05.13.2009

Windows XP event log messages Event ID 40960 Event ID 4 SPNEGO; KRB_AP_ERR_MODIFIED

A client was saying that it was taking 15 minutes in the morning to log in to the computer. I found that when I logged onto the computer and attempted to access the domain server shares, I was prompted for the username and password, and he was still not connecting. The event log on the workstation had the following messages:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date:  13/05/2009
Time:  7:25:10 PM
User:  N/A
Computer: ML150
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server TIM$ The target name used was cifs/WS01.domain.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAIN.LOCAL), and the client realm.   Please contact your system administrator.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date:  13/05/2009
Time:  9:13:33 PM
User:  N/A
Computer: TIM
Description:
The Security System detected an attempted downgrade attack for server cifs/ML150.domain.local.  The failure code from authentication protocol Kerberos was "No authority could be contacted for authentication.
 (0x80090311)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date:  13/05/2009
Time:  9:13:33 PM
User:  N/A
Computer: TIM
Description:
The Security System could not establish a secured connection with the server cifs/ML150.domain.local.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date:  13/05/2009
Time:  9:13:34 PM
User:  N/A
Computer: TIM
Description:
The Security System detected an attempted downgrade attack for server LDAP/ML150.domain.local.  The failure code from authentication protocol Kerberos was "No authority could be contacted for authentication.
 (0x80090311)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date:  13/05/2009
Time:  9:13:34 PM
User:  N/A
Computer: TIM
Description:
The Security System could not establish a secured connection with the server LDAP/ML150.domain.local.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

In the application event log was:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date:  13/05/2009
Time:  10:40:12 PM
User:  NT AUTHORITY\SYSTEM
Computer: TIM
Description:
Windows cannot determine the user or computer name. (An internal error occurred. ). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The computer had had its name changed from WS01 to BOB. Checking in the domain computer list I found the old WS01 computer still existed as well as the new BOB computer. WS01 also existed as a DNS entry. 
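An added example (not part of the original post) that parses the Kerberos Event ID 4 description quoted above and compares the machine account that answered with the host in the target name. A mismatch means the client reached a different machine than the name it asked for, which fits the leftover WS01 DNS entry. The function names and the second and third sample lines are constructed for illustration.

```python
import re

# Matches the description text of Kerberos Event ID 4 as quoted on this page.
EVENT4 = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server\s+(?P<account>[^\s$]+)\$?\.?\s+"
    r"The target name used was\s+(?P<spn>\S+?)\.(?:\s|$)",
    re.IGNORECASE,
)

def triage(description):
    """Return responder/target details for one Event ID 4 description, or None."""
    m = EVENT4.search(description)
    if m is None:
        return None
    responder = m.group("account").rstrip(".").upper()
    # Target name forms handled: service/host, service/host:port, service/host@REALM
    service, _, rest = m.group("spn").partition("/")
    host = re.split(r"[:/@]", rest)[0]
    short_name = host.split(".")[0].upper()
    mismatch = short_name != responder
    return {
        "responder": responder,
        "service": service.lower(),
        "target_host": host.lower(),
        "mismatch": mismatch,
        "check": ("name resolution (DNS) records for the target name" if mismatch
                  else "duplicate or out-of-sync machine account for the target"),
    }

def stale_name_candidates(descriptions):
    """Target hosts that were answered by a differently named machine account."""
    hits = (triage(d) for d in descriptions)
    return sorted({(h["target_host"], h["responder"]) for h in hits if h and h["mismatch"]})

# Sample input: the first entry is the description from this page; the others are constructed.
SAMPLE = [
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server TIM$ "
    "The target name used was cifs/WS01.domain.local. This indicates that the password "
    "used to encrypt the kerberos service ticket is different than that on the target server.",
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server PC07$.  "
    "The target name used was host/pc07.example.test. This indicates ...",
    "The Security System could not establish a secured connection with the server "
    "cifs/ML150.domain.local.  No authentication protocol was available.",
]

if __name__ == "__main__":
    for target, responder in stale_name_candidates(SAMPLE):
        print(f"{target} was answered by {responder}$: check name resolution for {target}")
```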

I removed the computer from the domain, manually deleted the entries on the domain controller, rebooted the workstation, rejoined the domain and rebooted again, but the event log messages were still there and the problem was the same. The driver for the HP NC7781 Gigabit Server Adapter NIC card on the Windows 2003 server was updated from v8 to v12 using the downloads at:

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=407737&prodTypeId=329290&prodSeriesId=407735&swLang=8&taskId=135&swEnvOID=1005

By the way, I was able to do this through remote desktop and only lost connection for a few seconds while the driver updated.

I also ran net time /setsntp:ml150 on the workstation to synchronise the time with the server. I updated the NIC card driver on the HP dx7300 workstation using

http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareDescription.jsp?lang=en&cc=us&prodTypeId=12454&prodSeriesId=3251396&swItem=vc-69120-1&prodNameId=3251400&swEnvOID=1093&swLang=13&taskId=135&mode=4&idx=0

All the while I was also downloading 360Mb odd of updates to the Windows 2003 SBS server. The server was rebooted after all the patch and driver installations, and then the workstation. After this the workstation no longer continued to have problems connecting to the network shares.

 

Other solutions to this may be found at

http://www.eventid.net/display.asp?eventid=40960&eventno=787&source=LsaSrv&phase=1
