Event ID 5000 Source LsaSrv
| Event ID | 5000 |
| Source | LsaSrv |
| Type | Error |
| Description | The security package <security package name> generated an exception. The package is now disabled. The exception information is the data. |
| English, please! | Request a translation of the event description in plain English. |
| Concepts to understand |
What is the LSA? What is the role of LsaSrv? |
| Comments |
Mihai Andrei
This problem occurs because a user who belongs to more than 1, 024 Active Directory directory service groups tries to connect to a Windows 2000 member server or to an Internet Information Services (IIS) server by using NTLM authentication. The server does not permit the log on and this event is logged. See M306748 for more information about this problem. This problem occurs because an access violation occurs in the Lsass.exe process. If the NTLM security package is not available to the Lsass.exe process, the access violation that results may cause the Lsass.exe process to stop. See M838656 for a hotfix applicable to Microsoft Windows Server 2003. See "JSI Tip 6194" for additional information about this event. Ray Fernandez I just installed Windows 2003 Enterprise Server running Exchange 2003 and IIS 6 for OWA, and it was giving me this error. After calling Microsoft, they said the reason for that was the frequent Bot attacks to IIS 6, and pointed me to install MS04-011 and MS04-007. They also suggested MS05-019 if it applied to my system. They said these patches are not been pushed as Windows updates because of some issues and they must be downloaded and installed manually. After installing those patches and rebooting the system, the event disappeared. Ionut Marin See M841037 and M896179 for two hotfixes applicable to Microsoft Windows 2000. As per Microsoft: "This issue may occur if there is an exception that is caused by a bug in an authentication package. To resolve this problem, restart the computer that the domain controller resides on". See M828873 for more details. Also check M831726 for more details. B. Harmon An SSL Vulnerability can also cause this problem. The vulnerability is discussed in MS04-011 and M835732. Adrian Grigorof From a newsgroup post: "We experienced this type of message after installing SP2 on one of our servers. The only way we could get rid of it was to upgrade all of our domain controllers to SP2. Since then, all has been great." Reported security packages: - Kerberos - MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 - Negotiate - NTLM Why bother deciphering Event logs when GFI EventsManager can do everything for you? Free trial here! Anonymous Security package: "Negotiate" - See the hotfix described on M328948. Grogster Security package: "NTLM" - The LSASVR error is generated when a NT, 2K, .NET server has identified one SID in 1000 local groups. All Windows OS have this limitation. If one SID is in a 1000 groups then this service's DLL overruns the ipstack.dll and crashes the machine. There are no public Qs about this problem but there are private Qs which Microsoft won't release. There is a fix but you must tell them you are having this exact error message. We found out about this when we built a Win2K server with SharePoint Team Services. Every time a new project is created 5 new local groups are created for that one project. If you are an administrator for project your SID is in every one of those groups. After serveral hundred projects every time a admin logged on to the machine through project server, terminal services, or the console the machine crashed hard. Microsoft's "fix" just blockes any SID that is in 1000 groups from logging on to the machine at all. |
| Links | M306748, M328948, M828873, M831726, M835732, M838656, M841037, M896179, MS04-007, MS04-009, MS04-011, MS05-019, JSI Tip 6194 |
| Search | Google Web - Microsoft Support - Bing - EventID.Net Queue - More links... |
| Custom search | The custom search information is available to subscribers only. |
| Feedback | Send comments - Notify me when updated |
| Print version |