Receiving Event ID 40960 (LSASERV:SPNEGO) Events and Errors

fpcit
fpcit used Ask the Experts™
on
Hi all,
     We have recently started receiving a rash of Event ID: 40960 errors on all of our domain controllers and one or two member servers.  I can't find the user account that is causing all of the errors, and not sure how to go about doing it?  The anonymized error is as below:

EVENT #      522261
EVENT LOG      System
EVENT TYPE      Warning
SOURCE      LSASRV
CATEGORY      SPNEGO (Negotiator)
EVENT ID      40960
COMPUTERNAME        {Name of one of our DC's}
DATE / TIME        12/27/2010 1:29:31 PM
MESSAGE      The Security System detected an authentication error for the server cifs/memberservername.domain.com. The failure code from authentication protocol Kerberos was "The user's account has expired.
(0xc0000193)".
BINARY DATA        0000: 93 01 00 C0

As always, any help is appreciated.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2012

Commented:

Author

Commented:
As requested... DC3-DCDIAG.txt
Top Expert 2012
Commented:
Well the error states that your account that is being used is expired. Are these systems using DHCP? I would check your AD for expired accounts.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
I ran a VBScript to show me all of the Expired users, and went through and disabled them.  I am still receiving the same error.  I currently do not have a single expired account.  Coincidentally, I am receiving a Kerberos error from one of our offsite PC's.  The Event is below.

EVENT #      41451
EVENT LOG      System
EVENT TYPE      Error
SOURCE      NETLOGON
EVENT ID      5722
COMPUTERNAME        DC3
DATE / TIME        12/27/2010 2:32:54 PM
MESSAGE      The session setup from the computer HOMEUSER failed to authenticate. The name(s) of the account(s) referenced in the security database is HOMEUSER$. The following error occurred:
Access is denied.
BINARY DATA        0000: 22 00 00 C0

Author

Commented:
Oh sorry!  I forgot to mention that all of our local machines are indeed picking up DHCP from our servers.  The above mentioned machine is statically assigned, but the home is nailed to us via Cisco VPN Tunnel.  
Top Expert 2012

Commented:
Now that is a different error.

Reset the secure channel password they will need to be VPN to do this

http://www.windowsitpro.com/article/tips/jsi-tip-3401-how-do-i-reset-the-secure-channel-s-password-in-windows-2000-.aspx

Author

Commented:
I will be at the remote site this afternoon, and will try that.  Thanks for the advice!  

As for the SPNEGO errors, they have changed to "cannot because the referenced account is currently disabled" as I expected it would.  The issue I am having is that I cannot figure out which account is causing the errors.  The errors are coming from all of our domain controllers at 3 different sites.  Any suggestions on how to narrow it down, without just deleting all of our disabled accounts?

Thanks!!
Stefan

Author

Commented:
I found it!  One of the users was a consultant here for a day, and he remained logged in via RDP to our DC's.  His sessions were disconnected, but the ID was not logged off.    I feel like such a dolt.  Thanks for the help!!!!!

Stefan

Author

Commented:
Thanks again!!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial