[HP SIM] Systems Insight Manager stopped working, sqlserver error code 0x8009030

tedwhy

　　2015-04-20 update, find another case for SQL server authentication.



SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.  [CLIENT: xx.xx.xx.xx].
　　This case find out is SQL server agent using its own instance name to do authentication, by defaut when receiving NTLM request windows will verify OS name and access name, if they are different, the handshake will fail. The behavior is to avoid some sort of network attack, to disable it we just need to tell LSA service to ignore name loop back check.
　　https://support.microsoft.com/en-us/kb/896861



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Value: DisableLoopbackCheck
Data type: DWORD
Data: 1
　　
　　What is HP SIM first? A: SIM in the artical means Systems Insight Manager, from Hewlett-Packard, for central management of HP servers.
　　One of function for SIM is monitoring, SIM will auto-discover HP servers in your network, when server go down or encounter hardware issue, SIM will notify ITers.

　　Yes, it doesn't work suddently, SIM service still running with some errors in eventlog,



com.hp.mx.database.DbVerificationException: Error loading database verification handler 'com.hp.mx.database.MsSqlVerificationHandler'
com.hp.mx.database.DbVerificationException: Error accessing database


SSPI handshake failed with error code 0x80090302, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.  [CLIENT: xxxxxxx].
　　Screenshot attached,


　　MSSqlserver is succeed to be connected via studio and ODBC, checked netstat 1433 port is alive. Anyhow SIM just can't make it right, finally found the KB,
　　http://h20564.www2.hp.com/hpsc/doc/public/display?docId=mmr_kc-0114705
　　According to the knowledge base, we nearly can guess SIM using non-NTLMv2 potocols for Windows authentication, the problem can be resolved by adding "useNTLMv2=true" into the SQL connection string.
　　Question is why the problem just pop-up? Nobody rarely touch a server like SIM, so launch rsop.msc to check policies related to NTLM.

　　The default values from "explain",



Windows 2000 and windows XP: send LM & NTLM responses
Windows Server 2003: Send NTLM response only
Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only
　　Generally speaking, Windows servers will negoiate with each other, make decision for potocol, then start exchanging data, but this time the policy changed to "Refuse LM & NTLM", therefore server refused authentication from SIM service.