Re: Lsasrv Event ID 40960



Hi!

Thanks for your answer.
I have checked my DNS zones (several times) and all my machines have the correct PTR entry... I have checked with nslookup both my forward and recursive zones and get the correct answer every time...
Any other suggestions on how to solve this?

regards

Kbergros


Ace Fekay [MVP] wrote:
In news:OoTpvXjfGHA.4864@xxxxxxxxxxxxxxxxxxxx,
kbergros <kbergros@xxxxxxxxxxx> stated, which I commented on below:

Hi!

I'm having a problem that really disturbs me.....
I get on 2 of my Windows 2003 member servers a log entry twice a day
saying the following:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 2006-05-21
Time: 03:43:47
User: N/A
Computer: gimli
Description:
The Security System detected an authentication error for the server
ldap/gollum.test.timber.se/test.timber.se@xxxxxxxxxxxxxxx The failure
code from authentication protocol Kerberos was "The attempted logon is
invalid. This is either due to a bad username or authentication
information. (0xc000006d)".

I checked everything according to DNS entries and everything looks OK.
I have followed the suggestions on Event id net, but no luck in
solving this problem.
Before I had a logging that also stated the 40961 event but that
logging has stopped since I upgraded to Service Pack 1.

The thing is on my other Windows 2003 member servers I don't get this
log entry.

I have two domain controllers: one is Windows 2003 (has all FSMO roles
and the Global Catalog) and one is Windows 2000 (also has the Global
Catalog).
One thing that I can see is that the machines that have the error logging
have the 2000 server as logon server... the other ones (without the
problem) have the Windows 2003 server as logon server.... can this have
something to do with the error logging?

Regards

Kbergros


Usually creating a reverse zone for your subnet(s) and ensuring all DCs (especially the 2003 DCs) have a PTR entry eliminates this error. On 2003 systems, the SPNEGO (the SPN identifier) uses the reverse entry to identify itself, hence "Ego".
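To test the pattern raised in the original question (only members that use one particular DC log the warning), the 40960 records from a text export can be grouped by reporting computer and target server. This is an added example, not part of the thread; the record layout follows the event quoted above, and the host names, realm, message text and helper names are constructed for illustration.

```python
import re
from collections import Counter

# NTSTATUS names for a few failure codes that can appear in the description.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
}

EVENT_RE = re.compile(
    r"Event ID: 40960\b.*?Computer: (?P<computer>\S+).*?"
    r"authentication error for the server (?P<spn>\S+?)\.? "
    r"The failure code from authentication protocol (?P<proto>\w+) was "
    r'".*?\((?P<status>0x[0-9a-fA-F]+)\)"'
)

def parse_events(export_text):
    """Yield one dict per 40960 record found in a text export of the log."""
    for record in re.split(r"(?=Event Type:)", export_text):
        flat = " ".join(record.split())  # undo line wrapping in the description
        m = EVENT_RE.search(flat)
        if not m:
            continue
        service, _, rest = m["spn"].partition("/")
        target = rest.split("/")[0].split("@")[0].lower()  # host part of the SPN
        code = int(m["status"], 16)
        yield {"computer": m["computer"].lower(), "service": service, "target": target,
               "protocol": m["proto"], "status": NTSTATUS.get(code, hex(code))}

def failures_by_pair(export_text):
    """Count failures per (reporting computer, target server, status)."""
    return Counter((e["computer"], e["target"], e["status"]) for e in parse_events(export_text))

def _sample(computer, target, status):
    # Constructed record in the layout of the event quoted in the thread.
    return (f"Event Type: Warning\nEvent Source: LSASRV\nEvent ID: 40960\n"
            f"Computer: {computer}\nDescription:\nThe Security System detected an "
            f"authentication error for the server\nldap/{target}.example.test/"
            f"example.test@EXAMPLE.TEST. The failure\ncode from authentication protocol "
            f'Kerberos was "Constructed message text. ({status})".\n')

SAMPLE = (_sample("member1", "dc-old", "0xc000006d") + _sample("member2", "dc-old", "0xc000006d")
          + _sample("member1", "dc-old", "0xc000006d") + _sample("member3", "dc-new", "0xc0000133"))

if __name__ == "__main__":
    for (computer, target, status), n in failures_by_pair(SAMPLE).most_common():
        print(f"{n:3d}  {computer} -> {target}  {status}")
```

If every failing pair points at the same target server, the investigation can concentrate on that DC's DNS records, time sync and secure channel rather than on the member servers.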
