GW - Error 7000: The Health Service could not log on the RunAs account

  • Question

  • Problem: 

    I have an action account for my domain-joined servers. The same account is also used as a SQL MP account. For my GW server (and the other servers in the DMZ which connect to the GW server) I get error messages in the event logs that the account failed to log in.

    • 7000: The Health Service could not log on the RunAs account <domain\action account> for management group <group>.  The error is The user name or password is incorrect.(1326L).  This will prevent the health service from monitoring or performing actions using this RunAs account
    • 7015: The Health Service cannot verify the future validity of the RunAs account <domain\action account> for management group <group>.  The error is The user name or password is incorrect.(1326L).
    • 7021: The Health Service was unable to validate any user accounts in management group <group>.

    Setup:

    • During my GW installation, I picked the 'Local System' option, not the 'Domain or Local Computer Account' option, during the 'Gateway Action account' step in the wizard.
    • Also, under Run as configuration->Profiles->Default action account, the GW and DMZServer use 'Local System Action'.

    The warning displayed in the Operations Manager console is:

    "The Health Service could not log on the RunAs account <'domain\action account'> for management group <group>.  The error is The user name or password is incorrect.(1326L).  This will prevent the health service from monitoring or performing actions using this RunAs account"

    From the GW & connected servers I can also see these event IDs:

    • 7023: "The Health Service has downloaded secure configuration for management group <group> successfully."
    • 7025: "The Health Service has authorized all configured RunAs accounts to execute for management group <group>."
    • 7028: All RunAs accounts for management group <group> have the correct logon type.

    Also, the Run as account used for the SQL MPs seems like the logical place to begin, but:

    • I have a group (LAN Group) that excludes DMZ IP addresses.
    • For each 'Profile' under Administration->Run As Configuration, where the 'SQL MP account' is used, I have selected the LAN Group as a target.

    For example, the 'Microsoft SQL Server 2014 Discovery Run As Profile' profile uses the 'SQL MP account'. If I edit this account there is an option to select a class, group or object. I have selected the 'LAN Group' option - which excludes the DMZ servers.


    Monday, August 12, 2019 10:10 AM

Answers

  • So, yeah - I figured it out. The problem was the SQL MP account which had the 'Less Secure' radio button under the distribution tab in:

    Administration->Run as configuration->Accounts

    I thought this was not necessary since I managed how the credentials were used with the LAN Group for all its Profiles mentioned above. But after reading the description for 'Less secure' it is kind of obvious:

    'Less secure - I want the credentials to be distributed automatically to all managed computers'

    • Marked as answer by MrGiraff Tuesday, August 13, 2019 8:24 AM
    Tuesday, August 13, 2019 8:24 AM
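
The check the accepted answer points to can be run for every Run As account at once. The following is an added example, not part of the original thread: it lists which accounts use the 'Less secure' distribution option, using the `Get-SCOMRunAsAccount` and `Get-SCOMRunAsDistribution` cmdlets from the OperationsManager module. The `Security` and `SecureDistribution` property names on the distribution object are assumptions to confirm with `Get-Member` in your environment.

```powershell
# Added example: audit Run As account distribution on a SCOM management server.
# Run in a session where the OperationsManager module is available and
# connected to the management group.
Import-Module OperationsManager

$report = foreach ($account in Get-SCOMRunAsAccount) {
    # One distribution object per account: the policy plus approved targets.
    $dist = $account | Get-SCOMRunAsDistribution

    # Assumption: .Security holds 'LessSecure' or 'MoreSecure' and
    # .SecureDistribution holds the approved computers / pools.
    # Verify with:  $dist | Get-Member
    [pscustomobject]@{
        Account         = $account.Name
        Security        = [string]$dist.Security
        ApprovedTargets = @($dist.SecureDistribution).Count
    }
}

# Accounts whose credentials are pushed to every managed computer,
# including gateway-connected DMZ agents that cannot validate them.
$lessSecure = $report | Where-Object { $_.Security -eq 'LessSecure' }

if ($lessSecure) {
    Write-Warning ("{0} Run As account(s) use Less Secure distribution" -f @($lessSecure).Count)
    $lessSecure | Sort-Object Account | Format-Table -AutoSize
} else {
    Write-Output 'No Run As accounts use Less Secure distribution.'
}

# More Secure accounts with no approved targets are distributed nowhere,
# so profiles that reference them will not work either.
$report |
    Where-Object { $_.Security -eq 'MoreSecure' -and $_.ApprovedTargets -eq 0 } |
    Sort-Object Account |
    Format-Table -AutoSize
```

Accounts flagged here can be switched in the console on the Distribution tab, or with `Set-SCOMRunAsDistribution -MoreSecure -SecureDistribution <targets>`, so that domain credentials are delivered only to the computers that can validate them.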