|
server
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Unable to resolve SPNEGO Event ID 40961 errors
security failures in their event logs, rebooting the main server and the workstations often takes care of it, but not always. I've looked all over the net, tried many things, but I can't seem to shake this. Anyone have a solution path for getting rid of these errors? Event Type: Warning Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40961 Date: 11/25/2007 Time: 11:49:23 AM User: N/A Computer: WS56 Description: The Security System could not establish a secured connection with the server ldap/servername.domainname.local/domainname.local@domainname.local. No authentication protocol was available -- Leythos - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" spam999free@rrohio.com (remove 999 for proper email address) is there something "wrong"? or are you just thinking something is wrong
because you see these events? Show quote "Leythos" <v***@nowhere.lan> wrote in message news:MPG.21b380ce7a4bbcd398984c@Adfree.usenet.com... >I have a few workstations, not all of them, that randomly start getting > security failures in their event logs, rebooting the main server and the > workstations often takes care of it, but not always. I've looked all > over the net, tried many things, but I can't seem to shake this. > > Anyone have a solution path for getting rid of these errors? > > Event Type: Warning > Event Source: LSASRV > Event Category: SPNEGO (Negotiator) > Event ID: 40961 > Date: 11/25/2007 > Time: 11:49:23 AM > User: N/A > Computer: WS56 > Description: > The Security System could not establish a secured connection with the > server > ldap/servername.domainname.local/domainname.local@domainname.local. > No authentication protocol was available > > > -- > > Leythos > - Igitur qui desiderat pacem, praeparet bellum. > - Calling an illegal alien an "undocumented worker" is like calling a > drug dealer an "unlicensed pharmacist" > spam999free@rrohio.com (remove 999 for proper email address) In article <OyV8oD5LIHA.3***@TK2MSFTNGP03.phx.gbl>, n@n.com says...
> is there something "wrong"? or are you just thinking something is wrong I'm assuming that since I get an Authentication Error in the security > because you see these events? event log, that there should be something wrong. Any user that logs onto the problem machine will cause a Security Event entry showing logon authentication failure, but they can login without any problem. I don't see this in any of the other domains we manage, just this one and only on some workstations. The SPNEGRO error is common for the ones that fail, if I disjoin from the domain, delete the computer account, and rejoin it, it goes away 90% of the time and doesn't return - but once in a while I have a computer that doesn't seem to resolve that problem. -- Leythos - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" spam999free@rrohio.com (remove 999 for proper email address) Hello Leythos,
Did you have a reverse lookup zone created in DNS console? If not create it, should help you. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm Show quote > In article <OyV8oD5LIHA.3***@TK2MSFTNGP03.phx.gbl>, n@n.com says... > >> is there something "wrong"? or are you just thinking something is >> wrong because you see these events? >> > I'm assuming that since I get an Authentication Error in the security > event log, that there should be something wrong. > > Any user that logs onto the problem machine will cause a Security > Event entry showing logon authentication failure, but they can login > without any problem. > > I don't see this in any of the other domains we manage, just this one > and only on some workstations. > > The SPNEGRO error is common for the ones that fail, if I disjoin from > the domain, delete the computer account, and rejoin it, it goes away > 90% of the time and doesn't return - but once in a while I have a > computer that doesn't seem to resolve that problem. > In article <ff16fb666edac8c9fdccf49b4***@msnews.microsoft.com>, Meinolf
Weber <meiweb(nospam)@gmx.de> says... > Hello Leythos, Yes, for all 6 subnets (we have a few branch offices that register their > > Did you have a reverse lookup zone created in DNS console? If not create > it, should help you. DNS, but the ones (workstations) that cause the problem are the local subnet ones. What if I remove the records in the reverse LUZ? -- Leythos - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" spam999free@rrohio.com (remove 999 for proper email address) Hello Leythos,
Think this will be ok. Do you have enabled NETBIOS over TCP/IP on the clients? Also you can try to remove/reinstall MS client for networking on the workstations. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm Show quote > In article <ff16fb666edac8c9fdccf49b4***@msnews.microsoft.com>, > Meinolf Weber <meiweb(nospam)@gmx.de> says... > >> Hello Leythos, >> >> Did you have a reverse lookup zone created in DNS console? If not >> create it, should help you. >> > Yes, for all 6 subnets (we have a few branch offices that register > their DNS, but the ones (workstations) that cause the problem are the > local subnet ones. > > What if I remove the records in the reverse LUZ? > In article <ff16fb666edca8c9fdd0f6943***@msnews.microsoft.com>, Meinolf
Weber <meiweb(nospam)@gmx.de> says... > Hello Leythos, Thanks for the ideas - I'll check on this on Monday when I have more > > Think this will be ok. Do you have enabled NETBIOS over TCP/IP on the clients? > Also you can try to remove/reinstall MS client for networking on the workstations. time. Have a good evening. -- Leythos - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" spam999free@rrohio.com (remove 999 for proper email address) if it only happens on one machine, check the system time AND time zone on
that machine. could be a kerberos issue caused by a time difference between the pc and the authenticating dc Show quote "Leythos" <v***@nowhere.lan> wrote in message news:MPG.21b3d8d6299b919e989853@Adfree.usenet.com... > In article <ff16fb666edca8c9fdd0f6943***@msnews.microsoft.com>, Meinolf > Weber <meiweb(nospam)@gmx.de> says... >> Hello Leythos, >> >> Think this will be ok. Do you have enabled NETBIOS over TCP/IP on the >> clients? >> Also you can try to remove/reinstall MS client for networking on the >> workstations. > > Thanks for the ideas - I'll check on this on Monday when I have more > time. Have a good evening. > > -- > > Leythos > - Igitur qui desiderat pacem, praeparet bellum. > - Calling an illegal alien an "undocumented worker" is like calling a > drug dealer an "unlicensed pharmacist" > spam999free@rrohio.com (remove 999 for proper email address) In article <uk8WwW8LIHA.2***@TK2MSFTNGP06.phx.gbl>, n@n.com says...
