After I replaced my Windows 2003 Domain Controllers for fresh new Windows 2008 R2 domain controllers, I was starting to have problems at my remote offices.
In the eventlog on my remote pc’s, I found the following events:
Event ID: 40960
Source: LsaSrv
Type: Warning
Category: SPNEGO (Negotiator)
Description: The Security System detected an attempted downgrade attack for server . The failure code from authentication protocol Kerberos was “There are currently no logon servers available to service the logon request. (0xc000005e)”.
Event ID: 40691
Type: Warning
Source: LSASRV
Category: SPNEGO (Negotiator)
Description:
The Security System could not establish a secured connection with the server ldap/SERVERNAME.DOMAINNAME.net. No authentication protocol was available.
Several articles and posts stated that a VPN / SSL connection may hinder the Kerberos protocol from successfully authenticating to the domain controller / global catalog server.
However, all suggestions led to nothing. At the end, the Netlogon debug mode helped me out. To enable the Netlogon Debug Mode, I created the following key on your client computer:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
“DBFlag”=dword:2080ffff (hexadecimal value)
Then open a cmd and type net stop netlogon && net start netlogon to enable the debugging mode. The Debug logging writes to C:\Windows\Debug\netlogon.log
In the netlogon.log, I found that my client on the remote location could not authenticate with Kerberos and tried to fallback to NTLM. Since Windows 2008 R2 does not have NTLM enabled by default, the authentication consequently failed.
Referring back to the VPN / SSL connection: Kerberos uses UDP and this is known to be unreliable through VPN tunnels.
Therefor, I had to force the authentication to use TCP, using the following registry key on the client:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
“MaxPacketSize”=dword:00000001
Done! The LSASRV error did not occur no more in my eventviewer and the logon speed was back to 30 secondes.