Unable to resolve SPNEGO Event ID 40961 errors

I have a few workstations, not all of them, that randomly start getting
security failures in their event logs, rebooting the main server and the
workstations often takes care of it, but not always. I've looked all
over the net, tried many things, but I can't seem to shake this.

Anyone have a solution path for getting rid of these errors?

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 11/25/2007
Time: 11:49:23 AM
User: N/A
Computer: WS56
Description:
The Security System could not establish a secured connection with the
server
ldap/servername.domainname.local/(E-Mail Removed).
No authentication protocol was available


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(E-Mail Removed) (remove 999 for proper email address)

is there something "wrong"? or are you just thinking something is wrong
because you see these events?



"Leythos" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed). ..
>I have a few workstations, not all of them, that randomly start getting
> security failures in their event logs, rebooting the main server and the
> workstations often takes care of it, but not always. I've looked all
> over the net, tried many things, but I can't seem to shake this.
>
> Anyone have a solution path for getting rid of these errors?
>
> Event Type: Warning
> Event Source: LSASRV
> Event Category: SPNEGO (Negotiator)
> Event ID: 40961
> Date: 11/25/2007
> Time: 11:49:23 AM
> User: N/A
> Computer: WS56
> Description:
> The Security System could not establish a secured connection with the
> server
> ldap/servername.domainname.local/(E-Mail Removed).
> No authentication protocol was available
>
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> (E-Mail Removed) (remove 999 for proper email address)

In article <(E-Mail Removed)>, (E-Mail Removed) says...
> is there something "wrong"? or are you just thinking something is wrong
> because you see these events?

I'm assuming that since I get an Authentication Error in the security
event log, that there should be something wrong.

Any user that logs onto the problem machine will cause a Security Event
entry showing logon authentication failure, but they can login without
any problem.

I don't see this in any of the other domains we manage, just this one
and only on some workstations.

The SPNEGRO error is common for the ones that fail, if I disjoin from
the domain, delete the computer account, and rejoin it, it goes away 90%
of the time and doesn't return - but once in a while I have a computer
that doesn't seem to resolve that problem.


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(E-Mail Removed) (remove 999 for proper email address)

Hello Leythos,

Did you have a reverse lookup zone created in DNS console? If not create
it, should help you.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> In article <(E-Mail Removed)>, (E-Mail Removed) says...
>
>> is there something "wrong"? or are you just thinking something is
>> wrong because you see these events?
>>
> I'm assuming that since I get an Authentication Error in the security
> event log, that there should be something wrong.
>
> Any user that logs onto the problem machine will cause a Security
> Event entry showing logon authentication failure, but they can login
> without any problem.
>
> I don't see this in any of the other domains we manage, just this one
> and only on some workstations.
>
> The SPNEGRO error is common for the ones that fail, if I disjoin from
> the domain, delete the computer account, and rejoin it, it goes away
> 90% of the time and doesn't return - but once in a while I have a
> computer that doesn't seem to resolve that problem.
>

In article <(E-Mail Removed) >, Meinolf
Weber <meiweb(nospam)@gmx.de> says...
> Hello Leythos,
>
> Did you have a reverse lookup zone created in DNS console? If not create
> it, should help you.

Yes, for all 6 subnets (we have a few branch offices that register their
DNS, but the ones (workstations) that cause the problem are the local
subnet ones.

What if I remove the records in the reverse LUZ?


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(E-Mail Removed) (remove 999 for proper email address)

Hello Leythos,

Think this will be ok. Do you have enabled NETBIOS over TCP/IP on the clients?
Also you can try to remove/reinstall MS client for networking on the workstations.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.dts-l.org/goodpost.htm

> In article <(E-Mail Removed) >,
> Meinolf Weber <meiweb(nospam)@gmx.de> says...
>
>> Hello Leythos,
>>
>> Did you have a reverse lookup zone created in DNS console? If not
>> create it, should help you.
>>
> Yes, for all 6 subnets (we have a few branch offices that register
> their DNS, but the ones (workstations) that cause the problem are the
> local subnet ones.
>
> What if I remove the records in the reverse LUZ?
>

In article <(E-Mail Removed) >, Meinolf
Weber <meiweb(nospam)@gmx.de> says...
> Hello Leythos,
>
> Think this will be ok. Do you have enabled NETBIOS over TCP/IP on the clients?
> Also you can try to remove/reinstall MS client for networking on the workstations.

Thanks for the ideas - I'll check on this on Monday when I have more
time. Have a good evening.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(E-Mail Removed) (remove 999 for proper email address)

if it only happens on one machine, check the system time AND time zone on
that machine. could be a kerberos issue caused by a time difference between
the pc and the authenticating dc




"Leythos" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed). ..
> In article <(E-Mail Removed) >, Meinolf
> Weber <meiweb(nospam)@gmx.de> says...
>> Hello Leythos,
>>
>> Think this will be ok. Do you have enabled NETBIOS over TCP/IP on the
>> clients?
>> Also you can try to remove/reinstall MS client for networking on the
>> workstations.
>
> Thanks for the ideas - I'll check on this on Monday when I have more
> time. Have a good evening.
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> (E-Mail Removed) (remove 999 for proper email address)

In article <(E-Mail Removed)>, (E-Mail Removed) says...
> if it only happens on one machine, check the system time AND time zone on
> that machine. could be a kerberos issue caused by a time difference between
> the pc and the authenticating dc

It happens on one or two machines at a time, and once fixed, normally by
a disjoin from domain, delete computer account on server, rejoin to
domain, it doesn't come back, but it crops up from time to time.

I've checked the time zone, time, ensured that they are all set by DHCP,
ensured that the time service is reachable, etc....

The main server was an SBS 2003 server migrated (swing) to Win 2003 Std
R2, but everything seems to work without any errors other than that.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
(E-Mail Removed) (remove 999 for proper email address)

It is quite odd that they trigger the message, but then do manage
to get authenticated. If you are logging successful logins, what
is showing as the authentication provider? NTLM when this
happens (msgs but success anyway) whereas normally you see
that Kerberos is being used?

Later you say the main server was SBS03, never migrated.
So doesn't that mean still SBS03? If so, could it be some
odd SBS hardcoded limit (max clients) you are hitting?

Roger

"Leythos" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed). ..
> In article <(E-Mail Removed)>, (E-Mail Removed) says...
>> is there something "wrong"? or are you just thinking something is wrong
>> because you see these events?
>
> I'm assuming that since I get an Authentication Error in the security
> event log, that there should be something wrong.
>
> Any user that logs onto the problem machine will cause a Security Event
> entry showing logon authentication failure, but they can login without
> any problem.
>
> I don't see this in any of the other domains we manage, just this one
> and only on some workstations.
>
> The SPNEGRO error is common for the ones that fail, if I disjoin from
> the domain, delete the computer account, and rejoin it, it goes away 90%
> of the time and doesn't return - but once in a while I have a computer
> that doesn't seem to resolve that problem.
>
>
> --
>
> Leythos
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> (E-Mail Removed) (remove 999 for proper email address)