Authentication error after migrating PC to new AD forest
-
Thursday, November 01, 2012 7:31 PM
I am testing an AD migration, migrating users and PCs from one AD forest to a new AD forest. After migrating the PCs, when trying to connect back to resources in the source forest I am getting authentication errors in the event log and am unable to access the resources. When trying to access resources in the source forest I am receiving the errors below and cannot connect to the resources; some are network files and some are web resources. There is a two-way trust set up and SID filtering has been disabled on the source trust. The network resources will eventually work after 10 or so minutes, but web pages (IIS) requiring authentication will not work at all. Name resolution is working OK. Any ideas on what to look for?
Source Forest is 2003
Target Forest is 2008R2
Servers are 2003 and 2008R2
Clients are XP and Windows 7
Event log errors
Windows 7 Client
Event: 40960 source: LsaSrv
The Security System detected an authentication error for the server exchangeAB/servername.domainname.com. The failure code from authentication protocol Kerberos was "The name or SID of the domain specified is inconsistent with the trust information for that domain. (0xc000019b)".
XP client
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Date: 30/10/2012
Time: 8:31:13 PM
User: N/A
Computer: ABC
Description:
The Security System could not establish a secured connection with the server cifs/Server.Domain.com. No authentication protocol was available.

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 30/10/2012
Time: 8:31:13 PM
User: N/A
Computer: ABC
Description:
The Security System detected an attempted downgrade attack for server cifs/Server.Domain.com. The failure code from authentication protocol Kerberos was "Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). (0xc000006e)".
All Replies
-
Monday, November 05, 2012 6:15 AM, Moderator
Hi,
Thanks for posting in Microsoft TechNet forums.
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thank you for your understanding and support.
Regards
Kevin
-
Tuesday, November 06, 2012 1:26 PM
Hi,
"The network resources will eventually work after 10 or so minutes but web pages (IIS) requiring authentication will not work at all"
Do the network resources such as shared folders still work now? What's the error message when you visit the web site hosted in the old domain?
Regards,
Denny
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
- Marked As Answer by K_evin Zhu (Microsoft Contingent Staff, Moderator), Monday, November 12, 2012 1:58 AM
-
Tuesday, November 13, 2012 10:17 PM
Hi.
I opened a ticket with MS support and found the problem.
The Name suffix routing was not enabled for the new domain, and we also disabled SID Filtering.
Thanks,
Glen
- Marked As Answer by world tech Tuesday, November 13, 2012 10:17 PM
-
Monday, November 19, 2012 2:47 PM
Hi,
Thanks for the update. I am glad to hear that the issue is resolved :)
Regards,
Denny

