
Event ID: 5000 Source: LsaSrv

The security package <security package name> generated an exception. The package is now disabled. The exception information is the data.
This problem occurs because a user who belongs to more than 1,024 Active Directory directory service groups tries to connect to a Windows 2000 member server or to an Internet Information Services (IIS) server by using NTLM authentication. The server does not permit the logon and this event is logged. See ME306748 for more information about this problem.

This problem occurs because an access violation occurs in the Lsass.exe process. If the NTLM security package is not available to the Lsass.exe process, the access violation that results may cause the Lsass.exe process to stop. See ME838656 for a hotfix applicable to Microsoft Windows Server 2003.

See "JSI Tip 6194" for additional information about this event.

I just installed Windows 2003 Enterprise Server running Exchange 2003 and IIS 6 for OWA, and it was giving me this error. After calling Microsoft, they said the reason for that was the frequent Bot attacks to IIS 6, and pointed me to install MS04-011 and MS04-007. They also suggested MS05-019 if it applied to my system. They said these patches are not being pushed as Windows updates because of some issues and they must be downloaded and installed manually. After installing those patches and rebooting the system, the event disappeared.

See ME841037 and ME896179 for two hotfixes applicable to Microsoft Windows 2000.

As per Microsoft: "This issue may occur if there is an exception that is caused by a bug in an authentication package.  To resolve this problem, restart the computer that the domain controller resides on". See ME828873 for more details.

Also check ME831726 for more details.

An SSL vulnerability can also cause this problem. The vulnerability is discussed in MS04-011 and ME835732.

From a newsgroup post: "We experienced this type of message after installing SP2 on one of our servers. The only way we could get rid of it was to upgrade all of our domain controllers to SP2. Since then, all has been great."

Reported security packages:
- Kerberos
- Negotiate

Security package: "Negotiate" - See the hotfix described on ME328948.
Security package: "NTLM" - The LSASVR error is generated when an NT, 2K, or .NET server has identified one SID in 1000 local groups. All Windows OS have this limitation. If one SID is in 1000 groups, then this service's DLL overruns the ipstack.dll and crashes the machine. There are no public Qs about this problem, but there are private Qs which Microsoft won't release. There is a fix, but you must tell them you are having this exact error message. We found out about this when we built a Win2K server with SharePoint Team Services. Every time a new project is created, 5 new local groups are created for that one project. If you are an administrator for a project, your SID is in every one of those groups. After several hundred projects, every time an admin logged on to the machine through project server, terminal services, or the console, the machine crashed hard. Microsoft's "fix" just blocks any SID that is in 1000 groups from logging on to the machine at all.
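
Added example (not from the original page or from Microsoft): one way to spot accounts approaching the group limit described in the comments above, both the 1,024-group NTLM case and the SharePoint Team Services report of five local groups per project, before they trigger this event. The `member,group` export format, the function names and the sample data are assumptions made for illustration; nested memberships are counted as well as direct ones.

```python
from collections import defaultdict

GROUP_LIMIT = 1024  # group limit quoted on this page for NTLM logons

def effective_groups(member_of, principal):
    """Return every group the principal belongs to, directly or through nesting."""
    seen = set()
    stack = list(member_of.get(principal, ()))
    while stack:
        group = stack.pop()
        if group in seen:  # already expanded; this also breaks circular nesting
            continue
        seen.add(group)
        stack.extend(member_of.get(group, ()))
    return seen

def load_edges(lines):
    """Parse 'member,group' lines (hypothetical export format) into a map."""
    member_of = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        member, group = (field.strip() for field in line.split(",", 1))
        member_of[member].add(group)
    return member_of

def audit(member_of, users, limit=GROUP_LIMIT, warn_ratio=0.9):
    """Map each user to (group count, 'over' | 'near' | 'ok')."""
    report = {}
    for user in users:
        count = len(effective_groups(member_of, user))
        status = "over" if count > limit else "near" if count >= limit * warn_ratio else "ok"
        report[user] = (count, status)
    return report

def sample_edges():
    """Constructed data: 210 projects x 5 local groups each, plus a nesting loop."""
    edges = [f"admin1,proj{p}-role{r}" for p in range(210) for r in range(5)]
    edges += ["user1,staff", "staff,all-users", "all-users,staff"]  # circular nesting
    return edges

if __name__ == "__main__":
    for user, (count, status) in audit(load_edges(sample_edges()), ["admin1", "user1"]).items():
        print(f"{user}: {count} groups ({status})")
```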
