Troubleshooting SPNEGO 40960

    Question

  • Greetings,

    I'm looking for some tips on troubleshooting this particular error. In the past I've seen this error corresponding with 40961; however, I'm just seeing 40960 this time. This has been happening for about 2 days and happening every 9 minutes or so. These are Exchange servers running Windows Server 2003 SP2. There are no known mail flow issues. I am looking for some methods on why this is happening. I would be surprised if a reboot fixed it. Thanks for any help....

    Wednesday, October 27, 2010 8:12 PM

All replies

  • Have you tried the following in order to gather more information:

    Event 40960 only logs the error returned by Kerberos. It does not log the name of the principal or the name of the client. In order to obtain this information, auditing for User Logon Failures must be enabled. By looking at the logon failure audit event logged at the same time as the SPNEGO event, more information about the logon failure can be obtained.

    From http://support.microsoft.com/kb/824217

    Perhaps you can raise Kerberos logging level: http://setspn.blogspot.com/2010/06/kerberos-basic-troubleshooting-tip-4.html

    It might log an error with a specific name of spn (service) which can give you a clue to what is being polled every 9 minutes.


    http://setspn.blogspot.com
    Wednesday, October 27, 2010 8:50 PM
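
Added example, not part of the thread or any poster's code: one way to do the correlation the reply above describes, pairing each LsaSrv 40960 event with the logon failure audits logged at the same moment and measuring how often 40960 recurs. The pipe-delimited input format, the account names and the sample records are constructed for illustration; 675 and 529 are Windows Server 2003 Security-log failure audit IDs used here as sample values.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: a pipe-delimited rendering of System and Security log
# entries (time|log|source|event id|type|detail). Not a real export format.
SAMPLE = """\
2010-10-28 13:01:07|System|LsaSrv|40960|Warning|
2010-10-28 13:01:08|Security|Security|675|Failure Audit|user=exadmin;code=0x18
2010-10-28 13:04:30|Security|Security|529|Failure Audit|user=jdoe;code=
2010-10-28 13:10:07|System|LsaSrv|40960|Warning|
2010-10-28 13:10:07|Security|Security|675|Failure Audit|user=exadmin;code=0x18
2010-10-28 13:19:08|System|LsaSrv|40960|Warning|
2010-10-28 13:19:09|Security|Security|675|Failure Audit|user=exadmin;code=0x18
"""

def parse_events(text):
    """Turn each non-empty line into a dict with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, log, source, event_id, etype, detail = line.split("|", 5)
        fields = dict(kv.split("=", 1) for kv in detail.split(";") if "=" in kv)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "log": log, "source": source, "id": int(event_id),
                       "type": etype, "fields": fields})
    return events

def correlate(events, window_seconds=5):
    """Count (account, audit id) pairs from failure audits near each 40960."""
    window = timedelta(seconds=window_seconds)
    spnego = [e for e in events if e["source"] == "LsaSrv" and e["id"] == 40960]
    audits = [e for e in events if e["type"] == "Failure Audit"]
    hits = Counter()
    for s in spnego:
        for a in audits:
            if abs(a["time"] - s["time"]) <= window:
                hits[(a["fields"].get("user", "?"), a["id"])] += 1
    return hits

def recurrence_minutes(events):
    """Median gap between consecutive 40960 events, in minutes."""
    times = sorted(e["time"] for e in events if e["id"] == 40960)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return round(median(gaps), 1) if gaps else None

if __name__ == "__main__":
    evts = parse_events(SAMPLE)
    print(correlate(evts).most_common(), recurrence_minutes(evts))
```

An account that appears next to every 40960 event, at a steady interval, points at a scheduled task, service or stale session still using that account's old credentials.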
  • In addition to Thomas' suggestions, do you have a reverse zone created for your subnets, and if so, do the Exchange servers have a PTR? I've seen this in the past and creating a reverse zone cleared up the issue.

     

    Late addition:

    Here's more info regarding these events:

    Event ID 40960 Source LSASRV
    To resolve this issue create the proper reverse lookup zones for the private IP subnets used .... The System log contains EventID 40960 from source LsaSrv, ...
    http://www.eventid.net/display.asp?eventid=40960&eventno=8508&source=LSASRV&phase=1

    Event ID 40961 Source LsaSrv
    http://www.eventid.net/display.asp?eventid=40961&eventno=1398&source=LsaSrv&phase=1


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, October 27, 2010 11:13 PM
  • @Thomas

    I will enable logging and see if I can get more info.

     

    @Ace. We do not have reverse lookups defined but this has been the case for years so I don't think it's related in this particular case. We basically have a forest and our internal DNS servers forward lookups to a BIND server. I think the reverse lookups are done there....

    Thursday, October 28, 2010 12:30 PM
  • Ok so as soon as I turned on the logging I got the following two errors. It appears this is happening on one of the Exchange Admins' user accounts.....

    Error Code: 0x34 KRB_ERR_RESPONSE_TOO_BIG

    and

    Error Code: 0x18 KDC_ERR_PREAUTH_FAILED

    Thursday, October 28, 2010 1:10 PM
  • The Response Too Big might be related to UDP being used instead of TCP. You can force Kerberos to use TCP. In many environments this is pushed by GPO.

    Some explanation: http://technet.microsoft.com/en-us/library/cc779511(WS.10).aspx
    And the KB: http://support.microsoft.com/kb/244474/en-us

    You could try the KB first on your server (not sure if you have to reboot). And see if the error goes away.

    Oh, and the PREAUTH_FAILED can be safely ignored.

    Regards,
    Thomas


    http://setspn.blogspot.com
    Thursday, October 28, 2010 1:14 PM
  • In addition to Thomas's suggestions, just to relate a story, at one customer site, I've seen this with an Exchange admin account that wasn't a domain admin account, as well as with non-domain accounts with restrictions in AD. The restrictions or denials were done by the domain admin to hide Users and the Exchange Admins from various areas in AD, but not sure why he did that or specifically how he did it. The reasons were not shared with us. In both instances, the accounts can log on without problems, but after the account would stay logged on for about a week, passing the Kerberos ticket renewal period, it wouldn't be able to renew the ticket, and the 40961, 40960, 1030, and 1058 would appear, then they couldn't access anything. Once they restarted the machine, it was all good, or when another user would log on, and would be fine until after a week.

    Sorry for the long story. My question now is if you logged the user off, then on again, or restarted the server (yea, I know that's a huge request for an Exchange server), does it clear it up, then reappear a few days or a week later?

    Ace



    Thursday, October 28, 2010 2:22 PM
  • @Thomas.

    I am very familiar with the MaxPacketSize key and forcing TCP. I don't think this is the issue here since there are lots of Exchange servers that are not having issues.

    @Ace. You may be on to something. I pinged the Exchange guy this morning and asked him what he was doing around the time I first noticed the error. He said he recalled changing his password on his Admin account (evidently they log in with both accounts to do certain things). I also checked for remote sessions but this is taken care of by GPOs anyways.

    The server hasn't been rebooted since 9/23 so I am assuming a reboot would fix it but, as you said, that's not the easiest thing to do.

    I just noticed this error a few minutes ago. This is the first time I've seen it and this is w/o logging enabled.....Thanks for the help guys!

    Thursday, October 28, 2010 2:46 PM
  • Chad,

    The error image didn't show up. Can you copy/paste the error in text?

    Curious, how long does he stay logged on? Does he connect using RDP with the Exchange admin account, then just disconnects and leaves it disconnected for lengths of time instead of logging out?

    Instead of rebooting, I assume logging out and in again may work?

    Ace



    Thursday, October 28, 2010 3:18 PM
  • Source: Kerberos

    Event ID: 4

    The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server.com. The target name used was SERVER. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (SERVER.COM), and the client realm. Please contact your system administrator.

     

    I'm still trying to determine how the Exchange Admin manages these servers.....

    Thursday, October 28, 2010 4:15 PM
  • Ok, another Kerb error. Besides the suggestions already provided, take a look at these, that is if you haven't already looked at them:

    EventID 4
    http://eventid.net/display.asp?eventid=4&eventno=1968&source=Kerberos&phase=1

    Microsoft - Event ID 4 — Kerberos Client Configuration
    http://technet.microsoft.com/en-us/library/cc733987(WS.10).aspx

    And that's a good question about the admin. Can the server be rebooted tonight?

    Ace



    Thursday, October 28, 2010 4:26 PM
  • If the eventid 4 is a one-timer, it's ok. The server pw might have changed recently, causing an already issued ticket to be invalid.

    If the eventid 4 is persistent, it's a killer, it breaks KRB authN and does not fall back to NTLM.


    http://setspn.blogspot.com
    Thursday, October 28, 2010 4:28 PM
  • Thanks guys for all the tips and info. We are going to wait until the next scheduled reboot and see if it goes away as it doesn't appear to be affecting Exchange in any way. I'll let you know how it goes.
    Thursday, October 28, 2010 4:49 PM
  • Looking forward to your results.

    Ace Fekay

    Monday, November 01, 2010 3:01 AM