80070721: A security package specific error occurred- Note: the OS version of the device could not b

Full text of the error:

80070721: A security package specific error occurred- Note: the OS version of the device could not be determined, WMI might not work reliably.

The error here is related to security issues directly in PRTG or the target Windows. It's an error-message directly from the targets DCOM.

I'm afraid it's very hard to solve such sporadic issues with WMI Sensors, where the actual error originates within the target DCOM/WMI. Over which PRTG or we do not have any control or influence over. So there is very little we can do to be honest, except of course try the usual tips with WMI Issues, use longer scanning intervals, maybe use Remote Probes to distribute WMI load or do local WMI access.

It seems though using the FQDN instead of 'just' hostnames helps with this error as well: http://blogs.technet.com/b/brad_rutkowski/archive/2011/03/08/solution-for-a-security-package-specific-error-occurred.aspx

I was able to resolve this and the solution turned out to be easy. The problem was because I had mistakenly joined the server to the wrong domain in the forest - e.g. contoso.com, when it should belong to dev.contoso.com I had already moved the server to the correct domain a while ago, but the "old" computer account still existed in AD under contoso.com. Once I verified that it existed also in dev.contoso.com, I deleted the one under contoso.com and voila! Problem solved.

In case anyone is curious, here is an event in the system event log for the server that runs PRTG, which gave me a clue:

Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ProblemServerName$. The target name used was RestrictedKrbHost/ProblemServerName. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DEV.contoso.COM) is different from the client domain (contoso.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.