The Security System detected an attempted downgrade attack for server

    Question

  • The Security System detected an attempted downgrade attack for server The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

    Wednesday, December 30, 2009 4:30 PM

Answers

  • Have you verified whether http://support.microsoft.com/kb/244474 does not apply in your case?

    hth
    Marcin
    • Marked as answer by Bruce-Liu Wednesday, January 6, 2010 6:35 AM
    Wednesday, December 30, 2009 4:52 PM
  • Hi LaserBurn,

    Apart from Marcin's suggestion, check the MTU size set on the router or the server itself. If the packet size sent on the network is higher than what is set on the router, then you will see these errors.

    Default Ethernet IP MTU is 1500. 20 bytes are reserved for the IP header and 8 bytes for the ICMP Echo Request header. This leaves 1472 for the Data.

    Try the Ping command with '-l' switch to check the Payloads.

    Ex - Ping Servername -f -l 1472

    You may decrease the size and see what size is permitted on the network. When you have determined the MTU, you can set the packet size by changing the value in the registry entry. The MTU registry entry can be found at:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\Adapter_GUID

    You can refer to the following Article - http://technet.microsoft.com/en-us/library/cc940103.aspx

    This is also termed the 'Black Hole Router problem'. In such scenarios, if the MTU set on the intermediate segments is less than the MTU used by the communicating hosts, then the router might drop the packets silently.
    Refer to the following Article to address this issue -- http://support.microsoft.com/default.aspx/kb/314825

    Hope the information helps.

    Thanks,
    Nitin

    • Marked as answer by Bruce-Liu Wednesday, January 6, 2010 6:35 AM
    Thursday, December 31, 2009 8:27 PM
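
An added example, not part of Nitin's reply: the manual `Ping Servername -f -l <size>` search described above, automated as a binary search in PowerShell with the Don't Fragment flag set. The function names, the 548-byte lower bound and the `Servername` target are assumptions made for the example.

```powershell
# Added example. Uses .NET's Ping class with DontFragment set, the same probe as "ping -f -l".
function Test-DfPing {
    param([string]$Target, [int]$PayloadSize, [int]$TimeoutMs = 2000)
    $ping    = New-Object System.Net.NetworkInformation.Ping
    $options = New-Object System.Net.NetworkInformation.PingOptions(64, $true)  # TTL 64, DontFragment
    $buffer  = New-Object byte[] $PayloadSize
    try {
        # Returns an IPStatus name: Success, PacketTooBig, TimedOut, ...
        return $ping.Send($Target, $TimeoutMs, $buffer, $options).Status.ToString()
    } catch [System.Net.NetworkInformation.PingException] {
        return 'Error'   # name resolution failure or local send error
    } finally {
        $ping.Dispose()
    }
}

function Find-MaxUnfragmentedPayload {
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [int]$Low  = 548,    # assumption: 576-byte minimum IPv4 datagram minus 28 bytes of headers
        [int]$High = 1472    # 1500-byte Ethernet MTU minus 20 (IP) and 8 (ICMP), as in the post
    )
    # If even a small DF ping fails, the cause is reachability or ICMP filtering, not MTU.
    if ((Test-DfPing $Target $Low) -ne 'Success') {
        throw "No reply to a ${Low}-byte ping from ${Target}; fix reachability before testing MTU."
    }
    $silentDrops = 0
    while ($Low -lt $High) {
        $mid    = [int][math]::Ceiling([double]($Low + $High) / 2)
        $status = Test-DfPing $Target $mid
        if ($status -eq 'TimedOut') { $status = Test-DfPing $Target $mid }  # retry once to rule out loss
        if ($status -eq 'Success') {
            $Low = $mid
        } else {
            if ($status -eq 'TimedOut') { $silentDrops++ }  # dropped with no ICMP error returned
            $High = $mid - 1
        }
    }
    New-Object psobject -Property @{
        Target      = $Target
        MaxPayload  = $Low           # largest payload that passed with DF set
        PathMtu     = $Low + 28      # add back the IP and ICMP headers
        SilentDrops = $silentDrops   # > 0 matches the black hole router pattern
    }
}

# Placeholder name; substitute the server from the event text.
Find-MaxUnfragmentedPayload -Target 'Servername'
```

A `PacketTooBig` status means a device on the path reported the limit, while `TimedOut` at sizes above the working payload means the oversized packets were dropped without any ICMP error.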

All replies

  • Hi,

    Apart from what Marcin and Nitin have stated, I would first like to know when you receive this error. Does it come on its own (maybe due to a scheduled task), or does it come when you try to do something?

    Second, I would like to know if DNS is working fine. Please check if DNS has the site-specific SRV records for the DCs.

    Go to the DNS management console (on the DNS server which the concerned machine is pointing to), expand the forward lookup zone that is in question, then browse to the site where the concerned machine is and see if you can see ldap, kerb records under the _tcp folder.

    Regards,

    Arun.


    Thanks, Arun.
    Friday, January 1, 2010 6:06 PM