Event Log Error: NT AUTHORITY\SYSTEM is not setup for single sign-on

Hello,

I’m seeing a LOT of these Errors in my Windows Application Event Log:

Service authorization failed.
Service: net.tcp://erplive/ERP101500/Ice/Lib/SessionMod.svc
Action: Ice:Lib:SessionMod/SessionModSvcContract/Login
ClientIdentity: NT AUTHORITY\SYSTEM; S-1-5-18
AuthorizationContext: uuid-29938269-e488-4b73-8e94-a2497acf62aa-1486
ActivityId:
ServiceAuthorizationManager: AuthorizationManager
FaultException: NT AUTHORITY\SYSTEM is not setup for single sign-on.

Been trying to search for an answer out there but not having much luck. One suggestion I saw and tried was making sure the NT AUTHORITY\SYSTEM Login has “sysadmin” checked as a Server Role but that didn’t seem to make any difference.

Could anyone explain where this error is coming from and how to fix it please? Thank you!

Are you attempting a migration from E9 to E10? Could be related to this then:

1 Like

It looks like it might be the user account on the Task Agent service. The Epicor ICE Task Agent service in Windows services needs to be set to execute with a domain user account that is associated to an Epicor user account record when using SSO.

Then, your Task Agent configuration for this appserver/database needs to be set to a Windows endpoint binding.

3 Likes

Thank you @Noffie,

Yes, I am attempting a migration from E9 to E10 but I’m not sure the link you gave me is quite my problem nor solution…? I have everything (A,B, & C) installed all on one single Server. So I’m not having any problems with the communication across multiple servers. No hops here! :rabbit2:

And thank you @aidacra,

That was actually the very first thing I tried (or looked at because it was already set up that way! :raised_hands:) based on the riveting :wink: (but very helpful) KB Article: KB0029419 - But even when I try stopping the Task Agent - I still get the error in the Event Logs.

I have narrowed the issue down to one single Application/Database/AppServer. Because when I stop the Application Pool that contains that single Application, I stop getting the errors in the Event Log. The strange thing is that I have another E9–>E10 Application/Database/AppServer running on this same Server and it isn’t generating any errors like this and it was migrated after this “problem” one was on the same server (I guess possibly on a different point release?).

I just tried completely deleting the AppServer for this problem Database and re-creating it and I’m still getting the same error. So I guess all I can say about that test is I would assume that narrows it down to an issue with the SQL DB itself and its settings…not sure if that helps to get any closer to solving this issue?

Thank you guys so much for your responses! They were helpful and gave me additional ideas of things to look at.

Does the boldface text below help point to anything in particular?

Service authorization failed.
Service: net.tcp://erplive/ERP101500/Ice/Lib/SessionMod.svc
Action: Ice:Lib:SessionMod/SessionModSvcContract/Login
ClientIdentity: NT AUTHORITY\SYSTEM; S-1-5-18
AuthorizationContext: uuid-dafa1267-3a32-43ee-acd2-f5840c757238-4
ActivityId:
ServiceAuthorizationManager: AuthorizationManager
FaultException: NT AUTHORITY\SYSTEM is not setup for single sign-on.

To me, that says some process is trying to log in to your ERP101500 app server on server erplive using Windows authentication. The problem is, the process that is attempting to log in is running as the NT AUTHORITY\SYSTEM login and not as an actual domain user that would have a corresponding user setup in Epicor. Do you have some other process, maybe even on another server, that might be trying to authenticate to that app server but running as a system account in Windows services? One that pops up in my mind for us would be Service Connect (which, if I guessed lucky and that was the case, would involve re-importing your .NET References in Service Connect to point it at a username/password based app server, or having the Service Connect services run as a domain account that has a corresponding user in Epicor).

2 Likes

Thank you @Noffie for the really great ideas and the help! That does make perfect sense that it could have been some other process like Service Connect on another server trying to authenticate to that app server but running the System account in Windows Services. And that was pretty much what was happening only it was a (rarely used?) Epicor Service that was running the System Account on the same machine that was the cause of the errors.

I had to work on another issue with @aidacra yesterday so I asked him about this and (I don’t want to steal his thunder if he wanted to report his findings) but he figured out that it was the Epicor SQL Report Monitor Service 3.0.100 Service. Which, honestly, how that even got installed…uh, I gotta blame that one on the gremlins. :space_invader: He said it was just pure luck that he ran across it but that boy’s got some crazy mad troubleshooting skillz! So once I changed that service to a Domain account, the errors went away. YAY! :raised_hands:

Thank you both for taking the time to help me out! You guys are Da Bomb!!!

1 Like
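
An added example, not code from any poster in this thread or from Epicor: a PowerShell sketch of the check that resolved the issue. It pulls the caller identity out of the "Service authorization failed" event text, then lists local Windows services that run under that built-in account. The function names and the `Epicor` name filter are assumptions made for illustration; the sample event text is copied from the first post.

```powershell
# Sample event text copied from the thread (not live data).
$sample = @'
Service authorization failed.
Service: net.tcp://erplive/ERP101500/Ice/Lib/SessionMod.svc
Action: Ice:Lib:SessionMod/SessionModSvcContract/Login
ClientIdentity: NT AUTHORITY\SYSTEM; S-1-5-18
FaultException: NT AUTHORITY\SYSTEM is not setup for single sign-on.
'@

# Hypothetical helper: turn the "Key: value" lines of the event into an object.
function ConvertFrom-AuthFailure {
    param([Parameter(Mandatory)][string]$Message)
    $fields = @{}
    foreach ($line in $Message -split "`r?`n") {
        if ($line -match '^(?<key>\w+):\s*(?<value>.*)$') {
            $fields[$Matches.key] = $Matches.value.Trim()
        }
    }
    # ClientIdentity is "<account>; <SID>"
    $account, $sid = $fields['ClientIdentity'] -split ';\s*', 2
    [pscustomobject]@{
        Service = $fields['Service']; Action = $fields['Action']
        Account = $account;           Sid    = $sid
    }
}

# Well-known SIDs of built-in service accounts, mapped to the value that
# Win32_Service reports in StartName. None of them is a domain user.
$builtIn = @{
    'S-1-5-18' = 'LocalSystem'
    'S-1-5-19' = 'NT AUTHORITY\LocalService'
    'S-1-5-20' = 'NT AUTHORITY\NetworkService'
}

# Hypothetical helper: services on this machine that log on as $StartName and
# whose display name or binary path matches $NamePattern (assumed: 'Epicor').
function Get-ServicesRunningAs {
    param([Parameter(Mandatory)][string]$StartName, [string]$NamePattern = 'Epicor')
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq $StartName -and
            ($_.DisplayName -match $NamePattern -or $_.PathName -match $NamePattern) } |
        Select-Object Name, DisplayName, State, StartName, PathName
}

$failure = ConvertFrom-AuthFailure -Message $sample
if ($builtIn.ContainsKey($failure.Sid)) {
    Get-ServicesRunningAs -StartName $builtIn[$failure.Sid]
}
```

To run it against live events, pipe the `Message` of `Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2 }` results that contain the fault text into `ConvertFrom-AuthFailure`. The service listing only covers the machine it runs on, so repeat it on any other server that connects to the app server.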

This was an odd one to be sure so
< plug >
I am planning on using it as an example during the “Troubleshooting Performance and Complex Issues in Epicor ERP, Case of the Unexplained” session this year at our Insights conference (Monday May 23 at 10:45am).
< / plug >

Have most of it written, now I just need to spend the appropriate amount of time on the animations in the powerpoint deck :slight_smile:

OMGosh! You mean my problem is going to show up in your presentation at Insights!?

I’ll be sure to bring my pen to sign autographs! Nothing like being famous for your problems…LOL That’s SO Cool! Hum, let me see what else I can break to help you with your presentation…(JUST KIDDING!) :wink:

Good luck on the most important part of your presentation! Not sure why but for some reason these images just scream “Troubleshooting Performance and Complex Issues in Epicor ERP…”:

1 Like