LSASRV 40961 error in event log

Adam Raff

Hi,

Over the last couple of weeks I have noticed a bunch of our Windows XP Pro
systems (SP1) getting the following error with all critical updates applied
via SUS

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 4/18/2005
Time: 6:01:46 PM
User: N/A
Computer: ADAMXP2
Description:
The Security System could not establish a secured connection with the server
cifs/test.test.net. No authentication protocol was available.

For more information,
see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I checked this error in Technet and found a reference to SP2 which we are
not running. I am not noticing any problems with the network (Windows 2000
SP4 based with AD) with Exchange 2003 on a 2003 Server. I also looked at
this error on MS site but again most point to 2003 Server or SP2.

If anybody has any ideas, it would be a great help.

Thanks in advance
Adam Raff
 
Thorsten Matzner

Adam Raff said:
Over the last couple of weeks I have noticed a bunch of our Windows XP Pro
systems (SP1) getting the following error with all critical updates applied
via SUS

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961

Did you already read this?
"LSASRV Event IDs 40960 and 40961 When You Promote a Server to a
Domain Controller Role" (http://support.microsoft.com/?kbid=824217).
 
Adam Raff

Thorsten Matzner said:
Did you already read this?
"LSASRV Event IDs 40960 and 40961 When You Promote a Server to a
Domain Controller Role" (http://support.microsoft.com/?kbid=824217).

As to my previous email I am not running Windows 2003 Server as a DC. We do
have one, but it is a member server which is running our Exchange 2003.

We are running Windows 2000 SP4 Server. The servers are a clean install
which was done last year.

I went through Technet and MS Website and they all point to DC which relates
to 2003 and SP2 on an XP system which again does not relate to our setup.
Which is why I am stumped on this. Nothing points to what we have and the
errors are similar. I can still connect to the network. Hope this is
enough info.

Thanks for the response
Adam Raff
 
Frances [MSFT]

Hello Adam,

Thanks for the post.

According to your message, I understand that you find LSASRV 40961 error in
the event log.

Event ID 40961 is a new warning event that may show up in the System log
when Windows fails to negotiate an authentication package. Since Kerberos is
the most commonly used authentication package in XP/2003, the event is most
often Kerberos-related. Because it is new, there are few articles about it.

There are many causes that will lead to this warning. At this point, I want
to gather more information about your domain to isolate the main cause.

I understand from your messages that this is a win2k domain. Please help to
answer the following questions.
1. Does it have parent or child domain? How many DCs do you have in the
domain?
2. What about the DNS server? Does it support Kerberos?
3. Does the 40961 event happen at a regular interval, for example, does it
happen hourly?

Please also help to verify the following settings.

1. Verify Remote Procedure Call (RPC) Locator is correctly configured as
follows:

Started, Automatic - Windows 2000 domain controllers.
Stopped, Manual - Windows Server 2003 domain controllers & member servers.
Stopped, Disabled - Windows 2000 clients & member servers, XP clients.

To find the service, type "services.msc" in the Run box to open the
Services Page and locate it.

2. If the registry on the DC contains the NT4Emulator registry value in the
following registry key, set it to 0, or delete it entirely.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

3. Verify the DHCP client service is started on all machines. Even machines
with static IP addresses (including domain controllers and member servers)
need to have DHCP client service enabled because that service handles DNS
dynamic updates.

4. Verify there isn't a time skew between machines. Make sure to verify the
time, date, and year, are all the same.


Since the warning is often caused by a broken secure channel, I suggest
that we reset the security channel to check the effect. Please follow the
steps below.

1. Click Start, click Run, type "cmd" (without the quotation marks), and
then press ENTER.

2. Type "secedit /configure /cfg %windir%\repair\secsetup.inf /db
secsetup.sdb /verbose" (without the quotation marks), and then press ENTER.

Refer to the following article for more information.

313222 How To Reset Security Settings Back to the Defaults
http://support.microsoft.com/?id=313222

Do the suggestions help?

I will wait for your information to decide what to do next. Please reply to
me at your earliest convenience. I am looking forward to the reply!

Best regards,

Frances He


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Adam Raff

Hi Frances

Thanks for the reply. I have given you the info that you wanted below your
questions. I hope I was able to answer them. The only one that was not
looked at was the last, which resets the security; please read my comment on
that.


Frances said:
Hello Adam,

Thanks for the post.

According to your message, I understand that you find LSASRV 40961 error in
the event log.

Event ID 40961 is a new warning event that may show up in the System log
when Windows fails to negotiate an authentication package. Since Kerberos is
the most commonly used authentication package in XP/2003, the event is most
often Kerberos-related. Because it is new, there are few articles about it.

There are many causes that will lead to this warning. At this point, I want
to gather more information about your domain to isolate the main cause.

I understand from your messages that this is a win2k domain. Please help to
answer the following questions.
1. Does it have parent or child domain? How many DCs do you have in the
domain?
No child we have just one domain. Called Test (this is not the real name)
We have three DC that are Win2000 based. These will soon be upgraded to
2003
2. What about the DNS server? Does it support Kerberos?
We have a DNS server which runs on a DC on 2000, not sure if it
supports Kerberos
3. Does the 40961 event happen at a regular interval, for example, does it
happen hourly?
No

Please also help to verify the following settings.
(Please note that we may need this running for one of our Software packages)
1. Verify Remote Procedure Call (RPC) Locator is correctly configured as
follows:

Started, Automatic - Windows 2000 domain controllers.
Yes
Stopped, Manual - Windows Server 2003 domain controllers & member servers.
Manual on 2003, Service Started and Running Nas Server (2000 member
server)
Stopped, Disabled - Windows 2000 clients & member servers, XP clients.
Manual

To find the service, type "services.msc" in the Run box to open the
Services Page and locate it.

2. If the registry on the DC contains the NT4Emulator registry value in the
following registry key, set it to 0, or delete it entirely.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
No it is not there

3. Verify the DHCP client service is started on all machines. Even machines
with static IP addresses (including domain controllers and member servers)
need to have DHCP client service enabled because that service handles DNS
dynamic updates.
Yes it's running

4. Verify there isn't a time skew between machines. Make sure to verify the
time, date, and year, are all the same.
Seems to be Ok


Since the warning is often caused by a broken secure channel, I suggest
that we reset the security channel to check the effect. Please follow the
steps below.

This part I will have to look into since it could be damaging. Our
clients are production systems. Can you please give me more info on this?
What will this do to a working system? Can it prevent a user from
working?
 
Frances [MSFT]

Hello Adam,

Thanks for the reply.

After my further research, I find that if the 40961 event only happens at
boot, it is likely to be caused by a service attempting to authenticate
before the directory service is available. In that scenario, the events can
be ignored. There is no fix planned for XP for that scenario.

If this is not the case, please do the following steps and check the effect.

Step 1: Stop the Remote Procedure Call (RPC) Locator service on the winXP
machine.
=====================================================================
To do so, follow the steps below.
1. Locate the Remote Procedure Call (RPC) Locator service in the services
page.

2. Double click the service and click the "stop" button.

Please check the effect.

Step 2: Reset the security channel.
=======================
Please note: After security settings are applied, you cannot undo the
changes without restoring from a backup. If you are uncertain about
resetting your security settings back to the default security settings, you
must make a complete backup that includes the "System State" (the registry
files). Items that are reset include NTFS file system files and folders,
the registry, policies, services, privilege rights, and group membership.

As for your concern, please back up the system state first, and then do this
step. By resetting the security channel, we reset the following things to
default:

1. SECURITYPOLICY - Local policy and domain policy for the system,
including account policies, audit policies, and so on.

2. GROUP_MGMT - Restricted group settings for any groups specified in the
security template

3. USER_RIGHTS - User logon rights and granting of privileges

4. REGKEYS - Security on local registry keys

5. FILESTORE - Security on local file storage

6. SERVICES - Security for all defined services


For detailed information, please refer to the following KB article:

How To Reset Security Settings Back to the Defaults
http://support.microsoft.com/?id=313222


If you have any other concern, please feel free to let us know.

Best regards,

Frances He
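
The triage question raised in this thread (does 40961 appear only at boot, or at a regular interval such as hourly?) can be answered from an exported System log. The following is an added example, not part of the original posts: it assumes a comma-separated export (date, time, source, event ID), treats EventLog event 6005 as the boot marker and uses a five-minute boot window, and the sample data is constructed.

```python
from datetime import datetime, timedelta
from statistics import median

BOOT_MARKER = ("EventLog", 6005)    # assumption: 6005 (event log service started) marks a boot
TARGET = ("LSASRV", 40961)
BOOT_WINDOW = timedelta(minutes=5)  # assumption: "at boot" means within 5 minutes of the marker

# Constructed sample exports (not from the thread): date,time,source,event ID
SAMPLE_BOOT_ONLY = """\
4/18/2005,8:00:05 AM,EventLog,6005
4/18/2005,8:01:46 AM,LSASRV,40961
4/19/2005,7:58:10 AM,EventLog,6005
4/19/2005,7:59:02 AM,LSASRV,40961
"""
SAMPLE_HOURLY = """\
4/18/2005,8:00:05 AM,EventLog,6005
4/18/2005,9:15:00 AM,LSASRV,40961
4/18/2005,10:15:02 AM,LSASRV,40961
4/18/2005,11:14:58 AM,LSASRV,40961
4/18/2005,12:15:01 PM,LSASRV,40961
"""

def parse(text):
    """Return (timestamp, source, event_id) tuples in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            date, clock, source, event_id = (f.strip() for f in line.split(","))
            when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M:%S %p")
            events.append((when, source, int(event_id)))
    return sorted(events)

def triage(text):
    """Classify 40961 events: 'none', 'boot-only', 'periodic' (with minutes) or 'sporadic'."""
    last_boot, at_boot, later = None, [], []
    for when, source, event_id in parse(text):
        if (source, event_id) == BOOT_MARKER:
            last_boot = when
        elif (source, event_id) == TARGET:
            near_boot = last_boot is not None and when - last_boot <= BOOT_WINDOW
            (at_boot if near_boot else later).append(when)
    if not later:
        return ("boot-only" if at_boot else "none", None)
    gaps = [(b - a).total_seconds() for a, b in zip(later, later[1:])]
    mid = median(gaps) if len(gaps) >= 2 else 0
    if mid > 0 and all(abs(g - mid) <= 0.1 * mid for g in gaps):
        return ("periodic", round(mid / 60))
    return ("sporadic", None)

if __name__ == "__main__":
    print(triage(SAMPLE_BOOT_ONLY), triage(SAMPLE_HOURLY))
```

A "periodic" or "sporadic" result means the events are not confined to startup, so the service, registry, DHCP and time checks listed earlier in the thread still apply.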


 
Frances [MSFT]

Hello Adam,

We haven't heard from you. How is it going on the 40961 error? Please feel
free to respond to the newsgroups if you need additional help.

Have a great day!

Best regards,

Frances He


 
