Attempts to protect or pair with a Rapid Recovery Agent fail.
In the user interface, the following error is shown:
Service Host Error: Service error while handling request [POST https://localhost:8006/apprecovery/api/core/agents/validateAgentProtectionAbility]: Failed to connect to remote machine using provided credentials. This can be caused by one of the following:
- Destination host name is incorrect or host is offline.
- Destination host is behind firewall or similar protection software that prevents connection.
- If you are trying to connect to Windows machine:
  - WMI service is not started or blocked by firewall.
- If you are trying to connect to Linux machine:
  - SSH service is not started or blocked by firewall.
  - Provided SSH port is incorrect.
In the Core logs (C:\ProgramData\AppRecovery\Logs\AppRecovery.log), a related internal error appears:
ERROR - Replay.Agent.Client.AgentPairManagementAgentClient () Error while deserialize ServerError object. GET https://[AgentName]:8006/apprecovery/api/agent/pair/connect/?useNtlmOnly=True failed with HTTP status code InternalServerError:
This indicates the Core attempted to connect to the agent using NTLM authentication, but the connection was blocked or failed on the agent side.
Typical symptoms:
- Unable to protect or pair a Rapid Recovery Agent from the Core
- UI displays: Failed to connect to remote machine using provided credentials
- Core logs show: useNtlmOnly=True and InternalServerError
- Remote WMI tests (wbemtest or Get-WmiObject) return Access Denied
- Local WMI tests on the agent using \\localhost\root\cimv2 may succeed
- The protected machine is often a Domain Controller or hardened Windows Server
- Windows Event Viewer may show WMI/DCOM errors (e.g., Event ID 10028 or 10036)
The failure is typically caused by security policy configurations on the agent and/or the Core server:
This step involves checking two related policies. Start by checking the incoming policy on the agent machine. If the issue persists, check the outgoing policy on the Core server.
On the agent machine (incoming policy):
- Open the Local Security Policy editor (secpol.msc) or, for domain settings, the Group Policy Management Console (gpmc.msc).
- Navigate to Local Policies > Security Options.
- Locate the policy Network security: Restrict NTLM: Incoming NTLM traffic.
- If it is set to Deny all accounts, change it to Audit incoming NTLM traffic or Not Defined.
On the Core server (outgoing policy):
- Locate the policy Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.
- If it is set to Deny all, change it to Audit outgoing NTLM traffic or Not Defined.
Note: Allow all is not recommended as it enables a less secure protocol without any visibility. The Audit setting is the best practice, as it allows functionality while logging the legacy traffic for future remediation.

- Open the policy editor (secpol.msc or gpmc.msc).
- Navigate to Local Policies > User Rights Assignment.
- Review the policy Deny access to this computer from the network.
- Run gpupdate /force to apply the changes immediately.
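The two Restrict NTLM policies and the user right named above can also be read from PowerShell, which is convenient on a Domain Controller where the effective value comes from Group Policy. This is an added example, not Quest's own tooling; it assumes an elevated session and relies on the standard registry values (RestrictReceivingNTLMTraffic, RestrictSendingNTLMTraffic) and the SeDenyNetworkLogonRight user right that back these settings. It only reads the configuration and changes nothing.

```powershell
# Added example: read-only check of the policies discussed in this article.
# Run elevated on the agent (incoming policy) and on the Core (outgoing policy).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Registry values behind the "Network security: Restrict NTLM" policies.
$policies = @(
    @{ Name   = 'RestrictReceivingNTLMTraffic'
       Label  = 'Incoming NTLM traffic'
       Values = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' } },
    @{ Name   = 'RestrictSendingNTLMTraffic'
       Label  = 'Outgoing NTLM traffic to remote servers'
       Values = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } }
)

foreach ($p in $policies) {
    $item = Get-ItemProperty -Path $lsaKey -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # A missing value means the policy is Not Defined.
        $state = 'Not Defined'
    } else {
        $raw   = [int]$item.($p.Name)
        $state = $p.Values[$raw]
        if (-not $state) { $state = "Unknown ($raw)" }
    }
    [pscustomobject]@{
        Policy     = $p.Label
        Setting    = $state
        BlocksNtlm = ($state -like 'Deny*')   # any Deny setting can break pairing
    }
}

# "Deny access to this computer from the network" = SeDenyNetworkLogonRight.
# secedit exports the effective user rights to a temporary INF file.
$cfg = Join-Path $env:TEMP 'rr-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$deny = Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight\s*=\s*(.*)$'
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($deny) {
    # Entries are account names or SIDs (prefixed with *), comma separated.
    $deny.Matches[0].Groups[1].Value -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
} else {
    'SeDenyNetworkLogonRight: no entries'
}
```

A BlocksNtlm value of True on the agent for the incoming policy, or on the Core for the outgoing policy, matches the condition described above; compare the accounts or SIDs printed at the end with the credentials used for protection.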
For background, see KB 4033596 – NTLM and Pass-Through Authentication
Related WMI troubleshooting KB: KB 4033088 – Using wbemtest to Test DCOM and WMI Connections