Task Client Machines Are Unable To Communicate With NS. Bindings On Ports 50121 and 50124 Fail.

Article:TECH166902  |  Created: 2011-08-10  |  Updated: 2012-08-26  |  Article URL http://www.symantec.com/docs/TECH166902
Article Type
Technical Solution


Environment

Issue



Task client machines are unable to communicate with Notification Sever (SMP). They are able to communicate to site servers. The atrshost.exe on the Notification Server also fails to bind on 50121 and 50124 but 50120, 50122, and 50123 bind correctly.


Error



NS logs:

"No connection could be made because the target machine actively refused it 127.0.0.1:50121"
"Credential check for "altadmin" failed: System.Net.WebException: The remote server returned an error: (401) Unauthorized."

Windows System Logs:

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 8/8/2011 12:12:50 PM

Event ID: 4625

Task Category: Logon

Level: Information

Keywords: Audit Failure

User: N/A

Computer: MSTSRMS057483.mst.net

Description:

An account failed to log on.

Subject:

Security ID: NULL SID

Account Name: -

Account Domain: -

Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: <NSACCTNAME>

Account Domain:

Failure Information:

Failure Reason: An Error occured during Logon.

Status: 0xc000006d

Sub Status: 0x0

Process Information:

Caller Process ID: 0x0

Caller Process Name: -

Network Information:

Workstation Name: <NSHOSTNAME>

Source Network Address: <NSHOSTIPADDR>

Source Port: 17992

Detailed Authentication Information:

Logon Process:

Authentication Package: NTLM

Transited Services: -

Package Name (NTLM only): -

Key Length: 0


Environment



NS 7.X


Cause



The atrshost services attempts to authentication to the local machine mulitple times using the server alias. Microsoft by design put in security measure to prevent programs from doing this to prevent reflection attacks.


Solution



1: Open up the registry editor by typing regedit under Run.
2: Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
3: Right-click MSV1_0 and click New and choose to make it a Multi-String Value.
4: Enter BackConnectionHostNames as name for the entry, and double-click it to modify it.
5: Type the hostnames you need to use (usually the value specified NSPrefferedhost).
6: Restart IISAdmin Service ("Start" -> "Administrative Tools" -> "Services")

Solution 2 (Not recommended, but may be easier to test with):
1: Open up the registry editor by typing regedit under Run.
2: Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3: Right-click Lsa and click New and choose to make it a DWORD Value.
4: Enter DisableLoopbackCheck as name for the entry, and double-click it to modify it.
5: Set the value to 1 and click OK




Article URL http://www.symantec.com/docs/TECH166902


Terms of use for this information are found in Legal Notices