> if it only happens on one machine, check the system time AND time zone on It happens on one or two machines at a time, and once fixed, normally by > that machine. could be a kerberos issue caused by a time difference between > the pc and the authenticating dc a disjoin from domain, delete computer account on server, rejoin to domain, it doesn't come back, but it crops up from time to time. I've checked the time zone, time, ensured that they are all set by DHCP, ensured that the time service is reachable, etc.... The main server was an SBS 2003 server migrated (swing) to Win 2003 Std R2, but everything seems to work without any errors other than that. -- Leythos - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" spam999free@rrohio.com (remove 999 for proper email address) In article <MPG.21b3d8d6299b919e989***@Adfree.usenet.com>,
v***@nowhere.lan says... > In article <ff16fb666edca8c9fdd0f6943***@msnews.microsoft.com>, Meinolf I've found a quick way to resolve it for the Windows XP computers, > Weber <meiweb(nospam)@gmx.de> says... > > Hello Leythos, > > > > Think this will be ok. Do you have enabled NETBIOS over TCP/IP on the clients? > > Also you can try to remove/reinstall MS client for networking on the workstations. > > Thanks for the ideas - I'll check on this on Monday when I have more > time. Have a good evening. reinstalling SP2 seem to have cleared up the problem on the machines in question. -- Leythos - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" spam999free@rrohio.com (remove 999 for proper email address) Hello Leythos,
Thanks, for posting back your solution. Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm Show quote > In article <MPG.21b3d8d6299b919e989***@Adfree.usenet.com>, > v***@nowhere.lan says... > >> In article <ff16fb666edca8c9fdd0f6943***@msnews.microsoft.com>, >> Meinolf Weber <meiweb(nospam)@gmx.de> says... >> >>> Hello Leythos, >>> >>> Think this will be ok. Do you have enabled NETBIOS over TCP/IP on >>> the clients? Also you can try to remove/reinstall MS client for >>> networking on the workstations. >>> >> Thanks for the ideas - I'll check on this on Monday when I have more >> time. Have a good evening. >> > I've found a quick way to resolve it for the Windows XP computers, > reinstalling SP2 seem to have cleared up the problem on the machines > in question. > It is quite odd that they trigger the message, but then do manage
to get authenticated. If you are logging successful logins, what is showing as the authentication provider? NTLM when this happens (msgs but success anyway) whereas normally you see that Kerberos is being used? Later you say the main server was SBS03, never migrated. So doesn't that mean still SBS03? If so, could it be some odd SBS hardcoded limit (max clients) you are hitting? Roger Show quote "Leythos" <v***@nowhere.lan> wrote in message news:MPG.21b396e8c3eb611098984e@Adfree.usenet.com... > In article <OyV8oD5LIHA.3***@TK2MSFTNGP03.phx.gbl>, n@n.com says... >> is there something "wrong"? or are you just thinking something is wrong >> because you see these events? > > I'm assuming that since I get an Authentication Error in the security > event log, that there should be something wrong. > > Any user that logs onto the problem machine will cause a Security Event > entry showing logon authentication failure, but they can login without > any problem. > > I don't see this in any of the other domains we manage, just this one > and only on some workstations. > > The SPNEGRO error is common for the ones that fail, if I disjoin from > the domain, delete the computer account, and rejoin it, it goes away 90% > of the time and doesn't return - but once in a while I have a computer > that doesn't seem to resolve that problem. > > > -- > > Leythos > - Igitur qui desiderat pacem, praeparet bellum. > - Calling an illegal alien an "undocumented worker" is like calling a > drug dealer an "unlicensed pharmacist" > spam999free@rrohio.com (remove 999 for proper email address) In article <eg$3yMLMIHA.3***@TK2MSFTNGP03.phx.gbl>, mvpNoSpam@asu.edu
says... > It is quite odd that they trigger the message, but then do manage The main server "was" SBS 2003, used a Swing to a new IBM server with > to get authenticated. If you are logging successful logins, what > is showing as the authentication provider? NTLM when this > happens (msgs but success anyway) whereas normally you see > that Kerberos is being used? > > Later you say the main server was SBS03, never migrated. > So doesn't that mean still SBS03? If so, could it be some > odd SBS hardcoded limit (max clients) you are hitting? Win 2003 Std and 150 CAL, there was no upgrade, just a swing of the AD structure.... Reinstalling SP2 (and every machine already had it) on the XP workstations fixed it for those machines. -- Leythos - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" spam999free@rrohio.com (remove 999 for proper email address)  |
|||||||||||||||||||||||
Other interesting topics