Event ID: 40960 Source: LSASRV

Description
The Security System detected an authentication error for the server <service>/<server name>. The failure code from authentication protocol Kerberos was "<error description> (<error code>)".

Comments
Error: "There are currently no logon servers available to service the logon request. (0xc000005e)" - In our case, we have a server that slows to a crawl after a week or so, and these errors start showing up. A reboot fixes the slowdown.
Using Windows Server 2008 SP1 we had to allow specifically "NetLogon service (NP In)" on port 445, and that fixed the error.
As you are aware, an error could occur for various reasons. Analysis should be done from various angles, and thus the diagnosis will be specific to the findings.

Solution: In my case, all I did was disable all other network adapters except the one actually connecting to the internet.

I had VMware adapters, LAN adapter, some 1392 adapters and a wireless adapter (this was the main network connection). I disabled all the adapters but the wireless and it worked fine. This may be a temporary fix.
Setting the NETLOGON service dependent on DNS fixed the issue for me.
I had events 40960, 40961, 1053 and 1006 after a network switch firmware upgrade. Disabling Jumbo Frame support on the NIC resolved the case.


I received this error in the following situation:

An NT 4.0 domain was recently upgraded to Windows Server 2003. The registry key NT4Emulator was added to the NT 4.0 PDC prior to the upgrade, as per ME298713.

On external trusted domain, the Domain controllers from the trusted domain were ok, but on a member server in the external trusted domain, I was not able to add permissions from the upgraded NT 4.0 Domain, and in the event logs on the member server, event ID 40960 was seen.
The solution is to either remove the above registry key from the upgraded server, or to put the registry key NeutralizeNT4Emulator on the member server in the trusted domain. This solved our issue.
This event may be recorded if the SID of a domain client is not valid. You will then see messages in the event log that the computer account does not exist inside the domain, etc. To fix this issue, you need to remove the client from the domain, reboot and then join the domain again (after resetting the computer account in AD).
Our issue ended up being a locked-out service account on our Office Communications Server 2007 (OCS) server. It created issues within communicator like showing users offline, when they were really online. It couldn't connect to the SQL database since the account was locked.
In my case, I was experiencing this again and again with NET LOGON issues, SPN records, Kerberos, NLTEST, and connections between servers and domain controllers. It was randomly losing the connection with the DC, and only re-joining the domain solved this issue. There were also issues with communication with Kerberos and SPN records (even though the SPN was set correctly in the schema), and NLTEST was always unsuccessful. Renaming and rejoining the systems did not fix the issue, and neither did re-promoting the DCs.

I had this fixed as follows:
1. Removed any additional default gateway from each network interface
2. Configured only primary and secondary DNS servers for each server network interface
3. Removed the DNS servers which were not domain members from NAME Servers settings on domain DNS systems.

Implementing all the updates specified in ME948496 and ME244474.

I recommend implementing the first patch on all systems, and second one depending on the network load.
I also had to force Kerberos to use TCP instead of UDP on the affected Windows XP workstation. This workstation was located at a remote site that was connecting to the DC and Exchange servers via a VPN connection. The UDP packets were being fragmented and were arriving out of order, and were subsequently dropped. This was causing a very slow Windows logon, and Outlook would not connect to Exchange. Refer to ME244474.

I was also able to resolve the issue by removing the logon script from the affected user's AD account, although I'm not sure how this relates to the above. I opted for changing the Kerberos transmission protocol.
Error description: There are currently no logon servers available to service the logon request. Error code: 0xc000005e.

If this error is logged by a Windows 2008 member server, then check your firewall configuration for all needed ports:

- LDAP (UDP/389 and TCP/389)
- Kerberos (TCP/88)
- SMB (TCP/445)
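One way to verify the port list above from the member server itself, as an added example (this is not code from the original comment or from eventid.net): it discovers the domain controllers through .NET so nothing is hard-coded, probes each TCP port with Test-NetConnection (PowerShell 4 or later), and uses nltest /dsgetdc to exercise the UDP/389 (CLDAP) path that Test-NetConnection cannot probe. Everything else it prints is derived from those results.

```powershell
# Added example: check that a member server can reach every DC on the ports the
# comment above lists. Requires PowerShell 4+ (Test-NetConnection) on a domain-joined host.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = $domain.DomainControllers | ForEach-Object { $_.Name }

# TCP ports from the comment. UDP/389 is covered separately below.
$tcpPorts = [ordered]@{ 'LDAP' = 389; 'Kerberos' = 88; 'SMB' = 445 }

$results = foreach ($dc in $dcs) {
    foreach ($name in $tcpPorts.Keys) {
        $port = $tcpPorts[$name]
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC       = $dc
            Service  = $name
            Port     = "TCP/$port"
            Reachable = $r.TcpTestSucceeded   # $false means a firewall or routing problem
        }
    }
}
$results | Format-Table -AutoSize

# DC locator uses CLDAP over UDP/389; /force bypasses the cached DC so the
# network path is really exercised. A non-zero exit code means location failed.
nltest.exe /dsgetdc:$($domain.Name) /force | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "DC location over UDP/389 failed (nltest exit code $LASTEXITCODE)"
}

$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) { Write-Warning "Blocked: $(($blocked | ForEach-Object { "$($_.DC) $($_.Port)" }) -join ', ')" }
else          { 'All listed TCP ports are reachable on every DC.' }
```

If the script reports a blocked port on only some DCs, the problem is usually a firewall rule scoped to a subnet rather than the server's own configuration; the Windows Firewall "NetLogon service (NP In)" rule mentioned in an earlier comment only covers the SMB/445 row.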
Similar to a post below, I too found a disconnected terminal session that was 42 days old. After disconnecting it, all returned to normal.
We had this problem with two domain controllers (two separate domains with trust relationship) in two cities connected through Internet using OpenVPN. The domain controllers could ping each other, connect to network shares, but could not get objects from AD. The error code was 0xc000005e. We fixed the problem by increasing the VPN MTU from 1400 to 1500.
In my case, 40960 (for server cifs/serverFQDN and error description "The referenced account is currently disabled and may not be logged on to. (Error code 0xc0000072)") and 40961 were logged on one XP workstation and only for a specific user when accessing a specific 2003 member server but that user account was not disabled and he could access all other servers, he just could not access any resource on that specific server.

After several tries, I was able to figure out the cause by enabling failure auditing on all domain controllers (Domain Controller Security - Security Settings - Local Policies - Audit Policies) and checking the Security events on all DCs logged at the same time as the 40960 on the XP workstation. I found that the credentials used to access that server from the XP computer were not the ones of the user logged in but belonged to a long-gone employee. It turned out that the Password Manager in that user profile on that computer had an old record for that server. This can be checked and fixed by removing the entry in the "Stored User Names and Passwords" applet, which you open by running the following command:

rundll32.exe keymgr.dll, KRShowKeyMgr
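The correlation described in that comment can be scripted instead of done by hand. The following is an added example (not part of the original comment): it takes each LsaSrv 40960 from the local System log and looks on every domain controller for a Kerberos or NTLM failure audit logged within a few seconds of it, printing which account actually presented the credentials and from where. It assumes Vista/2008-era event IDs (4768/4771 for Kerberos, 4776 for NTLM) with failure auditing enabled on the DCs, remote event log access to the DCs, and the DC names are placeholders; the regular expressions over the message text are an assumption about the English event templates.

```powershell
# Added example: correlate local LsaSrv 40960 events with DC-side authentication
# failure audits, to find the account whose credentials were really used.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),   # placeholders
    [int]$WindowSeconds = 5,
    [int]$MaxEvents = 25
)

$AuditFailure = 4503599627370496   # 0x10000000000000 = StandardEventKeywords.AuditFailure

$local = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 40960 } `
                      -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $local) { 'No 40960 events in the local System log.'; return }

foreach ($ev in $local) {
    "`n[{0}] 40960: {1}" -f $ev.TimeCreated, ($ev.Message -split "`r?`n")[0]
    $filter = @{
        LogName   = 'Security'
        Id        = 4768, 4771, 4776
        Keywords  = $AuditFailure
        StartTime = $ev.TimeCreated.AddSeconds(-$WindowSeconds)
        EndTime   = $ev.TimeCreated.AddSeconds($WindowSeconds)
    }
    foreach ($dc in $DomainControllers) {
        $audits = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($a in $audits) {
            # Account and source fields as they appear in the English message text
            $account = if ($a.Message -match '(?:Account Name|Logon Account):\s*(\S+)')        { $matches[1] } else { '?' }
            $source  = if ($a.Message -match '(?:Client Address|Source Workstation):\s*(\S+)') { $matches[1] } else { '?' }
            $status  = if ($a.Message -match '(?:Result Code|Failure Code|Error Code):\s*(\S+)') { $matches[1] } else { '?' }
            '    {0} {1} id={2} account={3} from={4} code={5}' -f $dc, $a.TimeCreated.ToString('HH:mm:ss'), $a.Id, $account, $source, $status
        }
    }
}

# Stored credentials on this machine (the applet opened by the rundll32 command above);
# cmdkey.exe ships with Server 2003 and Vista+, and is an add-on on XP.
"`nStored credentials on $env:COMPUTERNAME:"
cmdkey.exe /list
```

An account name in the DC output that differs from the interactively logged-on user is the signature of the stale stored credential described in the comment; removing it with the applet (or `cmdkey /delete:<target>`) and re-testing should make the failure audits stop.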


In our case, this was because we had updated Windows 2003 Server with SP2, which automatically enables the Windows Firewall. Disabling the firewall resolved the problem.
In our case, users who would VPN in using CheckPoint SecureClient were having issues with domain authentication not working. Outlook would prompt for credentials when launched (which did not work when proper credentials were entered), and the only connection to the Exchange server was through a VPN connection. Our solution was to change Kerberos authentication to use TCP packets instead of UDP and also to lower the MTU of the interface. When UDP Kerberos packets are fragmented and received out of order, the server ignores them, but when using TCP they are reassembled in the proper order.
This event with Error code 0xc000006f was being logged intermittently. We determined that a user remained logged in to a PC after hours when the time restriction didn’t allow them to be. The PC would attempt normal Kerberos interactions with the server and the server would log this event.
It might be necessary to adjust the MTU on the router interface or on the server itself. We found that we were having issues where users had slow logins when connected to a network drive and operated normally when not connected to a network drive. From the server, ping the host with the DF bit set and with various payload sizes to determine the biggest packet that can get through. After that, adjust the router interface or adjust the MTU on the server itself (default is 1500).
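The "ping with the DF bit set and various payload sizes" probe above, turned into a binary search, as an added example (not the original commenter's procedure). It drives the built-in ping.exe (`-f` sets Don't Fragment, `-l` sets the payload size) and reports the largest payload that gets through plus the resulting path MTU (payload + 20 bytes IPv4 + 8 bytes ICMP). The target name is a placeholder, and matching on the English "needs to be fragmented" reply text is an assumption about the locale. The same probe applies to the VPN cases in the earlier comments that fixed the MTU at 1400 or 1500.

```powershell
# Added example: find the path MTU to a host by bisecting the largest ICMP payload
# that is delivered with the DF bit set. Default upper bound 1472 = 1500 - 28.
function Find-PathMtu {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$Low  = 500,    # assumed to pass; raise if the link is known to be bigger
        [int]$High = 1472
    )
    # First confirm the host answers at all, so "no reply" later means "too big".
    $probe = ping.exe -n 1 -f -l $Low $Target | Out-String
    if ($probe -notmatch 'TTL=') { throw "No reply from $Target with a $Low-byte payload; check reachability first" }

    while ($Low -lt $High) {
        $mid = [int][math]::Ceiling(($Low + $High) / 2)   # always > $Low, so the loop makes progress
        $out = ping.exe -n 1 -f -l $mid $Target | Out-String
        if ($out -match 'needs to be fragmented') { $High = $mid - 1 }   # a router rejected this size
        elseif ($out -match 'TTL=')                { $Low  = $mid }       # delivered intact
        else                                       { $High = $mid - 1 }   # silently dropped: treat as too big
    }
    [pscustomobject]@{
        Target         = $Target
        MaxPayloadBytes = $Low
        PathMtu        = $Low + 28
        BelowDefault   = ($Low + 28) -lt 1500
    }
}

# Usage (placeholder host): a PathMtu of 1372, for example, matches a VPN that eats 128 bytes.
$r = Find-PathMtu -Target 'fileserver.corp.example'
$r
if ($r.BelowDefault) {
    # Vista/2008+: set the interface MTU persistently to the measured value.
    # On Windows 2003 the equivalent is the MTU value under
    # HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter GUID>.
    "netsh interface ipv4 set subinterface `"Local Area Connection`" mtu=$($r.PathMtu) store=persistent"
}
```

The netsh line is only printed, not executed; lowering the server's MTU is a change that should be made deliberately after confirming the measurement from more than one client.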
In our case, there were two domains, with a selective trust. In one domain, in which the users of the other domain had to authenticate, there were three DCs. Two of them were replaced by more powerful machines. While replacing, we had forgotten to allow authentication for users of the trusted domain. After allowing that, the errors disappeared.
Error: The attempted logon is invalid. This is either due to a bad username or authentication information. Code: 0xc000006d. - One common service/server mentioned when this event is recorded is DNS/prisoner.iana.org. This DNS server, "prisoner.iana.org" is one of the RFC 1918 "blackhole" servers setup to answer requests related to private IP addresses (RFC 1918) like 192.168.0.0 or 10.0.0.0 that normally should not go out on the Internet for resolution. Most probably, one service running on the local computer is trying to resolve the host associated with an private IP address but the local DNS server is not configured with a reverse zone for this private block of IPs so it sends the request on the Internet root servers (and from there redirected to the bogus prisoner.iana.org). So this event is caused by a misconfiguration of your network. To resolve this issue create the proper reverse lookup zones for the private IP subnets used on your network.

If the server is not prisoner.iana.org but the local DNS server, then it is possible that one of the services that is registering DNS records is running with an invalid account. In one case that I have encountered, this event was recorded once per hour. This was happening on a server that used to be a domain controller for an old domain but had AD removed and was then reinstated as a domain controller for a new domain. We found that the service causing this event was the DHCP Client service, which by default runs with the "NT Authority/NetworkService" account. Since this server had a static IP address, we disabled the "DHCP Client" service and the error stopped being recorded in the event log.

Error: There are currently no logon servers available to service the logon request. Code: 0xc000005e - As per ME823712, this behavior occurs when you restart a Windows 2003 server that was promoted to a domain controller.

* * *

From a newsgroup post: "An authenticated connection was requested but the negotiation to find a mutually agreeable security provider (SPNEGO) failed."

As per ME823712, on a Windows 2003 server, this behavior occurs when you restart the server that was promoted to a domain controller. In this scenario, the Windows Time service (W32Time) tries to authenticate before Directory Services has started. There are no adverse effects on computers that experience the warning events that are described in the "Symptoms" section.

I experienced this problem over VPN from some hot-spot locations and not others. I can connect with my Cisco VPN client just fine, but both Outlook and SQL Server fail with this error when I try to connect to either at the problem hot-spots. Given ME244474, the problem seems to be the way the hot-spot's routers handle the UDP packets. On the other hand, seeing as how the problem is limited to only certain locations (i.e. with certain routers), I'm not sure I'd want to fix the issue by modifying my client/laptop.
In our case, Kerberos authentication failed because the firewall was blocking TCP/UDP ports 88 and 389 to all of the domain controllers of the domain.
I have had the issue where, at random intervals, one computer user would have their account locked out, with event ID 40961. This happened on a 2003 native domain. Dale Smith fixed his problem by updating the network card driver on the server, so I decided to update the driver on the NIC in the PC and also add a delay for the Group Policy timeout:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GpNetworkStartTimeoutPolicyValue"=dword:000000b4. This fixed the problem for me.


In our case, description of the warning related to some time problem: The Security System detected an authentication error for the server ldap/nadc2.<site>.domain.net. The failure code from authentication protocol Kerberos was "The time at the Primary Domain Controller is different than the time at the Backup Domain Controller or member server by too large an amount. (0xc0000133)".
We ran the DCdiag tool in verbose mode (/e /v /c /f) for the entire forest and found that one site (<site> - indicated in the above description) had misconfigured time-server settings and their time was off by more than 5 minutes. Once the site admin removed time-server settings from the DC so it could synchronize time with a root DC, all was OK.
- Error: "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)" - See ME938702.
- Error: "The name or SID of the domain specified is inconsistent with the trust information for that domain. (0xc000019b)" - See ME931192 for hotfixes applicable to Microsoft Windows Server 2003 and Microsoft Windows XP.

See MSW2KDB for additional information on this event.
We had this issue after moving a Domain Controller. We demoted a root level DC, disjoined it from the domain, renamed it and re-promoted it as a child domain controller. At the same time, we saw 40960 errors from source LsaSrv with the description: “The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)".

We fixed the problem by performing the following:
1. Stop the Kerberos Key Distribution service.
2. Set the KDC service to “Disabled”.
3. Restart the server (this forces the DC to get a Kerberos ticket from one of the other DCs).
4. Using the procedure in ME325850 reset the machine account password.
5. Set the KDC service to “Automatic”.
6. Start the KDC service.
7. Restart the domain controller one final time (this may not have been required but seemed like a good idea at the time).
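The seven steps above, written as a two-phase script split at the reboot in step 3, as an added example (not the original poster's commands). The service short name `kdc` is the real name of the Kerberos Key Distribution Center service, and step 4 is the netdom resetpwd command from ME325850; the partner DC and the administrative account are parameters with placeholder defaults, and the reboots themselves are left to the operator so each phase can be checked before continuing.

```powershell
# Added example: the KDC-disable / machine-account-reset / KDC-enable procedure as two
# phases. Run with -Phase BeforeReboot, reboot, then run with -Phase AfterReboot.
param(
    [Parameter(Mandatory)][ValidateSet('BeforeReboot', 'AfterReboot')][string]$Phase,
    [string]$PartnerDC = 'DC02',                             # placeholder: another healthy DC
    [string]$AdminAccount = "$env:USERDOMAIN\Administrator"  # placeholder: account for netdom
)

function Get-KdcStartMode {
    # Works on PowerShell 2+; Get-Service only exposes StartType from PowerShell 5.
    (Get-WmiObject -Class Win32_Service -Filter "Name='kdc'").StartMode
}

switch ($Phase) {
    'BeforeReboot' {
        Stop-Service -Name kdc -Force                       # step 1
        Set-Service  -Name kdc -StartupType Disabled        # step 2
        "KDC is stopped and $(Get-KdcStartMode). Reboot now (step 3) so this DC obtains its tickets from another DC, then run -Phase AfterReboot."
    }
    'AfterReboot' {
        if ((Get-KdcStartMode) -ne 'Disabled') { throw 'KDC is not disabled; run -Phase BeforeReboot first.' }

        # step 4 (ME325850): reset this DC's machine account password against the partner DC.
        # /passwordd:* prompts for the password instead of putting it on the command line.
        & netdom.exe resetpwd /server:$PartnerDC /userd:$AdminAccount /passwordd:*
        if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE; KDC left disabled." }

        Set-Service   -Name kdc -StartupType Automatic      # step 5
        Start-Service -Name kdc                             # step 6
        "KDC is $((Get-Service kdc).Status) and $(Get-KdcStartMode). Restart the domain controller one final time (step 7)."
    }
}
```

Because the KDC stays disabled if netdom fails, a failed step 4 is visible rather than silently skipped, which is the condition under which re-enabling the KDC would just reproduce the 0xc000006d errors.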
- Error code: 0xc000006d - In our case, the problem was caused by one of our administrators that had logged on, locked the server at the console, and then changed his domain password the following day. Once he logged off the error stopped appearing.
We had this warning message generated on a Windows 2003 member server. Another symptom was that "net time /set" was generating "Access denied" errors. I fixed this by temporarily disabling Antivirus/Firewall services.
- Error: "{Operation Failed} The requested operation was unsuccessful. (0xc0000001)" - This was shown on an Active Directory DC when a XP client accessed it. In my case, this was preceded by an EventID 5 stating a time sync issue. Bringing the time in line with the server removed both entries.
This event came up on a 2003 Enterprise Terminal Server, but it took a few weeks of operation before the login issue came up. Users logging on to the domain via RDP could not be authenticated, not even the domain administrator. Logging in as the local administrator did work. The server had two network cards: a 1000 Mbps connection with the "private" IP, NetBIOS, gateway and DNS set, and a 100 Mbps connection with the network load balancing cluster option configured, with no DNS, NetBIOS or gateway set. After changing the order of the LAN interfaces in Network Connections -> Advanced -> Advanced connections, the problem went away. As it turned out, the connection with NetBIOS enabled must be on top. On a side note, enabling NetBIOS on both interfaces will give other Kerberos issues (been there), so just change the order and be done with it. In my case it took a minute or so for all problems to vanish.
In my case, there was a difference in time between the PDC and the BDC. You can check it by typing:

net time /querysntp - for NTP server settings
nltest /dclist:<domain name> - to find the PDC in the domain

At the end, compare the time on both servers. There can be a difference of at most 5 minutes.
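An added example (not the commenter's own commands) that does the comparison above in one step: it finds the PDC emulator through .NET without needing the AD module, measures this host's clock offset against it with the built-in `w32tm /stripchart`, and flags offsets beyond the 5-minute Kerberos default mentioned above. It also prints the local time zone, since the GMT Monrovia/GMT UK regional-settings case in a later comment produces the same 0xc0000133 symptom with a correct clock. The `/dataonly` output format being "HH:mm:ss, +00.0391276s" is an assumption about w32tm's English output.

```powershell
# Added example: measure this machine's clock offset from the PDC emulator and
# compare it with the Kerberos clock-skew limit (default 5 minutes).
function Get-PdcTimeOffset {
    param([int]$Samples = 3, [int]$MaxSkewSeconds = 300)

    $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $raw = w32tm.exe /stripchart /computer:$pdc /samples:$Samples /dataonly 2>&1

    # Each sample line looks like "14:02:11, +00.0391276s"; keep the signed seconds.
    $offsets = foreach ($line in $raw) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
    }
    if (-not $offsets) { throw "No samples from $pdc (UDP/123 blocked?): $($raw -join ' ')" }

    $avg = ($offsets | Measure-Object -Average).Average
    [pscustomobject]@{
        PdcEmulator        = $pdc
        OffsetSeconds      = [math]::Round($avg, 3)
        WithinKerberosSkew = [math]::Abs($avg) -le $MaxSkewSeconds
        LocalTimeZone      = [System.TimeZoneInfo]::Local.Id   # compare across servers
        LocalTime          = Get-Date
    }
}

$r = Get-PdcTimeOffset
$r
if (-not $r.WithinKerberosSkew) {
    Write-Warning "Offset of $($r.OffsetSeconds) s from $($r.PdcEmulator) exceeds the Kerberos limit; Kerberos will fail with 0xc0000133 until time sync is fixed."
    # Built-in remediation on Vista/2008+ (use 'net time /querysntp' and w32tm /config on 2003):
    'w32tm /resync /nowait'
}
```

Running this from each DC in turn (or with `-ComputerName` through Invoke-Command) gives the per-site picture that the DCdiag `/e /v /c /f` run in the earlier comment produced.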
In my case, a WinXP workstation logged events 40960 and 40961 from source LsaSrv as well as event 1053 from source UserEnv. The problem was corrected by updating the Intel Gigabit NIC driver on the server.


If you are getting this combined with event id 40961 from source LsaSrv, check for a missing Client for Microsoft Networks in your network components.
- Error: "No authentication protocol was available" - This Event ID appeared on a Windows XP SP2 computer each time it was started. This computer could ping the domain controller but not vice versa. When the Windows XP Firewall was disabled and the computer was removed and re-joined to the domain this event stopped.

- Error: "There are currently no logon servers available to service the logon request" - In one case, this event appeared in hundreds on a Windows 2003 SP1 computer. It appeared after "CHKDSK C: /F /S" was run on the computer on which Windows swap file configuration changes had been made. The C: drive was restored from an image made prior to running CHKDSK. The computer then started normally.
We were receiving this event on a Windows 2003 Server SP1. This error showed up (along with Event 40961 from source LsaSrv, Event 1006 from source Userenv, and Event 1030 from source Userenv) with 1.5 hour intervals. The 1006 and 1030 events showed me a disconnected user still logged onto this server, through his terminal server session. Using Terminal server manager, we logged off that user and it solved the case for us.
I was receiving this event on a Dell OptiPlex running Windows XP SP2 that was set up for 24-hour access to the network. This error showed up (along with 40960 LSASRV, 1006 and 1030 USERENV) every night for at least 6 hours at about 1.5-hour intervals. Further investigation revealed that the NIC was going into sleep mode and it was generating the errors. Going into Device Manager and the properties of the NIC, under the Power Management tab, I cleared the checkbox that states "Allow the computer to turn off this device to save power". I have not received any more errors since doing this.
We have a domain with Win2k AD and various Win2k and XP clients. This event only occurred on XP clients. Additionally, the logs showed event IDs 40961, 1054 and 1030. The logon process from the XP clients took forever, GPs were not applied and access to network shares was not possible. Increasing the Kerberos ticket size, as suggested by MS, didn't do the trick. Recreating users and/or machine accounts didn't help either. The simple solution was to finally install SP4 for Win2k on the domain controllers, which we hadn't done before. Since then everything has been running smoothly.
This event might occur if a scheduled task cannot access a shared network resource. See ME887572 for a hotfix applicable to Microsoft Windows XP.

- Error: "The attempted logon is invalid. This is either due to a bad username or authentication information (0xc000006d)" - From a newsgroup post: "I've had the same problem, and I am almost positive I found a working fix (it works on my systems). I had previously tried all the other mentioned solutions, including disabling Dynamic DNS, turning on or off the option for the network adapters to request registration in DNS, adding reverse lookup zones, etc, but to no avail. My solution is probably only applicable to domain controllers running the DNS server service. These errors seem to be generated by programs trying to resolve domain names to connect back to the server to authenticate, but can't find it if the DNS server service hasn't started yet, failing the request. The solution seems to be adding DNS as a dependency to these services. On a clean Windows 2003 installation, promoted to a DC, with IIS installed, I needed to make W32Time (Windows Time Service), NtFrs (File Replication Service), and SMTPSVC (Simple Mail Transfer Protocol (SMTP)) dependent upon DNS (DNS Server). See ME193888 for details on how to do this".
The error in our server (domain controller) System Event Log was: "The Security System detected an authentication error for the server <server>. The failure code from authentication protocol Kerberos was "{Operation Failed} The requested operation was unsuccessful. (0xc0000001)". This issue occurs if the Network Service security account does not have sufficient privileges to access the following registry subkeys when you upgrade to Windows Server 2003:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

To resolve this issue, assign the Network Service account full control access to the mentioned registry subkeys.
My AD environment is as follows:
Site1-PIX-VPN-PIX-Site2.
All DCs for domain.com in Site1.
All DCs for child.domain.com in Site2.
Comp1 is a Win2k3 SP1+latest hotfixes member server of domain.com. Comp1 is located in Site1. User1 is a member of child.domain.com.
User1 is trying to logon via Remote Desktop to Comp1 and is getting an Access Denied error (Error code 5).
The System log contains EventID 40960 from source LsaSrv, message “No authority could be contacted for authentication. (0x80090311)”.
The Application log contains EventID 1219 from source Winlogon, message “Logon rejected for <user name>. Unable to obtain Terminal Server User Configuration. Error: Access Denied”.
It turns out that the error was caused by a PIX configuration on the Site1 side. We had a class-map defined as class_http, and this class contained ports TCP 88 and 80 to inspect as HTTP traffic. Removing the Kerberos (TCP 88) port from HTTP inspection resolved the problem.
We were getting the error "The Security System detected an authentication error for the server ldap/<PDC Emulator>" along with time errors, even though the time was correct. The problem was that the Regional Settings for this one server were GMT Monrovia and the rest of the servers were GMT UK. Changing the setting resolved the issues.


In our case, this error came every 90 minutes, together with event id 40961. The code was 0xc0000064 (Error code 0xC0000064) = "User does not exist". In the system event log there was an error event 1053: "Windows cannot determine user or computer name. (User does not exist). Group Policy processing aborted".
It turned out that there was a disconnected terminal services session still open on the server for an account that had been deleted. Every 90 minutes Windows was trying to refresh the policy for this user, which generated the error. Logging off the session and removing the user profile for the deleted account solved the problem.
As per Microsoft: "Use the error code in the message to determine the cause of the problem. For example, a STATUS_NO_LOGON_SERVER error code (0xC000005e) indicates that the domain controller was temporarily unavailable". See MSW2KDB for more details on this event.

This can also occur if the File Replication Service (Ntfrs.exe) tries to authenticate before the directory service has started. See ME824217 to troubleshoot this problem. Also seeing the Kerberos FAQ might be of some help.

See ME891559 for more details on this event.
According to a newsgroup post, this error might be caused by problems with the W32time service. Check your time settings throughout the forest and solve all W32time errors and warnings first.
As per PK’s comments (see below), in order to make this event log entry disappear, simply make NETLOGON depend on DNS. This can be done in the registry easily, just go to “\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon”, and add the string “DNS” to the key "DependOnService" (place it under LanmanServer).
One of our customers got this error on two of his Windows XP workstations. The workstations could initially be connected to the Windows Small Business Server 2003 domain, but after a reboot, the domain was not accessible (logon, network drive mapping, etc.). To resolve this problem we replaced the client's network card. The old card was an Acer network adapter that had no drivers for Windows XP but worked fine with the Intel standard driver and the existing NT 4.0 domain. However, Kerberos authentication with the SBS 2003 domain was impossible.
I experienced this problem on Windows XP workstations, when users logged into a terminal server and terminal sessions were disconnected (but not terminated). To fix this problem I configured the terminal server to end disconnected sessions, and end sessions where users were idle for more than a specified amount of time.
We were also getting this error on a Windows 2003 member server (in a Windows 2003 AD) which had its own DNS Server service running. The problem was that the server was booting up and several services were trying to run (including NETLOGON) before the member server's DNS Server service had started. This resulted in no name lookup for the Active Directory domain, and hence it could not contact any domain controllers.
I had this event for users who were connecting to our RRAS service. The end user could connect to RRAS and could ping hosts, nslookup hosts, tracert, etc. However, when the user tried to access any network resources in our Windows 2003 Active Directory that actually required authentication, it would fail. After a support call with Microsoft, it was determined that somewhere between his home machine and our RRAS server, the Kerberos UDP packets were being fragmented, hence any authentication was failing (recall he could ping, nslookup, etc.). We set the following registry key to a value of 1 to force Kerberos authentication to use TCP instead of UDP and everything worked perfectly.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize=1

Note: On his XP Professional w/SP1 client, I had to create the Parameters subkey and MaxPacketSize DWORD value manually.

See ME244474.
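The three registry changes quoted in the comments on this page (MaxPacketSize=1 under Lsa\Kerberos\Parameters just above, GpNetworkStartTimeoutPolicyValue under Winlogon, and adding DNS to Netlogon's DependOnService) applied in one script, as an added example that is not any commenter's own code. It records the previous value of each DWORD, creates the Parameters key when it is missing (the XP SP1 note above), and only appends DNS to the dependency list if it is absent and the DNS Server service actually exists on the machine; the paths and value names are exactly those given in the comments.

```powershell
# Added example: apply the registry changes quoted on this page idempotently,
# keeping the previous values so they can be reverted.
$LsaKerb  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'

function Set-DwordWithBackup {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }   # e.g. Kerberos\Parameters on XP
    $old = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    [pscustomobject]@{ Path = $Path; Name = $Name; Previous = $old; New = $Value }
}

function Add-ServiceDependency {
    param([Parameter(Mandatory)][string]$ServicePath, [Parameter(Mandatory)][string]$Dependency)
    # Refuse to add a dependency on a service that is not installed here: Netlogon would
    # never start again on a member server without a local DNS Server service.
    if (-not (Get-Service -Name $Dependency -ErrorAction SilentlyContinue)) {
        throw "Service '$Dependency' is not installed on this machine; not adding the dependency."
    }
    $deps = @((Get-ItemProperty -Path $ServicePath -Name DependOnService).DependOnService)
    if ($deps -contains $Dependency) { return "DependOnService already contains $Dependency ($($deps -join ','))" }
    $new = $deps + $Dependency                                   # appended after LanmanServer
    Set-ItemProperty -Path $ServicePath -Name DependOnService -Value $new -Type MultiString
    "DependOnService is now: $($new -join ',')"
}

Set-DwordWithBackup -Path $LsaKerb  -Name 'MaxPacketSize' -Value 1                    # Kerberos over TCP (ME244474)
Set-DwordWithBackup -Path $Winlogon -Name 'GpNetworkStartTimeoutPolicyValue' -Value 0xb4   # 180-second GP network wait
Add-ServiceDependency -ServicePath $Netlogon -Dependency 'DNS'                          # Netlogon waits for DNS Server
# All three take effect after a restart of the affected service or a reboot.
```

The DNS dependency is the one to be careful with: it is appropriate on a domain controller that runs the DNS Server service itself (the scenario the comments describe), which is why the function checks that the service exists before editing the multi-string.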
Had this on a WinXP workstation which could no longer access domain resources. The fix was changing the DNS settings to point to a Win2k DNS which was tied into Active Directory. Apparently the workstation could no longer locate SRV records for the Kerberos authentication server. These records were not in our UNIX DNS but were in the Win2k DNS. Related directly to Event 40961 - LsaSrv.


In our case, one of our customers reported that they were periodically seeing slow logon times (defined as the time between entering the password and hitting Enter on the "Log on to Windows" screen and the disappearing of that screen), sometimes 1-3 minutes, on Windows XP SP1. Windows 2000 Pro computers are unaffected. The domain these computers are logging onto is a Windows 2000 AD Native Mode domain with AD-integrated DNS zones. Checking the event log of a machine reveals these 40960 errors in the system log.

Solution: User logon failure auditing must be enabled.
By looking at the logon failure audit event logged at the same time as the SPNEGO event, more information about the logon failure can be obtained. Windows XP performs a reverse lookup on the DNS server it is configured for as part of its own blackhole router detection. In the case where the DNS server used does not have the reverse lookup zone and/or no PTR record for the DNS server, the request gets forwarded out to the Internet.

The response comes back with one of the following server names:
prisoner.iana.org
blackhole-1.iana.org
blackhole-2.iana.org

These servers own the public PTR records for the 192.168.x.x zones. Since they have no record of your DNS Server, they reply with a "Server does not exist" reply, which causes LSASRV to log the error.

Solution: On the local DNS Server, create a Reverse Lookup Zone, and enter a record for your DNS Server.

Another case: The client was pointed to the ISP's DNS servers, which contained a zone for the customer's domain. We removed the external DNS server addresses and ensured that DHCP was only assigning the internal DNS server address. For testing we manually configured the DNS server address on a workstation, which overrides the DHCP values. We can reference the following Knowledge Base article: ME291382 Frequently Asked Questions About Windows 2000 DNS.

Another case: Check the time on the workstation. Ensure that the day, time, time zone, AM/PM, year are correct. In my case the year was incorrect everything else was correct.

Last case: In this situation they actually were not authenticating to the DC. They were being logged in with cached credentials.
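The reverse lookup zone fix from the comments above (and the prisoner.iana.org explanation earlier on the page), as an added example that is not any commenter's own steps. It uses the DnsServer PowerShell module, which ships with the DNS Server role on Windows Server 2012 and later (the Windows 2000/2003 servers in the comments would need the DNS console or dnscmd instead); it first shows whether the PTR query for the DNS server currently escapes to the IANA blackhole servers, then creates the zone and record and re-checks. The subnet, addresses and host name are placeholders, and the zone name is derived on the assumption that the private subnet is a /24.

```powershell
# Added example: create the missing reverse lookup zone for a private /24 on the local
# DNS server, add the PTR for the DNS server itself, and verify the answer stays local.
param(
    [string]$NetworkId     = '192.168.10.0/24',     # placeholder private subnet
    [string]$DnsServerIp   = '192.168.10.5',        # placeholder: the DNS server's own address
    [string]$DnsServerFqdn = 'dns1.corp.example.'   # placeholder, trailing dot = absolute name
)

$o    = $DnsServerIp.Split('.')
$zone = '{0}.{1}.{2}.in-addr.arpa' -f $o[2], $o[1], $o[0]   # 10.168.192.in-addr.arpa for a /24
$host = $o[3]

function Test-ReverseLookup {
    param([string]$Ip, [string]$Server)
    # Resolve-DnsName reverses the IP itself for -Type PTR. An authority section naming
    # prisoner/blackhole-*.iana.org means the query left the network, as the comment describes.
    $r = Resolve-DnsName -Name $Ip -Type PTR -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    $authority = ($r | Where-Object { $_.Section -eq 'Authority' } | ForEach-Object { $_.PrimaryServer, $_.NameHost }) -join ' '
    [pscustomobject]@{
        Answer          = ($r | Where-Object { $_.Section -eq 'Answer' } | ForEach-Object NameHost) -join ','
        LeaksToInternet = $authority -match 'iana\.org'
    }
}

'Before:'; Test-ReverseLookup -Ip $DnsServerIp -Server $DnsServerIp

if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    # AD-integrated, domain-replicated zone with secure dynamic updates, as on the forward zone
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name $host -RRType Ptr -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $zone -Name $host -PtrDomainName $DnsServerFqdn
}

Clear-DnsServerCache -Force   # drop any cached negative answer from iana.org
'After:'; Test-ReverseLookup -Ip $DnsServerIp -Server $DnsServerIp
```

Once the "After" line shows the DNS server's own name and `LeaksToInternet` is false, the 0xc000006d events tied to DNS/prisoner.iana.org should stop; the other private subnets in use need the same treatment, since every client's configured DNS server address must resolve locally.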
