none
Accounts could not be validated error during installing SCOM 2019 RRS feed

  • Question

  • Hi Team,

    While installing SCOM 2019 I m getting the error as " one or more accounts provided could not be validated. Please provide valid user name and passwords". 

    Created the secuirty Group for SCOM and added the service accounts under this group. Added this group as local admin on the SCOM Management Server where I'm trying to install.

    Please suggest on what could be the issue

    Regards

    SK

    Tuesday, January 28, 2020 9:27 AM

Answers

All replies

  • Hi,

    Make sure the time on the server is synchronized with the DCs, make sure the account you are using to install SCOM 2019 is local administrator as well, and also make sure you have local administrator on the server hosting the SQL Server.

    When you enter the accounts, make sure you enter as follows: "DOMAIN\Serviceaccount".

    For more clues check the OpsMgrSetupWizard.log under %LocalAppData%\SCOM\Logs.

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com LinkedIn:

    Tuesday, January 28, 2020 9:37 AM
  • HI SK,

    I had this exact same issue a couple of weeks ago and the cause was that the Kerberos encryption type RC4 has been disabled, using a GPO. This exact same behaviour is described here:

    SCOM Installer Failure with RC4 Protocol Disabled

    "The install failed at the account validation section with the UI stating that the run as accounts for all four SCOM accounts could not be validated. "

    So what you need to do is to ensure RC4 can be used as an encryption mechanism for Kerberos, by setting the following GPO on your SCOM Management Servers (described in the Blog):

    "Via GPO, this can be addressed by adding RC 4 to the following GPO setting:

    Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos"  If RC 4 is missing here and this setting is enabled, you will want to change it."

    Please check it and, I am really curious if this was the case here.

    You can also compare your Installation Logs with the lines, referenced in the log. 

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov



    Tuesday, January 28, 2020 10:36 AM
    Moderator
  • RC4 is enabled. AD and MS Servers are in sync. But still the issue
    Tuesday, January 28, 2020 1:05 PM
  • RC4 is enabled. AD and MS Servers are in sync. But still the issue

    Hi,

    That is a good start, thanks.

    Can you please provide the related information from the Logs, referenced by Leon. Let's see what we have there. Thanks and Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov


    Tuesday, January 28, 2020 1:07 PM
    Moderator
  • regarding Accounts, most of the time it says Failed to log in with accounts xyz.

    [07:22:56]: Info: :Info:AccountsInformationPage: In OnNextFinalValidationsDoWork to validate account access.

    [07:22:56]: Error: :Error:Failed to log in with account xyz(action Account)
    [07:22:56]: Error: :Error:Failed to log in with account abc(Das)

    Tuesday, January 28, 2020 1:21 PM
  • Please submit the whole OpsMgrSetupWizard.log, upload it to a Microsoft OneDrive or Google Drive and share the link here.

    Also make sure you have the firewall ports open:
    Configuring a Firewall for Operations Manager


    Blog: https://thesystemcenterblog.com LinkedIn:

    Tuesday, January 28, 2020 1:34 PM
  • Hi,

    agree with Leon, this outpuit is unfortunately not enough. There are certianly much more entries there, which somehow relate to the issue. Please post a bit more or upload the Logs as suggested by Leon.

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Tuesday, January 28, 2020 1:43 PM
    Moderator
  • Sure will do that. BTW just tried to give my personal credentials it worked.
    Tuesday, January 28, 2020 1:48 PM
  • The OpsMgrSetupWizard.log should give us clues to why this is happening, you can also check the differences between your account and the service accounts used.

    Here's a pretty good account permission matrix although it's for SCOM 2016:
    https://kevinholman.com/2019/03/08/scom-2016-security-account-matrix


    Blog: https://thesystemcenterblog.com LinkedIn:

    Tuesday, January 28, 2020 1:57 PM
  • Sure will do that. BTW just tried to give my personal credentials it worked.

    Hi,

    can you please check if the accounts are fine. It could be that those are locked out in Active Directory. Also if the Passwords contain blank spaces or some very odd charachters, this could be failing too.

    Make sure also that the Passwords you enter are valid. Copy/Paste can trick you sometimes. 

    Regards,



    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Tuesday, January 28, 2020 2:11 PM
    Moderator
  • Hi,

    Agree with Stoyan, is there any way we can test the account offline? For example, try to login with this account? If the account has been verified, it is suggest to reboot the server and restart the installation program to see if it works.

    Hope the above information helps.

    Regards,

    Alex Zhu
    -----------------------------------------------
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Wednesday, January 29, 2020 5:52 AM
  • I just tried and below are logs. Yes I tried to login with the server account, it says "password must be changed before logging on for the first time", which means the credentials are correct though I'm unable to login due to this message.

