Troubleshooting: Event ID:40961

Discussion in 'Windows Server' started by Chris, Dec 2, 2008.

  1. Chris

    Chris Guest


    A few of my Machines are causing this problem. I thought the connection was
    with a specific user but it does appear to happen now with multiple
    people/same desktop. All my XP boxes are SP2, some have moved to SP3 due to
    WSUS not keeping the update as Declined. However, all these errors result
    from SP2 boxes.

    Event Type: Warning
    Event Source: LSASRV
    Event Category: SPNEGO (Negotiator)
    Event ID: 40961
    Date: 01/12/2008
    Time: 11:00:51 PM
    User: N/A
    Computer: CS04
    The Security System could not establish a secured connection with the server
    cifs/ser-domain.local. No authentication protocol was available.

    Generally, the next process logged in and around the same time is:

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1030
    Date: 02/12/2008
    Time: 10:49:05 AM
    User: SCOTIANGOLD\username
    Computer: CS04
    Windows cannot query for the list of Group Policy objects. A message that
    describes the reason for this was previously logged by the policy engine

    Workstations: SP2 with recent updates
    Server: SBS 2003 Standard SP2 - been up for a bit
    All machines can access the network resources without issue.

    Any suggestions on how to troubleshoot this?
    Chris, Dec 2, 2008

  2. Someone here mentions it being related to the kerberos.dll.

    - Thee Chicago Wolf
    Thee Chicago Wolf, Dec 2, 2008

  3. Hello Chris,

    Are the machines installed from images? Are the images sysprepped?

    Best regards

    Meinolf Weber
    Meinolf Weber, Dec 2, 2008
  4. Chris

    Chris Guest


    I wish I could use an image, that would make life so much easier.

    However, I work for an organization that purchases computers only when needed
    - ie: still got 98 and 2000 machines. All the licenses are OEM from Dell and
    they will not let me get volume licensing due to cost. My experiences with
    dealing with OEM licenses and an image have not been favorable.

    Like most things in a small business - the fight to get the funding is
    fruitless. My boss is also the accountant of the business. It's all about $$$
    and not about anything else.
    Chris, Dec 3, 2008
  5. Meinolf Weber, Dec 3, 2008
  6. Chris

    Chris Guest

    New findings on this machine, posted in the article just in case someone
    doesn't look here.

    Troubleshooting: Workstation Issues - Rsop Results
    Chris, Dec 3, 2008
  7. Was it kerberos related as I originally posted?

    - Thee Chicago Wolf
    Thee Chicago Wolf, Dec 3, 2008
  8. Chris

    Chris Guest

    I do not subscribe to this site, unable to find out more details from your
    link as the links are internal.

    Do you have an MS KB article?
    Chris, Dec 3, 2008
  9. Chris

    Chris Guest

    5.1.2600.2698 (xpsp_sp2_gdr.050614-1522)
    Chris, Dec 3, 2008
  10. You don't have to be subscribed to the web site to read what others
    have posted about the event id. There's probably over two dozen posts
    at the link I provided as well as references to MS KB articles for a
    potential fix. The person at the top explicitly recommends Try it.

    Mihai Andrei (Last update 11/30/2008):
    As per Microsoft: "This problem occurs because the version number of
    the KRBTGT account increases when you perform an authoritative
    restoration. The KRBTGT account is a service account that is used by
    the Kerberos Key Distribution Center (KDC) service". See M939820 for a
    hotfix applicable to Microsoft Windows Server 2003.

    Microsoft article M259922 describes a situation in which this event

    Also see M938702 for additional information about this event.

    Vadim Rapp (Last update 9/30/2008):
    We opened a support incident with Microsoft, and they sent hotfix
    M906681. This article is not related to this problem, but it has a
    newer version of kerberos.dll, which appears to be the culprit. If I
    am not mistaken, this new version is also included in XP SP3.

    Anonymous (Last update 5/20/2008):
    This problem occurs every now and then on our Windows XP SP2 systems.
    It used to happen a lot on SP1. Usually running a Winsock repair fixes
    the problem (see the link to “WinSock XP Fix 1.2”). Sometimes we also
    have to remove the system from the domain and rejoin it in order to
    fix the problem.

    Anonymous (Last update 9/7/2007):
    In my case, I got this event after adding a MS Windows XP SP2
    workstation to a SBS 2003 R2 server. The problem was McAfee Security
    Center Suite, which I promptly removed.

    Marina Roos (Last update 11/24/2006):
    This event only occurred when a specific user logged in on a specific
    XP SP2 machine, together with EventID 1030 from source Userenv. The
    User configuration policy was unable to be applied. If another user
    logged in on that same machine, no errors appeared and all policies
    were applied.
    It turned out that there was a stored password on the machine when
    this specific user was logged in. When that was deleted from User
    accounts Password Management, the errors disappeared and Folder
    Redirection finally happened for this user.

    Dale Smith (Last update 8/18/2006):
    In my case, a WinXP workstation logged events 40960 and 40961 from
    source LsaSrv as well as event 1053 from source UserEnv. The problem
    was corrected by updating the Intel Gigabit NIC driver on the server.

    Mike Pastore (Last update 8/7/2006):
    We received this event along with event 1219 and 1053 in the
    application log. The server lost connection to the DC and all accounts
    in the admin group showed just as their SIDs. We found that restarting
    the Site Server Content Deployment (CRS) service fixed the problem.

    Anonymous (Last update 5/19/2006):
    If you also get EventID 14 from source Kerberos with this event, go to
    Control Panel -> Users Accounts, click on the Advanced tab and then on
    Manage Passwords. There should be an entry there relating to the
    server and domain\user mentioned in the event id 14 description.
    Update or delete the entry.
    The user was being prompted to authenticate (with different account
    info already filled in) when trying to open a share on a specific
    server to which there should have been seamless access. After removing
    the entry, access worked normally and the errors went away.

    Peter Hayden (Last update 5/19/2006):
    This Event ID appeared on a Windows XP SP2 computer each time it was
    started. This computer could ping the domain controller but not vice
    versa. When the Windows XP Firewall was disabled and the computer was
    removed and re-joined to the domain this event stopped.

    Seth Connolly (Last update 4/9/2006):
    I was getting this error along with EventID 40960 from source LsaSrv
    and EventID 1006 from source Userenv. This was on a member server in a
    Windows 2003 domain. The events would all appear every two hours. It
    turned out that I had a user account (that was part of the admin
    group) still logged into the console and the password for that account
    had changed. Using Terminal Services Manager (since the machine is
    off-site), I logged that user out and had no more issues.

    Anonymous (Last update 1/25/2006):
    We have a domain with Win2k AD and various Win2k and XP clients. This
    event only occurred on XP clients. Additionally, the logs showed event
    id 40961, 1054 and 1030. The logon process from the XP clients took
    forever, GPs were not applied and access to network shares was not
    possible. Increasing the kerberos ticket size, as suggested by MS,
    didn't do the trick. Recreating users and/or machine accounts didn't
    help either. Simple solution was to finally install SP4 for Win2k on
    the domain controllers which we hadn't done before. Since then
    everything has been running smooth.

    Ross Smith (Last update 11/10/2005):
    We spotted this event after demoting one of our domain controllers.
    For a couple of weeks we had problems on the network but nothing
    specific, just minor problems here or there. Eventually, we realized
    that dcpromo had not removed all the DNS entries for the old server.
    We still had a NS record pointing to a server that no longer existed.

    Anonymous (Last update 9/17/2005):
    I received this when my XP systems were connected to a Cisco switch.
    By default, Cisco switches take up to 20 seconds to begin passing
    traffic after the host brings up their Ethernet interface. You can set
    a particular port to start immediately using the "spanning-tree
    portfast" command on the port your hosts are connected to. This
    resolved the issue for me.

    Joe Donner (Last update 7/24/2005):
    I started to get this event on an SBS 2003 server every hour or so
    after I changed the domain administrator's password. The DHCP server
    used the same credentials, so when I also changed the password in
    DHCP's properties, the warnings stopped appearing.

    Rodney Buike (Last update 2/22/2005):
    I installed a new ISA 2004 server and I started to receive many errors
    of this type. In my case, the server referenced in the event
    description was an external DNS server from my ISP. I disabled DNS
    registration on the WAN NIC and the error went away.

    Ionut Marin (Last update 2/20/2005):
    See M885887 for a hotfix applicable to Microsoft Windows XP
    Professional Service Pack 2.

    As per Microsoft: "The Negotiate package could not select a secure
    authentication protocol because the user provided incorrect
    credentials or because the domain controller was temporarily
    unavailable". See MSW2KDB for more details on this event.

    This can occur if the File Replication Service (Ntfrs.exe) tries to
    authenticate before the directory service has started. See M824217 to
    troubleshoot this problem.

    From a newsgroup post: "In my case, this error occurred because the
    credentials specified in my DHCP server on “DC1” for dynamic DNS
    registration were misspelled".

    From a newsgroup post: "1. If the 40960/40961 events only happen at
    boot, it is likely that M823712 and M824217 will help you to fix this
    2. If the 40960/40961 events happen at a regular interval (i.e.,
    hourly), try to determine what service may need to authenticate at
    that interval. For example, if a XP/2003 machine is pointed directly
    at a DNS server that doesn't support Kerberos, secure dynamic updates
    will generate 40960/40961 events. Even if the XP/2003 machine is
    pointed to a 2000/2003 DNS server, if the SOA for the zone is a
    non-Microsoft DNS server that doesn't support Kerberos, the
    40960/40961 events can still be generated.
    3. Get a list of the computer names of the DCs in the domain, and
    compare that to a list of all machine accounts in the forest to see if
    there is a name conflict. For example, if NTSERVER is a member server
    in the parent domain, and NTSERVER is a DC in the child domain, you
    can see 40960/40961 events because of the name conflict.
    4. Verify RPC Locator is correctly configured:
    Started, Automatic - Windows 2000 domain controllers.
    Stopped, Manual - Windows Server 2003 domain controllers & member
    Stopped, Disabled - Windows 2000 clients & member servers, XP clients.
    5. If the registry on the DC contains the NT4Emulator registry value
    in the following registry key, set it to 0, or delete it entirely.

    6. Verify the DHCP client service is started on all machines. Even
    machines with static IP addresses (including domain controllers and
    member servers) need to have DHCP client service enabled because that
    service handles DNS dynamic updates.
    7. Verify there is not a time skew between machines. Make sure to
    verify the time, date, and year, are all the same. Appendix A of the
    Troubleshooting Kerberos Errors white paper shows a sample trace where
    clock skew breaks Kerberos.
    8. Kerberos UDP packet fragmentation can result in Kerberos failure.
    Appendix A of the Troubleshooting Kerberos Errors white paper shows a
    sample trace where UDP fragmentation breaks Kerberos.

    2003 - RTM defaults to MaxPacketSize of 1465 bytes.
    2000 - RTM defaults to 2000 bytes. With hotfix 315150 or SP4, default
    is 1465
    XP - RTM defaults to 2000 bytes. With SP2, default is 1465. There is
    no hotfix, SP2 is the only way to get the 1465 default without
    manually setting the MaxPacketSize registry value to 1465. See M315150
    and M244474 for details.
    9. Reset the secure channel.
    10. Create a reverse lookup zone and add the DNS server to it. The
    step is included here because it was the fix in a customer verified
    solution object, but more information is needed to understand why this
    would resolve the 40960/40961 events.
    11. Verify the necessary SPNs are registered, based on the information
    in the event description.
    12. Clear cached credentials.
    2003 - Control Panel, Stored User Names and Passwords, Remove them
    13. Based on the information in the event description, verify that the
    SAM account name of one account is not the same as the UPN of another

    From a newsgroup post: "I was having this problem when using
    Microsoft’s Virtual PC 2004 with Windows 2003. I keep getting messages
    that the server’s clock on the virtual machine is out of sync with my
    physical box running Windows Server 2003. In the end, I just noticed
    that the date on my other box was 7/26, but the date on the virtual
    machine was 7/25. After making the necessary adjustments, the problem

    From a newsgroup post: "If this server is joined to a domain called and you have two adapters, configure both adapters to
    point to your Active Directory DNS server or disable DNS registration
    on the second adapter. See M246804 for information on how to enable or
    disable dynamic DNS registrations in Windows 2000 and in Windows
    Server 2003".

    From a newsgroup post: "Other posts in various newsgroups suggested
    that a problem with a user’s profile could be the cause of failures to
    apply GPOs, which is the root cause of My Documents redirection
    failures. This was consistent with what I was seeing. I was not using
    roaming profiles, so User A’s profile on PC01 was (potentially)
    different than it is on PC02. Furthermore, PC01 was installed with
    Windows XP Pro from scratch while PC02 ran Windows XP Home for 2 years
    and then was upgraded to Windows XP Pro. User A's profile on PC01 was
    created "fresh" while on PC02 it was migrated when PC02 was joined to
    the domain.
    I did not find specific information concerning what gets screwed up in
    the profile or why it causes GPO failures. However, the fix steps were
    reasonably uniform:
    1. Logon to the problematic PC as Administrator.
    2. Backup the profile of the problem user. (E.g., copy it elsewhere.
    Be sure hidden and system files are copied. For example, \Documents
    and Settings\<username>\Local Settings\Application
    Data\Microsoft\Outlook often contains “.OST” and/or “.PST” files. I
    compared the total size and number of files in the original and backup
    before proceeding to Step 3.)
    3. Delete the problematic profile. (Right-click My Computer ->
    Properties -> Advanced Tab -> User Profiles [Settings] button. Select
    the profile to be deleted with care.)
    4. Logoff as Administrator and logon as the problem (domain) user to
    recreate the profile.
    5. Restore (copy back) the files from the backed-up profile. (Be
    careful about what gets overwritten.)
    When I did this for User A on PC02, the 1030 and 40961 events stopped
    and My Documents redirection worked".

    JSI Tip 5612 also provides information about this event.

    See M891559 for additional information on this event.

    Peter (Last update 2/17/2005):
    See M810207 for information on IPSec default exemptions.

    Anonymous (Last update 1/19/2005):
    I started getting this error message on Windows XP workstations on our
    network after I promoted our Domain Controller from WinNT to Win2k. I
    noticed that the problem was occurring right after EventID 35 from
    source W32time. Basically what was happening was that the XP
    workstations affected were set to sync to an external time source
    rather than with their domain controller. Run the following while
    logged on as administrator to get rid of this log entry:
    1. Stop the Windows time service by going to Control panel/Admin
    2. Open a command prompt and type “net time /setsntp: <IP address of
    domain controller>”.
    3. Restart the Windows time service and the message should go away.

    Anonymous (Last update 10/21/2004):
    - Data: 0000: c000018b = STATUS_NO_TRUST_SAM_ACCOUNT - This error code
    means the computer account has been deleted.

    Micheal (Last update 9/29/2004):
    What I discovered, for our situation, is that the credentials for DNS
    dynamic updates were invalid. These credentials are entered in the
    DHCP snap-in.

    1. Launch the DHCP snap-in.
    2. Right-click the Domain and select Properties.
    3. Click once on the Advanced tab.
    4. Towards the bottom of the dialogue box, you will see a button
    labeled "Credentials". Click on the button.
    5. Enter a user, which has been created for this purpose and is a
    member of the "DnsUpdateProxy" group.
    6. Click on "Apply".
    7. Click on "OK" and the problem should disappear.

    K-Man (Last update 7/7/2004):
    I experienced this problem on Windows XP workstations, when users
    logged into a terminal server and terminal sessions were disconnected
    (but not terminated). To fix this problem I configured the terminal
    server to end disconnected sessions, and end sessions where users were
    idle for more than a specified amount of time.

    Montana Pete (Last update 4/3/2004):
    This happened to me when I installed new drivers for the internal DSL
    modem. This would probably also apply to any network card connected to
    the internet through any modem or router. The default settings were to
    "Register this connection's address in DNS". When registration was
    attempted I got the "Security System could not establish a secured
    connection with the server DNS/<host name>". Why a connection was
    attempted with that name server rather than the ISP's I'll never know.
    Unchecking "Register this connection's address" solved the problem.

    Peter Kaufman (Last update 1/27/2004):
    This error may result from securing Client-to-Domain Controller and
    Domain Controller-to-Domain Controller traffic with IPSec. This is
    unsupported as per M254949.

    Yvette Lian (Last update 1/2/2004):
    I came across this problem after installing two Windows 2003 DCs onto
    our Windows 2000 network. The user was attempting to map a drive to an
    OS400 V5R2 machine. This had worked previously, but stopped working
    after the introduction of the new DCs. The connection attempt would
    eventually timeout instead of asking for credentials. I modified
    default domain GPO to disable the following setting: "Computer
    Configuration\Windows Settings\Security Settings\Local
    Policies\Security Options\Microsoft Network Server: Digitally sign
    communications (always)".

    PK (Last update 1/2/2004):
    We were also getting this error along with Event ID 40960 on a Windows
    2003 Member Server (in a Windows 2003 AD) which had its own DNS Server
    Service Running. The problem was that the server was booting up and
    several services were trying to run (including NETLOGON) before the
    Member Servers DNS Server Service had started. This resulted in no
    name lookup for the Active Directory Domain and hence could not
    contact any Domain Controllers.

    Penny Yao (Last update 11/19/2003):
    I saw this event accompanied by 40960 in a pair on a Windows Server
    2003 acting as member server in a Windows 2000 domain. The errors
    appear in the log, when some users try to access the web server, IE
    will prompt for credential, even if the credential is correct, the
    users are denied access. The problem seems to be resolved after
    restarting NETLOGON service.

    Darren Monahan (Last update 10/26/2003):
    If this warning appears by itself on an hourly basis, check that the
    credentials assigned to the DHCP server to register DNS dynamic
    updates are valid. Spelling errors or incorrect passwords and/or
    domain names can be to blame. To do this in Windows Server 2003, open
    the DHCP snap-in, open the properties for your DHCP server, select the
    "Advanced" tab, and click the "Credentials" button. Verify the
    username, password, and domain listed here are valid.

    Anonymous (Last update 10/26/2003):
    We had the same problem on one of the workstations that had a long
    logon timeout. This has worked for us:
    1. logon as an admin.
    2. remove from domain.
    3. add to domain.
    4. restart.

    Adrian Grigorof (Last update 8/12/2003):
    From a newsgroup post: "If there is there a matching 40960 event then
    it is more likely a forward lookup zone issue in DNS. If not, it
    probably is that Windows is looking for a reverse lookup zone."

    As per M823712, this may occur when you restart the server that was
    promoted to a domain controller.

    DweezMon (Last update 8/12/2003):
    If the server name is, or, this is just telling you that Windows could not
    perform a reverse lookup on the IP address configured as a DNS server.
    These names are used to respond with "server does not exist" when you
    use a private IP range, for example This can be quickly
    cleared up by adding a Reverse Lookup zone, and adding a record for
    your DNS Server.

    Adrian Florin Moisei (Last update 5/23/2003):
    From a newsgroup post: "If the system is Win XP and if the errors were
    not occurring under a different profile the following steps can solve
    the problem:
    1. Log on as a different user
    2. Back up the profile in mention.
    3. Delete the profile.
    4. Create a new profile by logging on.
    5. Restore the files from the backed up profile."

    Gunnar Carlson (Last update 5/18/2003):
    I get this error on all DC's that I upgrade to Windows 2003 Server. I
    upgraded one DC from W2k3 beta3 to the released version, and the
    events immediately started to show up. After I created the reverse
    lookup zones for the network they stopped.

    Anonymous (Last update 5/10/2003):
    This happened when machines were trying to register PTR records, and
    we didn't have reverse lookup zones. The solution was to add them for
    all our subnets.

    DJ (Last update 5/2/2003):
    I'm on a small home test network with Win2k domain behind a Linksys 4
    port DSL router. The router handles DNS. A power failure sacked my
    domain controllers. After some restores and GP resets, my DCs were up
    and talking. But my workstation could not access AD Users and
    computers. The problem was the order of DNS in the Linksys. After
    putting my local DNS server first in the list on the Linksys, I was
    able to get to AD.

    Greg Martin
    Had this on a WinXP workstation which could no longer access domain
    resources. The fix was changing the DNS settings to point to a Win2k
    DNS which was tied into Active Directory. Apparently the workstation
    could no longer locate SRV records for the kerberos authentication
    server. These records were not in our UNIX DNS but were in the Win2k
    DNS. Related directly to Event 40960 - LsaSrv.

    - Thee Chicago Wolf
    Thee Chicago Wolf, Dec 3, 2008
  11. kerberos.dll
    Since you say your SP3 machines connect fine, is moving your SP2
    machines to SP3 not an option?

    You could try updating kerberos.dll on your SP2 client to a newer one
    from one of the below KB articles.

    This is the newest kerberos.dll for XP SP2.
    Kerberos.dll 5.1.2600.3192 299,008 08-Aug-2007
    Kerberos.dll 5.1.2600.3087 299,008 20-Feb-2007
    Kerberos.dll 5.1.2600.3048 298,496 11-Dec-2006
    Kerberos.dll 5.1.2600.2920 298,496 01-Jun-2006
    Kerberos.dll 5.1.2600.2749 298,496 30-Aug-2005
    Kerberos.dll 5.1.2600.2745 297,984 24-Aug-2005


    The newest kerberos.dll for XP SP3.
    Kerberos.dll 5.1.2600.5615 299,520 05-Jun-2008

    - Thee Chicago Wolf
    Thee Chicago Wolf, Dec 3, 2008
  12. Chris

    Chris Guest

    Thanks TCW.

    a) Found issue with the eventid website - not displaying properly on all our
    machines. RDP'd to home machine (different isp) and it worked fine.

    Tried different machines here at the office - same result - even flushing
    cache etc from IE. Tried on a laptop with Firefox - same deal. Bypassed our
    router and connected directly - same deal - so something with ISP's caching
    server probably.

    I will review these findings and try and see if it resolves the issue.

    As for SP3

    No, our accounting software does not work with the changes. Their
    recommendations are to move to Vista over XP SP3. Rather stay with SP2 tyvm :)

    Chris, Dec 4, 2008
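
Several replies above turn on the pattern of the 40961 warnings: which server name appears in the description (cifs/... or DNS/...), whether the warning recurs at a fixed interval, and whether it is logged next to Userenv 1030 or LsaSrv 40960. The following is an added example, not code from any poster in this thread, that extracts those signals from an exported event list; the pipe-separated export format, the host SRV01, the name ns1.isp.example and the two time windows are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MSG = ("The Security System could not establish a secured connection with "
       "the server {}. No authentication protocol was available.")
GPO = "Windows cannot query for the list of Group Policy objects."
# Constructed sample export: timestamp|source|event ID|computer|description.
SAMPLE = [
    "2008-12-01 09:12:40|LSASRV|40961|CS04|" + MSG.format("cifs/ser-domain.local"),
    "2008-12-01 09:12:55|Userenv|1030|CS04|" + GPO,
    "2008-12-01 10:05:00|LSASRV|40961|SRV01|" + MSG.format("DNS/ns1.isp.example"),
    "2008-12-01 11:05:01|LSASRV|40961|SRV01|" + MSG.format("DNS/ns1.isp.example"),
    "2008-12-01 12:05:00|LSASRV|40961|SRV01|" + MSG.format("DNS/ns1.isp.example"),
    "2008-12-01 13:47:02|LSASRV|40961|CS04|" + MSG.format("cifs/ser-domain.local"),
    "2008-12-01 13:47:20|Userenv|1030|CS04|" + GPO,
    "2008-12-02 10:48:50|LSASRV|40961|CS04|" + MSG.format("cifs/ser-domain.local"),
    "2008-12-02 10:49:05|Userenv|1030|CS04|" + GPO,
]

SPN_RE = re.compile(r"connection with the server (\S+)\. ")
PAIR_WINDOW = timedelta(minutes=2)  # assumed: max distance to a companion event
JITTER = timedelta(minutes=2)       # assumed: tolerance for "regular interval"


def parse(lines):
    """Turn export lines into event dicts sorted by time."""
    events = []
    for line in lines:
        ts, source, event_id, computer, text = line.split("|", 4)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "source": source.lower(), "id": int(event_id),
                       "computer": computer, "text": text})
    return sorted(events, key=lambda e: e["time"])


def companion(events, computer, times, source, event_id):
    """True if (source, event_id) was logged on computer close to any of times."""
    return any(e["computer"] == computer and e["source"] == source
               and e["id"] == event_id
               and any(abs(e["time"] - t) <= PAIR_WINDOW for t in times)
               for e in events)


def triage(events):
    """Group 40961 warnings by (computer, target name) and describe the pattern."""
    groups = defaultdict(list)
    for e in events:
        if e["source"] == "lsasrv" and e["id"] == 40961:
            m = SPN_RE.search(e["text"])
            groups[(e["computer"], m.group(1) if m else "?")].append(e["time"])
    report = {}
    for (computer, spn), times in groups.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = len(gaps) >= 2 and max(gaps) - min(gaps) <= JITTER
        report[(computer, spn)] = {
            "count": len(times),
            # Service class in the description: cifs/ is file sharing, DNS/ a DNS server.
            "service": spn.split("/", 1)[0].lower(),
            # Mean gap when the warning recurs on a schedule, else None.
            "interval": sum(gaps, timedelta()) / len(gaps) if regular else None,
            # 1030 nearby: Group Policy could not be read at the same time.
            "with_1030": companion(events, computer, times, "userenv", 1030),
            # 40960 nearby or not: the thread's forward vs. reverse zone hint.
            "with_40960": companion(events, computer, times, "lsasrv", 40960),
        }
    return report


if __name__ == "__main__":
    for key, finding in triage(parse(SAMPLE)).items():
        print(key, finding)
```

In the constructed data, SRV01 shows an hourly gap against a DNS/ target, which matches the dynamic DNS registration and DHCP credential causes described above, while CS04 shows the irregular cifs/ warnings paired with 1030 that the stored-password and profile replies address.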