Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Can't access a resource that is hosted on a Windows Server 2012-based failover cluster

Can't access a resource that is hosted on a Windows Server 2012-based failover cluster

View products that this article applies to.



Important - This hotfix download prevents the issues that are described in the "Symptoms" section. However, if you are already experiencing these issues, you need to reset the password on the affected name resource or on the cluster name as described in the Post-installation instructions.

↑ Back to the top

Symptoms

Issue 1
You have a file share resource that is hosted on a Windows Server 2012-based failover cluster, and you try to access the file share from a Windows XP-based or Windows Server 2003-based computer. In this scenario, you cannot access the resource, and you receive the following error message:
<path> is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. Logon Failure: The target account name is incorrect.

At the same time, the following Error event is logged in the event log of the Windows XP-based or Windows Server 2003-based computer:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4

Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server <cluster-file-server$>. The target name used was cifs/cluster-file-server.domain.com.
This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (domain.COM), and the client realm. Please contact your system administrator.

Notes
  • The file share resource can be accessed if you connect to it by using the IP address.
  • You may also see "SMB:KrbError: KRB_AP_ERR_MODIFIED (41) R; Session Setup Andx, Krb5Error (0x300)" for the SMB Session Setup server response in a network trace.
  • You do not see this behavior with Windows 7 and later client computers unless you force them to use rc4-hmac.

Issue 2
When you attempt to bring a network name resource online in a Windows Server 2012-based failover cluster, the attempt fails. Additionally, the following events are logged in the System log:
Event ID 1228
Cluster network name resource 'Cluster Name' encountered an error enabling the network name on this node. The reason for the failure was: 'Unable to obtain a logon token'. The error code was '1326'. You may take the network name resource offline and online again to retry.

Event ID 1196
Cluster network name resource 'Cluster Name' failed registration of one or more associated DNS name(s) for the following reason: The handle is invalid. Ensure that the network adapters associated with dependent IP address resources are configured with at least one accessible DNS server.

Also, you may see the following in the cluster log:
INFO [RES] Network Name: [NNLIB] LsaCallAuthenticationPackage success with a request of size 82, result size 0 (status: 0, subStatus: 0)
WARN [RES] Network Name: [NNLIB] LogonUserEx fails for user E0117-C1$: 1326 (useSecondaryPassword: 0)
WARN [RES] Network Name: [NNLIB] LogonUserEx fails for user E0117-C1$: 1326 (useSecondaryPassword: 1)
WARN [RES] Network Name <Cluster Name>: AccountAD: Slow operation has exception ERROR_INVALID_HANDLE(6)' because of '::ImpersonateLoggedOnUser( GetToken() )'
ERR [RES] Network Name <Cluster Name>: Online thread Failed: ERROR_SUCCESS(0)' because of 'Initializing netname configuration for ‘Cluster Name’ failed with error 6.'
INFO [RES] Network Name <Cluster Name>: All resources offline. Cleaning up.
ERR [RHS] Online for resource Cluster Name failed. Error 6 -> The Handle is invalid.

Issue 3
The live migration of virtual machines between Windows Server 2012 hosts fail. When this occurs, the following event may be logged:
Event ID 21502
Live migration of 'VM name' failed. Virtual machine migration operation for 'VM name' failed at migration source 'Node name'

The Virtual Machine Management Service failed to establish a connection for a Virtual Machine migration with host 'Node name': The logon attempt failed (0x8009030C).

The Virtual Machine Management Service failed to authenticate the connection for a Virtual Machine migration at the source host: The logon attempt failed (0x8009030C).

↑ Back to the top

Cause

These issues occur when running a Windows Server 2012 Failover Cluster which is a member of a Active Directory domain which has a Domain Functional Level of Windows Server 2003. This is a result of the rc4-hmac keys on the Domain Controller and the cluster side for the virtual computer object (VCO) are different. The ticket decryption fails when the ticket is encrypted by using the rc4-hmac encryption. Additionally, the cluster becomes unavailable for any computer that uses the rc4-hmac keys.

↑ Back to the top

Resolution

To resolve this issue, install update rollup 2889784, or install the hotfix that is described in this article.

For more information about how to obtain update rollup 2889784, click the following article number to view the article in the Microsoft Knowledge Base:

2889784 Windows RT, Windows 8, and Windows Server 2012 update rollup: November 2013


This hotfix is also available at Microsoft Update Catalog.

Microsoft also recommends that you upgrade the domain functional level for the Active Directory domain that the Windows Server 2012 Failover Cluster is connected to from Windows Server 2003 to a later version of Windows Server.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running Windows Server 2012.

Registry information

To use the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You must restart the computer after you apply this hotfix.

Post-installation instructions

This hotfix prevents the issues that are described in the "Symptoms" section. However, if you are already experiencing these issues, you need to reset the password on the affected name resource. But if it still does not work, try to reset the password on the cluster name.

NoteYou must be logged on with a user account that has rights to administer the cluster and to reset passwords in the domain in order to perform the following steps.

To reset the password on the affected name resource or on the cluster name, perform the following steps:
  1. From Failover Cluster Manager, locate the name resource.
  2. Right-click on the resource, and click Properties.
  3. On the Policies tab, select If resource fails, do not restart, and then click OK.
  4. Right-click on the resource, click More Actions, and then click Simulate Failure.
  5. When the name resource shows "Failed," right-click on the resource, click More Actions, and then click Repair.
  6. After the name resource is online, right-click on the resource, and then click Properties.
  7. On the Policies tab, select If resource fails, attempt restart on current node, and then click OK.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.
File information
The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.





