Re: Critical Errors in Security Log
- From: v-chayan@xxxxxxxxxxxxxxxxxxxx ("Charles Yang [MSFT]")
- Date: Sun, 25 Sep 2005 23:46:15 GMT
HI Waj,
Thanks for updates.
I am glad to hear that you have resolved the problem by follow up my
suggestions. Please feel free here.
Have a nice day!
Best regards,
Charles Yang (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Thread-Topic: Critical Errors in Security Log
| thread-index: AcXAMo8kBl7ZJxxuQHiCleTB1wcBMg==
| X-WBNR-Posting-Host: 82.68.131.206
| From: =?Utf-8?B?V2Fq?= <Waj@xxxxxxxxxxxxxxxxxxxxxxxxx>
| References: <94A16F40-04E8-498A-8C73-CF25197080E3@xxxxxxxxxxxxx>
<#UOvIxnuFHA.3864@xxxxxxxxxxxxxxxxxxxx>
<D02FD55E-E00C-4628-B455-6AB6E5E32616@xxxxxxxxxxxxx>
<murayFLvFHA.768@xxxxxxxxxxxxxxxxxxxxx>
<9D470D02-5FC4-4DFB-9E42-578612F4B6C8@xxxxxxxxxxxxx>
<UahEME9vFHA.768@xxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Critical Errors in Security Log
| Date: Fri, 23 Sep 2005 04:33:03 -0700
| Lines: 311
| Message-ID: <11C21796-ECBA-4ACF-9373-22D942672A20@xxxxxxxxxxxxx>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:155861
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Hi Charles.
|
| Thanks for your help. The errors have been resolved by deleting the
cached
| credential directly.
| --
| Thanks.
| Waj Shah
|
|
| ""Charles Yang [MSFT]"" wrote:
|
| > HI Waj,
| >
| > Thanks for letting us know that my solution works for one of the
problem.
| > The error 1030 is the group policy is not successfully applied, if only
| > 1030 error occurs, you do not need to worry about that, it relate to
cache
| > credential on your computer, you can refer to my steps below to clean
it,
| > this does not relate to 40690 error:
| >
| > I. You can configure this security setting by opening the appropriate
| > policy and expanding the console tree as such: Computer
| > Configuration\Windows Settings\Security Settings\Local
Policies\Security
| > Options Network access:
| >
| > Do not allow storage of credentials or .NET Passports for network
| > authentication
| >
| > II. Following Registry value removes the "Remember My Password" option
from
| > all prompts for authentication:
| >
| > HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
| > Value Name: disabledomaincreds
| > Value Type: REG_DWORD
| > Values: 0 = allow domain credentials to be stored
| > 1 = do not store domain credentials
| > Set the disabledomaincreds value to "0" to restore the "Remember My
| > Password" checkbox on the prompt for authentication.
| >
| > III. Set Kerberos to use TCP
| >
| > 244474 How to force Kerberos to use TCP instead of UDP in Windows
Server
| > 2003,
| > http://support.microsoft.com/?id=244474
| >
| >
| > The steps #1 and #2 I introduced in my last reply are all used to
delete
| > the store credential. The step #1 could be applied to group policy that
| > cover the SBS server such as domain controller policy and you will find
the
| > policy below
| >
| > Computer Configuration\Windows Settings\Security Settings\Local
| > Policies\Security Options\Network access: Do not allow storage of
| > credentials or .NET Passports for network authentication
| >
| > The step #2 is used registry key way. The "0" is the default value.
When
| > you set this key to 1, to purge the original credential to clear the
store
| > and restart the machine.
| >
| > If you do not want the above steps, you could use the following way to
| > delete the cached credential directly.
| >
| > 1. On the SBS server open control panel
| >
| > 2. Open 'Stored User Names and Passwords'
| >
| > 3. Remove all entries in the list, as the problem could be caused by
the
| > incorrect credential cached here.
| >
| >
| > If the problem could not be resolved, we may need to set the Kerberos
to
| > TCP only, because of the following reasons.
| >
| > The Windows Kerberos authentication package is the default
authentication
| > package in Microsoft Windows Server 2003. By default, the maximum size
of
| > datagram packets for which Windows Server 2003 uses UDP is 1,465 bytes.
