5722 error. The session setup from the computer .... failed to authenticate

    Question

  • Hi,

    We receive 5722 error for some computers: The session setup from the computer PC60 failed to authenticate. The name(s) of the account(s) referenced in the security database is PC60$. The following error occurred: Access is denied.

    I found this link:
    http://support.microsoft.com/kb/810977

    I guess some computers there are turned off for longer than 30 days, and after they are turned on the password between the machine account and the DC has expired.

    One solution is to reset the machine account through AD. But in some cases we will have to rejoin the PC to the domain, and this is not the way to go.
    Another solution, as I read in the link above, is to change the date of the computer account to the current one with nltest so that the PC and DC can communicate.

    Could this help if I follow the link?
    How could I prevent this from happening in the future? Could I extend password expiration to 1 year?

    Single domain, 2 DCs on Windows 2008 R2, no replication errors. Most computers are Windows XP.

    Thank you,
    N


    Friday, March 23, 2012 8:05 AM

Answers

  • You can take a look at below article which explains why this occurs and fix for this behaviour.

    http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by Bruce-Liu Wednesday, March 28, 2012 9:44 AM
    Friday, March 23, 2012 9:51 AM
  • From the log it is clear that the secure channel between the DC and client is broken. Log on locally with an admin login, remove the workstation/member server from the domain and re-add it to the domain, or else try using the netdom utility to reset the secure channel between the client and the domain controller. http://support.microsoft.com/kb/260575

    Also ensure correct DNS settings on clients/member servers:
    1. Each workstation/member server should point to the local DNS server as primary DNS and other remote DNS servers as secondary.
    2. Do not set a public DNS server in the TCP/IP settings of the workstation.

    The client machine is the one that initiates the password change. The domain controller never initiates a password change. The default for computers joined to an AD domain is every 30 days. If the machine is disconnected from the domain, nothing happens to the computer account in AD. The computer just requests a password change the next time it authenticates to the domain. For more on the password age you can refer to the links below.

    Password age for machine accounts does not expire.
    http://blogs.msdn.com/b/john_daskalakis/archive/2010/02/01/9956266.aspx

    Machine Account Password Process
    http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

    Hope this helps



    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by Bruce-Liu Wednesday, March 28, 2012 9:44 AM
    Friday, March 23, 2012 11:43 PM
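The in-place repair the answer above describes (reset the secure channel instead of unjoining and rejoining), as an added PowerShell example that is not part of the thread. It assumes Windows 7 / Server 2008 R2 or later on the member, where `Test-ComputerSecureChannel` exists; on the Windows XP clients in the question the equivalent is `netdom reset` or `nltest /sc_reset`. `$DomainName` and the credential prompt are assumptions.

```powershell
# Added example: verify and, if needed, repair a member's secure channel from the member itself.
# Assumes Windows 7 / Server 2008 R2 or later (Test-ComputerSecureChannel is not on Windows XP;
# use "netdom reset <computer> /domain:<domain>" or "nltest /sc_reset:<domain>" there).
param(
    [string]$DomainName = $env:USERDNSDOMAIN   # assumption: the member's own domain
)

# 1. Show the DNS servers each IP-enabled NIC uses. Per the thread, a public DNS server here
#    prevents the member from locating a DC and is a common cause of a "broken" secure channel.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $nics) {
    Write-Host ("{0}: DNS servers = {1}" -f $nic.Description, ($nic.DNSServerSearchOrder -join ', '))
}

# 2. Test the secure channel. $false means NETLOGON cannot authenticate this computer account,
#    which is what the DC records as event 5722.
$healthy = Test-ComputerSecureChannel -Verbose
if ($healthy) {
    Write-Host "Secure channel to $DomainName is intact; nothing to do."
    return
}

# 3. Repair in place. This resets the machine account password on both the member and the DC,
#    so no unjoin/rejoin is required. The credential must be allowed to reset this computer's
#    password in AD (a domain admin, or an account delegated that right on the computer object).
$cred = Get-Credential
if (Test-ComputerSecureChannel -Repair -Credential $cred) {
    Write-Host "Secure channel to $DomainName repaired; no rejoin needed."
} else {
    Write-Warning "Repair failed. Check DNS, DC reachability and time skew, then fall back to: netdom reset $env:COMPUTERNAME /domain:$DomainName"
}
```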

All replies

  • The secure channel password is stored with the computer account on the domain controllers. The computer account password changes every 30 days. If the LSA (Local Security Authority) and computer account password are not synchronised, then Netlogon will generate this error code 5722.

    In this case, as you mentioned, you can go ahead and unjoin and rejoin the machine which is having the problem.

    Another method is to use nltest - http://support.microsoft.com/kb/810977

    I don't think it has anything to do with password expiration of a user account here.

    This mainly occurs when the secure channel between the workstation and the domain controllers breaks.

    Read this,

    http://support.microsoft.com/kb/810977

    About LSA.

    http://www.outpostfirewall.com/forum/showthread.php?2306-What-is-lsass-exe-LSA-Shell-LSASS-Local-Security-Authority-System-Service

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 23, 2012 8:16 AM
  • Hello,

    "I guess some computers there turn off for longer than 30 days and after it turned on password between machine account and dc has expired"

    No, this is not the way it works; by default the machine can be unused for whatever time, and during the next boot into the domain the machine password will be reset and you are done. Translated, this article will explain in detail about the machine account password: http://blogs.technet.com/b/deds/archive/2009/01/23/wann-laeuft-ein-maschinenaccount-computerkonto-ab-gar-nicht.aspx, you can use http://www.online-translator.com/Default.aspx/Site for the translation from German to English.

    Are the machines created from an image that is NOT prepared with sysprep?

    This is often the reason for the problems you see. Also DNS settings can be a problem, so make sure to use ONLY the domain DNS servers on the NIC.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, March 23, 2012 8:21 AM
  • The secure channel is not broken like this; a machine can be disconnected from the network for any number of days, considering there is no attempt at adding the same hostname and there is no conflict in DNS with the same hostname or IP. You can extend the password for a year, but again it is not going to be good practice from the security perspective. Take a look at the link below to know more.

    http://awinish.wordpress.com/2010/12/24/when-secure-channel-is-broken/

    Take a look at the hotfix below.

    http://support.microsoft.com/kb/979495

    Take a look at the session below on how the secure channel is broken, from Dean Wells (AD expert, ex-MVP and now working at MS).

    http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/SIM406


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 23, 2012 9:13 AM
  • I checked the time for one PC:

    NETLOGON error logged on 2012.03.23
    pwdLastSet on 2012.03.16

    So I guess the problem is that the computer's account password may not match the password that is on the domain controller.

    Is there any way to fix this apart from rejoining to the domain?

    Friday, March 23, 2012 9:16 AM
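The manual comparison above (5722 event date on the DC versus pwdLastSet on the computer object), done for every affected computer at once, as an added PowerShell example that is not part of the thread. It assumes it is run on a Windows Server 2008 R2 DC with the ActiveDirectory module installed; `$Days` and the regex over the event text are assumptions.

```powershell
# Added example: on a DC, pair recent NETLOGON 5722 events with each computer account's
# pwdLastSet so stale passwords can be told apart from duplicate-name/image or DNS problems.
# Assumes the ActiveDirectory module (RSAT) is present; $Days is an arbitrary lookback window.
param([int]$Days = 7)

Import-Module ActiveDirectory

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5722; StartTime = $since } -ErrorAction SilentlyContinue

# The 5722 text names the member: "The session setup from the computer PC60 failed to authenticate."
$pattern = 'session setup from the computer (\S+) failed'
$byHost  = @{}
foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        $name = $Matches[1]
        if (-not $byHost.ContainsKey($name) -or $byHost[$name] -lt $e.TimeCreated) {
            $byHost[$name] = $e.TimeCreated      # keep the latest failure per computer
        }
    }
}

foreach ($name in ($byHost.Keys | Sort-Object)) {
    $lastFail = $byHost[$name]
    # Filter on Name rather than -Identity so a bare hostname (no trailing $) is enough.
    $c = Get-ADComputer -Filter "Name -eq '$name'" -Properties PasswordLastSet, LastLogonDate -ErrorAction SilentlyContinue
    if (-not $c) {
        $note = 'no such computer account in AD'
    } elseif ($c.PasswordLastSet -lt $lastFail.AddDays(-30)) {
        $note = 'pwdLastSet older than the 30-day default; a reset (nltest/netdom) is the likely fix'
    } else {
        # As in the thread (pwdLastSet 7 days before the error): the password is recent,
        # so suspect a duplicate hostname, an unsysprepped image, or DNS before resetting.
        $note = 'pwdLastSet is recent; check for duplicate name / image / DNS issues'
    }
    New-Object PSObject -Property @{
        Computer        = $name
        LastFailure     = $lastFail
        PasswordLastSet = $(if ($c) { $c.PasswordLastSet } else { $null })   # pwdLastSet as a DateTime
        LastLogonDate   = $(if ($c) { $c.LastLogonDate }   else { $null })
        Note            = $note
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv` to review it; run it on each DC, since 5722 is logged only on the DC that received the failed session setup.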