Windows Server 2012 file information notes
Important Windows 8 hotfixes and Windows Server 2012 hotfixes are included in the same packages. However, only "Windows 8" is listed on the Hotfix Request page. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows 8" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    VersionProductMilestoneService branch
    6.2.920 0.16 xxxWindows Server 2012RTMGDR
    6.2.920 0.20 xxxWindows Server 2012RTMLDR
  • GDR service branches contain only those fixes that are widely released to address widespread, extremely important issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2012" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x64-based versions of Windows Server 2012
File nameFile versionFile sizeDateTimePlatform
Failoverclusters.objectmodel.dll6.2.9200.16703805,37630-Aug-201306:11x64
Clusres.dll6.2.9200.167032,456,06430-Aug-201305:18x64
Clusapi.dll6.2.9200.16703374,78430-Aug-201305:18x64
Resutils.dll6.2.9200.16703626,68830-Aug-201305:19x64
Clusapi.dll6.2.9200.16703302,08029-Aug-201323:47x86
Resutils.dll6.2.9200.16703488,96029-Aug-201323:48x86
Clusapi.dll6.2.9200.20711372,22409-May-201300:29x64
Clusres.dll6.2.9200.207112,463,23209-May-201300:29x64
Failoverclusters.objectmodel.dll6.2.9200.20711805,37609-May-201303:15x64
Resutils.dll6.2.9200.20711626,68809-May-201300:30x64

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Additional file information

Additional file information for Windows Server 2012

Additional files for all supported x64-based versions of Windows Server 2012
File nameFile versionFile sizeDateTimePlatform
Amd64_14947166e5fc6246e345777582704cf0_31bf3856ad364e35_6.2.9200.16703_none_d30dc128f99df9e1.manifestNot applicable1,07630-Aug-201312:56Not applicable
Amd64_21c45ccc196e81f957e3a95676653170_31bf3856ad364e35_6.2.9200.16703_none_4c7a02f5939697bc.manifestNot applicable71930-Aug-201312:56Not applicable
Amd64_50393e7caa4138610ef317a7dfce18cf_31bf3856ad364e35_6.2.9200.16703_none_e2b6bb12dba82457.manifestNot applicable71830-Aug-201312:56Not applicable
Amd64_d64fe8ea3141b80fc9455bfb61ccd7ab_31bf3856ad364e35_6.2.9200.16703_none_722107ca7154442e.manifestNot applicable71530-Aug-201312:56Not applicable
Amd64_microsoft-windows-f..cluster-objectmodel_31bf3856ad364e35_6.2.9200.16703_none_e903ebe1a75b0655.manifestNot applicable3,18630-Aug-201306:24Not applicable
Amd64_microsoft-windows-f..overcluster-clusres_31bf3856ad364e35_6.2.9200.16703_none_19f9cd3e267f7abc.manifestNot applicable2,73230-Aug-201306:24Not applicable
Amd64_microsoft-windows-f..rcluster-clientcore_31bf3856ad364e35_6.2.9200.16703_none_ea66b67ec1e3cde7.manifestNot applicable3,26930-Aug-201306:24Not applicable
X86_microsoft-windows-f..rcluster-clientcore_31bf3856ad364e35_6.2.9200.16703_none_8e481afb09865cb1.manifestNot applicable3,26530-Aug-201301:08Not applicable
Update.mumNot applicable3,33930-Aug-201312:56Not applicable
Amd64_22959da6f77875e22c189aef602ac593_31bf3856ad364e35_6.2.9200.20711_none_7b6ea888e461d78e.manifestNot applicable1,07609-May-201314:15Not applicable
Amd64_240ba0ace4c2c8b9c8745edd06482551_31bf3856ad364e35_6.2.9200.20711_none_271156e49f32068b.manifestNot applicable71909-May-201314:15Not applicable
Amd64_7726f2098d2a44f4da03ecdb96d859b4_31bf3856ad364e35_6.2.9200.20711_none_eb6ac394e840a8da.manifestNot applicable71509-May-201314:15Not applicable
Amd64_ba12a7bd45ebe55651873ea028d8ecf5_31bf3856ad364e35_6.2.9200.20711_none_72148c0b9ebe8511.manifestNot applicable71809-May-201314:15Not applicable
Amd64_microsoft-windows-f..cluster-objectmodel_31bf3856ad364e35_6.2.9200.20711_none_e980b646c082923b.manifestNot applicable3,18609-May-201303:25Not applicable
Amd64_microsoft-windows-f..overcluster-clusres_31bf3856ad364e35_6.2.9200.20711_none_1a7697a33fa706a2.manifestNot applicable2,73209-May-201303:25Not applicable
Amd64_microsoft-windows-f..rcluster-clientcore_31bf3856ad364e35_6.2.9200.20711_none_eae380e3db0b59cd.manifestNot applicable3,26909-May-201303:25Not applicable

↑ Back to the top

Keywords: kb, kbautohotfix, kbqfe, kbhotfixserver, kbfix, kbsurveynew, kbexpertiseadvanced

↑ Back to the top

Article Info
Article ID : 2838043
Revision : 1
Created on : 1/7/2017
Published on : 5/19/2015
Exists online : False
Views : 1001