Solved

Security System Error (ID 40960) on File Server

Posted on 2011-02-14
Last Modified: 2012-05-11
Hi folks!

We run an environment with five Windows Server 2003 R2 x64 servers. We have two domain controllers, and then three servers for various purposes. On the server that acts primarily as our file server, I am seeing recurring errors from the Security System in our event log.

Specifically, the error ID I am normally seeing is 40960 and the specific error text is one of the following two:

"The Security System detected an authentication error for the server LDAP/server.domain/domain@domain.  The failure code from authentication protocol Kerberos was "The user account has time restrictions and may not be logged onto at this time.
 (0xc000006f)".

And:

"The Security System detected an authentication error for the server LDAP/server.domain/domain@domain.  The failure code from authentication protocol Kerberos was "The referenced account is currently disabled and may not be logged on to.
 (0xc0000072)".

In all cases, the server it is referencing in the error is one of our two domain controllers. Each domain controller appears in some of the errors. I cannot figure out why this would be the case, though, as the computer accounts for our domain controllers should certainly not be disabled nor have any time restrictions on when they can interact with another server.

These errors are appearing regularly at least every hour or two.

Any suggestions would be most appreciated.

Thanks,
Ithizar
Question by:Ithizar
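As an added example (not from the thread), a PowerShell triage of the recurring 40960 events on the member server: it pulls them from the System log, extracts the target SPN and the Kerberos failure code from the description, and groups by SPN, code and hour of day so the "every hour or two, at all hours" pattern can be confirmed from the data. It assumes PowerShell 3 or later and that the events are logged in the System log; the status-code meanings are the two quoted in the question.

```powershell
# Added example, not from the thread: triage recurring 40960 events on the member
# server by target SPN, Kerberos failure code and hour of day.
# Assumes PowerShell 3+ and that the events live in the System log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 40960 } -ErrorAction Stop

# The two status codes quoted in the question; anything else is reported as 'unlisted'.
$known = @{
    '0xc000006f' = 'account has logon-hours restrictions'
    '0xc0000072' = 'account is disabled'
}

$rows = foreach ($e in $events) {
    # Description shape: "... error for the server <SPN>. The failure code from
    # authentication protocol Kerberos was "<text> (0x........)"."
    # (?s) lets the match span the line break that precedes the code.
    if ($e.Message -match '(?s)for the server (?<spn>\S+)\..*\((?<code>0x[0-9a-f]{8})\)') {
        $code    = $Matches.code.ToLower()
        $meaning = 'unlisted'
        if ($known.ContainsKey($code)) { $meaning = $known[$code] }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Hour    = $e.TimeCreated.Hour
            Spn     = $Matches.spn
            Code    = $code
            Meaning = $meaning
        }
    }
}

# Which DC / failure-code pairs recur, and how often.
$rows | Group-Object Spn, Code | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# A genuine logon-hours restriction would cluster outside the allowed window;
# hits in every hour of the day point at something other than a user's logon hours.
$hours = $rows | Where-Object { $_.Code -eq '0xc000006f' } |
    Select-Object -ExpandProperty Hour | Sort-Object -Unique
"0xc000006f seen in $(@($hours).Count) distinct hours of the day: $($hours -join ', ')"
```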
14 Comments
 
LVL 8

Expert Comment

by:Toxacon
ID: 34887282
Those error messages simply mean that someone who has account login time restrictions is trying to log in. The other account is disabled and someone is trying to log in with that account. Just look at the error messages to see the referenced account.
 

Author Comment

by:Ithizar
ID: 34887918
I'm not sure I understand what you mean "look at the error messages." I posted the complete text of the error. All I did was obscure the name of our server and domain. But there are no user accounts mentioned anywhere in the error.
 
LVL 8

Expert Comment

by:Toxacon
ID: 34888394
There should be Event Type, Event Source, Event Category, Event ID (which is 40960), Date, Time, User and Computer in addition to the Description you posted.
 

Author Comment

by:Ithizar
ID: 34889958
The user says "N/A".
 
LVL 8

Expert Comment

by:Toxacon
ID: 34890988
What are the Event Source and Category? Do you have restricted accounts in your domain?
 

Author Comment

by:Ithizar
ID: 34891048
Source: Userenv
Category: None
Type: Error
Event ID: 1053
User: NT AUTHORITY\SYSTEM

That's all relevant information, other than things like the date or the name of the server.

Forgive me if I seem dense, but what do you mean by "restricted accounts"?
 
LVL 8

Expert Comment

by:Toxacon
ID: 34891173
If a user account is restricted, then, for example, the account can only log on to specified workstations, or the account can only log on at specified times. Just open the user properties, Account tab, and click the Logon Hours button to view time restrictions, as your case has.

"The user account has time restrictions and may not be logged onto at this time.
 (0xc000006f)".


 

Author Comment

by:Ithizar
ID: 34891284
But it says that the user in question is "N/A", which implies to me that it's not a user account that's involved in this case. In fact, the error message seems to say that it's one server attempting to authenticate to another. Is that not correct?

In any event, we don't generally use restrictions like that on our accounts, and the errors are happening at all hours of the day and night, with regularity, so it wouldn't just be at a specific time of the day when certain accounts couldn't log on.
 
LVL 8

Expert Comment

by:Toxacon
ID: 34891821
That's really odd... As if the domain controller account has been warped or something... And still the first error is related to a user account...

Have you had problems with DCs not replicating or trouble running DCPROMO or anything?

Does the dcdiag pass ok or does it give errors?
 

Author Comment

by:Ithizar
ID: 34892864
I have not had any problems that I am aware of with replication. We have two domain controllers on the network, and I don't see any replication errors in their logs, and all of the account information and so forth seems synchronized between the two of them. We have not run DCPROMO at all since the domain controllers were originally created.

The system I am posting these errors from is not a domain controller, so dcdiag is not applicable. I can run it on our two domain controllers and see if either or both return errors if you think that might reveal something related.
 
LVL 39

Expert Comment

by:ChiefIT
ID: 34893842
What backup software do you use?

 
LVL 39

Expert Comment

by:ChiefIT
ID: 34893852
And please list your servers as Server A, Server B, etc., with the roles of the servers (meaning DNS, DHCP, AD).
 

Author Comment

by:Ithizar
ID: 35060221
Sorry for the delay in responding.

We use Macrium Reflect for backing up our servers.

Our servers are as follows:

Server A: Domain Controller, DNS, DHCP
Server B: Domain Controller, DNS
Server C: File Server, GhostCast Server, Symantec Endpoint Protection Server
Server D: SQL Database Server, Application Server
Server E: Remote Access/Terminal Server
Server F: Deep Freeze/BrowseControl Security Server
 
LVL 39

Accepted Solution

by:
ChiefIT earned 2000 total points
ID: 35063300
Server C: File Server, GhostCast Server, Symantec Endpoint Protection Server

Server C is the one having problems?  If so, this is good news.

Symantec Endpoint Protection has a console management, and many domain features need to be addressed in order to allow these domain features. I do believe one of them is Active Directory.

Your errors are stating that you are having problems communicating with the LDAP (Lightweight Directory Access Protocol). As with most ANTIVIRUS and FIREWALLS, they are geared for home use, which doesn't really need access to an LDAP (or Kerberos authentication). Instead, credentials are held locally. I know little about Symantec Endpoint Protection. I do think it's a system state firewall. System state means that it will block communications unless that computer initiates the call.

When a client first logs on, it will initiate an authentication with the server. So, logons are not the problem. However, when it comes time to renew the Kerberos ticket, the server initiates the procedure to do so. Symantec may be blocking this (because it is a system state firewall).

When choosing a FIREWALL or ANTIVIRUS product, always make sure you look at what that product blocks, and what exceptions or rules are needed for it to work right.

Your file server is having problems updating its Kerberos ticket. That's what your errors are stating.

Client type firewall (SEP):
http://www.symantec.com/business/support/index?page=content&id=TECH92440&locale=en_US

Now, this could be DNS related problems, but it would appear more like a problem with a system state firewall.  To verify that DNS works, use an SRV ping to ping the Server SeRVice records. These are the records that point the way to your domain controller for authentication.

SRV PING:
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/DHCPandDNS/AQuickTipToVerifyTheSRVRecordsOfDomainControllers.html
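As an added example (not part of the accepted answer), a PowerShell version of the SRV check the answer recommends: it resolves the domain controller SRV records for LDAP and Kerberos and then tests whether each advertised DC answers on the port the record names, which is the quickest way to separate a DNS problem from a blocked-port problem. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection, and $Domain is a placeholder for your AD DNS domain name.

```powershell
# Added example, not from the thread: verify the DC SRV records the accepted answer
# refers to, then check that each advertised DC answers on its Kerberos/LDAP port.
# Assumes Resolve-DnsName / Test-NetConnection (Windows 8 / Server 2012 or later).
param([string]$Domain = 'domain.example')   # placeholder: your AD DNS domain name

$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",   # DCs offering LDAP (port 389)
    "_kerberos._tcp.$Domain"          # KDCs (port 88)
)

$results = foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue
    if (-not $records) {
        # No SRV record at all: DNS, not the firewall, is the first thing to fix.
        [pscustomobject]@{ Record = $name; Target = '(no SRV record)'; Port = $null; Reachable = $false }
        continue
    }
    foreach ($r in ($records | Where-Object { $_.Type -eq 'SRV' })) {
        # A DC that is advertised but unreachable on this port will fail ticket
        # renewal the same way the thread describes.
        $probe = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Record    = $name
            Target    = $r.NameTarget
            Port      = $r.Port
            Reachable = $probe.TcpTestSucceeded
        }
    }
}

$results | Format-Table -AutoSize

# Anything advertised in DNS but not reachable is the place to start looking.
$results | Where-Object { -not $_.Reachable }
```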
