Event 40960 and 40961 after upgrade to Windows 2008 R2 domain controller - itexperience.net


After I replaced my Windows 2003 domain controllers with fresh Windows 2008 R2 domain controllers, I started to have problems at my remote offices.
In the event log on my remote PCs, I found the following events:

Event ID: 40960
Source: LsaSrv
Type: Warning
Category: SPNEGO (Negotiator)
Description: The Security System detected an attempted downgrade attack for server <server name>. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

Event ID: 40961
Type: Warning
Source: LSASRV
Category: SPNEGO (Negotiator)
Description:
The Security System could not establish a secured connection with the server ldap/SERVERNAME.DOMAINNAME.net. No authentication protocol was available.

Several articles and posts stated that a VPN / SSL connection may prevent the Kerberos protocol from successfully authenticating to the domain controller / global catalog server.
However, none of those suggestions helped. In the end, Netlogon debug mode led me to the answer. To enable Netlogon debug mode, I created the following value on the client computer:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DBFlag"=dword:2080ffff
(hexadecimal value)

Then open a cmd prompt and type net stop netlogon && net start netlogon to enable debug logging. The debug log is written to C:\Windows\Debug\netlogon.log

In netlogon.log, I found that my client at the remote location could not authenticate with Kerberos and tried to fall back to NTLM. Since Windows 2008 R2 does not have NTLM enabled by default, the authentication consequently failed.

Referring back to the VPN / SSL connection: Kerberos uses UDP by default, and UDP is known to be unreliable through VPN tunnels.
Therefore, I had to force Kerberos to use TCP, using the following registry value on the client:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001

Done! The LSASRV error no longer appeared in my event viewer, and the logon speed was back to 30 seconds.
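As an added example (not from the original post), the following PowerShell script audits the two registry values described above on a client, optionally applies MaxPacketSize=1, and summarises recent LsaSrv 40960/40961 events so the warnings can be correlated with the Kerberos transport setting. It assumes a modern client with Get-WinEvent and is run from an elevated prompt.

```powershell
# Added diagnostic script, not part of the original post. Run elevated on the
# affected client. -Apply writes MaxPacketSize=1 (forces Kerberos over TCP).
param([switch]$Apply)

$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$NlKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Kerberos transport: MaxPacketSize=1 makes the client send every KDC request over TCP.
$mps = Get-RegDword $KerbKey 'MaxPacketSize'
if ($mps -eq 1) {
    Write-Output 'Kerberos: MaxPacketSize=1 -> all KDC traffic over TCP'
} else {
    $shown = if ($null -eq $mps) { '<not set>' } else { $mps }
    Write-Output "Kerberos: MaxPacketSize=$shown -> OS default transport (UDP may be used)"
    if ($Apply) {
        if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
        Set-ItemProperty -Path $KerbKey -Name 'MaxPacketSize' -Value 1 -Type DWord
        Write-Output 'Kerberos: MaxPacketSize set to 1 (restart the client for it to take effect)'
    }
}

# 2. Netlogon debug flag: 0x2080FFFF is the verbose value used in the post above.
$dbg = Get-RegDword $NlKey 'DBFlag'
if ($dbg -eq 0x2080FFFF) {
    Write-Output 'Netlogon: debug logging enabled, see C:\Windows\Debug\netlogon.log'
} else {
    Write-Output 'Netlogon: debug logging not enabled (set DBFlag, then restart the Netlogon service)'
}

# 3. LsaSrv downgrade / no-auth-protocol warnings from the last 7 days, grouped by event ID.
$filter = @{ LogName = 'System'; ProviderName = 'LsaSrv'; Id = 40960, 40961
             StartTime = (Get-Date).AddDays(-7) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output 'Events: no LsaSrv 40960/40961 in the last 7 days'
} else {
    $events | Group-Object Id | ForEach-Object {
        $latest = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        Write-Output ('Events: {0} x Event ID {1}, latest {2}' -f $_.Count, $_.Name, $latest)
    }
}
```

If the script reports events while MaxPacketSize is already 1, the cause is not UDP fragmentation; check for an ICMP/MTU black hole on the tunnel path instead (see the comment below about a cable modem).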

Credits go to the following websites:
http://support.microsoft.com/kb/244474
http://support.microsoft.com/kb/109626
http://blogs.technet.com/b/ad/archive/2009/03/20/downgrade-attack-a-little-more-info.aspx

abu dabi

Thanks a lot!

trackback

[…] Slow log on from remote Windows XP with 2008 R2 Domain Controller […]

Tom Elliott

I hope this fixes our intermittent issues too. Thanks for sharing the answer.

kthane

Whew! I was pulling my hair out!
Thanks for dropping this off on the internet.

free microsoft points 2014 no survey no download

Asking questions are in fact nice thing if you are not understanding anything entirely, but this piece of writing provides pleasant understanding yet.

Nathan

Thanks so much for this.. spent many hours troubleshooting this issue and finally came across your solution 🙂

Mössler

In my case it was an ICMP blackhole (MTU size problem), possibly caused by a cable modem.
