LsaSrv and Userenv events

[Stephen Quist]

Hi All,

I and several other users on my network have a persistent reoccurrence of a
pair of events. These events have the same timestamp.

In the System event log I see
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 5/8/2006
Time: 3:08:11 PM
User: N/A
Computer: ALAMOSA
Description:
The Security System could not establish a secured connection with the server
ldap/tincup.rockies.msei-co.com/[email protected]. No
authentication protocol was available.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

In the Application log I get the paired event:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 5/8/2006
Time: 3:08:11 PM
User: ROCKIES\quists
Computer: ALAMOSA
Description:
Windows cannot query for the list of Group Policy objects. A message that
describes the reason for this was previously logged by the policy engine.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I've used Google to try to find enlightenment on these events. Most of the
responses have to do with an event I don't see -40960.
Also, so far the only network resource that seems to be unavailable is the
group policy.
I've gone through the list of suggestions at eventid.net. None of them
seemed particularly appropriate. These events are logged on workstations,
not on the server. I have a pair of WS2003 servers on the network. The
workstations are all XP. All machines are up to date with their patches.
Another part of the puzzle is that there are some workstations that do not
get these messages. I have been unsuccessful in trying to figure out what is
different between the machines that have the problem and the ones that
don't.

Any and all suggestions or recommendations are appreciated.

Steve

 

[Wesley Vogel]

Event Source: LSASRV
Event ID: 40961
http://www.microsoft.com/technet/su...odVer=5.2&EvtID=40961&EvtSrc=lsasrv&LCID=1033

Event Source: Userenv
Event ID: 1030
http://www.microsoft.com/technet/su...odVer=5.2&EvtID=1030&EvtSrc=Userenv&LCID=1033

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In

 

[Stephen Quist]

Thanks for the tips. I have been through these pages before.

Event Source: LSASRV
Event ID: 40961
http://www.microsoft.com/technet/su...odVer=5.2&EvtID=40961&EvtSrc=lsasrv&LCID=1033

For the first and second bullets, I don't get event 40960 and in any event
the logs are on workstations, not
the servers.

As near as I can tell the third bullet does not apply. I don't get the 40960
entry in the event log
The fourth bullet does not seem to apply because most network resources are
available. Also, the
problem survives logoffs and reboots, contrary to the workaround in
http://support.microsoft.com/kb/885887/en-us.

The fifth bullet is not applicable.

Event Source: Userenv
Event ID: 1030
http://www.microsoft.com/technet/su...odVer=5.2&EvtID=1030&EvtSrc=Userenv&LCID=1033

A lot of these indicate I would see event 1058 logged. I don't. Ever.

There is one thing in the recommendations that I cannot check. I can't run
netdiag.
I get a dialog box that says, "The procedure entry point
DnsGetPrimaryDomainName_UTF8 could not be located in the
dynamic link library DNSAPI.dll."

How in the hell do I reinstall netdiag?
When I run gpupdate manually, it appears to complete normally.

Steve

 

[Guest]

I just searched for LsaSrv, and this error seems to be a common topic.

It occurs on my office computers every single day bewteen 5:19 PM and 6 PM.
When my applications lock up, I power down the computer and go home for the
night. The next morning, I am good to go.

Yesterday, I had some documents that had to be saved (eventually Excel gives
up looking for the missing hard drive and lets you save locally). I tried
rebooting the server at roughly 5:30 PM. Today, I received the error at
roughly 4:30, which is the earliest it has ever occured. I am not sure if
this is a coincidence, but I figure MS could use whatever clues are
available. If it happens Monday at 4:30ish, I am going to reboot the machine
at 7PM.

This error has absolutley nothing to do with the current KB articles of the
computer rebooting before the server is online. Our computer loses their
connections in the same hourly timeframe every day that I am on at that time.
I will be busily working away when it locks mid-task.

If I need to continue working, then rebooting the client PC will fix it
until tomorrow.

Bryon

 

[Stephen Quist]

It sounds like your situation is a lot worse than mine. The only loss of
functionality that I can observe is a message in the Application event log
that says:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 5/12/2006
Time: 2:26:59 PM
User: ROCKIES\quists
Computer: ALAMOSA
Description:
Windows cannot query for the list of Group Policy objects. A message that
describes the reason for this was previously logged by the policy engine.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

These are always associated with the LSASRV events so I presume the
LSASRV event is the reason mentioned. An odd part is that if I make a change
to the GPO, that change does show up on my workstation.

Further, the events show up quasi-regularly. For instance, on the 11th, the
events were logged at
1:29:58 AM
3:10:01 AM
4:46:03 AM
6:16:05 AM
7:53:08 AM
9:27:10 AM
10:59:13 AM
12:58:15 PM
2:39:18 PM
4:33:21 PM
6:09:23 PM
11:18:27 PM

Something is happening but not metronomically. I haven't figured out what
triggers the negotiation. The successful queries of the GPO are not logged,
so I can't tell what fraction of the queries are unsuccessful.

Just on a suspicion that there may be some stale domain configuration data
contaminating the LDAP negotiation, I might try dropping my WS from the
domain and adding it back again.

Good luck with your problem. If the problem occurs at the same time every
day, there must be a trigger you can track down. If you are part of a larger
network or you have some active connections, for instance, trusts, it may be
that a network partner is doing something at that time. If so then perhaps
you can figure a way out.


Steve