• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 13499
  • Last Modified:

LSASRV and SPNEGO errors, hanging at start up (40961 and 40960)

I am having a problem with LSASRV / SPNEGO errors (Event ID codes 40961 and 40960) appearing in computer's event logs.  There is no precursor to them happening.  Users come in one morning to start work and it will take 20 minutes for the system to log them on. They hit CTRL+ALT+DEL and enter their username and password, and then the system hangs for a very long time before eventually logging them in.  Outlook will not connect, and they cannot seem to browse to other systems.  They can get out to the Internet via web browser, and have no problem using Outlook Web Access. It appears the problem is with local network resources that require the successfull processing of credentials. We use SBS 2003, by the way. Stranger still, it is affecting just 3  computers that are all located in one section of the office.

I have read several posts where others have "solutions" but nothing seems to work. I've tried the following as well as other random tasks:
=Move the computers to data jacks in other areas of the office that are working fine with other systems
=Remove the computer from the domain and re-add it.
=Try a user account that is working fine elsewhere
=Make sure the time is synched with the DC
=Upgraded the NIC driver on the server (someone mentioned this as a solution)
=All updates and patches are applied to all machines
=Reinstall networking components
=Ensured proper DNS settings on the server
=Flushed DNS on the client machines

Have missed anything? Why does this keep happening randomly to systems around my network? I am starting to become convinced it is a Microsoft issue, perhaps a faulty patch or update they issued and haven't acknowledged.  I am open to ANY suggestions-- please let me know what has worked for you in this case!
0
Edgerock
Asked:
Edgerock
1 Solution
 
jkrCommented:
The error code descriptions are

# for decimal 40960 / hex 0xa000 :
  NEGOTIATE_DOWNGRADE_DETECTED                                  lsapmsgs.mc
# When asking for client authentication, this server sends a
# list of trusted
# certificate authorities to the client. The client uses this
# list to choose
# a client certificate that is trusted by the server.
# Currently, this server trusts
# so many certificate authorities that the list has grown too
# long. This list has
# thus been truncated. The administrator of this machine
# should review the
# certificate authorities trusted for client authentication
# and remove those that
# do not really need to be trusted.
# client
# server

# for decimal 40961 / hex 0xa001 :
  NEGOTIATE_INVALID_SERVER                                      lsapmsgs.mc
# The Security System detected an authentication error for
# the
# server %1.  The failure code from authentication protocol
# %2
# was %3.

Does http://support.microsoft.com/kb/824217 apply?
0
 
EdgerockAuthor Commented:
No, that doesn't fit the situation unfortunately.  It did happen after I rebooted the server, though, now that I think of it.  But we only have one server and no updates were made recently.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Actually, it is very likely a hardware issue which has come about because of installing Windows Server 2003 SP2 on your server.

If you've recently done that then please review all of the known issues regarding SP2 on SBS here:  http://sbsurl.com/sp2

And specifically this KB article:  http://support.microsoft.com/kb/936594

If you have Broadcom NICs there have also been a ton of issues with those... be sure you have the latest drivers installed on ALL NICs (server and client).

Jeff
TechSoEasy

0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
EdgerockAuthor Commented:
I haven't installed SP2 yet on the server.  I did upgrade the driver on the server's NIC though. I'll check the client.
0
 
EdgerockAuthor Commented:
The clients also have up-to-date drivers on the NICs.

It is definitely something to do with authenticating with the server. When the client hangs at login it will immediately resume the login process when I unplug the network cable.  Also, even when connected, signing onto the computer locally with the admin account or local user also works without any hesitation or problem.  The same user's account will work fine on other computers in the office logging into the domain.  So it is something specific to this computer, regardless of user account, trying to authenticate with the domain. Any further thoughts along those lines?

0
 
EdgerockAuthor Commented:
Just for the heck of it, I uninstalled the driver for the Server's NIC and then re-installed (it was already the most up-to-date version.)  Problem resolved after this.  I will give the points to TechSoEasy since he suggested the hardware / driver (thanks!). It's an Intel Pro/1000 NIC-- not sure why this would suddenly cause an issue out of nowhere, and why it would only affect 3-4 computers in the same section of the office. Even though this is resolved, if anyone could offer further color on this matter, I'd appreciate it.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Even though you stated "There is no precursor to them happening." you're fooling yourself if you view a server as a static piece of equipment.  Your server is changing every minute of the day.  Files get added and removed, drives get full, updates get installed, and every minute of every day, the hard drives have made over 7,000 rotations each... which amounts to more than 10,000,000 revolutions PER DAY.  To me, it's surprising that bits of data aren't being flung off those things more often!

So, remember, on a computer that's running 24/7?  There's no such thing as "out of nowhere".

Jeff
TechSoEasy
0
 
EdgerockAuthor Commented:
Point taken-- but why did it affect just one grouping of machines in the office and not all of them? They are all similar machines throughout the office. I can't seem to find anything unique that separates them except their physical location. They are connected to the same switch as the other client machines, etc etc. Anyhow, it's resolved for now.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
It's possible those few machines have received a Windows Update that the others haven't?  Or perhaps they have a different Video driver than the others?  (something as obscure as that can be the cause).  Whatever it is, there is most likely SOME common thread... it could just be the room temperature being a few degrees different where they are compared to the others.

But most likely, other than satisfying your curiosity, it's not worth taking the time to figure it out.

Jeff
TechSoEasy
0
 
madmax40Commented:
Hello, I just stumbled upon this old discussion that states the exact same problem we are expriencing. I was just wondering if in your case you had to reinstall the whole pc that experienced the problem. Right now even though we redo the whole computer we get the exact same problem, some after 1 login and others after 3-4 logins????? All I can figure is the MAC adress is somehow retained in the negotiation process.
Let me know.

Thanks
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now