After I replaced my Windows Server 2003 domain controllers with fresh Windows Server 2008 R2 domain controllers, I started to have problems at my remote offices.
In the event log on my remote PCs, I found the following events:
Event ID: 40960
Source: LsaSrv
Type: Warning
Category: SPNEGO (Negotiator)
Description: The Security System detected an attempted downgrade attack for server <server name>. The failure code from authentication protocol Kerberos was “There are currently no logon servers available to service the logon request. (0xc000005e)”.
Event ID: 40961
Source: LsaSrv
Type: Warning
Category: SPNEGO (Negotiator)
Description: The Security System could not establish a secured connection with the server ldap/SERVERNAME.DOMAINNAME.net. No authentication protocol was available.
Several articles and posts stated that a VPN / SSL connection can prevent Kerberos from authenticating to the domain controller / global catalog server.
However, none of those suggestions led anywhere. In the end, Netlogon debug mode helped me out. To enable Netlogon debug logging, I created the following value on the client computer:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DBFlag"=dword:2080ffff (hexadecimal value)
Then open a command prompt and run: net stop netlogon && net start netlogon. This activates the debug logging, which is written to C:\Windows\Debug\netlogon.log (expect the file to grow quickly; set DBFlag back to 0 when you are done).
In netlogon.log I could see that the client at the remote site failed to authenticate with Kerberos and fell back to NTLM; that fallback is exactly what LsaSrv reports as an "attempted downgrade attack" in event 40960. The NTLM fallback did not get the logon through either, but NTLM being disabled was not the cause: Windows Server 2008 R2 still allows NTLM by default. The root cause was the Kerberos failure itself.
Coming back to the VPN / SSL connection: on Windows XP and Windows Server 2003 the Kerberos client sends a request over UDP whenever the message is smaller than MaxPacketSize (2000 bytes by default). A ticket that carries a large PAC (many group memberships) easily exceeds the MTU of the tunnel, the UDP datagram is then fragmented at the IP layer, and a tunnel that drops fragments or ICMP "needs fragmentation" messages (an MTU black hole) loses it silently. Kerberos times out and the client concludes that no logon server is available, which is the 0xc000005e status from event 40960.
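A quick way to confirm the fragmentation theory before touching the registry is to probe the path MTU toward the domain controller with Don't-Fragment ICMP echoes. The following PowerShell script is an added example and not part of the original post; the domain controller name is a placeholder, it relies on Windows' ping.exe and on its English output strings, and the 2000-byte figure is the default MaxPacketSize of the XP/2003 Kerberos client.

```powershell
# Added example, not from the original post: probe the path MTU toward a domain
# controller with Don't-Fragment ICMP echoes. On Windows XP / Server 2003 the Kerberos
# client uses UDP for any message below MaxPacketSize (2000 bytes by default), so a
# ticket larger than the tunnel MTU gets IP-fragmented, and a tunnel that drops
# fragments or ICMP "needs fragmentation" messages loses it silently.
# Assumptions: the DC name is a placeholder; ping.exe prints its English messages.
param([string]$DomainController = 'dc01.corp.example')

function Test-DfPing {
    # One DF-flagged echo with the given ICMP payload size; classify the outcome.
    param([string]$Target, [int]$PayloadBytes)
    $out = & ping.exe -n 1 -w 2000 -f -l $PayloadBytes $Target 2>&1 | Out-String
    if ($out -match 'needs to be fragmented') { return 'fragmented' }   # local MTU says no
    if ($out -match 'Reply from')            { return 'ok' }
    return 'silent'   # timeout: a black hole in the path looks exactly like this
}

function Find-PathMtu {
    # Binary search for the largest payload that still gets a reply with DF set.
    # 1472 = 1500 (Ethernet) - 20 (IPv4 header) - 8 (ICMP header).
    param([string]$Target, [int]$Low = 100, [int]$High = 1472)
    $best = 0
    while ($Low -le $High) {
        $mid = [int][math]::Floor(($Low + $High) / 2)
        switch (Test-DfPing -Target $Target -PayloadBytes $mid) {
            'ok'    { $best = $mid; $Low = $mid + 1 }
            default { $High = $mid - 1 }   # fragmented or silent: too big
        }
    }
    if ($best -eq 0) { return 0 }   # nothing answered: ICMP is blocked entirely
    return $best + 28               # add the IPv4 and ICMP headers back
}

$mtu = Find-PathMtu -Target $DomainController
if ($mtu -eq 0) {
    "No DF echo reply from $DomainController at all; ICMP is filtered, test from another vantage point."
} elseif ($mtu -lt 1500) {
    "Path MTU toward $DomainController is about $mtu bytes; Kerberos UDP datagrams above that size will be fragmented in the tunnel."
} else {
    "Path MTU toward $DomainController is a full 1500 bytes; fragmentation is not the problem on this path."
}
```

Run it from the remote client over the VPN: a result well below 1500 bytes, or a run of silent probes above some size, is the signature of the tunnel overhead / ICMP black hole described above. Note that the probe only measures ICMP; a firewall that rate-limits ICMP but passes UDP fragments would look worse than it is, so treat the result as evidence, not proof.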
Therefore, I forced Kerberos to use TCP, which handles segmentation itself instead of relying on IP fragmentation, with the following value on the client (reboot the client afterwards so the new value is picked up):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001
A threshold of 1 byte means every Kerberos message is "too large" for UDP, so all of them go over TCP. Windows Vista and later already use TCP by default, which is why only the older clients needed this change.
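The whole procedure, enabling Netlogon debug logging, reading the log, and forcing Kerberos over TCP, scripted as an added example that is not code from the original post. It writes each DWORD and reads it back, restarts Netlogon instead of using net stop / net start, and pulls the two LsaSrv warnings from the System log. Assumptions: it is run in an elevated PowerShell on the affected client, and the strings it searches for in netlogon.log are substring matches chosen for this post, not an exhaustive list of what Netlogon writes.

```powershell
# Added example, not from the original post: the two registry changes of the procedure
# above as a script with read-back checks, plus a scan of netlogon.log and of the System
# log for the LsaSrv warnings. Run in an elevated PowerShell on the affected client.
# Assumption: the search strings used against netlogon.log are plain substring matches
# chosen for this post, not an exhaustive list of what Netlogon writes.
param(
    [switch]$EnableDebug,       # step 1: DBFlag = 0x2080ffff and restart Netlogon
    [switch]$ShowLog,           # step 2: show the Kerberos/NTLM related log lines
    [switch]$ForceKerberosTcp,  # step 3: MaxPacketSize = 1 (reboot afterwards)
    [switch]$DisableDebug       # cleanup: DBFlag = 0, the log grows quickly
)

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$KerberosKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$NetlogonLog = Join-Path $env:windir 'debug\netlogon.log'

function Set-RegDword {
    # Write a DWORD, then read it back so a typo in the path or name cannot pass silently.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    $readBack = (Get-ItemProperty -Path $Path -Name $Name).$Name
    if ($readBack -ne $Value) { throw "Read-back of $Path\$Name gave $readBack, expected $Value" }
    '{0}\{1} = 0x{2:x8}' -f $Path, $Name, $readBack
}

function Get-LsaSrvWarnings {
    # Event 40960 (downgrade attack) and 40961 (no authentication protocol available)
    # from the System log; both come from the LsaSrv source quoted in the post.
    param([int]$Newest = 500)
    Get-EventLog -LogName System -Newest $Newest |
        Where-Object { $_.Source -eq 'LsaSrv' -and (40960, 40961) -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Message
}

if ($EnableDebug) {
    Set-RegDword -Path $NetlogonKey -Name 'DBFlag' -Value 0x2080ffff
    Restart-Service -Name Netlogon -Force      # same effect as net stop / net start
    "Netlogon debug logging on; log file: $NetlogonLog"
}

if ($ShowLog) {
    if (Test-Path $NetlogonLog) {
        # Lines mentioning Kerberos, NTLM or the 0xC000005E status seen in event 40960
        # (Select-String is case-insensitive by default).
        Select-String -Path $NetlogonLog -Pattern 'Kerberos', 'NTLM', 'c000005e' |
            Select-Object -Last 40 | ForEach-Object { $_.Line }
    } else {
        "No $NetlogonLog yet; enable debug logging and reproduce the slow logon first."
    }
    Get-LsaSrvWarnings | Format-Table -AutoSize -Wrap
}

if ($ForceKerberosTcp) {
    # 1-byte threshold: every Kerberos message is larger, so all of them go over TCP.
    Set-RegDword -Path $KerberosKey -Name 'MaxPacketSize' -Value 1
    'MaxPacketSize set; reboot the client for Kerberos to pick up the new value.'
}

if ($DisableDebug) {
    Set-RegDword -Path $NetlogonKey -Name 'DBFlag' -Value 0
    Restart-Service -Name Netlogon -Force
}
```

Typical sequence on the remote client: run with -EnableDebug, reproduce the slow logon, run with -ShowLog to see the Kerberos failure and NTLM fallback next to the 40960/40961 events, then -ForceKerberosTcp and reboot. Finish with -DisableDebug; a full DBFlag mask keeps writing to netlogon.log on every logon and is not something to leave on permanently.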
Done! The LSASRV warnings no longer appeared in Event Viewer, and logon time was back to about 30 seconds.
Credits go to the following websites:
http://support.microsoft.com/kb/244474
http://support.microsoft.com/kb/109626
http://blogs.technet.com/b/ad/archive/2009/03/20/downgrade-attack-a-little-more-info.aspx
Thanks a lot!
[…] Slow log on from remote Windows XP with 2008 R2 Domain Controller […]
I hope this fixes our intermittent issues too. Thanks for sharing the answer.
Whew! I was pulling my hair out!
Thanks for dropping this off on the internet.
Thanks so much for this.. spent many hours troubleshooting this issue and finally came across your solution 🙂
In my case it was an ICMP black hole (MTU size problem), possibly caused by a cable modem.