Cluster Build Failure
[CS] Service CreateNodeThread Failed, (80090305)' because of 'Loading of security package failed'
An error occurred while creating the cluster and the nodes will be cleaned up.
While building a Microsoft Failover Cluster hosted on the VMware vSphere platform, I hit an error during cluster creation. I started with Cluster Validation after adding both cluster nodes; it passed successfully with only minor warnings, all related to security updates.
Error Logs:
Forming cluster 'SOLXXXXXXX'.
Error getting a handle to node . The operation failed with error code 0x0. For more information check the cluster log and the system event log from node .
Error getting a handle to node Node1. The operation failed with error code 0x6d9. For more information check the cluster log and the system event log from node Node1. There are no more endpoints available from the endpoint mapper.
Error getting a handle to node Node2. The operation failed with error code 0x6d9. For more information check the cluster log and the system event log from node Node2. There are no more endpoints available from the endpoint mapper.
An error occurred while creating the cluster and the nodes will be cleaned up. Please wait...
An error occurred while creating the cluster and the nodes will be cleaned up. Please wait...
There was an error cleaning up the cluster nodes. Use Clear-ClusterNode to manually clean up the nodes.
There was an error cleaning up the cluster nodes. Use Clear-ClusterNode to manually clean up the nodes.
An error occurred while creating the cluster.
An error occurred creating cluster 'SOLXXXXXXX'.
To troubleshoot cluster creation problems, run the Validate a Configuration wizard on the servers you want to cluster.
When I went on to create the cluster with both nodes, forming the cluster took forever and never completed, even after leaving it for more than 10 minutes.
Looking at the event logs, I saw these:
Applications and Services Logs > Microsoft > Windows > FailoverClustering > Operational
There was one error in the Diagnostic channel that grabbed my attention, the CreateNodeThread failure with status 80090305 quoted at the top of this post:
Applications and Services Logs > Microsoft > Windows > FailoverClustering > Diagnostic
After some more research I found that this matches a CIS hardening setting, 18.9.26.1 'Allow Custom SSPs and APs to be loaded into LSASS', whose recommended state is 'Disabled' (CIS Level 1).
This policy setting controls the configuration under which the Local Security Authority Subsystem Service (LSASS) will load custom Security Support Provider/Authentication Package (SSP/AP).
The LSASS process is crucial for handling security-related operations, including authentication. Allowing custom SSP/AP to load introduces the potential for vulnerabilities where attackers could intercept logon credentials. Disabling the loading of custom SSP/AP reduces the attack surface and minimizes the risk of credential interception.
The recommended state for this setting is: Disabled. Custom Security Support Providers/Authentication Packages will then not be permitted to load, which may impact some legitimate third-party packages.
Default value: Enabled (LSA allows custom SSPs and APs to be loaded).
This was the cause: with the setting at Disabled, the Cluster service could not load its own security package into LSASS. That is exactly what the log says: status 80090305 is SEC_E_SECPKG_NOT_FOUND ('The requested security package does not exist'), reported as 'Loading of security package failed', and without that package the nodes cannot authenticate to each other, so cluster creation fails and the RPC endpoint errors (0x6d9) follow.
To fix this:
Open gpedit.msc on both nodes:
Navigate to: Computer Configuration\Administrative Templates\System\Local Security Authority
- In the right pane, double-click the 'Allow Custom SSPs and APs to be loaded into LSASS' setting and make sure it is configured as "Enabled".
Open Command Prompt as Administrator and run gpupdate /force to apply the policy.
Since this setting is under Computer Configuration, reboot the nodes after applying it and then retry the cluster creation.
One caveat: if the CIS setting is being pushed by a domain GPO, editing the local policy with gpedit.msc only helps until the next Group Policy refresh, when the domain setting wins again. In that case the cluster nodes need an exception in the domain GPO (for example a separate OU or security filtering) rather than a local change. Also record the deviation from the CIS baseline, since the setting is re-enabled on purpose for these hosts.
It should pass and the cluster will be created successfully now:
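The same check and fix as a PowerShell script, so it can be run against both nodes at once and so a domain GPO overriding the local change is detected before you waste another reboot. This is an added example, not code from the original post. Node names, the cluster name and the static address are placeholders; the registry value the policy writes (AllowCustomSSPsAPs under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) is the one the CIS benchmark lists for this setting, so confirm it against the benchmark version you use.

```powershell
# Added example (not from the original post). Node1/Node2, the cluster name
# and the static address are placeholders. The registry value name/path is
# the one the CIS benchmark documents for 'Allow Custom SSPs and APs to be
# loaded into LSASS'; verify it against your benchmark version.

$Nodes     = 'Node1', 'Node2'
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'AllowCustomSSPsAPs'

# Read the effective value on each node. A missing value means the policy is
# Not Configured, which leaves the OS default (custom SSPs/APs are allowed).
function Get-CustomSspApState {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key  = $using:LsaKey
        $name = $using:ValueName
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Node  = $env:COMPUTERNAME
            Value = if ($null -eq $item) { $null } else { $item.$name }
            State = if ($null -eq $item) { 'NotConfigured (default: allowed)' }
                    elseif ($item.$name -eq 1) { 'Enabled (allowed)' }
                    else { 'Disabled (CIS 18.9.26.1 state)' }
        }
    }
}

# Set the value to Enabled (1), refresh Group Policy and read it back.
# If it flips back to 0, a domain GPO is enforcing the CIS setting and the
# nodes need an exception there; a local change alone will not survive.
function Set-CustomSspApEnabled {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-ItemProperty -Path $using:LsaKey -Name $using:ValueName -Value 1 -Type DWord
        gpupdate.exe /target:computer /force | Out-Null
    }
    $after = Get-CustomSspApState -ComputerName $ComputerName
    foreach ($n in $after) {
        if ($n.Value -ne 1) {
            Write-Warning "$($n.Node): value is '$($n.Value)' after gpupdate; a domain GPO is overriding the local setting."
        }
    }
    $after
}

Get-CustomSspApState -ComputerName $Nodes | Format-Table -AutoSize
$result = Set-CustomSspApEnabled -ComputerName $Nodes
$result | Format-Table -AutoSize

if (@($result | Where-Object Value -ne 1).Count -eq 0) {
    # Computer-scope LSA settings take effect after a restart.
    Restart-Computer -ComputerName $Nodes -Wait -For PowerShell -Force

    # Re-run validation, then retry creation (needs the FailoverClusters RSAT module).
    Test-Cluster -Node $Nodes
    New-Cluster -Name 'SOLCLUSTER' -Node $Nodes -StaticAddress '10.0.0.50'
}
```

Run it from a management host with WinRM access to both nodes. The first table shows the state that caused the failure (Value 0); the second shows the state after the change, and any warning printed there means the fix has to be made in the domain GPO, not locally.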