none
Event ID: 5000 - The security package Kerberos generated an exception. The exception information is the data.

    Question

  • We are experience an issue with our Windows 7 Enterprise machines when they are scanning by a Third Party product for software patches and vulnerability management. The Third Party product uses nmap amongst other tools for its scan. When it scans we get the following event log:

    Log Name:      System
    Source:        LsaSrv
    Date:          10/09/2013 12:56:02
    Event ID:      5000
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      RemoveName
    Description:
    The security package Kerberos generated an exception. The exception information is the data.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" />
        <EventID>5000</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2013-09-10T11:56:02.963895700Z" />
        <EventRecordID>25751</EventRecordID>
        <Correlation />
        <Execution ProcessID="740" ThreadID="896" />
        <Channel>System</Channel>
        <Computer>RemovedName</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="Package">Kerberos</Data>
        <Binary>63736DE00100000000000000000000005D9EA9FDFE07000004000000000000002005931900000000F0DCFD0100000000A045E7FCFE0700000000D1FCFE07000000000000000000004A335A7500000000488FFD01000000008097FD010000000000000000000000000000000000000000009CFD01000000006B335A750000000070AEFD010000000000E0FD010000000000E0FD0100000000</Binary>
      </EventData>
    </Event>
    

    Once this occurs it is not possible to login to the box using any method, the only option is to select reboot from the login page or press the power button.

    We don't believe that Windows 7 is totally to blame as we have found that uninstalling Check Point Full Disk Encryption E80.x stops the issue from happening.

    I am looking for a method of providing more information to all parties so they stop pointing fingers at each other and find a fix for the problem.

    Neal

    Wednesday, October 09, 2013 9:55 PM

Answers

All replies

  • Hi,

    This issue may occur because a race condition occurs when the computer receives multiple authentication requests. Please try the hotfix in the following KB for a test.

    Lsass.exe crashes and error code 255 is generated in Windows Server 2008 R2 or in Windows 7

    http://support.microsoft.com/kb/2732595

    Does it work?

    Regards,

    Yolanda


    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

    Thursday, October 10, 2013 9:15 AM
  • I'm having the exact same issue, but it occurs when a WiFi client tries to authenticate onto the network (using 802.1X with an NPS host). As there are two access points on the SSID I think that both of them may be sending a RADIUS request at the same time?

    Edit: Actually either one of the access points causes this issue, even when the other is switched off. Looks like the issue is internally in Windows?

    I tried the hotfix but it didn't appear to resolve the issue. Two events as follows appear at the same time, followed by Windows saying it has to restart now.

    - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> <EventID>5000</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2014-05-20T01:54:03.696680200Z" /> <EventRecordID>592320</EventRecordID> <Correlation /> <Execution ProcessID="736" ThreadID="792" /> <Channel>System</Channel> <Computer>server</Computer> <Security UserID="S-1-5-18" /> </System> - <EventData> <Data Name="Package">Kerberos</Data> <Binary>050000C00000000000000000000000007C981AFCFE0700000200000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</Binary> </EventData> </Event>


    - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    - <System>
      <Provider Name="LsaSrv" Guid="{199FE037-2B82-40A9-82AC-E1D46C792B99}" /> 
      <EventID>5000</EventID> 
      <Version>0</Version> 
      <Level>2</Level> 
      <Task>0</Task> 
      <Opcode>0</Opcode> 
      <Keywords>0x8000000000000000</Keywords> 
      <TimeCreated SystemTime="2014-05-20T01:54:03.696680200Z" /> 
      <EventRecordID>592321</EventRecordID> 
      <Correlation /> 
      <Execution ProcessID="736" ThreadID="792" /> 
      <Channel>System</Channel> 
      <Computer>server</Computer> 
      <Security UserID="S-1-5-18" /> 
      </System>
    - <EventData>
      <Data Name="Package">Kerberos</Data> 
      <Binary>050000C00000000000000000000000007C981AFCFE0700000200000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</Binary> 
      </EventData>
      </Event>



    Thanks, Adam Reece.



    • Edited by Adambean Tuesday, May 20, 2014 3:01 AM
    Tuesday, May 20, 2014 2:37 AM
  • A fix for this has been found.

    You need to uninstall update KB2871997. After I uninstalled this (including a server restart) I stated the Network Policy Server service, connected my phone to the affected Wi-Fi network, and it worked instantly. No server restarting, and now I've changed NPS to start automatically again.

    Source: http://superuser.com/a/775274/147457


    Thanks, Adam Reece.


    • Proposed as answer by Adambean Tuesday, July 01, 2014 3:23 PM
    • Edited by Adambean Tuesday, July 01, 2014 3:24 PM
    Tuesday, July 01, 2014 3:23 PM