Events 40960 & 40961

eetchells

I have an XP Pro SP3 32 bit workstation that has one user that is having slow
(20-30min) logons. The screen sits at applying user settings.

The two following events are registered in the event logs when the user in
question tries to logon:

Event 40960 (The security system detected an attempted downgrade attack for
server LDAP/server.domain.com. The failure code from authentication protocol
kerberos was "There currently are no logon servers available to service the
logon request.")

Event 40961 (The security system could not establish a secured connection
with the server LDAP/server.domain.com. No authentication protocol was
available.)


This makes no sense because right before or after this logon attempt, two
other users with standard rights were able to logon without issue.

If we wait about 20-30 minutes, the user's desktop finally comes up.
Sometimes the mapped drives are there and work, sometimes they are not.

It is a Windows 2008 domain with a single 2008 server 64 bit.

Other users on the XP workstation have no problems.

The user that has the problem has admin rights and can logon to the server
and other workstations without any problems.

The issue started several days ago and none of the articles on eventid.net
or MS KB seem applicable. I eventually gave up on the XP workstation,
formatted it and rebuilt it from scratch. It ran fine for 2 days and now the
problem is back...exact same scenario. No new software has been installed,
etc.

Does anyone have any ideas...this one is very strange.

Thx
Ed
 
Gurpreet Singh

Set the machine to use Kerberos authentication. Follow KB
http://support.microsoft.com/kb/244474.

Also enable WINLOGON LOGGING and USERENV LOGGING

1. Start Registry Editor (Regedt32.exe).
2. Locate and click the following key in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}

3. On the Edit menu, click Add Value, and then add the following registry
value:
Value name: ExtensionDebugLevel
Data type: DWORD
Value data: 2
4. Quit Registry Editor.

The Winlogon.log file is created in the Windows_folder\Security\Logs folder.

USER ENV LOGGING

Use Registry Editor to add or to modify the following registry entry:
Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 10002 (Hexadecimal)
UserEnvDebugLevel can have the following values:
The UserEnv Log is located at Windows\Debug\UserMode
RESTART THE MACHINE TO GET


You can also follow these articles to get logs which will help you find the
cause behind the events you are getting:

221833 How to enable user environment debug logging in retail builds of
Windows
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

245422 How to Enable Logging for Security Configuration Client Processing in
Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;245422
 
eetchells

OK...So I added the MaxPacketSize key per KB244474
I turned on the winlogon and userenv logging
I also installed UPH Clean
I added MaxTokenSize per KB263693

I'm still having the same issue for the one user (who is a domain
admin)...very weird.

I'm also seeing event id 1053: Windows cannot determine the user or
computer name...(an internal error occurred) Group Policy Processing Aborted.

I did see some other folks that had the 1053 event that had the same exact
issue but their fixes did not work here or they have not posted any
resolutions.

What am I looking for in the winlogon and userenv logging?
 
eetchells

OK...I am parsing the winlogon.log and the userenv.log
I don't see any errors or anything that jumps out in the winlogon.log

There are a number of things that look to be issues from the userenv.log:

USERENV(248.268) 09:31:28:448 ImpersonateUser: Failed to impersonate user with 5.
USERENV(248.268) 09:31:28:448 GetUserNameAndDomain Failed to impersonate user

USERENV(210.214) 21:38:03:921 CUserProfile::CleanupUserProfile: Ref Count is not 0
USERENV(210.3c4) 21:38:26:453 GetGPOInfo: Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(210.38c) 21:43:54:515 MyGetUserName: GetUserNameEx failed with 1359.

USERENV(2b4.2b8) 11:16:44:713 Profile was loaded but the Ref Count is 1 !!!
USERENV(2b4.638) 11:16:45:385 GetGPOInfo: Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(2b4.2b8) 11:25:07:803 UnloadUserProfileP: Didn't unload user profile <err = 19>
USERENV(2b4.2b8) 11:25:07:803 UnLoadClassHive: failed to unload classes key with 13

USERENV(2bc.50c) 19:21:50:788 GetUserGuid: Failed to get user guid with 1355.
USERENV(2bc.50c) 19:21:50:788 ProcessGPOs: The DC for domain ETCHELLS is not available. aborting
USERENV(2bc.dc4) 19:24:49:491 GetGPOInfo: Local GPO's gpt.ini is not accessible, assuming default state.
USERENV(2bc.dc4) 19:24:49:507 ComparePolicyState: Failed Registry operation with 2
USERENV(2bc.dc4) 19:24:49:507 ProcessGPOs: ComparePolicyState failed 2, assuming policy changed.
USERENV(2bc.a64) 19:39:32:836 PingComputer: GetBestInterface with 1003

USERENV(fc.1d4) 10:54:21:249 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(d4.e8) 10:54:34:061 LoadUserProfileI: LoadUserProfileP failed with 21
USERENV(fc.294) 10:54:34:061 LoadUserProfile: Calling LoadUserProfileI failed. err = 21


I'm not sure what all these errors mean, but it certainly looks like whenever
the user etchee attempts to log on from workstation WS1, the machine is
not able to communicate with AD/DNS. Why, I am not sure, as there are three
other users that can do so fine from this workstation. Further, user etchee
can log on to the server as well as from another workstation without any
issues whatsoever. The issue is isolated to this user on this workstation
only.

Any further ideas?
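
One way to triage a userenv.log like the one posted above, as an added example that is not part of the original thread: it re-joins the hard-wrapped entries, pulls out the trailing status number and names it. It assumes those numbers are Win32 error codes; `parse`, `triage` and `SAMPLE` are names made up for this sketch.

```python
import re
from collections import Counter

WIN32 = {  # Win32 error names (winerror.h) for the codes in the posted log
    2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED",
    13: "ERROR_INVALID_DATA", 19: "ERROR_WRITE_PROTECT",
    21: "ERROR_NOT_READY", 1003: "ERROR_CAN_NOT_COMPLETE",
    1355: "ERROR_NO_SUCH_DOMAIN", 1359: "ERROR_INTERNAL_ERROR",
}
# USERENV(<pid>.<tid>) HH:MM:SS:mmm <message>, pid and tid in hex.
HEAD = re.compile(r"^USERENV\(([0-9a-f]+)\.([0-9a-f]+)\)\s+(\d\d:\d\d:\d\d:\d{3})\s+(.*)$", re.I)
# Status in the three spellings the log uses: "with N", "failed N", "err = N".
CODE = re.compile(r"(?:\bwith|\bfailed|\berr\s*=)\s*(\d+)\b", re.I)

def parse(text):
    """Return one dict per entry, re-joining hard-wrapped continuation lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEAD.match(line)
        if m:
            entries.append({"pid": m[1], "tid": m[2], "time": m[3], "msg": m[4]})
        elif line and entries:
            entries[-1]["msg"] += " " + line  # wrapped tail of the previous entry
    for e in entries:
        c = CODE.search(e["msg"])
        e["code"] = int(c[1]) if c else None
        e["name"] = WIN32.get(e["code"], "unknown") if c else None
        e["func"] = re.split(r":\s|\s", e["msg"], maxsplit=1)[0]
    return entries

def triage(text):
    """Count coded failures by error name so the dominant failure class stands out."""
    return Counter(e["name"] for e in parse(text) if e["code"] is not None)

# Entries copied from the post above, hard wraps included.
SAMPLE = """\
USERENV(248.268) 09:31:28:448 ImpersonateUser: Failed to impersonate user
with 5.
USERENV(2bc.50c) 19:21:50:788 GetUserGuid: Failed to get user guid with 1355.
USERENV(2bc.50c) 19:21:50:788 ProcessGPOs: The DC for domain ETCHELLS is not
available. aborting
USERENV(d4.e8) 10:54:34:061 LoadUserProfileI: LoadUserProfileP failed with 21
USERENV(fc.294) 10:54:34:061 LoadUserProfile: Calling LoadUserProfileI
failed. err = 21
"""

if __name__ == "__main__":
    print(triage(SAMPLE).most_common())
```

Entries without a numeric status, such as the ProcessGPOs "DC ... is not available" line, come back with `code` set to `None` and still need reading by hand.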
 
