JSI Tip 9083. After you upgrade Windows XP to SP2, or install Security Bulletin MS04-011, you cannot access resources when no domain controller is available?

When you try to access a DFS (Distributed File System) share in an un-trusted domain, you cannot gain access, and the System event log contains:

Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
User: N/A
Computer: <Computer Name>
Description: The Security System could not establish a secured connection with the server <service>/<server name>. No authentication protocol was available.

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
User: N/A
<Computer Name>
Description: The Security System detected an authentication error for the server <service>/<server name>. The failure code from authentication protocol Kerberos was 'There are currently no logon servers available to service the logon request. (0xc000005e)'
.

MS04-011, which is included in Windows XP SP2, changes Kerberos authentication, removing the fallback to NTLM when a domain controller cannot be accessed. If you cannot contact a KDC (Key Distribution Center), you are prevented from accessing the resource.

To workaround this behavior, use either of the following:

• Make a domain controller available.

• Log on to the system with a local account.



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish