Event ID 40961 Source LsaSrv
| Event ID | 40961 |
| Source | LsaSrv |
| Type | Warning |
| Description | The Security System could not establish a secured connection with the server <server name>. No authentication protocol was available. |
| Concepts to understand | What is the LSA? How is a secured connection established? What is an authentication protocol? What is the role of LsaSrv? |
| Comments |
Mihai Andrei (Last update 11/30/2008): As per Microsoft: "This problem occurs because the version number of the KRBTGT account increases when you perform an authoritative restoration. The KRBTGT account is a service account that is used by the Kerberos Key Distribution Center (KDC) service". See M939820 for a hotfix applicable to Microsoft Windows Server 2003. Microsoft article M259922 describes a situation in which this event occurs. Also see M938702 for additional information about this event.

Vadim Rapp (Last update 9/30/2008): We opened a support incident with Microsoft, and they sent hotfix M906681. This article is not related to this problem, but it has a newer version of kerberos.dll, which appears to be the culprit. If I am not mistaken, this new version is also included in XP SP3.

Anonymous (Last update 5/20/2008): This problem occurs every now and then on our Windows XP SP2 systems. It used to happen a lot on SP1. Usually running a Winsock repair fixes the problem (see the link to “WinSock XP Fix 1.2”). Sometimes we also have to remove the system from the domain and rejoin it in order to fix the problem.

Anonymous (Last update 9/7/2007): In my case, I got this event after adding a MS Windows XP SP2 workstation to a SBS 2003 R2 server. The problem was McAfee Security Center Suite, which I promptly removed.

Marina Roos (Last update 11/24/2006): This event only occurred when a specific user logged in on a specific XP SP2 machine, together with EventID 1030 from source Userenv. The User configuration policy was unable to be applied. If another user logged in on that same machine, no errors appeared and all policies were applied. It turned out that there was a stored password on the machine when this specific user was logged in. When that was deleted from User accounts Password Management, the errors disappeared and Folder Redirection finally happened for this user.

Dale Smith (Last update 8/18/2006): In my case, a WinXP workstation logged events 40960 and 40961 from source LsaSrv as well as event 1053 from source UserEnv. The problem was corrected by updating the Intel Gigabit NIC driver on the server.

Mike Pastore (Last update 8/7/2006): We received this event along with event 1219 and 1053 in the application log. The server lost connection to the DC and all accounts in the admin group showed just as their SIDs. We found that restarting the Site Server Content Deployment (CRS) service fixed the problem.

Anonymous (Last update 5/19/2006): If you also get EventID 14 from source Kerberos with this event, go to Control Panel -> User Accounts, click on the Advanced tab and then on Manage Passwords. There should be an entry there relating to the server and domain\user mentioned in the event id 14 description. Update or delete the entry. The user was being prompted to authenticate (with different account info already filled in) when trying to open a share on a specific server to which there should have been seamless access. After removing the entry, access worked normally and the errors went away.

Peter Hayden (Last update 5/19/2006): This Event ID appeared on a Windows XP SP2 computer each time it was started. This computer could ping the domain controller but not vice versa. When the Windows XP Firewall was disabled and the computer was removed and re-joined to the domain this event stopped.

Seth Connolly (Last update 4/9/2006): I was getting this error along with EventID 40960 from source LsaSrv and EventID 1006 from source Userenv. This was on a member server in a Windows 2003 domain. The events would all appear every two hours. It turned out that I had a user account (that was part of the admin group) still logged into the console and the password for that account had changed. Using Terminal Services Manager (since the machine is off-site), I logged that user out and had no more issues.

Anonymous (Last update 1/25/2006): We have a domain with Win2k AD and various Win2k and XP clients. This event only occurred on XP clients. Additionally, the logs showed event id 40961, 1054 and 1030. The logon process from the XP clients took forever, GPs were not applied and access to network shares was not possible. Increasing the Kerberos ticket size, as suggested by MS, didn't do the trick. Recreating users and/or machine accounts didn't help either. Simple solution was to finally install SP4 for Win2k on the domain controllers which we hadn't done before. Since then everything has been running smoothly.

Ross Smith (Last update 11/10/2005): We spotted this event after demoting one of our domain controllers. For a couple of weeks we had problems on the network but nothing specific, just minor problems here or there. Eventually, we realized that dcpromo had not removed all the DNS entries for the old server. We still had a NS record pointing to a server that no longer existed.

Anonymous (Last update 9/17/2005): I received this when my XP systems were connected to a Cisco switch. By default, Cisco switches take up to 20 seconds to begin passing traffic after the host brings up their Ethernet interface. You can set a particular port to start immediately using the "spanning-tree portfast" command on the port your hosts are connected to. This resolved the issue for me.

Joe Donner (Last update 7/24/2005): I started to get this event on an SBS 2003 server every hour or so after I changed the domain administrator's password. The DHCP server used the same credentials, so when I also changed the password in DHCP's properties, the warnings stopped appearing.

Rodney Buike (Last update 2/22/2005): I installed a new ISA 2004 server and I started to receive many errors of this type. In my case, the server referenced in the event description was an external DNS server from my ISP.
I disabled DNS registration on the WAN NIC and the error went away.

Ionut Marin (Last update 2/20/2005): See M885887 for a hotfix applicable to Microsoft Windows XP Professional Service Pack 2. As per Microsoft: "The Negotiate package could not select a secure authentication protocol because the user provided incorrect credentials or because the domain controller was temporarily unavailable". See MSW2KDB for more details on this event. This can occur if the File Replication Service (Ntfrs.exe) tries to authenticate before the directory service has started. See M824217 to troubleshoot this problem.

From a newsgroup post: "In my case, this error occurred because the credentials specified in my DHCP server on “DC1” for dynamic DNS registration were misspelled".

From a newsgroup post: "
1. If the 40960/40961 events only happen at boot, it is likely that M823712 and M824217 will help you to fix this problem.
2. If the 40960/40961 events happen at a regular interval (i.e., hourly), try to determine what service may need to authenticate at that interval. For example, if a XP/2003 machine is pointed directly at a DNS server that doesn't support Kerberos, secure dynamic updates will generate 40960/40961 events. Even if the XP/2003 machine is pointed to a 2000/2003 DNS server, if the SOA for the zone is a non-Microsoft DNS server that doesn't support Kerberos, the 40960/40961 events can still be generated.
3. Get a list of the computer names of the DCs in the domain, and compare that to a list of all machine accounts in the forest to see if there is a name conflict. For example, if NTSERVER is a member server in the parent domain, and NTSERVER is a DC in the child domain, you can see 40960/40961 events because of the name conflict.
4. Verify RPC Locator is correctly configured: Started, Automatic - Windows 2000 domain controllers. Stopped, Manual - Windows Server 2003 domain controllers & member servers.
Stopped, Disabled - Windows 2000 clients & member servers, XP clients.
5. If the registry on the DC contains the NT4Emulator registry value in the following registry key, set it to 0, or delete it entirely.
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
6. Verify the DHCP client service is started on all machines. Even machines with static IP addresses (including domain controllers and member servers) need to have DHCP client service enabled because that service handles DNS dynamic updates.
7. Verify there is not a time skew between machines. Make sure to verify the time, date, and year, are all the same. Appendix A of the Troubleshooting Kerberos Errors white paper shows a sample trace where clock skew breaks Kerberos.
8. Kerberos UDP packet fragmentation can result in Kerberos failure. Appendix A of the Troubleshooting Kerberos Errors white paper shows a sample trace where UDP fragmentation breaks Kerberos.
   - 2003 - RTM defaults to MaxPacketSize of 1465 bytes.
   - 2000 - RTM defaults to 2000 bytes. With hotfix 315150 or SP4, default is 1465.
   - XP - RTM defaults to 2000 bytes. With SP2, default is 1465. There is no hotfix, SP2 is the only way to get the 1465 default without manually setting the MaxPacketSize registry value to 1465.
   See M315150 and M244474 for details.
9. Reset the secure channel.
10. Create a reverse lookup zone and add the DNS server to it. The step is included here because it was the fix in a customer verified solution object, but more information is needed to understand why this would resolve the 40960/40961 events.
11. Verify the necessary SPNs are registered, based on the information in the event description.
12. Clear cached credentials. 2003 - Control Panel, Stored User Names and Passwords, Remove them all.
13. Based on the information in the event description, verify that the SAM account name of one account is not the same as the UPN of another account".

From a newsgroup post: "I was having this problem when using Microsoft’s Virtual PC 2004 with Windows 2003. I keep getting messages that the server’s clock on the virtual machine is out of sync with my physical box running Windows Server 2003. In the end, I just noticed that the date on my other box was 7/26, but the date on the virtual machine was 7/25. After making the necessary adjustments, the problem disappeared".

From a newsgroup post: "If this server is joined to a domain called mydomain.com and you have two adapters, configure both adapters to point to your Active Directory DNS server or disable DNS registration on the second adapter. See M246804 for information on how to enable or disable dynamic DNS registrations in Windows 2000 and in Windows Server 2003".

From a newsgroup post: "Other posts in various newsgroups suggested that a problem with a user’s profile could be the cause of failures to apply GPOs, which is the root cause of My Documents redirection failures. This was consistent with what I was seeing. I was not using roaming profiles, so User A’s profile on PC01 was (potentially) different than it is on PC02. Furthermore, PC01 was installed with Windows XP Pro from scratch while PC02 ran Windows XP Home for 2 years and then was upgraded to Windows XP Pro. User A's profile on PC01 was created "fresh" while on PC02 it was migrated when PC02 was joined to the domain. I did not find specific information concerning what gets screwed up in the profile or why it causes GPO failures. However, the fix steps were reasonably uniform:
1. Logon to the problematic PC as Administrator.
2. Backup the profile of the problem user. (E.g., copy it elsewhere. Be sure hidden and system files are copied. For example, \Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook often contains “.OST” and/or “.PST” files. I compared the total size and number of files in the original and backup before proceeding to Step 3.)
3. Delete the problematic profile. (Right-click My Computer -> Properties -> Advanced Tab -> User Profiles [Settings] button. Select the profile to be deleted with care.)
4. Logoff as Administrator and logon as the problem (domain) user to recreate the profile.
5. Restore (copy back) the files from the backed-up profile. (Be careful about what gets overwritten.)
When I did this for User A on PC02, the 1030 and 40961 events stopped and My Documents redirection worked".

JSI Tip 5612 also provides information about this event. See M891559 for additional information on this event.

Peter (Last update 2/17/2005): See M810207 for information on IPSec default exemptions.

Anonymous (Last update 1/19/2005): I started getting this error message on Windows XP workstations on our network after I promoted our Domain Controller from WinNT to Win2k. I noticed that the problem was occurring right after EventID 35 from source W32time. Basically what was happening was that the XP workstations affected were set to sync to an external time source rather than with their domain controller. Run the following while logged on as administrator to get rid of this log entry:
1. Stop the Windows time service by going to Control panel/Admin tools/Services.
2. Open a command prompt and type “net time /setsntp: <IP address of domain controller>”.
3. Restart the Windows time service and the message should go away.

Anonymous (Last update 10/21/2004): - Data: 0000: c000018b = STATUS_NO_TRUST_SAM_ACCOUNT - This error code means the computer account has been deleted.

Micheal (Last update 9/29/2004): What I discovered, for our situation, is that the credentials for DNS dynamic updates were invalid. These credentials are entered in the DHCP snap-in.
1. Launch the DHCP snap-in.
2. Right-click the Domain and select Properties.
3. Click once on the Advanced tab.
4. Towards the bottom of the dialogue box, you will see a button labeled "Credentials". Click on the button.
5. Enter a user, which has been created for this purpose and is a member of the "DnsUpdateProxy" group.
6. Click on "Apply".
7. Click on "OK" and the problem should disappear.

K-Man (Last update 7/7/2004): I experienced this problem on Windows XP workstations, when users logged into a terminal server and terminal sessions were disconnected (but not terminated). To fix this problem I configured the terminal server to end disconnected sessions, and end sessions where users were idle for more than a specified amount of time.

Montana Pete (Last update 4/3/2004): This happened to me when I installed new drivers for the internal DSL modem. This would probably also apply to any network card connected to the internet through any modem or router. The default settings were to "Register this connection's address in DNS". When registration was attempted I got the "Security System could not establish a secured connection with the server DNS/<host name>". Why a connection was attempted with that name server rather than the ISP's I'll never know. Unchecking "Register this connection's address" solved the problem.

Peter Kaufman (Last update 1/27/2004): This error may result from securing Client-to-Domain Controller and Domain Controller-to-Domain Controller traffic with IPSec. This is unsupported as per M254949.

Yvette Lian (Last update 1/2/2004): I came across this problem after installing two Windows 2003 DCs onto our Windows 2000 network. The user was attempting to map a drive to an OS400 V5R2 machine. This had worked previously, but stopped working after the introduction of the new DCs. The connection attempt would eventually timeout instead of asking for credentials.
I modified the default domain GPO to disable the following setting: "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (always)".

PK (Last update 1/2/2004): We were also getting this error along with Event ID 40960 on a Windows 2003 Member Server (in a Windows 2003 AD) which had its own DNS Server Service Running. The problem was that the server was booting up and several services were trying to run (including NETLOGON) before the Member Server's DNS Server Service had started. This resulted in no name lookup for the Active Directory Domain and hence could not contact any Domain Controllers.

Penny Yao (Last update 11/19/2003): I saw this event accompanied by 40960, as a pair, on a Windows Server 2003 acting as a member server in a Windows 2000 domain. The errors appear in the log when some users try to access the web server: IE prompts for credentials and, even if the credentials are correct, the users are denied access. The problem seems to be resolved after restarting the NETLOGON service.

Darren Monahan (Last update 10/26/2003): If this warning appears by itself on an hourly basis, check that the credentials assigned to the DHCP server to register DNS dynamic updates are valid. Spelling errors or incorrect passwords and/or domain names can be to blame. To do this in Windows Server 2003, open the DHCP snap-in, open the properties for your DHCP server, select the "Advanced" tab, and click the "Credentials" button. Verify the username, password, and domain listed here are valid.

Anonymous (Last update 10/26/2003): We had the same problem on one of the workstations that had a long logon timeout. This has worked for us:
1. Logon as an admin.
2. Remove from domain.
3. Add to domain.
4. Restart.

Adrian Grigorof (Last update 8/12/2003): From a newsgroup post: "If there is a matching 40960 event then it is more likely a forward lookup zone issue in DNS.
If not, it probably is that Windows is looking for a reverse lookup zone." As per M823712, this may occur when you restart the server that was promoted to a domain controller.

DweezMon (Last update 8/12/2003): If the server name is prisoner.iana.org, blackhole-1.iana.org or blackhole-2.iana.org, this is just telling you that Windows could not perform a reverse lookup on the IP address configured as a DNS server. These names are used to respond with "server does not exist" when you use a private IP range, for example 192.168.1.0. This can be quickly cleared up by adding a Reverse Lookup zone, and adding a record for your DNS Server.

Adrian Florin Moisei (Last update 5/23/2003): From a newsgroup post: "If the system is Win XP and if the errors were not occurring under a different profile the following steps can solve the problem:
1. Log on as a different user.
2. Back up the profile in mention.
3. Delete the profile.
4. Create a new profile by logging on.
5. Restore the files from the backed up profile."

Gunnar Carlson (Last update 5/18/2003): I get this error on all DC's that I upgrade to Windows 2003 Server. I upgraded one DC from W2k3 beta3 to the released version, and the events immediately started to show up. After I created the reverse lookup zones for the network they stopped.

Anonymous (Last update 5/10/2003): This happened when machines were trying to register PTR records, and we didn't have reverse lookup zones. The solution was to add them for all our subnets.

DJ (Last update 5/2/2003): I'm on a small home test network with Win2k domain behind a Linksys 4 port DSL router. The router handles DNS. A power failure sacked my domain controllers. After some restores and GP resets, my DCs were up and talking. But my workstation could not access AD Users and computers. The problem was the order of DNS in the Linksys.
After putting my local DNS server first in the list on the Linksys, I was able to get to AD.

Greg Martin: Had this on a WinXP workstation which could no longer access domain resources. The fix was changing the DNS settings to point to a Win2k DNS which was tied into Active Directory. Apparently the workstation could no longer locate SRV records for the Kerberos authentication server. These records were not in our UNIX DNS but were in the Win2k DNS. Related directly to Event 40960 - LsaSrv.
| Links | M244474, M246804, M254949, M259922, M315150, M823712, M824217, M885887, M891559, M906681, M938702, M939820, JSI Tip 5612, Troubleshooting Kerberos Errors, WinSock XP Fix 1.2, EventID 40960 from source LsaSrv, EventID 1006 from source Userenv, EventID 1030 from source Userenv, MSW2KDB |
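
The cadence triage from the newsgroup post quoted in the comments (boot-only versus regular-interval 40960/40961 events), combined with the IANA sink names and the c000018b status other commenters mention, as an added Python example that is not part of the original page. The record layout (`time`, `id`, `target`, `status`), the boot list, the 10-minute boot window, the 10% jitter and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Names the page says appear when the configured DNS server has no reverse zone.
IANA_SINKS = {"prisoner.iana.org", "blackhole-1.iana.org", "blackhole-2.iana.org"}
# Status value quoted on the page (event data "0000: c000018b").
STATUS_HINTS = {0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT: computer account has been deleted"}


def cadence(times, boots, boot_window=timedelta(minutes=10), jitter=0.1):
    """Classify one target's event times as 'boot-only', 'periodic' or 'irregular'."""
    times = sorted(times)
    if times and all(any(timedelta(0) <= t - b <= boot_window for b in boots) for t in times):
        return "boot-only"
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) >= 2:
        mid = median(gaps)
        # Periodic when every gap lies within `jitter` (10%) of the median gap.
        if mid > 0 and all(abs(g - mid) <= jitter * mid for g in gaps):
            return "periodic"
    return "irregular"


def triage(events, boots):
    """Group 40960/40961 records by target and attach the hints from the comments."""
    by_target = defaultdict(list)
    for ev in events:
        if ev["id"] in (40960, 40961):
            by_target[ev["target"].lower()].append(ev)
    report = {}
    for target, evs in by_target.items():
        kind = cadence([e["time"] for e in evs], boots)
        hints = []
        if kind == "boot-only":
            hints.append("boot-only: see M823712 and M824217")
        elif kind == "periodic":
            hints.append("regular interval: find the service that authenticates on that "
                         "schedule, e.g. DHCP credentials for DNS dynamic updates")
        if target in IANA_SINKS:
            hints.append("reverse lookup zone missing for the configured DNS server")
        seen = {e.get("status") for e in evs}
        hints += [STATUS_HINTS[s] for s in sorted(seen & set(STATUS_HINTS))]
        report[target] = (kind, hints)
    return report


def _t(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample (not from the page); field names are a hypothetical export layout.
BOOTS = [_t("2008-05-01 08:00"), _t("2008-05-02 08:00")]
SAMPLE = [
    {"time": _t("2008-05-01 08:02"), "id": 40961, "target": "ldap/dc1.example.test"},
    {"time": _t("2008-05-02 08:03"), "id": 40960, "target": "ldap/dc1.example.test"},
    {"time": _t("2008-05-01 09:15"), "id": 40961, "target": "prisoner.iana.org"},
    {"time": _t("2008-05-01 10:15"), "id": 40961, "target": "prisoner.iana.org"},
    {"time": _t("2008-05-01 11:16"), "id": 40961, "target": "prisoner.iana.org"},
    {"time": _t("2008-05-01 13:40"), "id": 40961, "target": "cifs/fs1.example.test", "status": 0xC000018B},
    {"time": _t("2008-05-01 13:40"), "id": 1030, "target": "n/a"},
]

if __name__ == "__main__":
    print(triage(SAMPLE, BOOTS))
```
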
