Event 40960 and 40961 after upgrade to Windows 2008 R2 domain controller

After I replaced my Windows 2003 domain controllers with fresh Windows 2008 R2 domain controllers, I started having logon problems at my remote offices.
In the event log on the remote PCs, I found the following events:

Event ID: 40960
Source: LsaSrv 
Type: Warning
Category: SPNEGO (Negotiator) 
Description: The Security System detected an attempted downgrade attack for server <server name>. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

Event ID: 40961
Type: Warning
Source: LsaSrv
Category: SPNEGO (Negotiator)
Description:
The Security System could not establish a secured connection with the server ldap/SERVERNAME.DOMAINNAME.net. No authentication protocol was available.

Several articles and posts stated that a VPN or SSL tunnel may prevent Kerberos from successfully authenticating to the domain controller / global catalog server.
None of those suggestions helped, though. In the end, Netlogon debug logging pointed me to the cause. To enable Netlogon debug mode, I created the following value on the client computer:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DBFlag"=dword:2080ffff
   (hexadecimal value)

Then open a command prompt and run net stop netlogon && net start netlogon to restart the service with debugging enabled. The debug output is written to C:\Windows\Debug\netlogon.log.

In netlogon.log, I found that the client at the remote location could not authenticate with Kerberos and fell back to NTLM. The NTLM fallback was not accepted by the new Windows 2008 R2 domain controllers either, so the authentication failed.

Referring back to the VPN / SSL connection: Windows XP and 2003 clients send Kerberos requests over UDP by default (for messages up to MaxPacketSize bytes, 1465 by default), and large UDP datagrams that get fragmented are often dropped across VPN tunnels.
Therefore, I had to force Kerberos to use TCP, using the following registry value on the client (see KB244474):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001
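The whole procedure from this post (enable Netlogon debug logging, look for the failed logon in netlogon.log, force Kerberos over TCP, then turn the verbose logging off again) as an added PowerShell example. This is not code from the original post; it assumes an elevated PowerShell 2.0 or later on the affected client (on Windows XP, PowerShell has to be installed separately), and the strings it searches for in netlogon.log (the 0xC000005E status code quoted in event 40960, plus the protocol names) are an assumption to adjust to what your own trace contains.

```powershell
# Added example, not from the original post. Run elevated on the affected client.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$NetlogonLog    = Join-Path $env:SystemRoot 'Debug\netlogon.log'

function Enable-NetlogonDebug {
    # DBFlag 0x2080FFFF is the verbose trace level used in the post.
    if (-not (Test-Path $NetlogonParams)) { New-Item -Path $NetlogonParams -Force | Out-Null }
    Set-ItemProperty -Path $NetlogonParams -Name DBFlag -Value 0x2080FFFF -Type DWord
    Restart-Service -Name Netlogon -Force      # same as: net stop netlogon && net start netlogon
}

function Disable-NetlogonDebug {
    # Verbose Netlogon tracing grows quickly; remove it once the diagnosis is done.
    Remove-ItemProperty -Path $NetlogonParams -Name DBFlag -ErrorAction SilentlyContinue
    Restart-Service -Name Netlogon -Force
}

function Find-LogonFailures {
    param([string]$Path = $NetlogonLog)
    # 0xC000005E = STATUS_NO_LOGON_SERVERS, the failure code reported in event 40960.
    # The patterns are an assumption about what the trace contains on your client.
    $patterns = '0xC000005E', 'NO_LOGON_SERVERS', 'NTLM', 'Kerberos'
    if (-not (Test-Path $Path)) {
        throw "No netlogon.log at $Path - is Netlogon debug logging enabled?"
    }
    Select-String -Path $Path -Pattern $patterns |
        Select-Object -Last 50 |
        ForEach-Object { $_.Line }
}

function Set-KerberosTcpOnly {
    # MaxPacketSize=1 makes every Kerberos message exceed the UDP threshold, so the
    # client uses TCP (KB244474). Windows Vista and later already default to TCP,
    # so this only changes behaviour on XP / 2003 clients.
    if (-not (Test-Path $KerberosParams)) { New-Item -Path $KerberosParams -Force | Out-Null }
    Set-ItemProperty -Path $KerberosParams -Name MaxPacketSize -Value 1 -Type DWord
}

function Get-KerberosTransportSetting {
    $v = (Get-ItemProperty -Path $KerberosParams -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
    if ($null -eq $v)  { 'MaxPacketSize not set: OS default applies (UDP first on XP/2003, TCP on Vista+)' }
    elseif ($v -le 1)  { "MaxPacketSize=$v : Kerberos forced over TCP" }
    else               { "MaxPacketSize=$v : UDP used for Kerberos requests up to $v bytes" }
}

# Usage: diagnose first, then apply the fix, verify it, and stop the verbose logging.
Enable-NetlogonDebug
Read-Host 'Reproduce the slow logon / event 40960 on this client, then press Enter' | Out-Null
Find-LogonFailures
Set-KerberosTcpOnly
Get-KerberosTransportSetting
Disable-NetlogonDebug
```

After the change, a reboot (or at least a fresh logon) is needed before the client opens new Kerberos connections over TCP; the event 40960 / 40961 warnings should then stop appearing in the client's event log.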

Done! The LsaSrv warnings no longer appeared in my Event Viewer, and logon time was back to about 30 seconds.

Credits go to the following websites:
http://support.microsoft.com/kb/244474
http://support.microsoft.com/kb/109626
http://blogs.technet.com/b/ad/archive/2009/03/20/downgrade-attack-a-little-more-info.aspx


6 Comments on "Event 40960 and 40961 after upgrade to Windows 2008 R2 domain controller"

Nathan:

Thanks so much for this. Spent many hours troubleshooting this issue and finally came across your solution :-)

kthane:

Whew! I was pulling my hair out!
Thanks for dropping this off on the internet.

Tom Elliott:

I hope this fixes our intermittent issues too. Thanks for sharing the answer.

Trackback:

[…] Slow log on from remote Windows XP with 2008 R2 Domain Controller […]

abu dabi:

Thanks a lot!
