[HP SIM] Systems Insight Manager 不能正常工作，数据库错误0x80090302。

This artical also published in English: http://www.cnblogs.com/LarryAtCNBlog/p/4153295.html

2015-04-20 update, find another case for SQL server authentication.

SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.  [CLIENT: xx.xx.xx.xx]. 

This case find out is SQL server agent using its own instance name to do authentication, by defaut when receiving NTLM request windows will verify OS name and access name, if they are different, the handshake will fail. The behavior is to avoid some sort of network attack, to disable it we just need to tell LSA service to ignore name loop back check.

https://support.microsoft.com/en-us/kb/896861

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
Value: DisableLoopbackCheck
Data type: DWORD
Data: 1

什么是HP SIM？文章里所说的SIM指的是Systems Insight Manager，是HP公司给自家的服务器制作的一个中心管理Web，界面如下。

基本作用就是探测网络里的HP服务器，当server down掉或者有硬件问题的时候可以给出告警。

就是这货出了问题，突然访问不了，但是后台SIM service依然是运行着的。eventlog里出现如下错误，

com.hp.mx.database.DbVerificationException: Error loading database verification handler 'com.hp.mx.database.MsSqlVerificationHandler'
com.hp.mx.database.DbVerificationException: Error accessing database

SSPI handshake failed with error code 0x80090302, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure.  [CLIENT: xxxxxxx]. 

错误截图如下，

MSSQLSERVER用studio之类的连接都是正常的，ODBC也试过正常，端口正常监听1433，但就是SIM连接不上，最后在如下链接找到了答案，

http://h20564.www2.hp.com/hpsc/doc/public/display?docId=mmr_kc-0114705

跟据knowledge base里的内容，可以确定是SIM会用非NTLMv2的LM或者NTLM来做windows的验证，只要在SQL连接字符串中加入useNTLMv2=true即可解决该问题。

那怎么突然就有问题了呢？平时也不会有人动SIM这种server，于是用rsop.msc查看NTLM的相关策略，因为向下兼容这种事应该没人会去改动的。

explain里的default如下，

Windows 2000 and windows XP: send LM & NTLM responses
Windows Server 2003: Send NTLM response only
Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only

一般来说验证都是服务器之间会协商一下大家用什么版本的协议，握个手后再通信，但是group policy却改成了"Refuse LM & NTLM"，而SIM调用MSSQL连接字符串默认用的可能是LM或NTLM，于是导致了协议错误。