Unable to resolve SPNEGO Event ID 40961 errors

L

Leythos

I have a few workstations, not all of them, that randomly start getting
security failures in their event logs, rebooting the main server and the
workstations often takes care of it, but not always. I've looked all
over the net, tried many things, but I can't seem to shake this.

Anyone have a solution path for getting rid of these errors?

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 11/25/2007
Time: 11:49:23 AM
User: N/A
Computer: WS56
Description:
The Security System could not establish a secured connection with the
server
ldap/servername.domainname.local/domainname.local@domainname.local.
No authentication protocol was available


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
J

Joe D

is there something "wrong"? or are you just thinking something is wrong
because you see these events?



"Leythos" <void@nowhere.lan> wrote in message
news:MPG.21b380ce7a4bbcd398984c@Adfree.usenet.com...
>I have a few workstations, not all of them, that randomly start getting
> security failures in their event logs, rebooting the main server and the
> workstations often takes care of it, but not always. I've looked all
> over the net, tried many things, but I can't seem to shake this.
>
> Anyone have a solution path for getting rid of these errors?
>
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40961
> Date: 11/25/2007
> Time: 11:49:23 AM
> User: N/A
> Computer: WS56
> Description:
> The Security System could not establish a secured connection with the
> server
> ldap/servername.domainname.local/domainname.local@domainname.local.
> No authentication protocol was available
>
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)
 
L

Leythos

In article <OyV8oD5LIHA.3976@TK2MSFTNGP03.phx.gbl>, n@n.com says...
> is there something "wrong"? or are you just thinking something is wrong
> because you see these events?

I'm assuming that since I get an Authentication Error in the security
event log, that there should be something wrong.

Any user that logs onto the problem machine will cause a Security Event
entry showing logon authentication failure, but they can login without
any problem.

I don't see this in any of the other domains we manage, just this one
and only on some workstations.

The SPNEGRO error is common for the ones that fail, if I disjoin from
the domain, delete the computer account, and rejoin it, it goes away 90%
of the time and doesn't return - but once in a while I have a computer
that doesn't seem to resolve that problem.


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
M

Meinolf Weber

Hello Leythos,

Did you have a reverse lookup zone created in DNS console? If not create
it, should help you.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> In article <OyV8oD5LIHA.3976@TK2MSFTNGP03.phx.gbl>, n@n.com says...
>
>> is there something "wrong"? or are you just thinking something is
>> wrong because you see these events?
>>
> I'm assuming that since I get an Authentication Error in the security
> event log, that there should be something wrong.
>
> Any user that logs onto the problem machine will cause a Security
> Event entry showing logon authentication failure, but they can login
> without any problem.
>
> I don't see this in any of the other domains we manage, just this one
> and only on some workstations.
>
> The SPNEGRO error is common for the ones that fail, if I disjoin from
> the domain, delete the computer account, and rejoin it, it goes away
> 90% of the time and doesn't return - but once in a while I have a
> computer that doesn't seem to resolve that problem.
>
 
L

Leythos

In article <ff16fb666edac8c9fdccf49b4ffa@msnews.microsoft.com>, Meinolf
Weber <meiweb(nospam)@gmx.de> says...
> Hello Leythos,
>
> Did you have a reverse lookup zone created in DNS console? If not create
> it, should help you.

Yes, for all 6 subnets (we have a few branch offices that register their
DNS, but the ones (workstations) that cause the problem are the local
subnet ones.

What if I remove the records in the reverse LUZ?


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
M

Meinolf Weber

Hello Leythos,

Think this will be ok. Do you have enabled NETBIOS over TCP/IP on the clients?
Also you can try to remove/reinstall MS client for networking on the workstations.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> In article <ff16fb666edac8c9fdccf49b4ffa@msnews.microsoft.com>,
> Meinolf Weber <meiweb(nospam)@gmx.de> says...
>
>> Hello Leythos,
>>
>> Did you have a reverse lookup zone created in DNS console? If not
>> create it, should help you.
>>
> Yes, for all 6 subnets (we have a few branch offices that register
> their DNS, but the ones (workstations) that cause the problem are the
> local subnet ones.
>
> What if I remove the records in the reverse LUZ?
>
 
L

Leythos

In article <ff16fb666edca8c9fdd0f6943cfa@msnews.microsoft.com>, Meinolf
Weber <meiweb(nospam)@gmx.de> says...
> Hello Leythos,
>
> Think this will be ok. Do you have enabled NETBIOS over TCP/IP on the clients?
> Also you can try to remove/reinstall MS client for networking on the workstations.

Thanks for the ideas - I'll check on this on Monday when I have more
time. Have a good evening.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
J

Joe D

if it only happens on one machine, check the system time AND time zone on
that machine. could be a kerberos issue caused by a time difference between
the pc and the authenticating dc




"Leythos" <void@nowhere.lan> wrote in message
news:MPG.21b3d8d6299b919e989853@Adfree.usenet.com...
> In article <ff16fb666edca8c9fdd0f6943cfa@msnews.microsoft.com>, Meinolf
> Weber <meiweb(nospam)@gmx.de> says...
>> Hello Leythos,
>>
>> Think this will be ok. Do you have enabled NETBIOS over TCP/IP on the
>> clients?
>> Also you can try to remove/reinstall MS client for networking on the
>> workstations.
>
> Thanks for the ideas - I'll check on this on Monday when I have more
> time. Have a good evening.
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)
 
L

Leythos

In article <uk8WwW8LIHA.2208@TK2MSFTNGP06.phx.gbl>, n@n.com says...
> if it only happens on one machine, check the system time AND time zone on
> that machine. could be a kerberos issue caused by a time difference between
> the pc and the authenticating dc

It happens on one or two machines at a time, and once fixed, normally by
a disjoin from domain, delete computer account on server, rejoin to
domain, it doesn't come back, but it crops up from time to time.

I've checked the time zone, time, ensured that they are all set by DHCP,
ensured that the time service is reachable, etc....

The main server was an SBS 2003 server migrated (swing) to Win 2003 Std
R2, but everything seems to work without any errors other than that.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
R

Roger Abell [MVP]

It is quite odd that they trigger the message, but then do manage
to get authenticated. If you are logging successful logins, what
is showing as the authentication provider? NTLM when this
happens (msgs but success anyway) whereas normally you see
that Kerberos is being used?

Later you say the main server was SBS03, never migrated.
So doesn't that mean still SBS03? If so, could it be some
odd SBS hardcoded limit (max clients) you are hitting?

Roger

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.21b396e8c3eb611098984e@Adfree.usenet.com...
> In article <OyV8oD5LIHA.3976@TK2MSFTNGP03.phx.gbl>, n@n.com says...
>> is there something "wrong"? or are you just thinking something is wrong
>> because you see these events?
>
> I'm assuming that since I get an Authentication Error in the security
> event log, that there should be something wrong.
>
> Any user that logs onto the problem machine will cause a Security Event
> entry showing logon authentication failure, but they can login without
> any problem.
>
> I don't see this in any of the other domains we manage, just this one
> and only on some workstations.
>
> The SPNEGRO error is common for the ones that fail, if I disjoin from
> the domain, delete the computer account, and rejoin it, it goes away 90%
> of the time and doesn't return - but once in a while I have a computer
> that doesn't seem to resolve that problem.
>
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)
 
L

Leythos

In article <MPG.21b3d8d6299b919e989853@Adfree.usenet.com>,
void@nowhere.lan says...
> In article <ff16fb666edca8c9fdd0f6943cfa@msnews.microsoft.com>, Meinolf
> Weber <meiweb(nospam)@gmx.de> says...
> > Hello Leythos,
> >
> > Think this will be ok. Do you have enabled NETBIOS over TCP/IP on the clients?
> > Also you can try to remove/reinstall MS client for networking on the workstations.
>
> Thanks for the ideas - I'll check on this on Monday when I have more
> time. Have a good evening.

I've found a quick way to resolve it for the Windows XP computers,
reinstalling SP2 seem to have cleared up the problem on the machines in
question.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
M

Meinolf Weber

Hello Leythos,

Thanks, for posting back your solution.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> In article <MPG.21b3d8d6299b919e989853@Adfree.usenet.com>,
> void@nowhere.lan says...
>
>> In article <ff16fb666edca8c9fdd0f6943cfa@msnews.microsoft.com>,
>> Meinolf Weber <meiweb(nospam)@gmx.de> says...
>>
>>> Hello Leythos,
>>>
>>> Think this will be ok. Do you have enabled NETBIOS over TCP/IP on
>>> the clients? Also you can try to remove/reinstall MS client for
>>> networking on the workstations.
>>>
>> Thanks for the ideas - I'll check on this on Monday when I have more
>> time. Have a good evening.
>>
> I've found a quick way to resolve it for the Windows XP computers,
> reinstalling SP2 seem to have cleared up the problem on the machines
> in question.
>
 
L

Leythos

In article <eg$3yMLMIHA.3400@TK2MSFTNGP03.phx.gbl>, mvpNoSpam@asu.edu
says...
> It is quite odd that they trigger the message, but then do manage
> to get authenticated. If you are logging successful logins, what
> is showing as the authentication provider? NTLM when this
> happens (msgs but success anyway) whereas normally you see
> that Kerberos is being used?
>
> Later you say the main server was SBS03, never migrated.
> So doesn't that mean still SBS03? If so, could it be some
> odd SBS hardcoded limit (max clients) you are hitting?

The main server "was" SBS 2003, used a Swing to a new IBM server with
Win 2003 Std and 150 CAL, there was no upgrade, just a swing of the AD
structure....

Reinstalling SP2 (and every machine already had it) on the XP
workstations fixed it for those machines.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
You must log in or register to reply here.

Similar threads

G
event ID 40961
Replies
0
Views
2K
GADavies
G
S
LSASRV & SPNEGO (Negotiator)
Replies
0
Views
268
Scott
S
L
Need to give NON-Admin ability to use TS Manager to Remote Contol others sessions
Replies
10
Views
496
Vera Noest [MVP]
V
L
Good content blocker/site blocker for Vista workstation?
2
Replies
23
Views
641
cooldeal
C
B
Weird LDAP Errors... Tried many things.
Replies
1
Views
219
Elliott Gaskill
E
Back
Top Bottom