Troubleshooting: Event ID:40961

Community,

A few of my Machines are causing this problem. I thought the connection was
with a specific user but it does appear to happen now with multiple
people/same desktop. All my XP boxes are SP2, some have moved to SP3 due to
WSUS not keeping the update as Declined. However, all these errors result
from SP2 boxes.

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 01/12/2008
Time: 11:00:51 PM
User: N/A
Computer: CS04
Description:
The Security System could not establish a secured connection with the server
cifs/ser-domain.local. No authentication protocol was available.

Generally, the next process logged in and around the same time is:

vent Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 02/12/2008
Time: 10:49:05 AM
User: SCOTIANGOLD\username
Computer: CS04
Description:
Windows cannot query for the list of Group Policy objects. A message that
describes the reason for this was previously logged by the policy engine

Workstations: SP2 with recent updates
Server: SBS 2003 Standard SP2 - been up for a bit
All machines can access the network resources without issue.

Any suggestions on how to troubleshoot this?

>A few of my Machines are causing this problem. I thought the connection was
>with a specific user but it does appear to happen now with multiple
>people/same desktop. All my XP boxes are SP2, some have moved to SP3 due to
>WSUS not keeping the update as Declined. However, all these errors result
>from SP2 boxes.
>
>Event Type: Warning
>Event Source: LSASRV
>Event Category: SPNEGO (Negotiator)
>Event ID: 40961
>Date: 01/12/2008
>Time: 11:00:51 PM
>User: N/A
>Computer: CS04
>Description:
>The Security System could not establish a secured connection with the server
>cifs/ser-domain.local. No authentication protocol was available.
>
>Generally, the next process logged in and around the same time is:
>
>vent Type: Error
>Event Source: Userenv
>Event Category: None
>Event ID: 1030
>Date: 02/12/2008
>Time: 10:49:05 AM
>User: SCOTIANGOLD\username
>Computer: CS04
>Description:
>Windows cannot query for the list of Group Policy objects. A message that
>describes the reason for this was previously logged by the policy engine
>
>Workstations: SP2 with recent updates
>Server: SBS 2003 Standard SP2 - been up for a bit
>All machines can access the network resources without issue.
>
>Any suggestions on how to troubleshoot this?

Someone here
http://www.eventid.net/display.asp?e...LsaSrv&phase=1
mentions it being related to the kerberos.dll.

- Thee Chicago Wolf

Hello Chris,

Are the machines installed from images? Are the images sysprepped?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Community,
>
> A few of my Machines are causing this problem. I thought the
> connection was with a specific user but it does appear to happen now
> with multiple people/same desktop. All my XP boxes are SP2, some have
> moved to SP3 due to WSUS not keeping the update as Declined. However,
> all these errors result from SP2 boxes.
>
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40961
> Date: 01/12/2008
> Time: 11:00:51 PM
> User: N/A
> Computer: CS04
> Description:
> The Security System could not establish a secured connection with the
> server
> cifs/ser-domain.local. No authentication protocol was available.
> Generally, the next process logged in and around the same time is:
>
> vent Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1030
> Date: 02/12/2008
> Time: 10:49:05 AM
> User: SCOTIANGOLD\username
> Computer: CS04
> Description:
> Windows cannot query for the list of Group Policy objects. A message
> that
> describes the reason for this was previously logged by the policy
> engine
> Workstations: SP2 with recent updates
> Server: SBS 2003 Standard SP2 - been up for a bit
> All machines can access the network resources without issue.
> Any suggestions on how to troubleshoot this?
>

Negative,

I wish I could use an image, that would make life so much more easier.

However, I work for an organization that purchases computer only when needed
- ie: still got 98 and 2000 machines. All the licenses are OEM from Dell and
they will not let me get volume licensing do to cost. My experiences with
dealing with OEM licenses and an image have not been favorable.

Like most things in a small business - the fight to get the funding is
fruitless. My boss is also the accountant of the business. It's all about $$$
and not about anything else.

