Question

I have a two-node SQL Server 2016 Standard Always-On environment and when I create a new availability group, I receive the error message below:

The Endpoints tab lists at least one endpoint that uses only Windows Authentication. However, the server instance might be running under a nondomain account. To use the listed endpoint, change the corresponding SQL Server service account to a domain account. To continue using the nondomain account, alter the endpoint to use a certificate.

Do you want to use the listed endpoints?

Now there is a fair amount of information to correct this, but I am struggling to find a fix for my scenario. All I'm finding is when you are running SQL Server and the endpoints as a non-domain user, as the message suggests.

I am running both instances as the same domain user, which has admin on both nodes and sysadmin in each instance of SQL Server, and this can be seen on the endpoints tab, both endpoint SQL Service account entries are the Domain\svc_account that is running SQL Server.

The Availability groups get created perfectly. I occasionally have to grant CREATE DB to the secondary node to initialize the seeding, but other than that all is great. Failovers are perfect etc. We do have over 20 AGs. Could that be an issue? I believe AGs have been tested successfully at up to 100 groups. Being SQL Server Standard, we can only do 1 DB per group, and most of the DBs are small at <5GB.

So I am assuming it's not causing any issues yet, but regardless I would like to know if it's something I can ignore, or fix, in my scenario.

SSMS Window

The output of Node 1:

Node1

Node 2:

Node2

Thank you for all your assistance.


Solution

So I am assuming it's not causing any issues yet, but regardless I would like to know if it's something I can ignore in my scenario, or fix.

Looks like everything seems to be configured properly (I can't see the domain account information [which is redacted as it should be :) ]), so I wouldn't worry about it. If this happens on multiple servers in the environment then it may require further investigation, but overall everything you posted seems in line with a normally configured system.

I traced this down to a call IsValidDomainUserForWinAuthentication used in SSMS which, for whatever reason, is returning false. Looking at the logic, it's checking a few various items, but the one that stands out is the assumption on how the service account name is configured (allowable characters) and that calls to LookupAccountName complete successfully. It would take a time travel trace or full memory dump of SSMS (when the message box is shown) to really investigate further which I don't believe is warranted at this time.
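To confirm on each replica what the SSMS warning is questioning, the following read-only queries are an added example (not part of the original question or answer): they show the account the Database Engine runs under, how the availability group endpoint authenticates, and which logins hold permissions on it. They assume a default service display name of the form "SQL Server (instance)".

```sql
-- Added example: run on every replica and compare the results.

-- 1. Account the Database Engine service runs under.
--    The SSMS warning concerns whether this is a domain account.
SELECT servicename,
       service_account
FROM   sys.dm_server_services
WHERE  servicename LIKE N'SQL Server (%';

-- 2. Availability group (database mirroring) endpoint settings.
--    connection_auth_desc shows whether the endpoint accepts Windows
--    authentication (NTLM / KERBEROS / NEGOTIATE), a certificate, or both.
SELECT dme.name                       AS endpoint_name,
       dme.state_desc,
       dme.role_desc,
       dme.connection_auth_desc,
       dme.is_encryption_enabled,
       dme.encryption_algorithm_desc,
       dme.certificate_id,            -- 0 when no certificate is bound
       te.port,
       SUSER_NAME(dme.principal_id)   AS endpoint_owner
FROM   sys.database_mirroring_endpoints AS dme
JOIN   sys.tcp_endpoints AS te
       ON te.endpoint_id = dme.endpoint_id;

-- 3. Explicit permissions on the endpoint (CONNECT is the one that matters
--    for replica-to-replica traffic). Unexpected grantees are worth reviewing.
SELECT e.name             AS endpoint_name,
       pr.name            AS grantee,
       pr.type_desc       AS grantee_type,
       sp.permission_name,
       sp.state_desc
FROM   sys.server_permissions AS sp
JOIN   sys.endpoints AS e
       ON  sp.class_desc = N'ENDPOINT'
       AND sp.major_id   = e.endpoint_id
JOIN   sys.server_principals AS pr
       ON pr.principal_id = sp.grantee_principal_id
WHERE  e.type_desc = N'DATABASE_MIRRORING';
```

If both replicas report the same domain service account and the endpoint is STARTED with Windows authentication, the configuration matches what the question describes.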

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange