The Caller was not Authenticated by the Service

hmwillett · July 7, 2021, 11:50am

So, we’ve been experiencing an intermittent issue with our production Epicor for the past 3-4 weeks and are running out of ideas to try to fix it.
About 2-4 times a day, users’ Epicor will close with the message “Epicor is Offline”. Clicking “Retry” gives the message “The Caller was not Authenticated by the Service”.

Recycling the app pool after this happens helps for a time, but it inevitably goes down again.
Epicor suggested removing the server from the domain and adding it back, which we did last night, but are still receiving the issue.
From an Epicor server standpoint, nothing changed when it started happening. Epicor support is claiming it’s some sort of domain issue and aren’t really providing assistance because of that.
We’re hosted privately in the Azure cloud if that helps anyone.

I’m finding the following in the Event Viewer around the time it went down.

Domain issues are a bit outside of my, well, domain.
Does anyone have any ideas?

hmwillett · July 7, 2021, 11:58am

Here’s some more detail of the error I found in my local Event Viewer:

Unable to reach the server. Retrying...

System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
   at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
   --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open()

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at System.ServiceModel.ICommunicationObject.Open()
   at Epicor.ServiceModel.Channels.ChannelEntry`1.CreateNewChannel()
   at Epicor.ServiceModel.Channels.ImplBase`1.GetChannel()
   at Epicor.ServiceModel.Channels.ImplBase`1.HandleContractBeforeCall()
   at Ice.Proxy.BO.ReportMonitorImpl.GetRowsKeepIdleTimeWithBallonInfo(String whereClauseSysRptLst, Boolean getBallonInfo, String whereClauseSysTask, String whereClauseSysTaskLog, DataSet& sysMonitorData)

Olga · July 7, 2021, 2:56pm

Your domain controleer is intermittently unaccessible. It is not Erp problem. it just complains about it.

hmwillett · July 7, 2021, 3:01pm

And this is where I falter. I’m not too sure how to troubleshoot a domain controller issue. Was kinda hoping someone would have some suggestions to look at.

Mark_Wonsil · July 7, 2021, 4:06pm

Azure Active Directory?

kylepbsps · July 7, 2021, 5:34pm

Try this microsoft tool. You can run from any connected machine I believe.

https://www.microsoft.com/en-us/download/details.aspx?id=30005

Otherwise DNS issues it what it seems like. You can DNS flush the client machine if its a single user issue, otherwise you might need to enter a record for the epicor server address in your DNS.

hmwillett · July 7, 2021, 6:53pm

Well, at present, that tool does not show any issues. Should I run it the next time Epicor goes down?

kylepbsps · July 7, 2021, 7:04pm

Run command prompt and type ipconfig /all on one of the naughty machines.
Verify their network settings are correct.

You can also do nslookup MyErp.cloudaddress.net to verify your DNS knows what to do with your epicor address.

hmwillett · July 7, 2021, 7:05pm

It’s everyone that goes down. I believe it’s the server that loses its connection with the DNS.

kylepbsps · July 7, 2021, 7:18pm

run this on a client machine.

Close Epicor
Open Command Prompt
ipconfig /flushdns
Open Epicor and Connect
ipconfig /displaydns

This should show all the sites that have used DNS since flushing and all the automatically assigned records for your local network. It might give you some ideas.

Randy · July 7, 2021, 9:01pm

Did the one from CMD. It’s clearly something with the domain trusting the server but still not sure what to do.

kylepbsps · July 8, 2021, 12:14pm

Ouch,

Try leaving and joining the domain on a client computer you’re not worried about breaking. If you can’t successfully join the domain controller that’s a problem.

You should contact a MSP if you aren’t able to tackle this issue.

hmwillett · July 8, 2021, 12:35pm

We have a ticket open with Microsoft. They suggested we demote the DC in Azure and promoting it with read and write since it’s only read right now.

hmwillett · July 10, 2021, 5:00pm

Promoting the Azure DC did the trick.