"Meinolf Weber" wrote:

> Hello Chris,
>
> Are the machines installed from images? Are the images sysprepped?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Community,
> >
> > A few of my Machines are causing this problem. I thought the
> > connection was with a specific user but it does appear to happen now
> > with multiple people/same desktop. All my XP boxes are SP2, some have
> > moved to SP3 due to WSUS not keeping the update as Declined. However,
> > all these errors result from SP2 boxes.
> >
> > Event Type: Warning
> > Event Source: LSASRV
> > Event Category: SPNEGO (Negotiator)
> > Event ID: 40961
> > Date: 01/12/2008
> > Time: 11:00:51 PM
> > User: N/A
> > Computer: CS04
> > Description:
> > The Security System could not establish a secured connection with the
> > server
> > cifs/ser-domain.local. No authentication protocol was available.
> > Generally, the next process logged in and around the same time is:
> >
> > vent Type: Error
> > Event Source: Userenv
> > Event Category: None
> > Event ID: 1030
> > Date: 02/12/2008
> > Time: 10:49:05 AM
> > User: SCOTIANGOLD\username
> > Computer: CS04
> > Description:
> > Windows cannot query for the list of Group Policy objects. A message
> > that
> > describes the reason for this was previously logged by the policy
> > engine
> > Workstations: SP2 with recent updates
> > Server: SBS 2003 Standard SP2 - been up for a bit
> > All machines can access the network resources without issue.
> > Any suggestions on how to troubleshoot this?
> >
>
>
>

Hello Chris,

Have a look here:
http://www.eventid.net/display.asp?e...LsaSrv&phase=1

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Negative,
>
> I wish I could use an image, that would make life so much more easier.
>
> However, I work for an organization that purchases computer only when
> needed
> - ie: still got 98 and 2000 machines. All the licenses are OEM from
> Dell and
> they will not let me get volume licensing do to cost. My experiences
> with
> dealing with OEM licenses and an image have not been favorable.
>
> Like most things in a small business - the fight to get the funding is
> fruitless. My boss is also the accountant of the business. It's all
> about $$$ and not about anything else.
>
> "Meinolf Weber" wrote:
>
>> Hello Chris,
>>
>> Are the machines installed from images? Are the images sysprepped?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Community,
>>>
>>> A few of my Machines are causing this problem. I thought the
>>> connection was with a specific user but it does appear to happen now
>>> with multiple people/same desktop. All my XP boxes are SP2, some
>>> have moved to SP3 due to WSUS not keeping the update as Declined.
>>> However, all these errors result from SP2 boxes.
>>>
>>> Event Type: Warning
>>> Event Source: LSASRV
>>> Event Category: SPNEGO (Negotiator)
>>> Event ID: 40961
>>> Date: 01/12/2008
>>> Time: 11:00:51 PM
>>> User: N/A
>>> Computer: CS04
>>> Description:
>>> The Security System could not establish a secured connection with
>>> the
>>> server
>>> cifs/ser-domain.local. No authentication protocol was available.
>>> Generally, the next process logged in and around the same time is:
>>> vent Type: Error
>>> Event Source: Userenv
>>> Event Category: None
>>> Event ID: 1030
>>> Date: 02/12/2008
>>> Time: 10:49:05 AM
>>> User: SCOTIANGOLD\username
>>> Computer: CS04
>>> Description:
>>> Windows cannot query for the list of Group Policy objects. A message
>>> that
>>> describes the reason for this was previously logged by the policy
>>> engine
>>> Workstations: SP2 with recent updates
>>> Server: SBS 2003 Standard SP2 - been up for a bit
>>> All machines can access the network resources without issue.
>>> Any suggestions on how to troubleshoot this?

New finidings on this machine, posted in the article just in case someone
doesn't look here.

