The security system detected an authentication error for the server ldap


Security system detected an authentication error

Question

We have different forests, and a two-way external trust relationship has been created between all the forests successfully; the trusts have also been validated between all of them.

Example : A->B, A->C, A->D

But when we try to add any user from the D forest to a group belonging to the A forest, or search for a user of the D forest from forest A, it gives the error below:

  • The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

We can add the user or find the A forest user in the D forest Active Directory.

We checked the firewall ports 389, 88 and 445, and there is no issue with the other domains and forests. When we checked the system event logs of the A forest domain controller, we saw the warning below:

The Security System detected an authentication error for the server ldap/DC1.contoso.com/contoso.com@contoso.com. The failure code from authentication protocol Kerberos was "The network logon failed. This may be because the validation authority can't be reached. (0xc0000190)".

The A forest DC is running Windows 2008 R2 SP1.

The D forest DC is running Windows 2003.

Configure the "Allow cryptography algorithms compatible with Windows NT 4.0" policy and try to add the user again.
http://support.microsoft.com/kb/942564

Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

Refer to the article below, if it is applicable. This can also be due to token size. Also, can you use Wireshark/Netmon to see what exactly is happening from the network perspective?

You receive a "The system has detected a possible attempt to compromise security" error message when you try to include security settings for a user from a different domain in a local domain folder

Awinish Vishwakarma — MVP — Directory Services

Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

I have checked that all ports are open and the other forests are working. If, on the A forest DC, I enter \\server of the D forest DC in Run, it asks for a password and the warning event below is recorded on the A forest DC. But the sharevol folder of the other forest DCs will open.

The Security System detected an authentication error for the server ldap/DC1.contoso.com/contoso.com@contoso.com. The failure code from authentication protocol Kerberos was "The network logon failed. This may be because the validation authority can't be reached. (0xc0000190)".

It is not necessary that NT 4.0 be present in the domain; this issue occurs due to an SMB storage device, which may be unable to use weak cryptography algorithms to establish a secure channel to a Windows Server 2008-based domain controller.

Did you try the suggestion in my first post?

Abhijit Waikar.
MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


How exactly have you set up DNS for resolution between the forests?

  • Have you set up conditional forwarders between each other? If not, please do so.
  • Does each domain in each forest have a search suffix created for all other domains in the other forests? If not, please do so. The easiest way is to use a GPO. Read the link below for more info.

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP — Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This post is provided AS-IS with no warranties or guarantees and confers no rights.


How to resolve event id 40960 error

Whenever I try to log in to my server (a Windows machine) with my domain credentials, it says Windows cannot connect to this domain, or the domain controller is down (which it is not), and I get this error in Event Viewer:

The Security System detected an authentication error for the server LDAP/prod01.xyz.com/prod.xyz.com@PROD.XYZ.COM. The failure code from authentication protocol Kerberos was "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)".

This is a production box; I cannot restart it. I need some help to resolve this without a restart.


Windows 2008 Server?

What server are you trying to connect? The DC itself or another server in the domain?

I would check attributes on the server in DC.

It's a Windows 2003 SP2 (Standard Edition) server; it's not a DC, it's another server in the domain.


Was it rebooted recently, or was there a power outage that you weren't aware of?

Found this and it might pertain to the issue that you’re dealing with.

No, it didn't reboot, and it's a virtual machine (VMware). Let me check the link to see if it can help me.

The above link you provided didn't help me.


"...it is likely that a service is attempting to authenticate before the directory service is available."

I would try rebooting. I know it's probably not what you want to do with production, but you might need to. Off hours, of course.

Here’s another one specific for your VM.

Yes, we will have to reboot; I am waiting for the confirmation. In the meantime, if you find something, please let me know.

1. Removed any additional default gateway from each network interface.

2. Configured only primary and secondary DNS servers for each server network interface.

3. Removed the DNS servers which were not domain members from NAME Servers settings on domain DNS systems.

Do you have any other event IDs, like 3210?

The 0xc000006d part indicates "Bad username" or authentication information, whereas 0xc000006a would indicate "Bad password".

With that error for bad username/authentication information, I would suggest creating a new GPO, or editing an existing GPO for your domain computers, that disables the password change for the computer account; after it applies, your computer accounts' passwords will not change. Normally domain computer passwords change on a rotation.

You can do one of the following to resolve your issue:

Create a new GPO/Edit existing:

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.

Select "Domain member: Disable machine account password changes" and define the policy as "Enabled".

Or you can edit the problem computer's registry manually. (Editing the registry can harm your computer and should not be performed unless you absolutely understand what you're doing; I cannot be held responsible for any harm it may cause your computer.)

See the key located at:

By default the DWORD will be "DisablePasswordChange"=dword:00000000

If it is a VM, can you log in from the console? If so, do that and then disable IPSEC. IPSEC will sometimes block the network access that allows domain controllers to talk to one another and replicate AD. If the system was recently rebooted or promoted, replication may not yet have occurred and this will prevent logging in.

Check the time settings on your server.

If there is a time difference between your DC and the server you are trying to authenticate on, it will most likely fail.

Time has to be in sync in AD for smooth authentication.

Can you see that computer-name in AD?

— sync server time.

— log on that local machine > unjoin > rejoin (worked for us)

Well, I don't want to make any modification to the registry, either on the local machine or in AD; if there is something by which we can solve this without that, then that would be good.

On other servers the IPSEC service is running and I am able to log in with my domain credentials, so I don't see any reason for disabling it. What is your opinion on this?

I have checked the setting & time sync is happening perfectly.

Yes, I can see the computer name in AD, and I am waiting for confirmation from the concerned team to reboot this; at the time of the reboot I will also remove it from and re-add it to the domain.

Thanks all for all the options you guys have provided, but bad luck for me as none of these worked out 🙁

Did you try providing your user name in different formats ?

I tried that way by giving my domain\username, but I am getting the same error message (as above) in Event Viewer.

I’m getting this same error on my servers now after resetting the domain admin password and running a script to change all the local admin passwords. I checked and have updated any service account passwords. Still looking for a fix.

Hi. I had the same issue, and after doing everything I eventually found that the computer object in Active Directory was disabled. I re-enabled it, rejoined the domain, and everything started working again after that.

This worked for me in an identical configuration (Server 2003 as a Guest OS of Hyper-V):

To resolve this problem, follow these steps:

1. Run the following command on the root domain controllers of the parent domain and of the child domain. This command resets the trust relationship between the parent and child domain.

   Netdom trust trusting_domain_name /Domain:trusted_domain_name /UserD:user /PasswordD:* /UserO:user /PasswordO:* /reset

   Notes:
   The trusting_domain_name placeholder represents the name of the trusting domain.
   The trusted_domain_name placeholder represents the name of the trusted domain.
   The user placeholder in the /UserD:user parameter represents the user account that connects to the trusted domain.
   The user placeholder in the /UserO:user parameter represents the user account that connects to the trusting domain.

2. Exchange the designated domains in the trusting_domain_name and trusted_domain_name parameters from step 1, and then run the Netdom trust command again.

   Note: Steps 1 and 2 reset both directions of the trust.

3. Let the parent and child domain controllers replicate the changes.

4. Restart the root domain controllers of the parent domain and of the child domain. Restarting these domain controllers removes the Kerberos tickets.

   Note: You can also use the Kerbtray tool to remove the Kerberos tickets. The Kerbtray tool is included in the Windows Server 2003 Resource Kit Tools package.

Situation: Every morning, the user has a black screen and can't log in to the domain computer. After restarting the computer, she can't log in because the account is locked.

Troubleshooting: The event viewer shows Event ID 40960: The Security System detected an authentication error for the server LDAP. The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested."

We found that the user had recently changed the computer's screen saver and selected a family photo. We fixed the problem by disabling the photo screen saver.

Note: You may use some tools to troubleshoot this issue.

Account Lockout Tools
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
Virus alert about the Win32/Conficker worm
http://support.microsoft.com/kb/962007

Also check for:

• user's account in Stored User Names and Passwords
• user's account tied to a persistent mapped drive
• user's account used as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after the user's password was changed
• A SMARTPHONE!!!

For more, refer to the KB article: http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm.

See this similar thread too:

Event ID 40690 – Accounts keep locking out
http://social.technet.microsoft.com/Forums/en/winservergen/thread/8c684d03-c075-4015-8799-03ee9f1cd853
http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/e1ef04fa-6aea-47fe-9392-45929239bd68/

Bob Lin, Chicagotech-MVP, MCSE & CNE
Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on
http://www.ChicagoTech.net
How to Install and Configure Windows, VMware, Virtualization and Cisco on
http://www.HowToNetworking.com

I've had a Server 2016 VM (fully up to date at the time of writing) that has been in production for about a year now. Fairly recently, I started having a range of issues relating to what appear to be DNS/connectivity problems. It started with these types of messages in the event log:

The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

and

The Security System detected an authentication error for the server cifs/server02. The failure code from authentication protocol Kerberos was "No authority could be contacted for authentication. (0x80090311)".

and

The Security System detected an authentication error for the server LDAP/SERVER02.domain.local/domain.local@domain.LOCAL. The failure code from authentication protocol Kerberos was "No authority could be contacted for authentication. (0x80090311)".

The server is at a remote branch office. The site is connected by a S2S VPN. All this points to intermittent / non-existent connectivity OR DNS issues.

Thing is, I've checked for packet loss, connection stability and DNS functionality. Everything SEEMS to be working. Yet I can't crack this one.

Symptoms we're seeing include:

  • Inability to UNC into other servers by hostname, i.e. \\HOSTNAME doesn't work, but \\<IPADDRESS> works

  • VERY long logon times (3-5 minutes+)

  • Some LoB apps that run on this system (as services) and use domain accounts to log on are no longer working; the error says "The system cannot contact a domain controller to service the authentication request. Please try again later."

So, having double and triple checked DNS (I've used nslookup to look up _LDAP._TCP.DC._MSDCS.mydomain.local to ensure the correct IPs are being resolved and are pingable, I've checked this isn't a firewalling issue, and I've double and triple checked using ipconfig /all), what else does one try (other than banging my head on the desk)?

Rejoining the system to the domain seems to have resolved this for now. I will update if not.

I’m setting up a test environment for a customer about to deploy samba4 into 1400 remote sites and I’m running into a problem. It’s my job, after all, to run into problems and then solve them.

Active Directory

  • forest root & single domain: main.adlab.netdirect.ca
  • created on Windows 2008 R2
  • 2008 FFL
  • 2008 DFL

Main office

  • AD1: Windows 2008 R2 DC
  • AD2: Windows 2008 R2 DC
  • Windows 7 Professional clients

Branch office

  • SLES11SP2 (fully updated!) with Samba 4 (4.1.1-7.suse111 packages from sernet)
  • Samba 4 configured as RODC

I’ve configured a password replication policy to allow certain accounts to be cached on the RODC and then populated those accounts to the RODC:

sles-shire:~ # samba-tool rodc preload 'win7-shire$' --server main.adlab.netdirect.ca
Replicating DN CN=WIN7-SHIRE,CN=Computers,DC=main,DC=adlab,DC=netdirect,DC=ca
Exop on[CN=WIN7-SHIRE,CN=Computers,DC=main,DC=adlab,DC=netdirect,DC=ca] objects[1] linked_values[2]

sles-shire:~ # samba-tool rodc preload 'win7-shire-2$' --server main.adlab.netdirect.ca
Replicating DN CN=WIN7-SHIRE-2,CN=Computers,DC=main,DC=adlab,DC=netdirect,DC=ca
Exop on[CN=WIN7-SHIRE-2,CN=Computers,DC=main,DC=adlab,DC=netdirect,DC=ca] objects[1] linked_values[1]

sles-shire:~ # samba-tool rodc preload 'bilbo' --server main.adlab.netdirect.ca
Replicating DN CN=Bilbo Baggins,OU=Shire,OU=Offices,DC=main,DC=adlab,DC=netdirect,DC=ca
Exop on[CN=Bilbo Baggins,OU=Shire,OU=Offices,DC=main,DC=adlab,DC=netdirect,DC=ca] objects[1] linked_values[2]

I know that those credentials are being cached on the RODC since if I drop the site link I can log in with a cached user but not a different user:

michael@sles-shire:~> smbclient //sles-shire.main.adlab.netdirect.ca/sysvol -U michael
Enter michael's password: 
session setup failed: NT_STATUS_IO_TIMEOUT

michael@sles-shire:~> smbclient //sles-shire.main.adlab.netdirect.ca/sysvol -U bilbo
Enter bilbo's password: 
Domain=[MAIN] OS=[Unix] Server=[Samba 4.1.1-SerNet-SuSE-7.suse111]
smb: \> ls
  .                                   D        0  Mon Nov 18 16:09:44 2013
  ..                                  D        0  Mon Nov 18 16:11:15 2013
  main.adlab.netdirect.ca             D        0  Wed Nov 20 17:54:13 2013

So authentication is working fine! But when I try to log in to the Windows 7 PC (WIN7-SHIRE) I get the error:

An internal error has occurred.

Gee. Thanks. If I use an incorrect password I get:

The user name or password is incorrect.

So the authentication is happening, but Windows 7 doesn’t like something. I see these errors in the event logs and I think they’re relevant to this problem:

The Security System detected an authentication error for the server ldap/sles-shire.main.adlab.netdirect.ca. The failure code from authentication protocol Kerberos was "An internal error occurred. (0xc00000e5)".

The Security System detected an authentication error for the server DNS/sles-shire.main.adlab.netdirect.ca. The failure code from authentication protocol Kerberos was "An internal error occurred. (0xc00000e5)".

If I'm already logged on and try to use network services I get:

The Security System detected an authentication error for the server cifs/sles-shire.main.adlab.netdirect.ca. The failure code from authentication protocol Kerberos was "An internal error occurred. (0xc00000e5)".

My krb5.conf on the server:

[libdefaults]
    default_realm = MAIN.ADLAB.NETDIRECT.CA
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON

Here’s the real kicker:

The behaviour still occurs when the site link is up. I can log in to the domain PC with accounts that are not cached on the RODC, but if they’re on the RODC I get the same error.

I’ve ensured that all appropriate SRV records in AD DNS are in place. I’ve ensured this by promoting a Windows 2008 R2 DC in the branch office to an RODC role and ensuring that all of the appropriate DNS records are present for both the Windows and Samba RODC.

(Some were necessary to add by hand as they aren't yet added by Samba:

SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

) (must close bracket)

So… what’s broken and how do I fix it?


SPN info

> dsquery * "CN=SLES-SHIRE,OU=Domain Controllers,DC=main,DC=adlab,DC=netdirect,DC=ca" -attr servicePrincipalName
  servicePrincipalName
  ldap/SLES-SHIRE;
  ldap/4116d553-d66b-4c8b-9a60-90380ac69c04._msdcs.main.adlab.netdirect.ca;
  ldap/SLES-SHIRE.main.adlab.netdirect.ca/main.adlab.netdirect.ca;
  HOST/SLES-SHIRE.main.adlab.netdirect.ca/main.adlab.netdirect.ca;
  ldap/SLES-SHIRE.main.adlab.netdirect.ca;
  ldap/SLES-SHIRE.main.adlab.netdirect.ca/MAIN;
  HOST/SLES-SHIRE.main.adlab.netdirect.ca/MAIN;
  RestrictedKrbHost/SLES-SHIRE.main.adlab.netdirect.ca;
  RestrictedKrbHost/SLES-SHIRE;
  GC/SLES-SHIRE.main.adlab.netdirect.ca/main.adlab.netdirect.ca;
  HOST/SLES-SHIRE.main.adlab.netdirect.ca;HOST/SLES-SHIRE;

> dsquery * "CN=WIN7-SHIRE,CN=Computers,DC=main,DC=adlab,DC=netdirect,DC=ca" -attr servicePrincipalName
  servicePrincipalName
  TERMSRV/WIN7-SHIRE.main.adlab.netdirect.ca;
  TERMSRV/WIN7-SHIRE;
  RestrictedKrbHost/WIN7-SHIRE;
  HOST/WIN7-SHIRE;
  RestrictedKrbHost/WIN7-SHIRE.main.adlab.netdirect.ca;
  HOST/WIN7-SHIRE.main.adlab.netdirect.ca;
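The threads above quote five different Kerberos failure codes behind the same Event ID 40960 text, and each code led the replies to a different check. The following is an added example, not code from any of the posters, that parses the message text into the SPN, the failure code and the check the replies converged on; the sample messages are constructed from the ones quoted above, and the STATUS_ACCOUNT_LOCKED_OUT value is the standard NTSTATUS code, which the blog post quotes without its number.

```python
import re

# Message shape of Event ID 40960 as quoted in the threads above (straight or «» quotes).
EVENT_RE = re.compile(
    r"authentication error for the server (?P<spn>\S+?)\.\s+"
    r"The failure code from authentication protocol Kerberos was\s+"
    '["\u00ab](?P<text>[^"\u00bb]*)'
)
CODE_RE = re.compile(r"\((0x[0-9A-Fa-f]{8})\)")

# Failure codes quoted in the threads (standard NTSTATUS/HRESULT names) and the
# check the replies converged on for each of them.
TRIAGE = {
    0xC0000190: ("STATUS_TRUST_FAILURE",
                 "validation authority unreachable: trust, DNS forwarders/suffixes, ports 88/389/445"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "bad password: stale saved credential"),
    0xC000006D: ("STATUS_LOGON_FAILURE",
                 "bad username/auth info: computer object enabled? secure channel? time in sync?"),
    0x80090311: ("SEC_E_NO_AUTHENTICATING_AUTHORITY",
                 "no DC reachable: _ldap._tcp.dc._msdcs SRV records, site link/VPN; rejoin if it persists"),
    0xC00000E5: ("STATUS_INTERNAL_ERROR",
                 "internal error: SPNs and _sites SRV records of the DC/RODC the client picked"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT",  # value not on the page; standard NTSTATUS
                 "lockout: saved creds, mapped drives, services, app pools, tasks, suspended VMs, phones"),
}

def parse_spn(spn):
    """Split 'class/host[/instance][@REALM]' into its parts."""
    name, _, realm = spn.partition("@")
    parts = name.split("/")
    return {"class": parts[0].lower(), "host": parts[1].lower() if len(parts) > 1 else None,
            "realm": realm.upper() or None}

def parse_event(message):
    """Return a triage record for one 40960 message, or None if it is not one."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    text = m.group("text").strip()
    cm = CODE_RE.search(text)
    code = int(cm.group(1), 16) if cm else None
    if code is None and "locked" in text.lower():
        code = 0xC0000234  # the blog post quotes the lockout text without its code
    status, hint = TRIAGE.get(code, ("UNKNOWN", "look up the NTSTATUS/HRESULT value"))
    rec = parse_spn(m.group("spn"))
    rec.update(spn=m.group("spn"), code=code, status=status, hint=hint)
    return rec

def triage(messages):
    """Parse a batch of event messages, dropping anything that is not a 40960."""
    return [r for r in map(parse_event, messages) if r]

# Constructed sample: the messages quoted in the threads above, as the System log shows them.
SAMPLE_EVENTS = [
    "The Security System detected an authentication error for the server "
    "ldap/DC1.contoso.com/contoso.com@contoso.com. The failure code from authentication protocol "
    "Kerberos was \"The network logon failed. This may be because the validation authority "
    "can't be reached. (0xc0000190)\".",
    "The Security System detected an authentication error for the server "
    "LDAP/prod01.xyz.com/prod.xyz.com@PROD.XYZ.COM. The failure code from authentication protocol "
    "Kerberos was \"The attempted logon is invalid. This is either due to a bad username or "
    "authentication information. (0xc000006d)\".",
    "The Security System detected an authentication error for the server cifs/server02. The failure "
    "code from authentication protocol Kerberos was \"No authority could be contacted for "
    "authentication. (0x80090311)\".",
    "The Security System detected an authentication error for the server LDAP. The failure code "
    "from authentication protocol Kerberos was \"The user account has been automatically locked "
    "because too many invalid logon attempts or password change attempts have been requested.\"",
]
```

Feeding the System log's 40960 messages through triage() and grouping on host and status separates a site-link or DNS outage (every target failing with 0x80090311 at once) from a single broken machine account or trust.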
