LsaSrv EventID 5000

[Guest]

Hi,

I'm getting the following event in Eventviewer:

Event Type: Error
Event Source: LsaSrv
Event Category: Devices
Event ID: 5000
Date: date
Time: time
User: N/A
Computer: SERVERNAME
Description:
The security package Negotiate generated an exception. The package is now
disabled.
The exception information is the data.

Data:

0000: c0000005 00000000 00000000 77f83941
0010: 00000002 00000001 00000010 0001003f
0020: 00000000 00000000 00000000 00000000
0030: 00000000 00000000 ffff027f ffff0000
0040: ffffffff 00000000 00780000 00000000

Can anyone give me some pointers how to solve this ?
It is a Win2k server with SP4, exchange Enterprise 2003.
Furthermore Routing and Remote Access is running on the server.

Since this is the main SMTP access to my network, the problem is painful.
Restarting the server takes 25-40 minutes and than it works for approx. 5-10
min. and fails again. None of the applications are willing to work. The
server simply locks down and you have to hardware reset it to get some basic
functioning.

Any pointers anyone, I'm getting desparate.

Kind regards,

David

 

[Chris Malone]

What is the value of
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages on that
server?

chris

 

[Chris Malone]

As well as HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security
Packages?

chris

 

[Guest]

The requested keys are:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages :
"kerberos msv1_0 schannel"

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages :
"FPNWCLNT KDCSVC scecli RASSFM"

Hope this helps

 

[Guest]

I don't know if it has anything to do with it but I'm also getting loads of
MRXSMB errors in eventviewer. "Could not initialize the security context"
regards
david

 

[Guest]

David

Looks like a security problem... 000005 means access denied.

Run exchange setup with /domainprep this will reset most security issues
between exchange and the AD. also make sure you exchange server is pointing
to two a DNS servers which have GC registered with them.Keep me posted...!!!

 

[Guest]

David

aslo look at the following articles
http://support.microsoft.com/default.aspx?scid=kb;en-us;328948
http://support.microsoft.com/default.aspx?scid=kb;en-us;831726

Also try service packing the server... more info...

The Local Security Authentication Subsystem (LSASS) process is designed to
help protect itself from bugs in authentication packages. It identifies the
exception that the bug causes and then terminates the thread that caused the
exception. Additionally, the package is not loaded again in the same instance
of LSASS. Because exceptions are generally access violations, the integrity
of the LSASS process cannot be guaranteed, and therefore Microsoft recommends
that you restart the computer. The exception does not create a memory dump
file, and the context of the exception is lost after the event is logged.

 

[Glenn LeCheminant]

maybe a dumb question, but do you have MS04-011 and MS04-007 installed?