Troubleshooting: Workstation Issues - Rsop Results

"Meinolf Weber" wrote:

> Hello Chris,
>
> Have a look here:
> http://www.eventid.net/display.asp?e...LsaSrv&phase=1
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>
> > Negative,
> >
> > I wish I could use an image, that would make life so much more easier.
> >
> > However, I work for an organization that purchases computer only when
> > needed
> > - ie: still got 98 and 2000 machines. All the licenses are OEM from
> > Dell and
> > they will not let me get volume licensing do to cost. My experiences
> > with
> > dealing with OEM licenses and an image have not been favorable.
> >
> > Like most things in a small business - the fight to get the funding is
> > fruitless. My boss is also the accountant of the business. It's all
> > about $$$ and not about anything else.
> >
> > "Meinolf Weber" wrote:
> >
> >> Hello Chris,
> >>
> >> Are the machines installed from images? Are the images sysprepped?
> >>
> >> Best regards
> >>
> >> Meinolf Weber
> >> Disclaimer: This posting is provided "AS IS" with no warranties, and
> >> confers
> >> no rights.
> >> ** Please do NOT email, only reply to Newsgroups
> >> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> >>> Community,
> >>>
> >>> A few of my Machines are causing this problem. I thought the
> >>> connection was with a specific user but it does appear to happen now
> >>> with multiple people/same desktop. All my XP boxes are SP2, some
> >>> have moved to SP3 due to WSUS not keeping the update as Declined.
> >>> However, all these errors result from SP2 boxes.
> >>>
> >>> Event Type: Warning
> >>> Event Source: LSASRV
> >>> Event Category: SPNEGO (Negotiator)
> >>> Event ID: 40961
> >>> Date: 01/12/2008
> >>> Time: 11:00:51 PM
> >>> User: N/A
> >>> Computer: CS04
> >>> Description:
> >>> The Security System could not establish a secured connection with
> >>> the
> >>> server
> >>> cifs/ser-domain.local. No authentication protocol was available.
> >>> Generally, the next process logged in and around the same time is:
> >>> vent Type: Error
> >>> Event Source: Userenv
> >>> Event Category: None
> >>> Event ID: 1030
> >>> Date: 02/12/2008
> >>> Time: 10:49:05 AM
> >>> User: SCOTIANGOLD\username
> >>> Computer: CS04
> >>> Description:
> >>> Windows cannot query for the list of Group Policy objects. A message
> >>> that
> >>> describes the reason for this was previously logged by the policy
> >>> engine
> >>> Workstations: SP2 with recent updates
> >>> Server: SBS 2003 Standard SP2 - been up for a bit
> >>> All machines can access the network resources without issue.
> >>> Any suggestions on how to troubleshoot this?
>
>
>

>New finidings on this machine, posted in the article just in case someone
>doesn't look here.
>
>Troubleshooting: Workstation Issues - Rsop Results

Was it kerberos related as I originally posted?

- Thee Chicago Wolf

I do not subscribe to this site, unable to find out more details from your
link as the links are internal.

Do you have MS KB artcile?

"Thee Chicago Wolf" wrote:

> >New finidings on this machine, posted in the article just in case someone
> >doesn't look here.
> >
> >Troubleshooting: Workstation Issues - Rsop Results
>
> Was it kerberos related as I originally posted?
>
> - Thee Chicago Wolf
>

kerberos.dll
5.1.2600.2698 (xpsp_sp2_gdr.050614-1522)

On this particular machine - which matches the same on my own machine.



"Thee Chicago Wolf" wrote:

> >New finidings on this machine, posted in the article just in case someone
> >doesn't look here.
> >
> >Troubleshooting: Workstation Issues - Rsop Results
>
> Was it kerberos related as I originally posted?
>
> - Thee Chicago Wolf
>

>I do not subscribe to this site, unable to find out more details from your
>link as the links are internal.
>
>Do you have MS KB artcile?

Chris,

You don't have to be subscribed to the web site to read what others
have posted about the event id. There's probably over two dozen posts
at the link I provided as well as references to MS KB articles for a
potential fix. The person at the top explicitly recommends
http://support.microsoft.com/kb/939820. Try it.


Mihai Andrei (Last update 11/30/2008):
As per Microsoft: "This problem occurs because the version number of
the KRBTGT account increases when you perform an authoritative
restoration. The KRBTGT account is a service account that is used by
the Kerberos Key Distribution Center (KDC) service". See M939820 for a
hotfix applicable to Microsoft Windows Server 2003.

Microsoft article M259922 describes a situation in which this event
occurs.

Also see M938702 for additional information about this event.

Vadim Rapp (Last update 9/30/2008):
We opened a support incident with Microsoft, and they sent hotfix
M906681. This article is not related to this problem, but it has a
newer version of kerberos.dll, which appears to be the culprit. If I
am not mistaken, this new version is also included in XP SP3.

Anonymous (Last update 5/20/2008):
This problem occurs every now and then on our Windows XP SP2 systems.
It used to happen a lot on SP1. Usually running a Winsock repair fixes
the problem (see the link to “WinSock XP Fix 1.2”). Sometimes we also
have to remove the system from the domain and rejoin it in order to
fix the problem.

Anonymous (Last update 9/7/2007):
In my case, I got this event after adding a MS Windows XP SP2
workstation to a SBS 2003 R2 server. The problem was McAfee Security
Center Suite, which I promptly removed.

Marina Roos (Last update 11/24/2006):
This event only occurred when a specific user logged in on a specific
XP SP2 machine, together with EventID 1030 from source Userenv. The
User configuration policy was unable to be applied. If another user
logged in on that same machine, no errors appeared and all policies
were applied.
It turned out that there was a stored password on the machine when
this specific user was logged in. When that was deleted from User
accounts Password Management, the errors disappeared and Folder
Redirection finally happened for this user.

Dale Smith (Last update 8/18/2006):
In my case, a WinXP workstation logged events 40960 and 40961 from
source LsaSrv as well as event 1053 from source UserEnv. The problem
was corrected by updating the Intel Gigabit NIC driver on the server.

Mike Pastore (Last update 8/7/2006):
We received this event along with event 1219 and 1053 in the
application log. The server lost connection to the DC and all accounts
in the admin group showed just as their SIDs. We found that restarting
the Site Server Content Deployment (CRS) service fixed the problem.

Anonymous (Last update 5/19/2006):
If you also get EventID 14 from source Kerberos with this event, go to
Control Panel -> Users Accounts, click on the Advanced tab and then on
Manage Passwords. There should be an entry there relating to the
server and domain\user mentioned in the event id 14 description.
Update or delete the entry.
The user was being prompted to authenticate (with different account
info already filled in) when trying to open a share on a specific
server to which there should have been seamless access. After removing
the entry, access worked normally and the errors went away.

Peter Hayden (Last update 5/19/2006):
This Event ID appeared on a Windows XP SP2 computer each time it was
started. This computer could ping the domain controller but not vice
versa. When the Windows XP Firewall was disabled and the computer was
removed and re-joined to the domain this event stopped.

Seth Connolly (Last update 4/9/2006):
I was getting this error along with EventID 40960 from source LsaSrv
and EventID 1006 from source Userenv. This was on a member server in a
Windows 2003 domain. The events would all appear every two hours. It
turned out that I had a user account (that was part of the admin
group) still logged into the console and the password for that account
had changed. Using Terminal Services Manager (since the machine is
off-site), I logged that user out and had no more issues.

Anonymous (Last update 1/25/2006):
We have a domain with Win2k AD and various Win2k and XP clients. This
event only occured on XP clients. Additionally, the logs showed event
id 40961, 1054 and 1030. The logon process from the XP clients took
forever, GPs were not applied and access to network shares was not
possible. Increasing the kerberos ticket size, as suggested by MS,
didn't do the trick. Recreating users and/or machine accounts didn't
help either. Simple solution was to finally install SP4 for Win2k on
the domain controllers which we hadn't done before. Since then
everything has been running smooth.

Ross Smith (Last update 11/10/2005):
We spotted this event after demoting one of our domain controllers.
For a couple of weeks we had problems on the network but nothing
specific, just minor problems here or there. Eventually, we realized
that dcpromo had not removed all the DNS entries for the old server.
We still had a NS record pointing to a server that no longer existed.

Anonymous (Last update 9/17/2005):
I received this when my XP systems were connected to a Cisco switch.
By default, Cisco switches take up to 20 seconds to begin passing
traffic after the host brings up their Ethernet interface. You can set
a particular port to start immediately using the "spanning-tree
portfast" command on the port your hosts are connected to. This
resolved the issue for me.

Joe Donner (Last update 7/24/2005):
I started to get this event on an SBS 2003 server every hour or so
after I changed the domain administrator's password. The DHCP server
used the same credentials, so when I also changed the password in
DHCP's properties, the warnings stopped appearing.

Rodney Buike (Last update 2/22/2005):
I installed a new ISA 2004 server and I started to receive many errors
of this type. In my case, the server referenced in the event
description was an external DNS server from my ISP. I disabled DNS
registration on the WAN NIC and the error went away.

Ionut Marin (Last update 2/20/2005):
See M885887 for a hotfix applicable to Microsoft Windows XP
Professional Service Pack 2.

As per Microsoft: "The Negotiate package could not select a secure
authentication protocol because the user provided incorrect
credentials or because the domain controller was temporarily
unavailable". See MSW2KDB for more details on this event.

This can occur if the File Replication Service (Ntfrs.exe) tries to
authenticate before the directory service has started. See M824217 to
troubleshoot this problem.

From a newsgroup post: "In my case, this error occurred because the
credentials specified in my DHCP server on “DC1” for dynamic DNS
registration were misspelled".

From a newsgroup post: "1. If the 40960/40961 events only happen at
boot, it is likely that M823712 and M824217 will help you to fix this
problem.
2. If the 40960/40961 events happen at a regular interval (i.e.,
hourly), try to determine what service may be need to authenticate at
that interval. For example, if a XP/2003 machine is pointed directly
at a DNS server that doesn't support Kerberos, secure dynamic updates
will generate 40960/40961 events. Even if the XP/2003 machine is
pointed to a 2000/2003 DNS server, if the SOA for the zone is a
non-Microsoft DNS server that doesn't support Kerberos, the
40960/40961 events can still be generated.
3. Get a list of the computer names of the DCs in the domain, and
compare that to a list of all machine accounts in the forest to see if
there is a name conflict. For example, if NTSERVER is a member server
in the parent domain, and NTSERVER is a DC in the child domain, you
can see 40960/40961 events because of the name conflict.
4. Verify RPC Locator is correctly configured:
Started, Automatic - Windows 2000 domain controllers.
Stopped, Manual - Windows Server 2003 domain controllers & member
servers.
Stopped, Disabled - Windows 2000 clients & member servers, XP clients.
5. If the registry on the DC contains the NT4Emulator registry value
in the following registry key, set it to 0, or delete it entirely.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
6. Verify the DHCP client service is started on all machines. Even
machines with static IP addresses (including domain controllers and
member servers) need to have DHCP client service enabled because that
service handles DNS dynamic updates.
7. Verify there is not a time skew between machines. Make sure to
verify the time, date, and year, are all the same. Appendix A of the
Troubleshooting Kerberos Errors white paper shows a sample trace where
clock skew breaks Kerberos.
8. Kerberos UDP packet fragmentation can result in Kerberos failure.
Appendix A of the Troubleshooting Kerberos Errors white paper shows a
sample trace where UDP fragmentation breaks Kerberos.

