Are your spn's good everywhere? I'd have yoru AD people involved as well as it sure smells like a kerbose issue
Subject: [msmom] One Mgt. Svr. showing Event Id 18456 on OpsMgr DB server. Date: Tue, 3 Sep 2013 15:48:07 -0400 From: [email protected] To: [email protected] Hello, We have eight SCOM 2012 SP1 management servers, all virtual, all located in the same data center. One of those is the RMSe. Recently one of the management servers, we’ll call it “007”, has started showing a flood of Event Id 2115. I stopped the health service, renamed the Health Service State folder, restarted the health service then watched as the OpsMgr event log eventually started showing Event Id 2115 again. I believe this event id is a direct result of the following: While the health service was restarting, I switched over to the OpsMgr DB server and watched the Application event log. It began showing Event Id 18456: " Log Name: Application Source: MSSQLSERVER Date: 9/3/2013 1:33:27 PM Event ID: 18456 Task Category: Logon Level: Information Keywords: Classic,Audit Failure User: Domain\<mgt svr>007$ Computer: <opsmgr db server>001.domain.com Description: Login failed for user 'Domain\<mgt svr>007$'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors. [CLIENT: some ip address] Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event";> <System> <Provider Name="MSSQLSERVER" /> <EventID Qualifiers="49152">18456</EventID> <Level>0</Level> <Task>4</Task> <Keywords>0x90000000000000</Keywords> <TimeCreated SystemTime="2013-09-03T18:33:27.000000000Z" /> <EventRecordID>37127</EventRecordID> <Channel>Application</Channel> <Computer><opsmgr db server>001.domain.com</Computer> <Security UserID="S-1-5-21-2953958680-949419512-4227892181-137369" /> </System> <EventData> <Data>DOMAIN\<mgt svr>007$</Data> <Data> Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.</Data> <Data> [CLIENT: 172.30.70.246]</Data> <Binary>184800000E000000100000005600410055005300530043004F004D004F005000440042003000300031000000070000006D00610073007400650072000000</Binary> </EventData> </Event> I thought maybe an spn registration had deregistered, but those were still intact. Again, the other 7 management servers are running fine. Some of them are also members of the same Resource Pools as the problematic mgt. server. Any ideas on what I can do to resolve this? Thanks, Sven Sven Wells SYSTEMS ADMINISTRATION SPECIALIST TECHNOLOGY AND LABORATORY SVCS Wilmington NC HQ PPD Phone +1 910 558 6870 [email protected] www.ppdi.com This email transmission and any documents, files or previous email messages attached to it may contain information that is confidential or legally privileged. If you are not the intended recipient or a person responsible for delivering this transmission to the intended recipient, you are hereby notified that you must not read this transmission and that any disclosure, copying, printing, distribution or use of this transmission is strictly prohibited. If you have received this transmission in error, please immediately notify the sender by telephone or return email and delete the original transmission and its attachments without reading or saving in any manner.
