Lsasrv Event ID 40960


kbergros

Hi!

I'm having a problem that really disturbs me...
On 2 of my Windows 2003 member servers I get a log entry twice a day
saying the following:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 2006-05-21
Time: 03:43:47
User: N/A
Computer: gimli
Description:
The Security System detected an authentication error for the server
ldap/gollum.test.timber.se/[email protected]. The failure
code from authentication protocol Kerberos was "The attempted logon is
invalid. This is either due to a bad username or authentication information.
(0xc000006d)".

I checked everything regarding DNS entries and everything looks OK.
I have followed the suggestions on EventID.Net, but no luck in solving
this problem.
Before, I also had logging of the 40961 event, but that logging
has stopped since I upgraded to Service Pack 1.

The thing is, on my other Windows 2003 member servers I don't get this
log entry.

I have two domain controllers: one is Windows 2003 (has all FSMO roles and
the Global Catalog) and one is Windows 2000 (also has the Global Catalog).

One thing I can see is that the machines that have the error logging
have the 2000 server as logon server... the other ones (without the
problem) have the Windows 2003 server as logon server.... Can this have
something to do with the error logging?

Regards

Kbergros
 
In
kbergros said:
Hi!

I'm having a problem that really disturbs me...
On 2 of my Windows 2003 member servers I get a log entry twice a day
saying the following:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 2006-05-21
Time: 03:43:47
User: N/A
Computer: gimli
Description:
The Security System detected an authentication error for the server
ldap/gollum.test.timber.se/[email protected]. The failure
code from authentication protocol Kerberos was "The attempted logon is
invalid. This is either due to a bad username or authentication
information. (0xc000006d)".

I checked everything regarding DNS entries and everything looks OK.
I have followed the suggestions on EventID.Net, but no luck in
solving this problem.
Before, I also had logging of the 40961 event, but that
logging has stopped since I upgraded to Service Pack 1.

The thing is, on my other Windows 2003 member servers I don't get this
log entry.

I have two domain controllers: one is Windows 2003 (has all FSMO roles
and the Global Catalog) and one is Windows 2000 (also has the Global
Catalog).
One thing I can see is that the machines that have the error logging
have the 2000 server as logon server... the other ones (without the
problem) have the Windows 2003 server as logon server.... Can this have
something to do with the error logging?

Regards

Kbergros

Usually creating a reverse zone for your subnet(s) and ensuring all DCs
(especially the 2003 DCs) have a PTR entry eliminates this error. On 2003
systems, SPNEGO (the SPN identifier) uses the reverse entry to identify
itself, hence "Ego".

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest using OEx (Outlook Express
or any other newsreader) and configuring a news account pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP Usenet account. OEx allows you
to easily find and track threads, cross-post, and sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy. - [Me]
 
Hi!

Thanks for your answer.
I have checked my DNS zones (several times) and all my machines have the
correct PTR entry... I have checked with nslookup both my forward and
recursive zones and get the correct answer every time...
Any other suggestions on how to solve this?

regards

Kbergros


Ace Fekay [MVP] skrev:
 
In
kbergros said:
Hi!

Thanks for your answer.
I have checked my DNS zones (several times) and all my machines have
the correct PTR entry... I have checked with nslookup both my forward
and recursive zones and get the correct answer every time...
Any other suggestions on how to solve this?

regards

Kbergros

Looking again at your original post, the description part of the error says:

Description:
The Security System detected an authentication error for the server
ldap/gollum.test.timber.se/[email protected]. The failure
code from authentication protocol Kerberos was "The attempted logon is
invalid. This is either due to a bad username or authentication information.
(0xc000006d)".

This indicates to me that you are possibly pointing to your ISP's DNS in IP
properties. Now if AD is trying to correspond its SPNEGO by contacting them
for a PTR for the internal IP range, then I can understand why this is
happening.

The cardinal rule in any AD infrastructure, no matter how small or large, is
NEVER use the ISP's DNS in IP properties of ANY machine that is part of AD
(DCs, servers and clients). If you are not sure what I'm talking about, please post
an unedited ipconfig /all so we can better assist you and point out any
problems in your config.

Ace
 
Hi Ace!

And thanks for your replies!
Here comes an ipconfig /all from one of the member servers with the 40960
logging. The IP addresses 192.168.3.3 and 192.168.3.4 are my DCs and are also
acting as our DNS servers (I'm not pointing to any ISP DNS).
I had one missing PTR record that I discovered and added, but the error
is still being logged...


Windows IP Configuration

Host Name . . . . . . . . . . . . : gimli
Primary Dns Suffix . . . . . . . : test.timber.se
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : test.timber.se


Ethernet adapter Teamadapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-14-5E-36-11-82
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.3.202
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1
DNS Servers . . . . . . . . . . . : 192.168.3.3
192.168.3.4



Ace Fekay [MVP] skrev:
 
In
kbergros said:
Hi Ace!

And thanks for your replies!
Here comes an ipconfig /all from one of the member servers with the
40960 logging. The IP addresses 192.168.3.3 and 192.168.3.4 are my DCs
and are also acting as our DNS servers (I'm not pointing to any ISP
DNS). I had one missing PTR record that I discovered and added, but the
error is still being logged...


Windows IP Configuration

Host Name . . . . . . . . . . . . : gimli
Primary Dns Suffix . . . . . . . : test.timber.se
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : test.timber.se


Ethernet adapter Teamadapter:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-14-5E-36-11-82
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.3.202
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1
DNS Servers . . . . . . . . . . . : 192.168.3.3
192.168.3.4

Well, that looks fine. Mixed 2000 and 2003 DCs? Which holds the Schema and
DNM roles? Is the 2003 a GC (which should also hold the DNM)?

The reverse zone thing usually takes care of this issue for 2003, but if
2000 is involved, I haven't seen that yet because 2000 doesn't use the SPN
Ego for self-identification (Kerberos authentication). Take a look at these
articles to see if they help out:
http://www.eventid.net/display.asp?eventid=40960&eventno=787&source=LsaSrv&phase=1
http://www.eventid.net/display.asp?eventid=40961&eventno=1398&source=LsaSrv&phase=1

Ace
 
Hi!

Thanks for your reply!
The Windows 2003 server holds all of the FSMO roles, and both the 2003 DC
and the 2000 DC hold the Global Catalog.

Regards

Kbergros

Ace Fekay [MVP] skrev:
 
In
kbergros said:
Hi!

Thanks for your reply!
The Windows 2003 server holds all of the FSMO roles, and both the 2003
DC and the 2000 DC hold the Global Catalog.

Regards

Kbergros

No problem for the reply, and thank you for yours. But did you check out
those links? Did those links help you out? Did they apply to your scenario?

Can I assume the 2000 DC is SP4 and the 2003 is SP1? Any errors on the 2000
machine? How about the clients?

As I said, I haven't seen this before with a mixed situation. Maybe I can
suggest getting the GC off the 2000 machine.

Ace
 
Ace Fekay [MVP] skrev:
In


No problem for the reply, and thank you for yours. But did you check out
those links? Did those links help you out? Did they apply to your scenario?

Can I assume the 2000 DC is SP4 and the 2003 is SP1? Any errors on the 2000
machine? How about the clients?

As I said, I haven't seen this before with a mixed situation. Maybe I can
suggest getting the GC off the 2000 machine.

Ace

Hi!

Yes, the 2000 DC has SP4 and the 2003 DC has SP1.
I have no other errors on any of the DCs and member servers (both W2K and
Win2003) (except some W32Time errors).
I will check the links and come back with the result!

Regards

Kbergros
 
In
kbergros said:
Hi!

Yes, the 2000 DC has SP4 and the 2003 DC has SP1.
I have no other errors on any of the DCs and member servers (both W2K
and Win2003) (except some W32Time errors).

Are the clocks all synched in the domain, meaning same time zone and clocks
within 5 minutes skew, or even same relative Zulu time? (Important for
Kerberos.)
I will check the links and come back with the result!

Very good.

Ace
 
Hi!

Now I haven't had any error logging since 31/5; it seems like the problem
has been solved.
One thing that probably resolved this issue was the lack of a PTR record
for one of the servers. After I added that record and also made a
change to the DNS client settings on my Windows 2000 DC/DNS (it was
pointing at itself; I pointed it at the 2003 DC/DNS), the
error logging stopped.

Kbergros



Ace Fekay [MVP] skrev:
 
In
kbergros said:
Hi!

Now I haven't had any error logging since 31/5; it seems like the
problem has been solved.
One thing that probably resolved this issue was the lack of a PTR
record for one of the servers. After I added that record and also
made a change to the DNS client settings on my Windows 2000 DC/DNS
(it was pointing at itself; I pointed it at the 2003 DC/DNS),
the error logging stopped.

Kbergros

Very good to hear.
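The thread narrows Event ID 40960 down to three configuration checks: the DNS client settings of the machine (internal DNS only, never the ISP's resolver, and a DC running DNS should list a partner DC before itself), a PTR record for every DC that round-trips to the same address, and clock skew inside the Kerberos tolerance. The PowerShell script below is an added example, not code from this thread, from Microsoft or from either poster; it runs those three checks on whichever machine you start it on. It assumes the DC/DNS addresses from the ipconfig above (192.168.3.3 and 192.168.3.4), the default Kerberos tolerance of 5 minutes, and Windows PowerShell with Get-WmiObject and w32tm available; the findings table and the Add-Finding helper are this example's own.

```powershell
# Added example (not from the thread): pre-flight checks for Event ID 40960.
# Assumed defaults come from the thread's ipconfig; override -InternalDns for your domain.
param(
    [string[]]$InternalDns  = @('192.168.3.3', '192.168.3.4'),  # assumption: DCs that also run DNS
    [int]$MaxSkewSeconds    = 300                                # Kerberos default clock tolerance
)

$findings = @()
function Add-Finding([string]$Check, [string]$Result, [string]$Detail) {
    $script:findings += New-Object PSObject -Property @{ Check = $Check; Result = $Result; Detail = $Detail }
}

# 1. DNS client settings of this machine (what "ipconfig /all" showed in the thread).
#    Every listed server must be internal: an ISP resolver cannot answer the PTR and
#    SRV queries for a private range that Kerberos and LDAP depend on.
$nics     = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$localIps = @($nics | ForEach-Object { $_.IPAddress } | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder | Where-Object { $_ })
    $foreign = @($servers | Where-Object { $InternalDns -notcontains $_ })
    if ($servers.Count -eq 0) {
        Add-Finding 'DNS client' 'FAIL' "$($nic.Description): no DNS servers configured"
    } elseif ($foreign.Count -gt 0) {
        Add-Finding 'DNS client' 'FAIL' "$($nic.Description): $($foreign -join ', ') not internal DNS (ISP resolver?)"
    } elseif (($localIps -contains $servers[0]) -and ($InternalDns.Count -gt 1)) {
        # The change that ended the thread: a DC running DNS lists a partner DC before itself.
        Add-Finding 'DNS client' 'WARN' "$($nic.Description): lists itself ($($servers[0])) first; put a partner DC first"
    } else {
        Add-Finding 'DNS client' 'OK' "$($nic.Description): $($servers -join ', ')"
    }
}

# 2. Forward/reverse consistency for each DC (the missing PTR record in the thread).
foreach ($ip in $InternalDns) {
    try {
        $name = [System.Net.Dns]::GetHostEntry($ip).HostName      # PTR lookup; throws if none
    } catch {
        Add-Finding 'PTR record' 'FAIL' "$ip has no usable PTR record ($($_.Exception.Message))"
        continue
    }
    $forward = @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString })
    if ($forward -contains $ip) {
        Add-Finding 'PTR record' 'OK' "$ip <-> $name round-trips"
    } else {
        Add-Finding 'PTR record' 'FAIL' "$ip -> $name, but $name resolves to $($forward -join ', ')"
    }
}

# 3. Clock skew against each DC; Kerberos rejects tickets outside the tolerance.
foreach ($ip in $InternalDns) {
    $out = & w32tm /stripchart "/computer:$ip" /samples:1 /dataonly 2>&1 | Out-String
    # /dataonly prints lines like "03:43:47, +00.0123456s"; localized builds may use a comma decimal.
    if ($out -match '([+-]\d+[.,]\d+)s') {
        $offset = [double]($matches[1] -replace ',', '.')
        $result = if ([math]::Abs($offset) -le $MaxSkewSeconds) { 'OK' } else { 'FAIL' }
        Add-Finding 'Clock skew' $result ("{0}: offset {1:N3}s" -f $ip, $offset)
    } else {
        Add-Finding 'Clock skew' 'FAIL' "$ip: w32tm returned no sample ($($out.Trim()))"
    }
}

$findings | Format-Table Check, Result, Detail -AutoSize
```

Save it as a .ps1 and run it on the member server that logs 40960 and then on each DC; on a DC the WARN line in the first check corresponds to the "pointing at itself" setting that was changed at the end of the thread. A FAIL in the PTR check is the symptom Ace pointed at first, and it should be fixed in the reverse zone before anything else is changed.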
 