2003 - RTM defaults to MaxPacketSize of 1465 bytes.
2000 - RTM defaults to 2000 bytes. With hotfix 315150 or SP4, default
is 1465
XP - RTM defaults to 2000 bytes. With SP2, default is 1465. There is
no hotfix, SP2 is the only way to get the 1465 default without
manually setting the MaxPacketSize registry value to 1465. See M315150
and M244474 for details.
9. Reset the secure channel.
10. Create a reverse lookup zone and add the DNS server to it. The
step is included here because it was the fix in a customer verified
solution object, but more information is needed to understand why this
would resolve the 40960/40961 events.
11. Verify the necessary SPNs are registered, based on the information
in the event description.
12. Clear cached credentials.
2003 - Control Panel, Stored User Names and Passwords, Remove them
all.
13. Based on the information in the event description, verify that the
SAM account name of one account is not the same as the UPN of another
account".

From a newsgroup post: "I was having this problem when using
Microsoft’s Virtual PC 2004 with Windows 2003. I keep getting messages
that the server’s clock on the virtual machine is out of sync with my
physical box running Windows Server 2003. In the end, I just noticed
that the date on my other box was 7/26, but the date on the virtual
machine was 7/25. After making the necessary adjustments, the problem
disappeared".

From a newsgroup post: "If this server is joined to a domain called
mydomain.com and you have two adapters, configure both adapters to
point to your Active Directory DNS server or disable DNS registration
on the second adapter. See M246804 for information on how to enable or
disable dynamic DNS registrations in Windows 2000 and in Windows
Server 2003".

From a newsgroup post: "Other posts in various newsgroups suggested
that a problem with a user’s profile could be the cause of failures to
apply GPOs, which is the root cause of My Documents redirection
failures. This was consistent with what I was seeing. I was not using
roaming profiles, so User A’s profile on PC01 was (potentially)
different than it is on PC02. Furthermore, PC01 was installed with
Windows XP Pro from scratch while PC02 ran Windows XP Home for 2 years
and then was upgraded to Windows XP Pro. User A's profile on PC01 was
created "fresh" while on PC02 it was migrated when PC02 was joined to
the domain.
I did not find specific information concerning what gets screwed up in
the profile or why it causes GPO failures. However, the fix steps were
reasonably uniform:
1. Logon to the problematic PC as Administrator.
2. Backup the profile of the problem user. (E.g., copy it elsewhere.
Be sure hidden and system files are copied. For example, \Documents
and Settings\<username>\Local Settings\Application
Data\Microsoft\Outlook often contains “.OST” and/or “.PST” files. I
compared the total size and number of files in the original and backup
before proceeding to Step 3.)
3. Delete the problematic profile. (Right-click My Computer ->
Properties -> Advanced Tab -> User Profiles [Settings] button. Select
the profile to be deleted with care.
4. Logoff as Administrator and logon as the problem (domain) user to
recreate the profile.
5. Restore (copy back) the files from the backed-up profile. (Be
careful about what gets overwritten.)
When I did this for User A on PC02, the 1030 and 40961 events stopped
and My Documents redirection worked".

JSI Tip 5612 also provides information about this event.

See M891559 for additional information on this event.

Peter (Last update 2/17/2005):
See M810207 for information on IPSec default exemptions.

Anonymous (Last update 1/19/2005):
I started getting this error message on Windows XP workstations on our
network after I promoted our Domain Controller from WinNT to Win2k. I
noticed that the problem was occurring right after EventID 35 from
source W32time. Basically what was happening was that the XP
workstations affected were set to sync to an external time source
rather than with their domain controller. Run the following while
logged on as administrator to get rid of this log entry:
1. Stop the Windows time service by going to Control panel/Admin
tools/Services.
2. Open a command prompt and type “net time /setsntp: <IP address of
domain controller>”.
3. Restart the Windows time service and the message should go away.

