Event ID 40960 Source LsaSrv
| Event ID | 40960 |
| Source | LsaSrv |
| Type | Error |
| Description | The Security System detected an attempted downgrade attack for server <server name>. The failure code from authentication protocol Kerberos was "<error message> (<hex error code>)". |
| Concepts to understand | What is the LSA? What is an authentication protocol? What is Kerberos? What is the role of LsaSrv? |
| Comments |
Anonymous (Last update 4/27/2009): In our case users who would VPN in using CheckPoint SecureClient were having issues with domain authentication not working. Outlook would prompt for credentials when launched (which did not work when proper credentials were entered) and the only connection to the Exchange server was through a VPN connection. Our solution was to change Kerberos auth to use TCP packets instead of UDP and also to lower the MTU of the interface. When UDP Kerberos packets are fragmented and received out of order, the server ignores them, but when using TCP they are re-assembled in proper order.

Anonymous (Last update 11/19/2008): It might be necessary to adjust the MTU on the router interface or on the server itself. We found that we were having issues where users had slow logins when connected to a network drive and operated normally when not connected to a network drive. From the server, ping the host with the DF bit set and with various payload sizes to determine the biggest packet that can get through. After that, adjust the router interface or adjust the MTU on the server itself (default is 1500).

Moki (Last update 7/2/2008): I experienced this problem over VPN from some hot-spot locations and not others. I can connect with my Cisco VPN client just fine, but both Outlook and SQL Server fail with this error when I try to connect to either at the problem hot-spots. Given M244474, the problem seems to be the way the hot-spot's routers handle the UDP packets. On the other hand, seeing as how the problem is limited to only certain locations (i.e. with certain routers), I'm not sure I'd want to fix the issue by modifying my client/laptop.

Patrick (Last update 5/20/2008): I have had the issue where at random intervals one computer user would have their account locked out, with event ID 40961. This happened on a 2003 native domain. Dale Smith fixed his problem by updating the network card driver on the server, so I decided to update the driver on the NIC in the PC and also add a delay for the Group Policy time out:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GpNetworkStartTimeoutPolicyValue"=dword:000000b4

This fixed the problem for me.

Kevin Bowersock (Last update 7/10/2007): We had this issue after moving a Domain Controller. We demoted a root level DC, disjoined it from the domain, renamed it and re-promoted it as a child domain controller. At the same time, we saw 40960 errors from source LsaSrv with the description: "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)". We fixed the problem by performing the following:
1. Stop the Kerberos Key Distribution service.
2. Set the KDC service to "Disabled".
3. Restart the server (this forces the DC to get a Kerberos ticket from one of the other DCs).
4. Using the procedure in M325850, reset the machine account password.
5. Set the KDC service to "Automatic".
6. Start the KDC service.
7. Restart the domain controller one final time (this may not have been required but seemed like a good idea at the time).

Dmitry Kulshitsky (Last update 11/15/2006): We had this warning message generated on a Windows 2003 member server. Another symptom was that "net time /set" was generating "Access denied" errors. I fixed this by temporarily disabling Antivirus/Firewall services.

Mark Ball (Last update 11/7/2006): - Error: "{Operation Failed} The requested operation was unsuccessful. (0xc0000001)" - This was shown on an Active Directory DC when an XP client accessed it. In my case, this was preceded by an EventID 5 stating a time sync issue. Bringing the time in line with the server removed both entries.
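The DF-bit ping procedure from the 11/19/2008 comment, written out as an added PowerShell example (not code from the page or any of the contributors): it probes the path to a host with "don't fragment" pings of decreasing payload size and reports the largest payload that gets through, plus the resulting path MTU. The function name, the `dc01.example.com` placeholder and the search bounds are my own assumptions; the tool it wraps is the standard Windows ping.exe.

```powershell
# Added example (not from the original page): find the largest ICMP payload that
# crosses the path to $Target without fragmentation, using ping.exe with the
# "don't fragment" flag (-f) and a fixed payload size (-l). The payload plus
# 28 bytes (20-byte IP header + 8-byte ICMP header) is the usable path MTU,
# which is the value to set on the interface or router when it is below 1500.
function Find-PathMtu {
    param(
        [Parameter(Mandatory)] [string] $Target,   # host or IP to probe (assumed to answer ICMP)
        [int] $Low  = 548,                          # smallest payload to try (576-byte minimum datagram minus headers)
        [int] $High = 1472                          # 1500-byte Ethernet MTU minus 28 bytes of headers
    )

    # Returns $true when a DF-flagged ping of $Size bytes gets a real echo reply.
    function Test-Payload([int] $Size) {
        $out = & ping.exe -n 1 -f -l $Size -w 1000 $Target 2>&1 | Out-String
        # A router that would have to fragment answers "Packet needs to be fragmented but DF set."
        # and that line carries no TTL, so require a TTL and reject the fragmentation message.
        return ($out -match 'TTL=') -and ($out -notmatch 'needs to be fragmented')
    }

    if (-not (Test-Payload $Low)) {
        throw "Even a $Low-byte DF ping to $Target failed; check basic reachability before tuning MTU."
    }
    if (Test-Payload $High) {
        return [pscustomobject]@{ Target = $Target; MaxPayload = $High; PathMtu = $High + 28; PathIsNarrower = $false }
    }

    # Binary search between a known-good $Low and a known-bad $High.
    while ($High - $Low -gt 1) {
        $mid = [int](($Low + $High) / 2)
        if (Test-Payload $mid) { $Low = $mid } else { $High = $mid }
    }
    [pscustomobject]@{ Target = $Target; MaxPayload = $Low; PathMtu = $Low + 28; PathIsNarrower = $true }
}

# Usage (replace the placeholder with the domain controller or VPN peer you log on through):
# Find-PathMtu -Target dc01.example.com
```

A PathMtu below 1500 on a path that carries Kerberos UDP traffic is exactly the situation the VPN comments above describe; the two remedies on this page are lowering the interface MTU to that value or forcing Kerberos onto TCP.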
Anonymous (Last update 9/25/2006): This event came up on a 2003 Enterprise Terminal Server but it took a few weeks of operation before the login issue came up. Users logging onto the domain via RDP could not be authenticated, not even the domain administrator. Logging in as the local administrator did work. The server had two network cards: a 1000 Mbps connection with the "private" IP, NetBIOS, gateway and DNS set, and a 100 Mbps connection with the network load balancing cluster option configured, with no DNS, NetBIOS or gateway set. After changing the order of the LAN interfaces in Network Connections -> Advanced -> Advanced connections, the problem went away. As it turned out, the connection with NetBIOS enabled must be on top. On a side note, enabling NetBIOS on both interfaces will give other Kerberos issues (been there), so just change the order and be done with it. In my case it took a minute or so for all problems to vanish.

Vlastimil Bandik (Last update 9/20/2006): In my case, there was a difference of time between the PDC and the BDC. You can check it by typing:
- net time /querysntp - for the NTP server settings
- nltest /dclist:<domain name> - to find the PDC in the domain
At the end, compare the time on both servers. There could be a difference of a maximum of 5 minutes.

Adrian Grigorof (Last update 8/24/2006): From a newsgroup post: "An authenticated connection was requested but the negotiation to find a mutually agreeable security provider (SPNEGO) failed." As per M823712, on a Windows 2003 server, this behavior occurs when you restart the server that was promoted to a domain controller. In this scenario, the Windows Time service (W32Time) tries to authenticate before Directory Services has started. There are no adverse effects on computers that experience the warning events that are described in the "Symptoms" section.
- Error: The attempted logon is invalid. This is either due to a bad username or authentication information. Code: 0xc000006d.
- One common service/server mentioned when this event is recorded is DNS/prisoner.iana.org. This DNS server, "prisoner.iana.org", is one of the RFC 1918 "blackhole" servers set up to answer requests related to private IP addresses (RFC 1918) like 192.168.0.0 or 10.0.0.0 that normally should not go out on the Internet for resolution. Most probably, one service running on the local computer is trying to resolve the host associated with a private IP address but the local DNS server is not configured with a reverse zone for this private block of IPs, so it sends the request to the Internet root servers (and from there it is redirected to the bogus prisoner.iana.org). So this event is caused by a misconfiguration of your network. To resolve this issue create the proper reverse lookup zones for the private IP subnets used on your network.

Dale Smith (Last update 8/18/2006): In my case, a WinXP workstation logged events 40960 and 40961 from source LsaSrv as well as event 1053 from source UserEnv. The problem was corrected by updating the Intel Gigabit NIC driver on the server.

Anonymous (Last update 6/20/2006): If you are getting this combined with event id 40961 from source LsaSrv, check for a missing Client for Microsoft Networks in your network components.

Peter Hayden (Last update 5/19/2006):
- Error: "No authentication protocol was available" - This Event ID appeared on a Windows XP SP2 computer each time it was started. This computer could ping the domain controller but not vice versa. When the Windows XP Firewall was disabled and the computer was removed from and re-joined to the domain, this event stopped.
- Error: "There are currently no logon servers available to service the logon request" - In one case, this event appeared in hundreds on a Windows 2003 SP1 computer. It appeared after "CHKDSK C: /F /S" was run on the computer, on which Windows swap file configuration changes had been made. The C: drive was restored from an image made prior to running CHKDSK. The computer then started normally.

Rob vd Knaap (Last update 5/4/2006): We were receiving this event on a Windows 2003 Server SP1. This error showed up (along with Event 40961 from source LsaSrv, Event 1006 from source Userenv, and Event 1030 from source Userenv) at 1.5 hour intervals. The 1006 and 1030 events showed me a disconnected user still logged onto this server through his terminal server session. Using Terminal Server Manager, we logged off that user and it solved the case for us.

Ingo Wittig (Last update 3/14/2006): I was receiving this event on a Dell Optiplex running Windows XP SP2 that was set up for 24 hour access to the network. This error showed up (along with 40960 LSASRV, 1006 and 1030 USERENV) every night for at least 6 hours at about 1.5 hour intervals. Further investigation revealed that the NIC was going into sleep mode and it was generating the errors. Going into Device Manager and properties of the NIC, under the Power Management tab, I cleared the checkbox that states "Allow the computer to turn off this device to save power". I have not received any more errors since doing this.

Anonymous (Last update 1/25/2006): We have a domain with Win2k AD and various Win2k and XP clients. This event only occurred on XP clients. Additionally, the logs showed event ids 40961, 1054 and 1030. The logon process from the XP clients took forever, GPs were not applied and access to network shares was not possible. Increasing the Kerberos ticket size, as suggested by MS, didn't do the trick. Recreating users and/or machine accounts didn't help either. The simple solution was to finally install SP4 for Win2k on the domain controllers, which we hadn't done before. Since then everything has been running smoothly.

Mihai Andrei (Last update 1/19/2006): This event might occur if a scheduled task cannot access a shared network resource. See M887572 for a hotfix applicable to Microsoft Windows XP.
- Error: "The attempted logon is invalid. This is either due to a bad username or authentication information (0xc000006d)" - From a newsgroup post: "I've had the same problem, and I am almost positive I found a working fix (it works on my systems). I had previously tried all the other mentioned solutions, including disabling Dynamic DNS, turning on or off the option for the network adapters to request registration in DNS, adding reverse lookup zones, etc., but to no avail. My solution is probably only applicable to domain controllers running the DNS server service. These errors seem to be generated by programs trying to resolve domain names to connect back to the server to authenticate, but they can't find it if the DNS server service hasn't started yet, failing the request. The solution seems to be adding DNS as a dependency to these services. On a clean Windows 2003 installation, promoted to a DC, with IIS installed, I needed to make W32Time (Windows Time Service), NtFrs (File Replication Service), and SMTPSVC (Simple Mail Transfer Protocol (SMTP)) dependent upon DNS (DNS Server). See M193888 for details on how to do this".

Matthew C. Miller (Last update 11/24/2005): The error in our server (domain controller) System Event Log was: "The Security System detected an authentication error for the server <server>. The failure code from authentication protocol Kerberos was "{Operation Failed} The requested operation was unsuccessful. (0xc0000001)". This issue occurs if the Network Service security account does not have sufficient privileges to access the following registry subkeys when you upgrade to Windows Server 2003:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
To resolve this issue, assign the Network Service account full control access to the mentioned registry subkeys.
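Several comments above (Vlastimil Bandik, Mark Ball, Adrian Grigorof) come down to clock skew between a client and the domain controllers. The following is an added PowerShell example, not code from the page or its contributors, that finds the PDC emulator for the current domain through .NET directory services and measures the local clock offset against it with `w32tm /stripchart`, flagging anything outside the 5-minute window the comment mentions (Kerberos' default MaxClockSkew). The function name and the `pdc01.example.com` placeholder are my assumptions; the tool wrapped is the built-in w32tm.exe.

```powershell
# Added example (not from the original page): measure this machine's clock offset
# against the PDC emulator and compare it with the Kerberos skew tolerance.
function Test-ClockSkewAgainstPdc {
    param(
        [string] $Pdc,                     # optional; discovered from the domain when omitted
        [int]    $Samples = 5,             # w32tm samples to average
        [int]    $ToleranceMinutes = 5     # Kerberos default MaxClockSkew
    )

    if (-not $Pdc) {
        # .NET directory services: works on a domain member without the ActiveDirectory module.
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        $Pdc = $domain.PdcRoleOwner.Name
    }

    # /dataonly prints one "HH:MM:SS, +00.0123456s" line per sample; the sign is the local
    # clock relative to the target, so a positive value means the local clock is behind.
    $lines = & w32tm.exe /stripchart /computer:$Pdc /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double] $Matches[1] }
    }
    if (-not $offsets) {
        throw "w32tm returned no samples from $Pdc (UDP 123 blocked, or name not resolvable?); output: $($lines -join ' ')"
    }

    $avg = ($offsets | Measure-Object -Average).Average
    [pscustomobject]@{
        Pdc              = $Pdc
        SampleCount      = @($offsets).Count
        AverageOffsetSec = [math]::Round($avg, 3)
        WithinTolerance  = [math]::Abs($avg) -le ($ToleranceMinutes * 60)
        # A wrong time zone or regional setting shows up as a clean multiple of 3600 s.
        LocalTimeZone    = [System.TimeZoneInfo]::Local.Id
    }
}

# Usage:
# Test-ClockSkewAgainstPdc
# Test-ClockSkewAgainstPdc -Pdc pdc01.example.com -Samples 10
```

Run it on the machine that logs 40960; an offset that is a whole number of hours with WithinTolerance false points at the time-zone mismatch cases on this page rather than at time synchronisation itself.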
PaulD (Last update 11/4/2005): My AD environment is as follows: Site1-PIX-VPN-PIX-Site2. All DCs for domain.com are in Site1. All DCs for child.domain.com are in Site2. Comp1 is a Win2k3 SP1 + latest hotfixes member server of domain.com. Comp1 is located in Site1. User1 is a member of child.domain.com. User1 is trying to log on via Remote Desktop to Comp1 and is getting an Access Denied error (Error code 5). The System log contains EventID 40960 from source LsaSrv, message "No authority could be contacted for authentication. (0x80090311)". The Application log contains EventID 1219 from source Winlogon, message "Logon rejected for <user name>. Unable to obtain Terminal Server User Configuration. Error: Access Denied". It turns out that the error was caused by a PIX configuration on the Site1 side. We had a class-map defined as class_http, and this class contained ports TCP 88 and 80 to inspect as HTTP traffic. Removing the Kerberos (TCP 88) port from HTTP inspection resolved the problem.

Anonymous (Last update 11/3/2005): We were getting the error "The Security System detected an authentication error for the server ldap/<PDC Emulator>" along with time errors, even though the time was correct. The problem was that the Regional Settings for this one server were GMT Monrovia and the rest of the servers were GMT UK. Changing the setting resolved the issues.

Anonymous (Last update 9/30/2005): In our case, this error came every 90 minutes, together with event id 40961. The code was 0xc0000064 (Error code 0xC0000064) = "User does not exist". In the system event log there was an error event 1053: "Windows cannot determine user or computer name. (User does not exist). Group Policy processing aborted". It turned out that there was a disconnected terminal services session still open on the server for an account that had been deleted. Every 90 minutes Windows was trying to refresh the policy for this user, which generated the error. Logging off the session and removing the user profile for the deleted account solved the problem.

Ionut Marin (Last update 2/20/2005): As per Microsoft: "Use the error code in the message to determine the cause of the problem. For example, a STATUS_NO_LOGON_SERVER error code (0xC000005e) indicates that the domain controller was temporarily unavailable". See MSW2KDB for more details on this event. This can also occur if the File Replication Service (Ntfrs.exe) tries to authenticate before the directory service has started. See M824217 to troubleshoot this problem. Also, seeing the Kerberos FAQ might be of some help. See M891559 for more details on this event.

Peter Van Gils (Last update 12/14/2004): According to a newsgroup post, this error might be caused by problems with the W32time service. Check your time settings throughout the forest and solve all W32time errors and warnings first.

Christopher Kurdian (Last update 10/5/2004): As per PK's comments (see below), in order to make this event log entry disappear, simply make NETLOGON depend on DNS. This can be done in the registry easily: just go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon" and add the string "DNS" to the value "DependOnService" (place it under LanmanServer).

Martin Eisermann (Last update 8/25/2004): One of our customers got this error on two of his Windows XP workstations. The workstations could initially be connected to the Windows Small Business Server 2003 domain, but after a reboot, the domain was not accessible (logon, network drive mapping, etc.). To resolve this problem we replaced the client's network card. The old card was an Acer network adapter that had no drivers for Windows XP but worked fine with the Intel standard driver and the existing NT 4.0 domain. However, Kerberos authentication with the SBS 2003 domain was impossible.
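The 90-minute and 1.5-hour cadences reported above (the 9/30/2005 comment, Rob vd Knaap, Ingo Wittig) are the Group Policy background refresh firing against a stale session, and the failure code inside the 40960 message is what separates "user does not exist" from "no logon server" cases. This added PowerShell example, not code from the page or its contributors, collects the LsaSrv 40960/40961 events together with the Userenv / Group Policy 1006, 1030 and 1053 events from a machine, extracts the hex failure codes, and reports the most common gap between consecutive LsaSrv events so the cadence is visible without reading the log by hand. The function name and the `ts01` placeholder are my assumptions; the event IDs and sources are the ones the comments name.

```powershell
# Added example (not from the original page): correlate LsaSrv 40960/40961 with the
# Group Policy events the comments report alongside them and expose the interval.
function Get-LsaSrvEventPattern {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since = (Get-Date).AddDays(-2)
    )

    $filters = @(
        # Source LsaSrv, System log, the events this page is about.
        @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 40960, 40961; StartTime = $Since }
        # Userenv on XP/2003 (comments report it in both logs).
        @{ LogName = 'System', 'Application'; ProviderName = 'Userenv'; Id = 1006, 1030, 1053; StartTime = $Since }
        # Vista and later log Group Policy failures under this provider instead.
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Id = 1006, 1030, 1053; StartTime = $Since }
    )

    $events = foreach ($f in $filters) {
        # SilentlyContinue: a provider or log that does not exist on this OS just yields nothing.
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue
    }
    $events = @($events | Sort-Object TimeCreated)

    # Gaps between consecutive LsaSrv events, rounded to whole minutes, to spot a fixed cadence.
    $lsa = @($events | Where-Object ProviderName -eq 'LsaSrv')
    $gaps = for ($i = 1; $i -lt $lsa.Count; $i++) {
        [math]::Round(($lsa[$i].TimeCreated - $lsa[$i - 1].TimeCreated).TotalMinutes)
    }
    $cadence = $gaps | Group-Object | Sort-Object Count -Descending | Select-Object -First 1
    $commonGap = if ($cadence) { [int] $cadence.Name } else { $null }

    # The 8-digit hex code in each 40960 message (0xc000006d, 0xc0000064, 0xc000005e, ...).
    $codes = @($lsa | ForEach-Object {
        if ($_.Message -match '0x[0-9a-fA-F]{8}') { $Matches[0].ToLower() }
    } | Sort-Object -Unique)

    [pscustomobject]@{
        Computer         = $ComputerName
        Since            = $Since
        LsaSrvCount      = $lsa.Count
        PolicyEventCount = @($events | Where-Object ProviderName -ne 'LsaSrv').Count
        CommonGapMinutes = $commonGap
        FailureCodes     = $codes
    }
}

# Usage (terminal server name is a placeholder):
# Get-LsaSrvEventPattern -ComputerName ts01 -Since (Get-Date).AddDays(-7)
```

A CommonGapMinutes of 90 with 1053 events present and code 0xc0000064 is the deleted-account / disconnected-session pattern; the same cadence with 1006/1030 and no 1053 matches the two terminal-session cases above, where logging off the disconnected session ends the events.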
K-Man (Last update 7/7/2004): I experienced this problem on Windows XP workstations when users logged into a terminal server and terminal sessions were disconnected (but not terminated). To fix this problem I configured the terminal server to end disconnected sessions, and to end sessions where users were idle for more than a specified amount of time.

PK (Last update 2/25/2004): We were also getting this error on a Windows 2003 Member Server (in a Windows 2003 AD) which had its own DNS Server Service running. The problem was that the server was booting up and several services were trying to run (including NETLOGON) before the Member Server's DNS Server Service had started. This resulted in no name lookup for the Active Directory Domain and hence it could not contact any Domain Controllers.

Vazy Gee (Last update 8/5/2003): I had this event for users who were connecting to our RRAS service. The end user could connect to RRAS and could ping hosts, nslookup hosts, tracert, etc. However, when the user tried to access any network resources in our Windows 2003 Active Directory that actually required authentication, it would fail. After a support call with Microsoft, it was determined that somewhere between his home machine and our RRAS server, the Kerberos UDP packets were being fragmented, hence any authentication was failing (recall he could ping, nslookup, etc.). We set the following reg key to a value of 1 to force Kerberos authentication to use TCP instead of UDP and everything worked perfectly:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize=1

Note: On his XP Professional w/SP1 client, I had to create the Parameters subkey and the MaxPacketSize DWORD value manually. See M244474.

Greg Martin: Had this on a WinXP workstation which could no longer access domain resources. The fix was changing the DNS settings to point to a Win2k DNS which was tied into Active Directory. Apparently the workstation could no longer locate SRV records for the Kerberos authentication server. These records were not in our UNIX DNS but were in the Win2k DNS. Related directly to Event 40961 - LsaSrv.

Anonymous: In our case, one of our customers reports that they are periodically seeing slow logon times (defined as the time between entering the password and hitting enter on the "Log on to Windows" screen and the disappearing of that screen), sometimes 1-3 minutes on Windows XP SP1. Windows 2000 Pro computers are unaffected. The domain these computers are logging onto is a Windows 2000 AD Native Mode Domain with AD Integrated DNS zones. Checking the event log of a machine reveals these 40960 errors in the system log. Solution: User Logon Failures must be enabled. By looking at the logon failure audit event logged at the same time as the SPNEGO event, more information about the logon failure can be obtained. Windows XP performs a reverse lookup on the DNS Server it is configured for as part of its own blackhole router detection. In the case where the DNS Server used does not have the Reverse Lookup Zone and/or no PTR Record for their DNS Server, the request gets forwarded out to the Internet. The response comes back with one of the following server names: prisoner.iana.org, blackhole-1.iana.org, blackhole-2.iana.org. These servers own the public PTR records for the 192.168.x.x zones. Since they have no record of your DNS Server, they reply with a "Server does not exist" reply, which causes LSASRV to log the error. Solution: On the local DNS Server, create a Reverse Lookup Zone, and enter a record for your DNS Server. Another case: The client was pointed to the ISP's DNS servers which contained a zone for the customer's domain. We removed the External DNS server addresses and ensured that DHCP was only assigning the Internal DNS server address. For testing we manually configured the DNS server address on a workstation, which overrides the DHCP values. We can reference the following Knowledge Base Articles: M291382 Frequently Asked Questions About Windows 2000 DNS. Another case: Check the time on the workstation. Ensure that the day, time, time zone, AM/PM and year are correct. In my case the year was incorrect; everything else was correct. Last case: In this situation they actually were not authenticating to the DC. They were being logged in with cached credentials.
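The service-ordering fix described in three places above (the 11/24/2005 newsgroup post for W32Time, NtFrs and SMTPSVC; Christopher Kurdian's NETLOGON entry; PK's description of NETLOGON starting before the local DNS Server service) is a one-line registry edit, but it is easy to get wrong: DependOnService is a REG_MULTI_SZ value, and a dependency on a service that is not installed keeps the dependent service from starting at all. This added PowerShell example, not code from the page or its contributors, appends "DNS" to DependOnService for the named services only after confirming the DNS Server service exists on the machine, and supports -WhatIf so the change can be previewed. The function name and the default service list are my assumptions; the registry path and value name are the ones the comments give.

```powershell
# Added example (not from the original page): make the given services wait for the
# DNS Server service by appending "DNS" to their DependOnService multi-string.
function Add-DnsServiceDependency {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Services the comments above needed to delay on a DC that also runs DNS.
        [string[]] $ServiceName = @('Netlogon', 'W32Time', 'NtFrs', 'SMTPSVC')
    )

    # Guard: only meaningful (and only safe) where the DNS Server service is installed.
    if (-not (Get-Service -Name 'DNS' -ErrorAction SilentlyContinue)) {
        throw 'The DNS Server service is not installed here; a dependency on it would stop the listed services from starting.'
    }

    foreach ($svc in $ServiceName) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $key)) { Write-Warning "$svc is not installed, skipping"; continue }

        # Read the existing list; the value may be absent, so filter out a null result.
        $current = @((Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService |
                     Where-Object { $_ })
        if ($current -contains 'DNS') { Write-Verbose "$svc already depends on DNS"; continue }

        $new = $current + 'DNS'
        if ($PSCmdlet.ShouldProcess($key, "set DependOnService to: $($new -join ', ')")) {
            # -Type MultiString keeps the REG_MULTI_SZ type; a plain string would silently change it.
            Set-ItemProperty -Path $key -Name DependOnService -Value $new -Type MultiString
            [pscustomobject]@{ Service = $svc; DependOnService = $new }
        }
    }
}

# Usage (run elevated; the new order applies on the next service start or reboot):
# Add-DnsServiceDependency -WhatIf
# Add-DnsServiceDependency -ServiceName Netlogon
```

Before applying it on a domain controller, confirm with `sc.exe qc Netlogon` that the existing dependency list (LanmanWorkstation, LanmanServer) is what you expect, since the edit appends rather than rewrites.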
| Links | M244474, M291382, M325850, M823712, M824217, M887572, M891559, Error code 5, Error code 0xC0000064, Kerberos FAQ, EventID 40961 from source LsaSrv, EventID 1219 from source Winlogon, MSW2KDB, Security Incidents: Re: prisoner.iana.org, RFC 1918 |