBeanHomeImpl.getMBean(MBeanHomeImpl.java:109)
    Regards,
    Rashi

    Does this domain have RMI communication with another WebLogic domain? If so, this error would normally occur if you have not enabled domain trust between the domains. You can enable domain trust by following the steps in the link below:
    http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/domain.html#wp1176064
    Not sure if this alone will crash a server. Are there any other errors in the logs?

  • ServerIdentity failed validation, downgrading to anonymous

    I'm getting this error when trying to run one of the applications
    deployed in my domain. I only have one domain, so the information in the
    error message list about enabling trust between domains should not apply
    here.
    I get the error mentioned in the topic with BEA code BEA-090513
    What other ways are there to fix this error?

    Here's a more complete stack trace from the server log:
    ####<Nov 18, 2003 10:12:10 AM EST> <Error> <Security> <ORLEX1090> <demoServer>
    <ExecuteThread: '0' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <BEA-090513>
    <ServerIdentity failed validation, downgrading to anonymous.>
    ####<Nov 18, 2003 10:12:10 AM EST> <Error> <Security> <ORLEX1090> <demoServer>
    <ExecuteThread: '0' for queue: 'weblogic.admin.RMI'> <<WLS Kernel>> <> <BEA-090513>
    <ServerIdentity failed validation, downgrading to anonymous.>
    ####<Nov 18, 2003 10:12:10 AM EST> <Warning> <RMI> <ORLEX1090> <demoServer> <ExecuteThread:
    '0' for queue: 'weblogic.admin.RMI'> <<WLS Kernel>> <> <BEA-080003> <RuntimeException
    thrown by rmi server: weblogic.management.internal.RemoteMBeanServerImpl.invoke(Ljavax.management.ObjectName;Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String;)
    weblogic.management.NoAccessRuntimeException: Access not allowed for subject:
    principals=[], on ResourceType: ServerConfig Action: execute, Target: lookupServerRuntime.
    weblogic.management.NoAccessRuntimeException: Access not allowed for subject:
    principals=[], on ResourceType: ServerConfig Action: execute, Target: lookupServerRuntime
         at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.wlsRun(SecurityHelper.java:557)
         at weblogic.management.internal.SecurityHelper$IsAccessAllowedPrivilegeAction.run(SecurityHelper.java:453)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:317)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
         at weblogic.management.internal.SecurityHelper.isAccessAllowed(SecurityHelper.java:347)
         at weblogic.management.internal.RemoteMBeanServerImpl.invoke(RemoteMBeanServerImpl.java:764)
         at weblogic.management.internal.RemoteMBeanServerImpl_WLSkel.invoke(Unknown Source)
         at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:466)
         at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:409)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:353)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:144)
         at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:404)
         at weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:30)
         at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
         at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)

  • ServerIdentity failed validation

    I am porting over some code from WebLogic 6.1 to 8.1 and getting the following
    errors. Any clue as to what these might be? Thanks.
    <Error> <Security> <BEA-090513> <ServerIdentity failed validation, downgrading
    to anonymous.>
    <Error> <JTA> <BEA-110200> <User [<anonymous>] is not authorized to invoke startCommit
    on a transaction branch.>

    The problem went away after I established trust between the two domains. Thanks
    so much for your help.
    Naresh
    "Peter" <PeterB> wrote:
    "Naresh Bhatia" <[email protected]> wrote in message
    news:[email protected]...
    I am porting over some code from WebLogic 6.1 to 8.1 and getting the following
    errors. Any clue as to what these might be? Thanks.
    <Error> <Security> <BEA-090513> <ServerIdentity failed validation, downgrading
    to anonymous.>
    <messagedetail>
    The ServerIdentity failed validation. Within this domain, the server
    identity is downgraded to Anonymous.
    </messagedetail>
    <cause>
    Trust has not been properly established between two domains.
    </cause>
    <action>
    See the documentation on Enabling Trust Between WebLogic Domains at
    http://e-docs.bea.com.
    </action>

  • Trust Relationship between PC and Domain broken\failed after System Restore

    We are currently faced with a problem that every time we do a System Restore on our Windows 7 workstation, upon login attempt we get a login failure because the Trust Relationship between PC and Domain is broken.
    As a solution we have to log in as a local admin, remove the workstation account from the domain, then re-add the workstation back to the domain.
    Does anybody know if there is a hotfix for this or how we can bypass having to remove and re-add the workstation to the domain in order to login?

    Have you checked on when the computer last checked in and changed the computer account password with the domain? When a computer changes its password, Active Directory will store only the current password and it does not expire. The workstation
    will store both the current password and the previous password. This is for cases when you may restore Active Directory to a point before the computer password change.
    To handle this, the workstation will try its current password, then its previous.
    If you're restoring the workstation to a previous point in time, you may be rolling the stored passwords back too far for Active Directory to accept. I would only imagine this to be the case a handful of times if you're going back 1-2 days.
    Are you experiencing 100% failure?

  • BEA-090513 -- ServerIdentity failed validation, downgrading to anonymous

    I'm getting this error when starting up my instance. I only have one domain, so the information in the error message list about enabling trust between domains should not apply here.
    I get the error mentioned in the topic with BEA code BEA-090513
    What other ways are there to fix this error?

    I think, if you only have a single domain, the only thing that could be causing this is a misconfiguration. Can you recreate the domain? Can you confirm that the config.xml files on all servers are identical?

  • Getting Error The trust relationship between the primary domain and the trusted domain failed in SharePoint 2010

    Hi,
    A SharePoint 2010 backup has been taken from production and restored through Semantic Tool on one of the servers. The web application of which the backup was taken is working fine.
    But the problem is that SharePoint is not working correctly. We cannot create any new web application, and cannot navigate to the ServiceApplications.aspx page; it shows an error. Even the Search and User Profile services of the existing web application are not working. Checking
    the SharePoint logs I found the exception below.
    Please guide me on the above issue, this will be of great help.
    Thanks.

    I have same error. Verified for trust , ports , cleaned up cache.. nothing has helped. 
    The problem is caused by User profile Synch Service:
    UserProfileProperty_WCFLogging :: ProfilePropertyService.GetProfileProperties Exception: System.SystemException:
    The trust relationship between the primary domain and the trusted domain failed.       at System.Security.Principal.SecurityIdentifier.TranslateToNTAccounts(IdentityReferenceCollection sourceSids,
    Boolean& someFailed)     at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)     at System.Security.Principal.SecurityIdentifier.Translate(Type
    targetType)     at Microsoft.SharePoint.Administration.SPAce`1.get_PrincipalName()     at Microsoft.SharePoint.Administration.SPAcl`1.Add(String principalName, String displayName, SPIdentifierType identifierType, Byte[]
    identifier, T grantRightsMask, T denyRigh...        
    08/23/2014 13:00:20.96*        w3wp.exe (0x2204)                      
            0x293C        SharePoint Portal Server              User Profiles                
            eh0u        Unexpected        ...tsMask)     at Microsoft.SharePoint.Administration.SPAcl`1..ctor(String persistedAcl)    
    at Microsoft.Office.Server.Administration.UserProfileApplication.get_SerializedAdministratorAcl()     at Microsoft.Office.Server.Administration.UserProfileApplication.GetProperties()     at Microsoft.Office.Server.UserProfiles.ProfilePropertyService.GetProfileProperties()
    Please let me know if you have found any solution for this.
    Regards,
    Kunal  

  • Error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication" on SQL Server 2008 R2 Enterprise Edition 64-bit SP2 clustered instance

    Hi there,
    I have a Windows 2008 R2 Enterprise x64 SP2 cluster which has 2 SQL Server 2008 R2 Enterprise Edition x64 SP2
    instances.
    A domain account "Domain\Login" is administrator on both physical nodes and "sysadmin" on both SQL Server instances.
    Currently both instances are running on same node.
    While logging on to SQL Server instance 2 thru "Domain\Login" using "IP2,port2", I get error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication". This happened in the past
    as well but the issue was resolved post installation of SQL Server 2008R2 SP2. This has re-occurred now. But it connects using 'SQLVirtual2\Instance2' without issue.
    Same login with same rights is able to access Instance 1 on both 'SQLVirtual1\Instance1' and "IP1,port1" without any issue.
    Please help resolve the issue.
    Thanks,
    AY

    Hello,
    I confirm that I encountered the same problem when the first domain controller was down!!
    During a restart of the first domain controller, I tried to fail over my SQL Server instance to a second node; after that I was able to authenticate a SQL Server login but a Windows login returned error 18452!
    When the first DC finished restarting everything was OK!
    The question here: why doesn't the cluster instance use the second DC???
    Best Regards     
    J.K

  • Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.

    Hello,
    I have gone through a couple of posts regarding this issue but couldn't get the right solution. Could you please help with what exactly we are missing here.
    Details:
    1) we have two SQL instances on one standalone machine (Default Instance (2008 SP3) + Named Instance (SQL 2012 SP1))
    2) Both instances are configured to accept SQL+ Windows authentication.
    3) when we give access to our users they are getting following exception if they connect with 'windows authentication'. (For both instances)
    Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.
    Note: (Being a sys + windows admin I'm able to connect to both instances from the same client machine without any issues)
    4) Also, we observed following error in windows application event log,
     SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.
    The logon attempt failed   [CLIENT: 192.168.xxx.xyx]
    5) If we create SQL login it is working fine without any issues.
    Could someone guide/help me in identifying and fixing this issue.
    Thank you

    Hello,
    Are those Windows Logins associated to domain Windows accounts? Windows Logins work for domain accounts and local Windows account created on the server where the SQL Server instance is installed (and used to login locally to the server).
    Could you try to delete one of the Windows logins that fail to log in, and try to recreate them?
    The following resources may help:
    http://blogs.msdn.com/b/dataaccesstechnologies/archive/2012/12/19/error-message-quot-login-failed-the-login-is-from-an-untrusted-domain-and-cannot-be-used-with-windows-authentication-quot.aspx
    http://support.microsoft.com/kb/555332
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • SQL server(PC1) --- PC2: Login failed. The login is from untrusted domain and cannot be used with windows authentification

    Hey,
    I want to make a connection from my laptop (xxx.xxx.xxx.xxx = A) to a fixed computer (SQL server xxx.xxx.xxx.xxx = B). My connection string = "Provider=SQLNCLI11; Data source:name-pc/SQLEXPRESS; Integrated circuit=SSPI;Intial Catalog=Database name for Visual
    Studio C#.
    Laptop -> PC1 : Error
    It works when I use localhost or 127.0.0.1 and I can read my database without any problems if I install SQL Server on my laptop. Now I install it on PC1 and uninstall it on my laptop. When I change the name-pc to an IP address I get this error: Login failed.
    The login is from untrusted domain and cannot be used with windows authentification. I did some research on multiple forums where they talk about Local Security Policy (secpol.exe) but I don't have this file.
    PC2 -> PC3: works fine, but I want to work with my laptop and I don't understand why it isn't working with my laptop.
    Can someone help me?
    Thanks a lot and sorry about my English (it's a disaster)
    Thibaut

    Hello,
    Yes, for the Windows Authentication to work you should be using the same Windows account and password.
    Are you willing to create SQL logins inside SQL Server and allow your users to connect to SQL Server using SQL Authentication
    instead of Windows Authentication? That could be a solution on a workgroup network.
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • SCCM 2012 R2 - Distribution Point untrusted domain - Not acknowledging Network Access Account (FYI)

    Hello!
    Scenario
    Built a single primary site server in one domain with multiple distribution points. All site servers are member of this one site.
    The distribution points in the primary site server's domain function as expected. The distribution point deployed to an untrusted domain does not. The primary site server can see all objects in the domain, publishes successfully, and the CCM client on the
    DP in the untrusted domain knows it's part of the site, knows its AD site (according to locationservices.log). The DP role is installed properly, logs are populating, queries are being made for application lists and updates. Unfortunately authentication
    errors indicate that this software can't be downloaded.
    In essence the DP in the untrusted domain can't pull down content from the primary site server. The role uses BITS to download content from IIS on the primary site server, but the requests each throw a 401 error. Unauthorised. This should be an easy fix.
    Create a Network Access Account in the primary site server's domain, assign it to the site (Software Distribution setting), wait for the DP to pick up the setting and watch it retrieve its content. The DP in the untrusted domain is configured as a Pull DP,
    implying it has to use a Network Access Account to download content. It knows the content is available and makes every effort to download it.
    Problem
    The DP in the untrusted domain doesn't know a Network Access Account (NAA) has been defined for the site.
    The account does exist, created in the primary site server's domain and assigned to the site. It's not a password issue. IIS has not been set for Anonymous access as this isn't needed - the NAA should provide the credentials it requires to pull down content.
    A manual check using the URL of the package confirms the package is accessible from the DP when using the NAA's credentials. I've allowed enough time (I think) for the DP to acknowledge the NAA. For fun the DP role was removed, and the CCM agent removed. Both
    were reinstalled. A fresh install didn't detect the NAA.
    Solution
    After some soul searching and a little frustration, it came down to this: A Pull DP always uses the Network Access Account. If the DP can't find a Network Access account it will fail to pull down content. This is undisputed. Found an article that states
    the Pull DP always uses the CCM client configuration to do its dirty work. At that point the CCM client was checked. It had the classic problem of only displaying two Actions - Machine Policy Retrieval & Evaluation Cycle, User policy Retrieval & Evaluation
    Cycle. Most components were installed but not enabled. This is fairly common. Looked at the console, found the device, added the Approval column. Turns out it wasn't auto-approved. Reason being that the client is in an untrusted domain and clients in untrusted
    domains aren't approved automatically (by default).
    In this case something as simple as approving the client fixed these issues.
    The DataTransferService.log highlights the issue:
    <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}' ErrorCode=0x80190191]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3501">
    <![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' URL='http://PRIMARYSERVER.A.B.COM:80/SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68' ProtType=1]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3504">
    <![LOG[Authentication required by the proxy, DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:3513">
    <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} in state 'Cancelled'.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688" file="dtsjob.h:166">
    <![LOG[DTS job {17E0B672-F699-434D-B063-87CC2ACF715C} BITS job {38B81ADE-55B5-4BD7-A881-DBFF13943EDE} encountered Access Denied error during download.  Will retry using Network Access Account.]LOG]!><time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="2" thread="3136" file="dtsjob.cpp:3652">
    <![LOG[DTSJob {8814E9A1-3D26-4089-83CF-3C7D17BCEC6E} cancelled by client.]LOG]!><time="18:25:54.280+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3688" file="dtsjob.cpp:3205">
    <![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:288">
    <![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:858">
    <![LOG[DTSJob {17E0B672-F699-434D-B063-87CC2ACF715C} encountered error setting BITS job to use Network Access Account (0x00000000).]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="3" thread="3136" file="dtsjob.cpp:1885">
    The IIS server log u_ex150219.log captures the request:
    2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm/windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 - 401 2 5 1509 2
    2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm/windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 - 401 1 3221225581 1509 4
    2015-02-19 123.11.12.13 GET /SMS_DP_SMSPKG$/5af1680e-4a14-4dc5-8a60-bda7370e6d68/sccm/windows6.1-kb3021917-x64.cab 80 - 9.10.11.12 Microsoft+BITS/7.7 - 401 1 3221225581 1509 3
    2 x Domains: DomainA and DomainX
    - Single domain forests
    - No trusts between domains/forests
    DomainA\PRIMARYSERVER
    - Primary Site Server, MP, DP, IIS, all roles
    DomainX\DP1
    - Distribution Point, IIS, etc
    - CCM client installed
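    Added example, not code from the post: a small Python parser for the CMTrace-format DataTransferService.log entries quoted above, which flags the chain the post describes (BITS ErrorCode 0x80190191, whose low 16 bits encode HTTP 401, followed by the "no network access account" entries). The sample entries are constructed from the post's own log; the function names are mine.

```python
import re

# CMTrace entry layout used by ConfigMgr client logs such as DataTransferService.log.
CMTRACE_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" '
    r'component="(?P<component>[^"]*)" context="[^"]*" type="(?P<type>\d)" thread="(?P<thread>\d+)" file="(?P<file>[^"]*)">',
    re.DOTALL,
)
# BITS reports HTTP failures as 0x8019xxxx, where the low 16 bits hold the HTTP status code.
BITS_HTTP_FACILITY = 0x80190000
NAA_MISSING_MARKERS = ("No network access account info found.",
                       "The network access account is not defined.")


def parse_cmtrace(text):
    """Return one dict per entry; DOTALL lets an entry wrapped across lines still match."""
    return [m.groupdict() for m in CMTRACE_RE.finditer(text)]


def bits_http_status(message):
    """HTTP status encoded in a BITS ErrorCode=0x8019xxxx token, or None if there is none."""
    m = re.search(r"ErrorCode=0x([0-9A-Fa-f]{8})", message)
    if m is None:
        return None
    code = int(m.group(1), 16)
    return code & 0xFFFF if code & 0xFFFF0000 == BITS_HTTP_FACILITY else None


def diagnose_pull_dp(text):
    """Flag the chain from the post: a 401 from the DP, then no NAA available for the retry."""
    entries = parse_cmtrace(text)
    statuses = sorted({s for e in entries if (s := bits_http_status(e["msg"])) is not None})
    naa_missing = any(e["msg"].strip() in NAA_MISSING_MARKERS for e in entries)
    if 401 in statuses and naa_missing:
        verdict = "DP refused the computer account (401) and no NAA exists for the retry"
    elif 401 in statuses:
        verdict = "DP refused the download (401); NAA fallback was attempted"
    else:
        verdict = "no 401/NAA failure chain found"
    return {"entries": len(entries), "http_statuses": statuses,
            "naa_missing": naa_missing, "verdict": verdict}


# Constructed sample: three of the DataTransferService.log entries quoted in the post above.
SAMPLE_LOG = (
    "<![LOG[CDTSJob::JobError: DTS Job ID='{17E0B672-F699-434D-B063-87CC2ACF715C}' BITS Job ID='{38B81ADE-55B5-4BD7-A881-DBFF13943EDE}' ErrorCode=0x80190191]LOG]!>"
    '<time="18:25:54.264+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="dtsjob.cpp:3501">\n'
    '<![LOG[No network access account info found.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:288">\n'
    '<![LOG[The network access account is not defined.]LOG]!><time="18:25:54.327+00" date="02-19-2015" component="DataTransferService" context="" type="1" thread="3136" file="netaccessaccount.cpp:858">\n'
)

if __name__ == "__main__":
    print(diagnose_pull_dp(SAMPLE_LOG))
```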

    Based on the above, you are using a PullDP. If so, have you installed the client agent on this system? The client agent is required on PullDPs in untrusted domains so that they can acquire the NAA.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Authentication needed after doing trust between two different domains.

    Hi There,
    I have a problem after creating a trust relationship between two different domains in two different forests. In the trust relationship steps everything is working: a two-way external trust, stub zones created on both domains, and the trust validated on both sides. My problem is with the objects: they can be retrieved from one side but not from the other. For instance:
    NY domain can get the users and computers of 2012DC1,
    but 2012DC1 can't get the users and computers of NY.
    Date and time are the same. I am always getting this error:
    The session setup from computer '2012DC1' failed because the security database does not contain a trust account 'test.com.' referenced by the specified computer.  
    USER ACTION  
    If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'test.com.' is a legitimate machine account
    for the computer '2012DC1' then '2012DC1' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise,
    the following steps may be taken to resolve this problem:  
    If 'test.com.' is a legitimate machine account for the computer '2012DC1', then '2012DC1' should be rejoined to the domain.  
    If 'test.com.' is a legitimate interdomain trust account, then the trust should be recreated.  
    Otherwise, assuming that 'test.com.' is not a legitimate account, the following action should be taken on '2012DC1':  
    If '2012DC1' is a Domain Controller, then the trust associated with 'test.com.' should be deleted.  
    If '2012DC1' is not a Domain Controller, it should be disjoined from the domain.
    Can you please help me with this error?
    Thank you in advance.

    Hello,
    "The session setup from computer '2012DC1' failed because the security database does not contain a trust account 'test.com.' referenced by the specified computer."
    This belongs to the machine 2012DC1 in test.com and not to the other domain from your trust. It seems to me that you are mixing up the trust with the problems of the machine 2012DC1 in test.com.
    In this error message 2012DC1 has lost the trust to its OWN domain, and therefore you have to find the reason. How exactly was this machine installed?
    Or was there a restore on that machine from an unsupported type of backup like an image/clone/snapshot?
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

  • Management Servers in untrusted domains

    Hi,
    I am planning a deployment of SCOM 2012 R2 and have several questions regarding the appropriate placement of management and gateway servers.
    The environment has multiple untrusted domains, and I need to monitor both Windows and Linux computers on both sides of the firewall. The main domain has 1500 Windows computers and 1300 Linux computers. The untrusted domain has 250 Windows servers and 450 Linux servers.
    It is understood that gateway servers are used to communicate across the firewall.
    The questions are:
    1. Is it possible to locate one or more management servers in the untrusted domain for the Linux servers and another management server to work with the Windows servers, and have those management servers in the untrusted domain communicate through the firewall via gateway servers to the databases in the main domain?
    2. If it is not possible to have management servers in the untrusted domain communicate via the gateways, how many gateways would be required to relay to the management servers in the main domain's management group?
    3. With the number of Linux servers in the untrusted domain, is it better to install a separate management group there?
    Thanks for any advice in dealing with the above scenario.
    --SG

    Hi There,
    Microsoft recommends that you place all the management servers in the same data center, so if one goes down the other comes to know about it asap.
    If you place it in another location then failover may happen late.
    Also, you have mentioned placing the management servers in another domain, which is possible, but you need to have the trust and permission stuff, which is very hectic work.
    So I would suggest you place gateways, as it will help with compression if the network bandwidth is low between the domains and sites.
    And based on MS's sizing and management options, a gateway server can manage 100 Unix boxes for a dedicated gateway server, and 500 per management server in the same domain.
    So based on your situation as below:
    1300 Linux - Same domain
    450 - Different domain
    3 management servers for the main domain for dedicated Linux
    1 MS for Windows agent monitoring.
    In total 4 in a management group for the same-domain one.
    1 separate management group with 1 MS will be fine for dedicated Linux monitoring for the 450 servers in the other domain.
    If you still want to place gateways then you will need to place 5 gateway servers, which is difficult to manage.
    Operations Manager supports the following number of monitored items (monitored item: recommended limit):
    - Simultaneous Operations consoles: 50
    - Agent-monitored computers reporting to a management server: 3,000
    - Agent-monitored computers reporting to a gateway server: 2,000
    - Agentless Exception Monitored (AEM) computers per dedicated management server: 25,000
    - Agentless Exception Monitored (AEM) computers per management group: 100,000
    - Collective client monitored computers per management server: 2,500
    - Management servers per agent for multihoming: 4
    - Agentless-managed computers per management server: 10
    - Agentless-managed computers per management group: 60
    - Agent-managed and UNIX or Linux computers per management group: 6,000 (with 50 open consoles); 15,000 (with 25 open consoles)
    - UNIX or Linux computers per dedicated management server: 500
    - UNIX or Linux computers monitored per dedicated gateway server: 100
    - Network devices managed by a resource pool with three or more management servers: 1,000
    - Network devices managed by two resource pools: 2,000
    - Agents for Application Performance Monitoring (APM): 700
    - Applications for Application Performance Monitoring (APM): 400
    - URLs monitored per dedicated management server: 3,000
    - URLs monitored per dedicated management group: 12,000
    - URLs monitored per agent: 50
    Refer to the link below for the details on managing these: https://technet.microsoft.com/en-us/library/dn249696.aspx?f=255&MSPPError=-2147217396
    Gautam.75801

  • Pull DP error for cross untrusted domain

    I have put the pull DP into an untrusted domain and opened bidirectional ports in both firewalls. Clients are not communicating with the primary SCCM server.

    I am trying to install the SCCM agent manually in the untrusted forest and am getting the following error:
    Failed to get assigned site from AD.Error 0x800004005
    getADinstallparams failed with 080004005
    no valid source or MP locations could be identified to download content from ccmsetup.exe cannot continue