Anonymous (Last update 10/21/2004):
- Data: 0000: c000018b = STATUS_NO_TRUST_SAM_ACCOUNT - This error code
means the computer account has been deleted.

Micheal (Last update 9/29/2004):
What I discovered, for our situation, is that the credentials for DNS
dynamic updates were invalid. These credentials are entered in the
DHCP snap-in.

1. Launch the DHCP snap-in.
2. Right-click the Domain and select Properties.
3. Click once on the Advanced tab.
4. Towards the bottom of the dialogue box, you will see a button
labeled "Credentials". Click on the button.
5. Enter a user, which has been created for this purpose and is a
member of the "DnsUpdateProxy" group.
6. Click on "Apply".
7. Click on "OK" and the problem should disappear.

K-Man (Last update 7/7/2004):
I experienced this problem on Windows XP workstations, when users
logged into a terminal server and terminal sessions were disconnected
(but not terminated). To fix this problem I configured the terminal
server to end disconnected sessions, and end sessions where users were
idle for more than a specified amount of time.

Montana Pete (Last update 4/3/2004):
This happened to me when I installed new drivers for the internal DSL
modem. This would probably also apply to any network card connected to
the internet through any modem or router. The default settings were to
"Register this connection's address in DNS". When registration was
attempted I got the "Security System could not establish a secured
connection with the server DNS/<host name>". Why a connection was
attempted with that name server rather than the ISP's I'll never know.
Unchecking "Register this connection's address" solved the problem.

Peter Kaufman (Last update 1/27/2004):
This error may result from securing Client-to-Domain Controller and
Domain Controller-to-Domain Controller traffic with IPSec. This is
unsupported as per M254949.

Yvette Lian (Last update 1/2/2004):
I came across this problem after installing two Windows 2003 DCs onto
our Windows 2000 network. The user was attempting to map a drive to an
OS400 V5R2 machine. This had worked previously, but stopped working
after the introduction of the new DCs. The connection attempt would
eventually timeout instead of asking for credentials. I modified
default domain GPO to disable the following setting: "Computer
Configuration\Windows Settings\Security Settings\Local
Policies\Security Options\Microsoft Network Server: Digitally sign
communications (always)".

PK (Last update 1/2/2004):
We were also getting this error along with Event ID 40960 on a Windows
2003 Member Server (in a Windows 2003 AD) which had its own DNS Server
Service Running. The problem was that the server was booting up and
several services were trying to run (including NETLOGON) before the
Member Servers DNS Server Service had started. This resulted in no
name lookup for the Active Directory Domain and hence could not
contact any Domain Controllers.

Penny Yao (Last update 11/19/2003):
I saw this event accompnies with 40960 in pair on a Windows Server
2003 acting as member server in a Windows 2000 domain. The errors
appear in the log, when some users try to access the web server, IE
will prompt for credential, even if the credential is correct, the
users are denied access. The problem seems to be resolved after
restarting NETLOGON service.

Darren Monahan (Last update 10/26/2003):
If this warning appears by itself on an hourly basis, check that the
credentials assigned to the DHCP server to register DNS dynamic
updates are valid. Spelling errors or incorrect passwords and/or
domain names can be to blame. To do this in Windows Server 2003, open
the DHCP snap-in, open the properties for your DHCP server, select the
"Advanced" tab, and click the "Credentials" button. Verify the
username, password, and domain listed here are valid.

Anonymous (Last update 10/26/2003):
We had the same problem on one of the workstations that had a long
logon timeout. This has worked for us:
1. logon as an admin.
2. remove from domain.
3. add to domain.
4. restart.

Adrian Grigorof (Last update 8/12/2003):
From a newsgroup post: "If there is there a matching 40960 event then
it is more likely a forward lookup zone issue in DNS. If not, it
probably is that Windows is looking for a reverse lookup zone."

As per M823712, this may occur when you restart the server that was
promoted to a domain controller.

DweezMon (Last update 8/12/2003):
If the server name is prisoner.iana.org, blackhole-1.iana.org or
blackhole-2.iana.org, this is just telling you that Windows could not
perform a reverse lookup on the IP address configured as a DNS server.
These names are used to respond with "server does not exist" when you
use a private IP range, for example 192.168.1.0. This can be quickly
cleared up by adding a Reverse Lookup zone, and adding a record for
your DNS Server.

Adrian Florin Moisei (Last update 5/23/2003):
From a newsgroup post: "If the system is Win XP and if the errors were
not occuring under a different profile the folowing steps can solve
the problem:
1. Log on as a different user
2. Back up the profile in mention.
3. Delete the profile.
4. Create a new profile by logging on.
5. Restore the files from the backed up profile."

Gunnar Carlson (Last update 5/18/2003):
I get this error on all DC's that I upgrade to Windows 2003 Server. I
upgraded one DC from W2k3 beta3 to the released version, and the
events immediately started to show up. After I created the reverse
lookup zones for the network they stopped.

Anonymous (Last update 5/10/2003):
This happened when machines were trying to register PTR records, and
we didn't have reverse lookup zones. The solution was to add them for
all our subnets.

DJ (Last update 5/2/2003):
I'm on a small home test network with Win2k domain behind a Linksys 4
port DSL router. The router handles DNS. A power failure sacked my
domain controllers. After some restores and GP resets, my DCs were up
and talking. But my workstation could not access AD Users and
computers. The problem was the order of DNS in the Lynksys. After
putting my local DNS server first in the list on the Linksys, I was
able to get to AD.

Greg Martin
Had this on a WinXP workstation which could no longer access domain
resources. The fix was changing the DNS settings to point to a Win2k
DNS which was tied into Active Directory. Apparently the workstation
could no longer locate SVR records for the kerberos authentication
server. These records were not in our UNIX DNS but were in the Win2k
DNS. Related directly to Event 40960 - LsaSrv.

- Thee Chicago Wolf

>kerberos.dll
>5.1.2600.2698 (xpsp_sp2_gdr.050614-1522)
>
>On this particular machine - which matches the same on my own machine.

Since you say your SP3 machine connect fine, is moving your SP2
machines to SP3 not an option?

You could try updating kerberos.dll on your SP2 client to a newer one
from one of the below KB articles.

This is the newest kerberos.dll for XP SP2.
http://support.microsoft.com/kb/939850
Kerberos.dll 5.1.2600.3192 299,008 08-Aug-2007



http://support.microsoft.com/KB/931192
Kerberos.dll 5.1.2600.3087 299,008 20-Feb-2007

http://support.microsoft.com/kb/929624
Kerberos.dll 5.1.2600.3048 298,496 11-Dec-2006

http://support.microsoft.com/kb/920183
Kerberos.dll 5.1.2600.2920 298,496 01-Jun-2006

http://support.microsoft.com/kb/906681
Kerberos.dl 5.1.2600.2749 298,496 30-Aug-2005

http://support.microsoft.com/kb/906524
Kerberos.dll 5.1.2600.2745 297,984 24-Aug-2005

============================================

The newest kerberos.dll for XP SP3.
http://support.microsoft.com/kb/953760
Kerberos.dll 5.1.2600.5615 299,520 05-Jun-2008

- Thee Chicago Wolf

Thnaks TCW.

a) Found issue with the eventid website - not displaying properly on all our
machines. RDP'd to home machine (different isp) and it worked fine.

Tried different machines here at the office - same result - even flushing
cache etc from IE. Tried on a laptop with Firefox - same deal. By passed our
router and connected directly - same deal - so something with ISP's caching
server probably.

I will review these findings and try and see if it resolves the issue.


As for SP3

No, our accounting software does not work with the changes. Their
recomendations are to move to Vista over XP SP3. Rather stay with SP2 tyvm :)

Cheers,
Chris