Warning Event ID 40961 Source LsaSrv

    Question

  • The Warning Event details as follows;

    Details : The security System could not establish a secured connection with the server ldap/server.mydomain.net/mydomain.net@MYDOMAIN.NET. No authentication protocol was available

    Log Name : System     Source : LsaSrv     Event ID : 40961     User : System     Computer : Server.mydomain.net 

    We are receiving this warning log in a 2008 R2 server.  The details of the server as follows;

    OS - Server 2008 R2 Standard with SP1 (64 bit). It is not a DC. The Primary and Secondary DNS servers have been configured properly and we even unchecked the checkbox "Register this connection's address in DNS"; this host has a static IP address.  We have a centralised DNS management system and we configured those IP addresses as Primary/Secondary DNS servers.  Normally if we uncheck the register connection in DNS option from the NIC IPv4 Advanced DNS properties this issue gets resolved.  But on this host, even though we unchecked that option, we still keep getting this warning message.

    I'm getting some results in this forum itself for the same warning message and analyzing that with my environment.....

    Meantime, can anyone please guide/advise me to get rid of this warning message...??

    Thanks in Advance

    Tuesday, August 16, 2011 3:17 AM

All replies

  • Hi,

     

    According to your description, the warning occurred on server machines, most of them can be fixed by unchecking “Register this connection's address in DNS”. What is the OS version of the machines?  Which roles, features and applications are installed on this problematic member server? Do you use a DHCP server?

     

    Please check whether the following link helps first:

     

    Resolving Event ID 40961 LSASRV - DNS/prisoner.iana.org

    http://blogs.technet.com/b/jhoward/archive/2005/04/20/403946.aspx

     

    Thanks.

    Nina


    • Proposed as answer by MumthazMuhsin1 Tuesday, December 20, 2011 1:58 PM
    Friday, August 19, 2011 2:38 AM
    Moderator
  • My suggestion would be that disabling Kerberos logging is an option here.

    http://blogs.technet.com/b/askds/archive/2007/10/19/introducing-auditing-changes-in-windows-2008.aspx

     

    Regards


    Awinish Vishwakarma

    MVP-Directory Services

    MY BLOG:  http://awinish.wordpress.com

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, August 19, 2011 3:52 AM
    Moderator
  • Hi,

    You can try to Purge the Kerberos tickets and Reset secure channel password.

    Reset Secure channel

    netdom resetpwd /server:<another domain controller> /userd:domain\administrator /passwordd:<administrator password>

    Also purge Kerberos tickets using "klist purge", reboot the DC and check.

    • Proposed as answer by 404again Thursday, May 21, 2015 5:44 AM
    Friday, August 19, 2011 5:18 AM
  • Hi,

     

    Resolution 1:


    The cause of the error was simply that there was no reverse lookup zone configured on their internal DNS server.

    Remember, a quick check from a client by running "nslookup" from a command prompt and seeing a timeout error also will point immediately to a reverse DNS lookup zone missing problem.

    Resolving Event ID 40961 LSASRV
    http://blogs.technet.com/b/jhoward/archive/2005/04/20/403946.aspx

     

    Resolution 2:

    Re-entering credentials for DNS dynamic updates registration in the DHCP
    snap-in may resolve this issue.


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
    • Proposed as answer by iamrafic Monday, August 22, 2011 1:58 AM
    Friday, August 19, 2011 5:39 AM
  • It appears that Kerberos authentication attempts against this server are failing. Start by verifying its DNS configuration (make sure that it points to a DC hosting AD-integrated zone hosting your AD namespace as its primary) and that the SPN referenced in the error message is actually present in the servicePrincipalName of the computer account. More at http://technet.microsoft.com/en-us/library/cc728430(WS.10).aspx

    hth
    Marcin

    Friday, August 19, 2011 12:53 PM
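
The checks suggested in the replies above (DNS client settings, forward and reverse lookup of the server named in the event, the SPN on an account, the secure channel), collected as an added read-only PowerShell example; it is not from any poster in this thread. It assumes PowerShell 2.0 or later on a domain-joined machine and an elevated prompt.

```powershell
# Added example: triage of LsaSrv 40961 on a domain member (PowerShell 2.0 compatible).
# Read-only: it queries the event log, DNS and AD, and changes nothing.

# DNS servers this host actually uses (should be the DNS hosting the AD zone).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=true" |
    ForEach-Object { "{0}: DNS = {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', ') }

# Recent 40961 warnings: pull the target SPN out of each message text.
$spns = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 40961 } `
            -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'LsaSrv' } |
    ForEach-Object { if ($_.Message -match 'with the server (\S+?)\.(\s|$)') { $Matches[1] } } |
    Sort-Object -Unique

foreach ($spn in $spns) {
    $name   = ($spn -split '@')[0]      # drop the @REALM suffix
    $target = ($name -split '/')[1]     # host part of service/host[/domain]
    "`nSPN from event: $spn"

    # Forward lookup, then a reverse lookup of every address returned.
    try {
        foreach ($ip in [System.Net.Dns]::GetHostAddresses($target)) {
            try   { $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName }
            catch { $ptr = 'reverse lookup failed (check the reverse lookup zone)' }
            "  {0} -> {1} -> {2}" -f $target, $ip, $ptr
        }
    } catch { "  forward lookup of $target FAILED" }

    # Is the SPN registered on an account in the current domain?
    try {
        $hits = ([adsisearcher]"(servicePrincipalName=$name)").FindAll()
        if ($hits.Count -gt 0) { $hits | ForEach-Object { "  SPN registered on: " + $_.Path } }
        else                   { "  SPN not found on any account in the domain" }
    } catch { "  AD query failed: $($_.Exception.Message)" }
}

# Secure channel between this member and its domain.
nltest /sc_verify:$((Get-WmiObject Win32_ComputerSystem).Domain)
```

If no 40961 events are found the loop prints nothing, and only the DNS server list and the secure channel result appear.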
  • Hi Everyone,

    Thank you for all your replies and suggestions given. 

    In my place our security team ran a scan and found that this same Event Log is reported on several workstations as well.  The Centralised DNS Management system is currently managed by the Network Team of our Company.  So, I've placed a change request to check and create the reverse lookup and also to check the Kerberos logging by disabling it.

    I'll keep you all updated on this...

    Once again, I thank everyone for your helpful suggestions.

    Thanks

    Saturday, August 20, 2011 4:12 AM
  • Hi All!

    Please keep this updated...I've been struggling with 1 out of 7 Windows 7 client computers on an SBS 2008 R2 network.  It also happens to be MY computer, which really bugs me.  I get the LsaSrv 40961

    "The Security System could not establish a secured connection with the server LDAP/SERVER2.domain.local/Domain.local@DOMAIN.LOCAL. No authentication protocol was available."

    Followed by the GroupPolicy 1067 event

    "The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:

    a) Name Resolution failure on the current domain controller.

    b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller)."

    I have tried removing the computer from the domain (deleting it from AD, DNS and DHCP) and re-joining.

    The problem is persistent and has been happening ever since the computer was originally joined to the domain using https://connect/ (at which time I joined 5 other clients which work just fine).  The computer has never applied the computer group policy. 

    It is VERY frustrating and every time I think I find a solution, it proves me wrong!

    Thanks!

     


    Tuesday, August 30, 2011 11:35 PM
  • Hi ARMeyer,

    Have you tried the suggestions given by me?

     

    Resolution 1:


    The cause of the error was simply that there was no reverse lookup zone configured on their internal DNS server.

    Remember, a quick check from a client by running "nslookup" from a command prompt and seeing a timeout error also will point immediately to a reverse DNS lookup zone missing problem. 

    Resolving Event ID 40961 LSASRV
    http://blogs.technet.com/b/jhoward/archive/2005/04/20/403946.aspx

     

    Resolution 2:

    Re-entering credentials for DNS dynamic updates registration in the DHCP
    snap-in may resolve this issue.

     


    • Proposed as answer by MumthazMuhsin1 Tuesday, December 20, 2011 1:58 PM
    Thursday, September 1, 2011 10:15 AM
  • Thanks for the reply.

    Resolution 1: Nslookup works just fine.

    Resolution 2: I checked the credentials and the name and domain boxes were blank with asterisks (*****) in the password boxes.  I created a new user account, which was part of the DHCP Administrators group, and entered the credential information.  I found and used this article to input the information. http://technet.microsoft.com/en-us/library/dd183673(WS.10).aspx

    I have not noticed any change as of yet...Is there a way to verify that what I did was correct and working?

    Thanks.

    Thursday, September 1, 2011 5:21 PM
  • Hi ARMeyer,

    Check for the event logs again. If you don't find any events related to LsaSrv then you can confirm that your issue is solved.

    If you find any additional error events please post it so that we can try to provide a solution for you.


    Friday, September 2, 2011 3:30 AM
  • The LsaSrv error and group policy errors on the client computer continue.

    What I was asking about is how to know whether or not I set up the account for the DNS dynamic update credentials correctly (how can I check it on the server).

    Also, since I have updated the credentials in DHCP on the server, under address pool any client computer that has been restarted after I updated the credentials shows up as a computer with a pen in front of it, which according to http://technet.microsoft.com/en-us/library/gg722802(WS.10).aspx indicates "Active lease, DNS dynamic update pending. This address is not available for lease by the DHCP server."  I performed an ipconfig /registerdns on the server and it still shows the same icons.

    Is this correct or do I need to change my credentialing?

    Friday, September 2, 2011 4:45 PM