fpcit
asked on
Receiving Event ID 40960 (LSASERV:SPNEGO) Events and Errors
Hi all,
We have recently started receiving a rash of Event ID: 40960 errors on all of our domain controllers and one or two member servers. I can't find the user account that is causing all of the errors, and not sure how to go about doing it? The anonymized error is as below:
EVENT # 522261
EVENT LOG System
EVENT TYPE Warning
SOURCE LSASRV
CATEGORY SPNEGO (Negotiator)
EVENT ID 40960
COMPUTERNAME {Name of one of our DC's}
DATE / TIME 12/27/2010 1:29:31 PM
MESSAGE The Security System detected an authentication error for the server cifs/memberservername.doma in.com. The failure code from authentication protocol Kerberos was "The user's account has expired.
(0xc0000193)".
BINARY DATA 0000: 93 01 00 C0
As always, any help is appreciated.
We have recently started receiving a rash of Event ID: 40960 errors on all of our domain controllers and one or two member servers. I can't find the user account that is causing all of the errors, and not sure how to go about doing it? The anonymized error is as below:
EVENT # 522261
EVENT LOG System
EVENT TYPE Warning
SOURCE LSASRV
CATEGORY SPNEGO (Negotiator)
EVENT ID 40960
COMPUTERNAME {Name of one of our DC's}
DATE / TIME 12/27/2010 1:29:31 PM
MESSAGE The Security System detected an authentication error for the server cifs/memberservername.doma
(0xc0000193)".
BINARY DATA 0000: 93 01 00 C0
As always, any help is appreciated.
ASKER
As requested... DC3-DCDIAG.txt
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I ran a VBScript to show me all of the Expired users, and went through and disabled them. I am still receiving the same error. I currently do not have a single expired account. Coincidentally, I am receiving a Kerberos error from one of our offsite PC's. The Event is below.
EVENT # 41451
EVENT LOG System
EVENT TYPE Error
SOURCE NETLOGON
EVENT ID 5722
COMPUTERNAME DC3
DATE / TIME 12/27/2010 2:32:54 PM
MESSAGE The session setup from the computer HOMEUSER failed to authenticate. The name(s) of the account(s) referenced in the security database is HOMEUSER$. The following error occurred:
Access is denied.
BINARY DATA 0000: 22 00 00 C0
EVENT # 41451
EVENT LOG System
EVENT TYPE Error
SOURCE NETLOGON
EVENT ID 5722
COMPUTERNAME DC3
DATE / TIME 12/27/2010 2:32:54 PM
MESSAGE The session setup from the computer HOMEUSER failed to authenticate. The name(s) of the account(s) referenced in the security database is HOMEUSER$. The following error occurred:
Access is denied.
BINARY DATA 0000: 22 00 00 C0
ASKER
Oh sorry! I forgot to mention that all of our local machines are indeed picking up DHCP from our servers. The above mentioned machine is statically assigned, but the home is nailed to us via Cisco VPN Tunnel.
Now that is a different error.
Reset the secure channel password they will need to be VPN to do this
http://www.windowsitpro.com/article/tips/jsi-tip-3401-how-do-i-reset-the-secure-channel-s-password-in-windows-2000-.aspx
Reset the secure channel password they will need to be VPN to do this
http://www.windowsitpro.com/article/tips/jsi-tip-3401-how-do-i-reset-the-secure-channel-s-password-in-windows-2000-.aspx
ASKER
I will be at the remote site this afternoon, and will try that. Thanks for the advice!
As for the SPNEGO errors, they have changed to "cannot because the referenced account is currently disabled" as I expected it would. The issue I am having is that I cannot figure out which account is causing the errors. The errors are coming from all of our domain controllers at 3 different sites. Any suggestions on how to narrow it down, without just deleting all of our disabled accounts?
Thanks!!
Stefan
As for the SPNEGO errors, they have changed to "cannot because the referenced account is currently disabled" as I expected it would. The issue I am having is that I cannot figure out which account is causing the errors. The errors are coming from all of our domain controllers at 3 different sites. Any suggestions on how to narrow it down, without just deleting all of our disabled accounts?
Thanks!!
Stefan
ASKER
I found it! One of the users was a consultant here for a day, and he remained logged in via RDP to our DC's. His sessions were disconnected, but the ID was not logged off. I feel like such a dolt. Thanks for the help!!!!!
Stefan
Stefan
ASKER
Thanks again!!
http://support.microsoft.com/kb/824217
http://www.eventid.net/display.asp?eventid=40960&eventno=8508&source=LSASRV&phase=1
Run dcdiag on DC post results