Windows 2000/XP gets locked out

Hello,

Unusual activity on my network where users are already logged in but get
locked out all of a sudden. This has happend to 5 people already. They dont
even attempt to try to change the password or are not logging in anywhere
else. Their account just gets locked out during they day. Here are event
errors.

Source: LSASRV
Catgory: SPNEGO (Negotiator)
Event ID: 40960

The Security System detected an attempted downgrade attack for server
cifs/PHXCRP99DC3. The failure code from authentication protocol Kerberos was
"The user account has been automatically locked because too many invalid
logon attempts or password change attempts have been requested.
(0xc0000234)".

This also follows:

Source: LSASRV
Catgory: SPNEGO (Negotiator)
Event ID: 40961
The Security System could not establish a secured connection with the server
cifs/PHXCRP99DC3. No authentication protocol was available.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Anyone have idead why this is happening?

Jimmy K

Pls check.

http://eventid.net/display.asp?even...=LsaSrv&phase=1

http://eventid.net/display.asp?even...=LsaSrv&phase=1

br,
Denis

"Jimmy K" <JimmyK@discussions.microsoft.com> wrote in message
news:0D6BDBA3-2CA7-4975-A03A-9B410D9BC13B@microsoft.com...
> Hello,
>
> Unusual activity on my network where users are already logged in but get
> locked out all of a sudden. This has happend to 5 people already. They
dont
> even attempt to try to change the password or are not logging in anywhere
> else. Their account just gets locked out during they day. Here are event
> errors.
>
> Source: LSASRV
> Catgory: SPNEGO (Negotiator)
> Event ID: 40960
>
> The Security System detected an attempted downgrade attack for server
> cifs/PHXCRP99DC3. The failure code from authentication protocol Kerberos
was
> "The user account has been automatically locked because too many invalid
> logon attempts or password change attempts have been requested.
> (0xc0000234)".
>
> This also follows:
>
> Source: LSASRV
> Catgory: SPNEGO (Negotiator)
> Event ID: 40961
> The Security System could not establish a secured connection with the
server
> cifs/PHXCRP99DC3. No authentication protocol was available.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> Anyone have idead why this is happening?
>
> Jimmy K
>

Jimmy,

What OS are these users running? If they are using 9x, there is a bug that
does 3-5 logon attempts in the normal logon process and so errors in logons
are amplified and users get logged out.

Also, this can be one of the first tell-tale signs of virus and spyware as
repeated logon attempts by the virus are attempted against well-known
accounts. Look at your security logs for repeated attempts by specific
computers and deal with those.

--
Ryan Hanisco
MCSE, MCDBA
FlagShip Integration Services
Chicago, IL

"Jimmy K" <JimmyK@discussions.microsoft.com> wrote in message
news:0D6BDBA3-2CA7-4975-A03A-9B410D9BC13B@microsoft.com...
> Hello,
>
> Unusual activity on my network where users are already logged in but get
> locked out all of a sudden. This has happend to 5 people already. They
> dont
> even attempt to try to change the password or are not logging in anywhere
> else. Their account just gets locked out during they day. Here are event
> errors.
>
> Source: LSASRV
> Catgory: SPNEGO (Negotiator)
> Event ID: 40960
>
> The Security System detected an attempted downgrade attack for server
> cifs/PHXCRP99DC3. The failure code from authentication protocol Kerberos
> was
> "The user account has been automatically locked because too many invalid
> logon attempts or password change attempts have been requested.
> (0xc0000234)".
>
> This also follows:
>
> Source: LSASRV
> Catgory: SPNEGO (Negotiator)
> Event ID: 40961
> The Security System could not establish a secured connection with the
> server
> cifs/PHXCRP99DC3. No authentication protocol was available.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> Anyone have idead why this is happening?
>
> Jimmy K
>