    [01:53:39]: Always: :Entering Page: AccountsInformationPage
    [01:55:47]: Info: :Info:AccountsInformationPage: In OnNextFinalValidationsDoWork to validate account access.
    [01:55:49]: Error: :Error:Failed to log in with account Domain\scom19aa
    [01:55:50]: Error: :Error:Failed to log in with account Domain\scom19das
    [01:55:51]: Debug: :MSSQLSERVER on server scomsql is in a running state
    [01:55:51]: Debug: :Connection was not open.  We will try to open it.
    [01:55:51]: Debug: :SqlConnectionReady returned True.
    [01:55:51]: Info: :Info:Using DB command timeout = 1800 seconds.
    [01:55:51]: Info: :No need to validate Data Reader and Data Writer are the same as the Management Group.
    [01:55:52]: Debug: :MSSQLSERVER on server scomsql is in a running state
    [01:55:52]: Debug: :Connection was not open.  We will try to open it.
    [01:55:52]: Debug: :SqlConnectionReady returned True.
    [01:55:52]: Info: :Info:Using DB command timeout = 1800 seconds.
    [01:55:52]: Info: :Info:AccountsInformationPage: Async account validation thread returned to UI thread.
    [01:56:23]: Info: :Info:AccountsInformationPage: In OnNextFinalValidationsDoWork to validate account access.
    [01:56:25]: Error: :Error:Failed to log in with account Domain\scom19aa
    [01:56:26]: Error: :Error:Failed to log in with account Domain\scom19das
    [01:56:27]: Debug: :MSSQLSERVER on server scomsql is in a running state
    [01:56:27]: Debug: :Connection was not open.  We will try to open it.
    [01:56:27]: Debug: :SqlConnectionReady returned True.
    [01:56:27]: Info: :Info:Using DB command timeout = 1800 seconds.
    [01:56:27]: Info: :No need to validate Data Reader and Data Writer are the same as the Management Group.
    [01:56:28]: Debug: :MSSQLSERVER on server scomsql is in a running state
    [01:56:28]: Debug: :Connection was not open.  We will try to open it.
    [01:56:28]: Debug: :SqlConnectionReady returned True.
    [01:56:28]: Info: :Info:Using DB command timeout = 1800 seconds.
    [01:56:28]: Info: :Info:AccountsInformationPage: Async account validation thread returned to UI thread.

    Wednesday, January 29, 2020 7:03 AM
  • Try removing the check mark for the "User must change the password at next logon" for the service accounts.


    Blog: https://thesystemcenterblog.com LinkedIn:

    Wednesday, January 29, 2020 7:15 AM
  • Do you say this is causing the issue?
    Wednesday, January 29, 2020 7:27 AM
  • This is definitely causing your issue.

    Blog: https://thesystemcenterblog.com LinkedIn:

    Wednesday, January 29, 2020 7:46 AM
  • Ok, will get this unchecked and keep you posted.
    Wednesday, January 29, 2020 7:56 AM
  • Ok, will get this unchecked and keep you posted.

    Hey,

    this aplies to to all service accounts, used in SCOM and also im general. Service Acconts must NOT have this option selected, otherwise some of the local service rights cannot be granted to them.

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Wednesday, January 29, 2020 9:49 AM
    Moderator
  • I ran a test in my lab, and you will receive the "One or more accounts provided could not be validated. Please provide valid user name and passwords" error if you have the "User must change the password at next logon" checked for the accounts, which are used for the following:

    • Management Service Action account
    • System Center Data Configuration Service and System Center Data Access service accounts


    Blog: https://thesystemcenterblog.com LinkedIn:

    Wednesday, January 29, 2020 10:13 AM
  • I have managed to change the passwords and now I'm able to proceed to with account section and installation page. 

    Thanks all for your support.

    Wednesday, January 29, 2020 1:07 PM
  • Hi,

    Thank you very much for the update and we're glad the problem is solved now. Your solid technical skills are really impressive.

    Hope others facing the same situation will benefit from this thread. Here's a short summary for the problem.

    Problem/Symptom:
    ===================
    Platform: System Center Operations Manager 2019
    Problem details:
    While installing SCOM 2019 I m getting the error as " one or more accounts provided could not be validated. Please provide valid user name and passwords". 

    Possible Cause:
    ===================
    With Operations Manager 2019, Log on as a Service feature is enabled by default. This change impacts all the service accounts and Run As accounts, they must have Log on as a Service permission.
    If "User must change password at next logon" is checked, it prevents the authentication during installation

    Solution/Answer:
    ===================
    Uncheck "User must change password at next logon" for the service account, try again and it works.

    Reference:
    ===================
    N/A

    If you have any questions in future, we warmly welcome you to post in this forum again.

    Have a nice day!

    Regards,

    Alex Zhu
    -----------------------------------------------
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
    Monday, February 3, 2020 3:15 AM