Article ID: 891559 - Last Review: February 8, 2007 - Revision: 1.7

You cannot access resources after you install Security Bulletin MS04-011 or Windows XP Service Pack 2

View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

After you install Microsoft Security Bulletin MS04-011 or Microsoft Windows XP Service Pack 2 (SP2) on your computer, you experience problems accessing resources in a domain when no domain controller is available. This issue occurs when you try to access a Distributed File System (DFS) share in an untrusted domain. In a Network Monitor trace, you will see the error STATUS_DOWNGRADE_DETECTED. When you try to connect to resources, you cannot gain access, and the System event log contains the following events:


Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
User: N/A
Computer: <computer>
Description: The Security System could not establish a secured connection with the server <service>/<server name>. No authentication protocol was available.


Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
User: N/A
Computer: <computer>
Description: The Security System detected an authentication error for the server <service>/<server name>. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e).

Back to the top

CAUSE

In Microsoft Security Bulletin MS04-011, which is also included in Windows XP SP2, there is a change in the Kerberos authentication. It no longer allows for a fallback to NTLM when a domain controller cannot be accessed. If you cannot contact a Key Distribution Center (KDC), you cannot connect to resources.
Back to the top

WORKAROUND

To access a DFS share resource, you can use either of the following methods:
  • You can log on to the system with a local account.
  • You can make a domain controller available to the computer.

Note You install Security Bulletin MS04-011or Windows XP SP2 so that the domain member computers are more secure because the new authentication protocols (Kerberos) are more secure. For example, Kerberos offers mutual authentication.
Back to the top

MORE INFORMATION

For more information about DFS, click the following article number to view the article in the Microsoft Knowledge Base:
812487  (http://support.microsoft.com/kb/812487/ ) Overview of DFS in Windows 2000


For additional information about Network Monitor, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms709669.aspx (http://msdn2.microsoft.com/en-us/library/ms709669.aspx)


For additional information about Security Bulletin MS04-011, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx)
Back to the top
APPLIES TO
  • Microsoft Windows XP Service Pack 2
Back to the top
Keywords: 
kbsecurity kbprb KB891559
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations