AD 2000: Downgrade attack for Domain Controller RRS feed

  • Question

  • Hi all,

    I'm getting this error message on some of the users' PC in one of my child domain. (ABC.xyz.com)

    Event Type: Warning
    Event Source: LSASRV
    Event Category: SPNEGO (Negotiator)
    Event ID: 40960
    Date:  10/6/2009
    Time:  10:50:08 AM
    User:  N/A
    Computer: AM036734
    The Security System detected an attempted downgrade attack for server DNS/DomainCtrl001.abc.xyz.com.  The failure code from authentication protocol Kerberos was "The referenced account is currently disabled and may not be logged on to.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Symptoms the users are facing:
    1. User getting Account Lockout message even if user account is not locked in AD. And able to do the "net use xxxx /domain" command.
    2. Outlook prompting for Login name and password
    3. Local area network connection temporarily lost and reconnected automatically.


    DomainCtrl001 is the PDC emulator, Infra Master and RID master of ABC.xyz.com. And it also has a Certificate Authority installed on it.
    Replication with other servers is ok.

    When looking at the system event logs on DomainCtrl001. It's filled with the below warning message.

    Event Type: Warning
    Event Source: W3SVC
    Event Category: None
    Event ID: 100
    Date:  10/9/2009
    Time:  2:52:15 PM
    User:  N/A
    Computer: DomainCtrl001
    The server was unable to logon the Windows NT account 'IUSR_DomainCtrl001' due to the following error: The referenced account is currently locked out and may not be logged on to.  The data is the error code.
    For additional information specific to this message please visit the Microsoft Online Support site located at: http://www.microsoft.com/contentredirect.asp.

    When the IIS is being stopped. The warning message stopped generating.


    Q: Has anyone encounter problem with Account not locked in AD but user getting locked out message?

    Tuesday, October 13, 2009 7:50 AM


All replies