Dear Andrew,
Based on your description, the issue appears to be directly related to the CIS Level 1 hardening policy that disables the setting: “Allow Custom SSPs and APs to be loaded into LSASS.”
To restore Cluster service functionality while maintaining security posture, we suggest the following:
Temporarily enable the setting “Allow Custom SSPs and APs to be loaded into LSASS” during cluster formation and initial configuration.
Once the cluster is successfully formed and validated, reapply the CIS policy and monitor service behavior. In some environments, the service may continue to operate normally post-formation, though this is not guaranteed.
Alternatively, consider creating a policy exception for CLUSAUTHMGR.DLL if feasible within your security governance framework.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
Best regards,
Harry Phan
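
For the "reapply the CIS policy and monitor service behavior" step in the answer above, a read-only PowerShell check that reports the policy state alongside the Cluster service state and recent Service Control Manager failure events. This is an added example, not part of the original answer or any Microsoft tooling. It assumes the policy is backed by the `AllowCustomSSPsAPs` value under `HKLM:\SOFTWARE\Policies\Microsoft\Windows\System` (confirm against your benchmark document), that the service name is `ClusSvc`, and a 24-hour lookback chosen for illustration.

```powershell
# Added example: read-only status check, changes no settings.
# Assumption: the Group Policy setting is stored in this registry value.
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyName    = 'AllowCustomSSPsAPs'
$ServiceName   = 'ClusSvc'   # failover Cluster service (assumed name)
$LookbackHours = 24          # constructed default for this example

function Get-LsassCustomSspPolicy {
    # Returns NotConfigured, Disabled, Enabled, or Unexpected(<value>)
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    $value = [int]$item.$PolicyName
    switch ($value) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        default { "Unexpected($value)" }
    }
}

function Get-ClusterServiceFailures {
    param([int]$Hours = $LookbackHours)
    # Service Control Manager events: 7000 (failed to start), 7024 (terminated
    # with a service-specific error), 7031 and 7034 (terminated unexpectedly).
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7024, 7031, 7034
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Cluster Service' } |
        Select-Object TimeCreated, Id, Message
}

$svc      = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$failures = @(Get-ClusterServiceFailures)

# One summary object per run, suitable for logging before and after the policy is reapplied.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    CheckedAt      = Get-Date
    CustomSspApPol = Get-LsassCustomSspPolicy
    ClusterService = if ($svc) { $svc.Status } else { 'NotInstalled' }
    FailureEvents  = $failures.Count
}
$failures | Sort-Object TimeCreated | Format-List
```

Running it on each node before the temporary change, after cluster formation, and again after the policy is reapplied gives a comparable record of whether the service keeps running with the setting disabled.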