| > Depending on a variety of factors including security identifier (SID)
| > history and group membership, some accounts will have larger Kerberos
| > authentication packet sizes. Depending on hardware of your SBS network,
| > these larger packets may have to be fragmented when going through. The
| > problem is caused by fragmentation of these large UDP Kerberos packets.
| > Because UDP is a connectionless protocol, fragmented UDP packets will
be
| > dropped if they arrive at the destination out of order.
| >
| > Then, this issue could be occur that you logon to the SBS server
remotely,
| > and the UDP package is dropped at this situation. So, we could set the
| > Kerberos to use TCP only, as Kerberos is designed to work under both
UDP
| > and TCP.
| >
| > For the error, you could not edit group policy, it should relate to
| > updates, you have not applied, please refer to my suggestion below:
(This
| > should be the article that refer to your issue)
| >
| > 839499 You cannot open file shares or Group Policy snap-ins when you
disable
| > http://support.microsoft.com/?id=839499
| >
| > Hope the above information helpful. I am glad to help you.
| >
| >
| >
| > Best regards,
| >
| > Charles Yang (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > ======================================================
| > This newsgroup only focuses on SBS technical issues. If you have issues
| > regarding other Microsoft products, you'd better post in the
corresponding
| > newsgroups so that they can be resolved in an efficient and timely
manner.
| > You can locate the newsgroup here:
| > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| >
| > When opening a new thread via the web interface, we recommend you check
the
| > "Notify me of replies" box to receive e-mail notifications when there
are
| > any updates in your thread. When responding to posts via your
newsreader,
| > please "Reply to Group" so that others may learn and benefit from your
| > issue.
| >
| > Microsoft engineers can only focus on one issue per thread. Although we
| > provide other information for your reference, we recommend you post
| > different incidents in different threads to keep the thread clean. In
doing
| > so, it will ensure your issues are resolved in a timely manner.
| >
| > For urgent issues, you may want to contact Microsoft CSS directly.
Please
| > check http://support.microsoft.com for regional support phone numbers.
| >
| > Any input or comments in this thread are highly appreciated.
| > ======================================================
| > This posting is provided "AS IS" with no warranties, and confers no
rights.
| >
| >
| > =====================================================
| > When responding to posts, please "Reply to Group" via your newsreader
so
| > that others may learn and benefit from your issue.
| > =====================================================
| >
| > This posting is provided "AS IS" with no warranties, and confers no
rights.
| >
| > --------------------
| > | Thread-Topic: Critical Errors in Security Log
| > | thread-index: AcW/cuTdSFDHrQRXQlGztA2gmnb8Rw==
| > | X-WBNR-Posting-Host: 82.68.131.206
| > | From: =?Utf-8?B?V2Fq?= <Waj@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | References: <94A16F40-04E8-498A-8C73-CF25197080E3@xxxxxxxxxxxxx>
| > <#UOvIxnuFHA.3864@xxxxxxxxxxxxxxxxxxxx>
| > <D02FD55E-E00C-4628-B455-6AB6E5E32616@xxxxxxxxxxxxx>
| > <murayFLvFHA.768@xxxxxxxxxxxxxxxxxxxxx>
| > | Subject: Re: Critical Errors in Security Log
| > | Date: Thu, 22 Sep 2005 05:41:03 -0700
| > | Lines: 341
| > | Message-ID: <9D470D02-5FC4-4DFB-9E42-578612F4B6C8@xxxxxxxxxxxxx>
| > | MIME-Version: 1.0
| > | Content-Type: text/plain;
| > | charset="Utf-8"
| > | Content-Transfer-Encoding: 7bit
| > | X-Newsreader: Microsoft CDO for Windows 2000
| > | Content-Class: urn:content-classes:message
| > | Importance: normal
| > | Priority: normal
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| > | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:155546
| > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > |
| > | Hi Charles.
| > |
| > | The w32Time issue has been resolved, thanks for your help.
| > |
| > | There is another problem in the Event viewer as follows:
| > |
| > | In the Application log there is the following Error:
| > | Source: Userenv
| > | Event: 1030
| > | "Windows cannot query for the list of Group Policy objects. Check the
| > event
| > | log for possible messages previously logged by the policy engine that
| > | describes the reason for this."
