for a hotfix applicable to Microsoft Windows XP Professional Service Pack 2.
As per Microsoft: "The Negotiate package could not select a secure authentication protocol because the user provided incorrect credentials or because the domain controller was temporarily unavailable". See MSW2KDB
for more details on this event.
This can occur if the File Replication Service (Ntfrs.exe) tries to authenticate before the directory service has started. See ME824217
to troubleshoot this problem.
From a newsgroup post: "In my case, this error occurred because the credentials specified in my DHCP server on “DC1” for dynamic DNS registration were misspelled".
From a newsgroup post: "1. If the 40960/40961 events only happen at boot, it is likely that ME823712
will help you to fix this problem.
2. If the 40960/40961 events happen at a regular interval (i.e., hourly), try to determine what service may be need to authenticate at that interval. For example, if a XP/2003 machine is pointed directly at a DNS server that doesn't support Kerberos, secure dynamic updates will generate 40960/40961 events. Even if the XP/2003 machine is pointed to a 2000/2003 DNS server, if the SOA for the zone is a non-Microsoft DNS server that doesn't support Kerberos, the 40960/40961 events can still be generated.
3. Get a list of the computer names of the DCs in the domain, and compare that to a list of all machine accounts in the forest to see if there is a name conflict. For example, if NTSERVER is a member server in the parent domain, and NTSERVER is a DC in the child domain, you can see 40960/40961 events because of the name conflict.
4. Verify RPC Locator is correctly configured:
Started, Automatic - Windows 2000 domain controllers.
Stopped, Manual - Windows Server 2003 domain controllers & member servers.
Stopped, Disabled - Windows 2000 clients & member servers, XP clients.
5. If the registry on the DC contains the NT4Emulator registry value in the following registry key, set it to 0, or delete it entirely.
6. Verify the DHCP client service is started on all machines. Even machines with static IP addresses (including domain controllers and member servers) need to have DHCP client service enabled because that service handles DNS dynamic updates.
7. Verify there is not a time skew between machines. Make sure to verify the time, date, and year, are all the same. Appendix A of the Troubleshooting Kerberos Errors white paper shows a sample trace where clock skew breaks Kerberos.
8. Kerberos UDP packet fragmentation can result in Kerberos failure. Appendix A of the Troubleshooting Kerberos Errors white paper shows a sample trace where UDP fragmentation breaks Kerberos.
2003 - RTM defaults to MaxPacketSize of 1465 bytes.
2000 - RTM defaults to 2000 bytes. With hotfix 315150 or SP4, default is 1465
XP - RTM defaults to 2000 bytes. With SP2, default is 1465. There is no hotfix, SP2 is the only way to get the 1465 default without manually setting the MaxPacketSize registry value to 1465. See ME315150
9. Reset the secure channel.
10. Create a reverse lookup zone and add the DNS server to it. The step is included here because it was the fix in a customer verified solution object, but more information is needed to understand why this would resolve the 40960/40961 events.
11. Verify the necessary SPNs are registered, based on the information in the event description.
12. Clear cached credentials.
2003 - Control Panel, Stored User Names and Passwords, Remove them all.
13. Based on the information in the event description, verify that the SAM account name of one account is not the same as the UPN of another account".
From a newsgroup post: "I was having this problem when using Microsoft’s Virtual PC 2004 with Windows 2003. I keep getting messages that the server’s clock on the virtual machine is out of sync with my physical box running Windows Server 2003. In the end, I just noticed that the date on my other box was 7/26, but the date on the virtual machine was 7/25. After making the necessary adjustments, the problem disappeared".
From a newsgroup post: "If this server is joined to a domain called mydomain.com and you have two adapters, configure both adapters to point to your Active Directory DNS server or disable DNS registration on the second adapter. See ME246804
for information on how to enable or disable dynamic DNS registrations in Windows 2000 and in Windows Server 2003".
From a newsgroup post: "Other posts in various newsgroups suggested that a problem with a user’s profile could be the cause of failures to apply GPOs, which is the root cause of My Documents redirection failures. This was consistent with what I was seeing. I was not using roaming profiles, so User A’s profile on PC01 was (potentially) different than it is on PC02. Furthermore, PC01 was installed with Windows XP Pro from scratch while PC02 ran Windows XP Home for 2 years and then was upgraded to Windows XP Pro. User A's profile on PC01 was created "fresh" while on PC02 it was migrated when PC02 was joined to the domain.
I did not find specific information concerning what gets screwed up in the profile or why it causes GPO failures. However, the fix steps were reasonably uniform:
1. Logon to the problematic PC as Administrator.
2. Backup the profile of the problem user. (E.g., copy it elsewhere. Be sure hidden and system files are copied. For example, \Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook often contains “.OST” and/or “.PST” files. I compared the total size and number of files in the original and backup before proceeding to Step 3.)
3. Delete the problematic profile. (Right-click My Computer -> Properties -> Advanced Tab -> User Profiles [Settings] button. Select the profile to be deleted with care.
4. Logoff as Administrator and logon as the problem (domain) user to recreate the profile.
5. Restore (copy back) the files from the backed-up profile. (Be careful about what gets overwritten.)
When I did this for User A on PC02, the 1030 and 40961 events stopped and My Documents redirection worked".
also provides information about this event.
for additional information on this event.