When attempting to install the Hybrid agent, the installation fails with the following error:
"Account Validation failed with the error [A local error occurred.]". This happens even though proper credentials are supplied and the account is a domain member and is in the local administrators group on the server.
Local security policy has the following set:
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers - DENY ALL
The setup program validates service credentials using NTLM instead of Kerberos, so the validation request is blocked by this policy.
Warning events with ID 4001 are logged with the following description under the Event Viewer path "Application and Services Logs>Microsoft>Windows>NTLM>Operational":
If you want only the target server ldap/dc1.mydomain.com/domain.com@domain.com to accept NTLM authentication requests from this computer, set the security policy Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers to Deny all and then set the security policy Network Security: Restrict NTLM: Add remote server exceptions and list the target server ldap/dc1.mydomain.com/domain.com@domain.com as an exception to use NTLM authentication.
The defect has been identified with ID:
551143: [Hybrid Agent ] Setup program validates service credentials using NTLM instead of Kerberos.
This will be reviewed for a fix in a future version release without ETA.
WORKAROUND:
1. Add the DC mentioned in the 4001 event to the security policy:
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Note: Add the short name and FQDN (one entry per line).
2. Run the gpupdate /force command.
3. Run the agent setup; validation should now pass.
4. Remove the DC from the exception policy setting and run gpupdate /force again.
Note: This validation is a one-time occurrence so it will not interfere with agent updates.
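The following PowerShell is an added example, not Quest code. It lists the target servers named in recent 4001 events (the names to enter in step 1) and shows the current outgoing NTLM restriction and exception list, so that the exception can be confirmed as removed after step 4. It assumes the event text contains a "Target server:" field and that the policy values are stored under the Lsa\MSV1_0 registry key; the function names are hypothetical.

```powershell
# Added example (not from the original article). Run elevated on the agent server.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-NtlmOutgoingPolicy {
    # RestrictSendingNTLMTraffic: 0 = Allow all, 1 = Audit all, 2 = Deny all
    # ClientAllowedNTLMServers:   the "Add remote server exceptions" list
    $p = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictSendingNTLMTraffic = $p.RestrictSendingNTLMTraffic
        ServerExceptions           = @($p.ClientAllowedNTLMServers | Where-Object { $_ })
    }
}

function Get-BlockedNtlmTarget {
    param([int]$Hours = 24)   # how far back to search the log

    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 4001
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the message carries "Target server: <SPN>",
            # e.g. ldap/dc1.mydomain.com/domain.com@domain.com
            if ($_.Message -match 'Target server:\s*(\S+)') {
                $spn   = $Matches[1]
                $parts = $spn -split '/'
                # The host is the second SPN component; fall back to the raw value
                $fqdn  = if ($parts.Count -gt 1) { $parts[1] } else { $spn }
                [pscustomobject]@{
                    TargetSpn = $spn
                    Fqdn      = $fqdn
                    ShortName = ($fqdn -split '\.')[0]
                }
            }
        } |
        Sort-Object Fqdn -Unique
}

# Before step 1: which DC did setup try to reach over NTLM?
Get-BlockedNtlmTarget -Hours 24 | Format-Table -AutoSize

# After steps 2 and 4: confirm the exception list is as expected
Get-NtlmOutgoingPolicy | Format-List
```

After step 4, ServerExceptions should no longer contain the DC, and RestrictSendingNTLMTraffic should still read 2 (Deny all).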