| > |
| > | which I think are in relation to the following entries in the System
| > event
| > | Log:
| > | Source:LsaSrv
| > | Category:SPNEGO(Negotiator)
| > | Event:40960
| > | "The Security System detected an authentication error for the server
| > |
ldap/bruce.InstantSearch.local/InstantSearch.local@xxxxxxxxxxxxxxxxxxxx
| > The
| > | failure code from authentication protocol Kerberos was "The attempted
| > logon
| > | is invalid. This is either due to a bad username or authentication
| > | information.
| > | (0xc000006d)"."
| > |
| > | Also the following
| > | Source: Kerberos
| > | Event:14
| > |
| > | "There were password errors using the Credential Manager. To remedy,
| > launch
| > | the Stored User Names and Passwords control panel applet, and reenter
the
| > | password for the credential INSTANTSEARCH\wajid."
| > |
| > | Can you help?
| > | --
| > | Thanks.
| > | Waj Shah
| > |
| > |
| > | ""Charles Yang [MSFT]"" wrote:
| > |
| > | > Hi Waj,
| > | >
| > | > Thanks for updates.
| > | >
| > | > Personally, this issue is by design. The account to start the
Windows
| > Time
| > | > service is "localsystem" before you installing win2k3 SP1, however,
| > win2k3
| > | > SP1 has change the start up account to "local service" for the
security
| > | > reason. Local Service account has not been granted "Change the
system
| > time"
| > | > permissions. Windows Server 2003 SP1 changes the startup
configuration
| > of
| > | > the Windows Time service from LocalSystem to LocalService.
Therefore,
| > the
| > | > startup account that the Windows Time service uses must have
"Change
| > the
| > | > system time" permissions.
| > | >
| > | > By default, the LocalService account is not a member of the
| > Administrators
| > | > group and does not have "Change the system time" permissions.
| > Therefore,
| > | > the Windows Time service does not start, and event 7023 is logged
in
| > the
| > | > System log. More details is addressed in the article below:
| > | >
| > | > The Windows Time service may generate event ID 7023 after you
upgrade
| > to
| > | > Windows Server 2003 Service Pack 1
| > | > http://support.microsoft.com/?kbid=892501&SD=tech
| > | >
| > | > With regards to the commend-line to view the account permission, I
| > suggest
| > | > you take a look at the command-line called svcacls, which can grant
| > user
| > | > rights to start and stop individual services. I exact the following
| > usage
| > | > information from the Help information of svcacls:
| > | >
| > | > Usage Examples
| > | > ==============
| > | > svcacls (gives help)
| > | >
| > | > svcacls browser (lists permissions on the browser
| > service
| > | > on the local machine)
| > | >
| > | > svcacls \\computername\browser (list permissions on the browser
| > service on
| > | > machine computername)
| > | >
| > | > svcacls browser g:username:rx (grants the Read and Execute
| > permissions
| > | > for user username on the browser service, adding to the user's
current
| > | > permissions)
| > | >
| > | > svcacls browser s:username:rx (sets permissions for user username
to
| > Read
| > | > and Execute on the browser service, replacing the user's current
| > | > permissions)
| > | >
| > | > svcacls browser r:username (revokes user username's
permissions on
| > the
| > | > browser service on the local machine)
| > | >
| > | > svcacls browser d:username (explicitly denies access to user
| > username
| > | > on the browser service)
| > | >
| > | > You can use generic permissions (R, W, X, F) or specific
permissions.
| > | >
| > | > You can chain several commands on one line:
| > | >
| > | > svcacls browser r:username g:username:riu
| > | >
| > | > For more details, please refer to the following article:
| > | >
| > | > 325349 HOW TO: Grant Users Rights to Manage Services in Windows
Server
| > 2003
| > | > http://support.microsoft.com/?id=325349
| > | >
| > | > Hope the above information helpful, if you have any further
concerns,
| > | > please feel free to let me know. I will be here waiting for your
| > updates.
| > | >
| > | >
| > | >
| > | > Best regards,
| > | >
| > | > Charles Yang (MSFT)
| > | >
| > | > Microsoft CSS Online Newsgroup Support
| > | >
| > | > Get Secure! - www.microsoft.com/security
| > | >
| > | > ======================================================
|
.
- References:
- Re: Critical Errors in Security Log
- From: Charles
- Re: Critical Errors in Security Log
- Prev by Date: Re: NetBT Error
- Next by Date: Re: ASR Backup set
- Previous by thread: Re: Critical Errors in Security Log
- Next by thread: Re: Pop3 Connector Event ID 1015
- Index(es):
Relevant Pages
|
