Connection handshake failed. An OS call failed (was: Database Mirroring)

  • Question

  •  

    Hi,

    I am trying to set up database mirroring and running into the following error. I am using MSSSMS to set it up.

    Database Mirroring login attempt failed with error: 'Connection handshake failed. An OS call failed: (c0000413) 0xc0000413(error not found). State 67.'.

    Error: 1443, Severity: 16, State: 2.

    My servers are EE with 9.0.3257 build, both 64 bit, but two different domains. I have any to any access between these two servers, including a witness. I am using a domain account which is local admin as well as 'sa' within SQL Server.

    Any help will be greatly appreciated.

    Thanks.

    Rizwan

    Wednesday, December 10, 2008 8:23 PM

Answers

  • Your problem is due to the differing domains, but I'm unclear whether you are using the same single service account for all the partners, or a different service account in each partner. Therefore I'm unclear whether you're saying that all your service accounts have permissions to actually log in to the remote machines (which is what they need), or whether each service account is just local admin / sysadmin on the server it runs on.

    Have you created logins and granted the CONNECT permission explicitly to the accounts used on the endpoints as shown in these examples:

    http://msdn.microsoft.com/en-us/library/ms178029(SQL.90).aspx

    http://msdn.microsoft.com/en-us/library/ms179306(SQL.90).aspx

    • Marked as answer by RizwanD Monday, December 15, 2008 5:15 PM
    Thursday, December 11, 2008 2:47 PM
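The steps Graham's answer refers to, written out as an added T-SQL example (not code from the thread or from the linked MSDN pages). The identity that performs the endpoint handshake is the SQL Server service account of the other instance, not the admin account running Management Studio, so the login and the grant are for that service account. Run it on each partner and on the witness, once per remote instance. Domain name, account name and the endpoint name `Mirroring` are placeholders.

```sql
-- Added example: explicit login plus CONNECT grant for a Windows-authenticated
-- mirroring endpoint. OTHERDOMAIN\sqlsvc_partner and the endpoint name
-- "Mirroring" are placeholders (assumption), not values from the thread.
USE master;
GO

-- 1. Find the endpoint the mirroring wizard created on this instance and
--    confirm it uses Windows authentication, the mode this grant applies to.
SELECT name, role_desc, state_desc, connection_auth_desc
FROM sys.database_mirroring_endpoints;
GO

-- 2. Create a login for the remote instance's service account. No server role
--    membership is needed; the login exists only to receive CONNECT.
--    If this statement cannot resolve the account, the local domain cannot
--    authenticate that principal and Windows authentication will not work for
--    the endpoint either; that is the cross-domain situation in the thread.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'OTHERDOMAIN\sqlsvc_partner')
    CREATE LOGIN [OTHERDOMAIN\sqlsvc_partner] FROM WINDOWS;
GO

-- 3. CONNECT on the endpoint is the only permission the handshake requires.
GRANT CONNECT ON ENDPOINT::Mirroring TO [OTHERDOMAIN\sqlsvc_partner];
GO
```

If every instance runs under the same domain service account, one login and one grant per instance is enough; with a different account per instance, each partner needs a login for each of the other instances' accounts.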

All replies

  • RizwanD wrote:

    Database Mirroring login attempt failed with error: 'Connection handshake failed. An OS call failed: (c0000413) 0xc0000413(error not found). State 67.'.

    Status c0000413 is STATUS_AUTHENTICATION_FIREWALL_FAILED

    Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.

    And, as is always the case with Windows authentication errors, the Kerberos Troubleshooting guide explains the cause and the resolution:

    0xC - KDC_ERR_POLICY: KDC policy rejects request
    Associated internal Windows error codes
    ...
    •    STATUS_AUTHENTICATION_FIREWALL_FAILED
    ...

    Possible Causes and Resolutions
    •    KDC_ERR_POLICY is usually the result of logon restrictions in place on a user's account. This error is usually accompanied by an error packet which might contain additional information that can be viewed with a Network Monitor capture.
    Resolution
    Use Active Directory Users and Computers to verify whether restrictions in place on this account might prevent this user from logging on. To use Active Directory Users and Computers:
    1.    Click Start, click Run, and then type: dsa.msc
    2.    Locate the user that is having logon problems, right-click the user's account, and then click Properties.
    3.    Verify settings on the Account tab for valid logon hours and computers to which this user is allowed to log on.
    •    Constrained delegation is being attempted across multiple domains.
    Resolution
    No resolution. Windows Server 2003 does not support constrained delegation across multiple domains.
    •    The server receives a ticket in which the client's realm does not match the local realm.
    Resolution
    Confirm the error with a Network Monitor capture. The only way to eliminate this error is to ensure that the server and client are in the same realm (domain).

    To connect computers in unrelated domains you must use certificate based authentication. I have explained how certificate based authentication works on my blog at http://rusanu.com/2008/10/23/how-does-certificate-based-authentication-work/

    MSDN also covers this in quite some detail: http://msdn.microsoft.com/en-us/library/ms186384(SQL.90).aspx and http://msdn.microsoft.com/en-us/library/ms187671(SQL.90).aspx

    Thursday, December 11, 2008 8:57 PM
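The certificate-based endpoint authentication Remus points to, as an added T-SQL example (not his code, nor the thread's). Each instance creates its own certificate, builds its mirroring endpoint on that certificate, and exports only the public part; the partner imports that public certificate under a login that exists purely to carry the CONNECT permission. No domain trust or Active Directory account is involved in the handshake, which is why the same procedure is used for instances in unrelated domains or in no domain at all. The script shows HostA's side; HostB runs the same steps with the names swapped. Host names, endpoint name, port, passwords and file paths are placeholders.

```sql
-- Added example: certificate-authenticated mirroring endpoint, HostA side.
-- HostA/HostB, Mirroring_Cert, port 7024, the passwords and the C:\certs
-- paths are placeholders (assumption), not values from the thread.
USE master;
GO

-- 1. A database master key in master is required before the instance can
--    own a certificate with a private key. Replace the placeholder password.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO

-- 2. A self-signed certificate that identifies *this* endpoint. The private
--    key stays inside master and is never exported. The default lifetime is
--    one year, so set an explicit expiry that matches your rotation plan.
CREATE CERTIFICATE HostA_cert
    WITH SUBJECT = 'HostA database mirroring endpoint',
         EXPIRY_DATE = '2030-12-31';
GO

-- 3. The endpoint authenticates with that certificate rather than a Windows
--    identity, so the KDC/authentication-firewall path from the thread is
--    not exercised. ENCRYPTION = REQUIRED keeps the log stream encrypted.
CREATE ENDPOINT Mirroring_Cert
    STATE = STARTED
    AS TCP (LISTENER_PORT = 7024, LISTENER_IP = ALL)
    FOR DATABASE_MIRRORING (
        AUTHENTICATION = CERTIFICATE HostA_cert,
        ENCRYPTION = REQUIRED ALGORITHM AES,
        ROLE = ALL);
GO

-- 4. Export the public certificate only. This .cer file is what travels to
--    HostB; it contains no private key, so it is safe to copy over the network.
BACKUP CERTIFICATE HostA_cert TO FILE = 'C:\certs\HostA_cert.cer';
GO

-- 5. Inbound side: once HostB has done steps 1-4 and sent HostB_cert.cer,
--    create a login whose only purpose is to own HostB's public certificate,
--    import the certificate under a user of that login, and grant CONNECT.
--    The login's password is never used to connect; the certificate is what
--    authenticates the partner.
CREATE LOGIN HostB_login WITH PASSWORD = '<another-strong-password-placeholder>';
CREATE USER HostB_user FOR LOGIN HostB_login;
CREATE CERTIFICATE HostB_cert
    AUTHORIZATION HostB_user
    FROM FILE = 'C:\certs\HostB_cert.cer';
GRANT CONNECT ON ENDPOINT::Mirroring_Cert TO HostB_login;
GO

-- 6. Confirm the endpoint is started and really uses certificate auth.
SELECT name, state_desc, connection_auth_desc, encryption_algorithm_desc
FROM sys.database_mirroring_endpoints;
GO
```

The witness, if there is one, goes through the same exchange with both partners. Because the endpoint trusts a specific imported certificate, only an instance holding the matching private key can complete the handshake; that is the property that replaces the domain trust.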
  • Thanks Graham for your reply. I guess I was trying to be short in my description. Anyway, I have it working now. To answer your questions:
    I am using different domain accounts for the SQL Service but these accounts do have access to all partners.
    I am using a single domain account to set up database mirroring. This account is local admin on each partner as well as 'sa' with SQL Server. In addition to what you suggested, I granted CONNECT on ENDPOINT to [NT AUTHORITY\ANONYMOUS LOGON] to make this work.

    I will read comments posted by Remus for better understanding and see if there is a workaround other than using SQL certificate.

    Thank you again.

    Rizwan

    Monday, December 15, 2008 5:15 PM
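Granting CONNECT on the endpoint to [NT AUTHORITY\ANONYMOUS LOGON], as Rizwan did, makes mirroring work because the partner that fails cross-domain authentication falls through to an anonymous connection, and the endpoint then accepts it. The cost is that the endpoint no longer verifies who is connecting: anything that can reach the port can complete the handshake as anonymous. The added T-SQL below (not code from the thread) is an audit query that lists every CONNECT grant on the mirroring endpoints and flags grantees that are not a specific identity, followed by the remediation: revoke the anonymous grant and grant CONNECT to the partner's real identity. Endpoint and account names are placeholders.

```sql
-- Added example: audit CONNECT grants on database mirroring endpoints and
-- replace a non-specific grant with a grant to a named partner identity.
-- "Mirroring" and PARTNERDOMAIN\sqlsvc_partner are placeholders (assumption).
USE master;
GO

-- 1. Who can connect to each mirroring endpoint on this instance, and is the
--    grantee a specific principal or a catch-all group?
SELECT ep.name              AS endpoint_name,
       ep.connection_auth_desc,
       sp.name              AS grantee,
       sp.type_desc         AS grantee_type,
       perm.state_desc,
       CASE
           WHEN sp.name IN (N'NT AUTHORITY\ANONYMOUS LOGON',
                            N'NT AUTHORITY\Authenticated Users',
                            N'Everyone',
                            N'public')
               THEN 'REVIEW: non-specific grantee'
           ELSE 'ok'
       END                  AS finding
FROM sys.server_permissions AS perm
JOIN sys.database_mirroring_endpoints AS ep
     ON ep.endpoint_id = perm.major_id
JOIN sys.server_principals AS sp
     ON sp.principal_id = perm.grantee_principal_id
WHERE perm.class_desc = 'ENDPOINT'
  AND perm.permission_name = 'CONNECT'
  AND perm.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION');
GO

-- 2. Remediation. Only run this after the partner can authenticate with a real
--    identity (a service-account login the local domain can resolve, or a
--    certificate-mapped login); otherwise the session drops at the next
--    reconnect. Repeat on every partner and the witness.
REVOKE CONNECT ON ENDPOINT::Mirroring FROM [NT AUTHORITY\ANONYMOUS LOGON];
GRANT  CONNECT ON ENDPOINT::Mirroring TO   [PARTNERDOMAIN\sqlsvc_partner];
GO
```

Re-running the first query after the remediation should show only named service-account or certificate-mapped logins against each mirroring endpoint. Keeping the anonymous grant in place is reasonable as a temporary diagnostic step to prove the rest of the configuration works, but it should not be left as the permanent fix.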
  • Thanks for your reply. I have it working. I will read the links you have forwarded to understand how it all works. In the meantime, I have it working.

    Thank you again.

    Rizwan

    Monday, December 15, 2008 5:17 PM
  • I am receiving the same error but I cannot create the users and grant permission like mentioned in the above links because I have two servers WITHOUT a domain.

    Is it possible to overcome this problem if you don't have a domain?

    Friday, April 9, 2010 12:30 PM