Problem
The error message below is received when attempting to view the original item in the review pane of Enterprise Vault (EV) Compliance Accelerator (CA) or Discovery Accelerator (DA).
Error Message
Log Name: Veritas Enterprise Vault
Source: Accelerator Service Processor
Event ID: 375
Level: Error
Description:
APP AS - Customer ID: X - An Error has occured when retrieving Item
SaveSetID: X
VaultID: X
Format: MUD:U
sAttachmentID: 0.
System.InvalidCastException: Unable to cast COM object of type 'System.__ComObject' to interface type 'IStorageOnline2'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{DDAA2295-3AF2-441A-AAA4-983E6549409B}' failed due to the following error: A security package specific error occurred. (Exception from HRESULT: 0x80070721).
at KVS.Accelerator.Common.EVStorageOnline.LoadStorageOnline(Boolean bForceReload)
at KVS.Accelerator.Common.EVStorageOnline.GetOnlineAttachment(String savesetId, String vaultId, String attachmentNum, String format, Object& oBytes, Object& oMimeTag, Object& oExtension, Object& oTitle, Object& oMsgStructure, Object& oLargeFileSize)
at KVS.Common.VaultItem.Item.GetOnlineAttachment(String sSaveSetID, String sAttachmentID, String sFormat, String sVaultID, Object& oBytes, Object& oMimetag, Object& oExtension, Object& oTitle, Object& oStructure, Object& oLargeFileSize)
at KVS.Common.VaultItem.Item.GetItemFromSTGOnline(String itemID, String sSaveSetID, String sAttachmentID, String sFormat, String sVaultID, Int32 msgType)
A network trace captured with Microsoft Network Monitor may show Kerberos errors similar to the following, where DCOMServiceAccount is the identity of the COM+ application or the DCOM server application. The client asks the KDC for a service ticket (TGS request) and the KDC answers that it knows no such service principal:
172.17.10.21 172.17.10.17 KerberosV5 KerberosV5:TGS Request Realm: <domain> Sname: DCOMServiceAccount
172.17.10.17 172.17.10.21 KerberosV5 KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Cause
The client requests a Kerberos service ticket for the COM+ application or the DCOM service using a name derived from the service account (a user name) as the SPN (Service Principal Name). The KDC (Key Distribution Center) looks the SPN up in the directory, not the account name, so when the account exists but has no matching value in its servicePrincipalName attribute the KDC returns KDC_ERR_S_PRINCIPAL_UNKNOWN. Windows surfaces that failure to the COM client as HRESULT 0x80070721 (ERROR_SECURITY_PACKAGE_ERROR, "A security package specific error occurred"), which is the InvalidCastException seen in the event above.
Other causes include missing Reverse DNS (PTR) entries, or server security hardening settings applied through Group Policy Objects (GPOs).
Solution
Registering the following SPNs should work around the issue:
setspn -A DCOMService/DCOMServer Domain\DCOMServiceAccount
setspn -A DCOMService/DCOMServerFQDN Domain\DCOMServiceAccount
Where:
DCOMService: The name of the COM+ application or the DCOM server application. This will be IStorageOnline2.
DCOMServer: The NetBIOS name of the server machine where the COM+ application or the DCOM component resides. This will be the Discovery Accelerator server.
DCOMServerFQDN: The Fully Qualified Domain Name of the server machine where the COM+ application or the DCOM component resides. This will be the Discovery Accelerator server.
DCOMServiceAccount: The identity of the COM+ application or the DCOM server application. This will be whichever account runs the Enterprise Vault Accelerator Manager Service; usually the Enterprise Vault Service Account (VSA).
Setspn.exe can be run on any domain-joined machine, but the user running it needs rights to write the servicePrincipalName attribute of the target account; in practice this means a domain administrator. Before registering, check that neither SPN is already registered on a different account (setspn -Q <SPN> queries the domain, setspn -X lists all duplicates): a duplicate SPN also breaks Kerberos for the service. setspn -S registers the SPN only after performing that duplicate check, so it is safer than -A.
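The following PowerShell script is an added example and is not part of the Veritas article or product. It performs the duplicate check and the registration described above for both SPNs, then shows the account's resulting SPN list. The server names, FQDN and account name are assumed placeholders; replace them with the Discovery Accelerator server and the Vault Service Account for the site.

```powershell
# Added example (not from the Veritas article): check for and register the
# DCOM SPNs needed by the Accelerator service account.
# Run in an elevated PowerShell session as a user allowed to write
# servicePrincipalName on the service account (normally a domain admin).

$ServiceClass   = 'IStorageOnline2'          # SPN service class named in the article
$ServerNetBios  = 'DASERVER01'               # assumed Discovery Accelerator NetBIOS name
$ServerFqdn     = 'daserver01.corp.example'  # assumed Discovery Accelerator FQDN
$ServiceAccount = 'CORP\svc_evault'          # assumed Enterprise Vault Service Account

$Spns = @("$ServiceClass/$ServerNetBios", "$ServiceClass/$ServerFqdn")

foreach ($spn in $Spns) {
    # setspn -Q searches the domain for every account that holds this SPN.
    # Each matching account is printed as a distinguished name starting with "CN=".
    $owners = @(setspn.exe -Q $spn 2>&1 | Where-Object { $_ -match '^CN=' })

    if ($owners.Count -gt 1) {
        # Two accounts carrying the same SPN also produce Kerberos failures;
        # do not add a third copy, resolve the duplicate first.
        Write-Warning "Duplicate SPN '$spn' is registered on: $($owners -join '; ')"
        continue
    }
    if ($owners.Count -eq 1) {
        Write-Host "SPN '$spn' is already registered on $($owners[0])"
        continue
    }

    Write-Host "Registering '$spn' on $ServiceAccount"
    # -S registers only after its own duplicate check (safer than -A).
    setspn.exe -S $spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn failed for '$spn' (exit code $LASTEXITCODE)"
    }
}

# Final state: every SPN now registered on the service account.
setspn.exe -L $ServiceAccount

# Forest-wide duplicate check; any output here needs investigation.
setspn.exe -X
```

After registration, and once Active Directory replication has reached the domain controller the Accelerator server uses, the ticket request can be verified from the Accelerator server with `klist purge` followed by `klist get IStorageOnline2/daserver01.corp.example` (again substituting the real FQDN); a successful request returns the new service ticket instead of KDC_ERR_S_PRINCIPAL_UNKNOWN.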
To review the server's DNS entries, run the following at an administrative command prompt on the Accelerator server and on the EV Storage server that holds the item being retrieved or exported:
1. Obtain the server's IP address and hostname:
1.1. Server IP address:
ipconfig /all
1.2. Server hostname:
hostname
2. Run the following ping commands:
2.1. Determine the DNS entry for the server (replace <hostname> with the server's hostname):
ping <hostname>
2.2. Determine the Reverse DNS entry for the server (replace <IP address> with the server's IP address) and compare with the entry above:
ping -a <IP address>
3. Run the following nslookup commands:
3.1. Determine the DNS entry for the server (replace <hostname> with the server's hostname):
nslookup <hostname>
3.2. Determine the Reverse DNS entry for the server (replace <IP address> with the server's IP address) and compare with the entry above:
nslookup <IP address>
The forward lookup (hostname to IP address) and the reverse lookup (IP address back to hostname) should agree on both servers. Any differences found should be referred to the onsite network team for further DNS investigation.
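The PowerShell script below is an added example, not part of the Veritas article. It automates steps 1 to 3 above for a list of servers: for each name it performs the forward (A) lookup, then the reverse (PTR) lookup of every returned address, and reports whether the two agree. The two server names are assumed placeholders; substitute the Accelerator server and the EV Storage server. Resolve-DnsName is available on Windows 8 / Windows Server 2012 and later.

```powershell
# Added example (not from the Veritas article): forward/reverse DNS
# consistency check for the Accelerator and EV Storage servers.

$Servers = @('DASERVER01', 'EVSTORAGE01')   # assumed placeholder host names

foreach ($name in $Servers) {
    # Forward lookup, equivalent of "nslookup <hostname>" in step 3.1.
    $aRecords = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }

    if (-not $aRecords) {
        Write-Warning "$name : no A record found (forward lookup failed)"
        continue
    }

    foreach ($rec in $aRecords) {
        $fqdn = $rec.Name.TrimEnd('.')
        $ip   = $rec.IPAddress

        # Reverse lookup, equivalent of "nslookup <IP address>" in step 3.2.
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'PTR' }

        if (-not $ptr) {
            Write-Warning "$fqdn -> $ip : no PTR record (reverse lookup failed)"
            continue
        }

        # A PTR may carry more than one name; the forward name must be among them.
        $reverseNames = @($ptr | ForEach-Object { $_.NameHost.TrimEnd('.') })

        if ($reverseNames -contains $fqdn) {
            Write-Host "OK       $fqdn <-> $ip"
        } else {
            Write-Warning ("MISMATCH $fqdn -> $ip -> {0} " -f ($reverseNames -join ', ')) +
                          "(refer to the network team)"
        }
    }
}
```

Run it on each of the two servers rather than only from one, because they may be using different DNS servers or search suffixes; a mismatch that appears on only one side still explains a Kerberos failure on that side.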
To determine the GPOs being applied (Resultant Set of Policy, RSoP), you can run the gpresult command at an administrative command prompt and compare the output with that of other, working servers. Here is an example command that obtains all policy information for EVServer01 as seen by the VSA, with the output written to a file:
gpresult /s EVServer01 /u domain\vsa /p VSA_P@ssw0rd! /user domain\vsa /z > E:\Logs\RSoP_EVServer01.txt
/s EVServer01: Target server.
/u domain\vsa: Vault Service Account username using the domain\username convention.
/p VSA_P@ssw0rd!: VSA password (a placeholder here). Passing the password on the command line leaves it in the console history and visible to anyone listing processes; omit /p and gpresult prompts for the password instead.
/user domain\vsa: User that is to be emulated on the remote server for RSoP.
/z: Specifies to list all available group policy information.
> E:\Logs\RSoP_EVServer01.txt: Location for the output file.
More information on the gpresult command can be found here: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult.