Re: SPNEGO 40960 errors
- From: "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx>
- Date: Wed, 28 Jun 2006 21:06:37 -0400
How are you checking the time? And have you checked the time zones? How
about checking whether the client has configured the DCs to have different
time sources?
My current favorite would be different time zones though, based on your
symptoms. :)
"jdn" <jdn@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:47DE368C-F82E-4371-B5EC-E91B0D277FCF@xxxxxxxxxxxxxxxx
Yes.
"Jorge Silva" wrote:
Did you read:
http://www.eventid.net/display.asp?eventid=40960&eventno=787&source=LsaSrv&phase=1
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"jdn" <jdn@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C015BED5-CB66-4FD8-A14A-43CDC6BA911C@xxxxxxxxxxxxxxxx
Those are different 40960 errors. We do not get logon server or secured
connection errors. It is the specific error message that the time on the
primary and backup domain controllers are too far apart, but when checking,
they are in sync.
jdn
"Jorge Silva" wrote:
Hi
A reverse lookup is not required for proper AD function. However, without a
reverse lookup zone and PTRs, you may see 40960 and 40961 events due to
Win2k3 and WinXP trying to make a secure PTR registration at the External
DNS that is Authoritative over the reverse lookup of the IP on the machine's
local interface. If it's a private address it will say cannot establish a
secured connection with the server prisoner.iana.org.
Also, nslookup will report "Can't find server name for address
<IPAddressOfDNSServer>"
The response comes back with one of the following server names:
prisoner.iana.org
blackhole-1.iana.org
blackhole-2.iana.org
These servers own the public PTR records for the 192.168.x.x zones. Since
they have no record of your DNS Server, they reply with a "Server does not
exist" reply, which causes LSASRV to log the error.
Solution: On the local DNS Server, create a Reverse Lookup Zone, and enter a
record for your DNS Server.
Also check:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823712&sd=ee
http://support.microsoft.com/default.aspx?scid=kb;en-us;824217&sd=ee
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows Operating System&ProdVer=5.2&EvtID=40960&EvtSrc=lsasrv&LCID=1033
http://www.eventid.net/display.asp?eventid=40960&eventno=787&source=LsaSrv&phase=1
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA
Systems Administrator
"jdn" <jdn@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4AFB029F-ED4E-4A72-8B29-8B3574FB5EF5@xxxxxxxxxxxxxxxx
A client I am working at is having intermittent "Cannot generate SSPI
context" errors, which have to do with delegation from a web services
machine to a SQL server.
In the event log of the machine that hosts the web service, there will be an
LLSRV error message stating that the time between the primary domain
controller and the backup domain controller are too far out of sync (which
causes a Kerberos failure), but a check of the times on the machines seems
to match.
Moreover, the issue is intermittent. If the times were out of sync, then
this error should happen consistently, not once or twice a week for 15-30
minutes.
Has anyone experienced something like this? Search of Google, etc. is
pretty blank, but these sorts of random errors bother me (must be residue
from my old days as an operations manager).
TIA.
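
Added example, not part of any post in this thread: because the skew error described above is intermittent and a spot check shows the clocks in sync, this PowerShell loop samples each domain controller's clock offset on a schedule and logs it, so the 15-30 minute windows can be matched against the 40960 events. The DC names, interval and log path are placeholders; the 300-second threshold is the default Kerberos clock-skew tolerance; offsets are measured relative to the machine running the script, and Export-Csv -Append needs PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): periodic clock-offset logging against each DC.
param(
    [string[]]$DomainControllers = @('dc1.example.test', 'dc2.example.test'),  # placeholder names
    [int]$IntervalSeconds = 60,                      # assumed sampling interval
    [int]$MaxSkewSeconds  = 300,                     # default Kerberos tolerance (5 minutes)
    [string]$LogPath      = '.\dc-time-offsets.csv'  # assumed log location
)

function Get-ClockOffset {
    param([string]$Computer)
    # With /dataonly, w32tm prints sample lines such as "21:06:37, +00.0012345s".
    $out = & w32tm.exe /stripchart "/computer:$Computer" /samples:1 /dataonly 2>&1
    foreach ($line in $out) {
        if ("$line" -match '([+-]\d+\.\d+)s\s*$') {
            return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    return $null   # no sample: host unreachable or time service not answering
}

while ($true) {
    $stamp = (Get-Date).ToUniversalTime().ToString('o')
    foreach ($dc in $DomainControllers) {
        $offset = Get-ClockOffset -Computer $dc
        if ($null -eq $offset) {
            $status = 'NO_SAMPLE'
        } elseif ([math]::Abs($offset) -gt $MaxSkewSeconds) {
            $status = 'SKEW_EXCEEDED'
        } else {
            $status = 'OK'
        }
        # One CSV row per DC per sample, timestamped in UTC to avoid time-zone confusion.
        [pscustomobject]@{
            TimeUtc = $stamp; Target = $dc; OffsetSeconds = $offset; Status = $status
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
        if ($status -ne 'OK') {
            Write-Warning "$stamp $dc offset=$offset status=$status"
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

The difference between two DCs' OffsetSeconds values in the same sample round approximates the skew between those DCs.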