After you install Microsoft Security Bulletin MS04-011 or Microsoft Windows XP Service Pack 2 (SP2) on your computer, you experience problems accessing resources in a domain when no domain controller is available. This issue occurs when you try to access a Distributed File System (DFS) share in an untrusted domain. In a Network Monitor trace, you will see the error STATUS_DOWNGRADE_DETECTED. When you try to connect to resources, you cannot gain access, and the System event log contains the following events:
Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40961 User: N/A Computer: <computer> Description: The Security System could not establish a secured connection with the server <service>/<server name>. No authentication protocol was available.
Event Type: Warning Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40960 User: N/A Computer: <computer> Description: The Security System detected an authentication error for the server <service>/<server name>. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e).
In Microsoft Security Bulletin MS04-011, which is also included in Windows XP SP2, there is a change in the Kerberos authentication. It no longer allows for a fallback to NTLM when a domain controller cannot be accessed. If you cannot contact a Key Distribution Center (KDC), you cannot connect to resources.
To access a DFS share resource, you can use either of the following methods:
You can log on to the system with a local account.
You can make a domain controller available to the computer.
Note You install Security Bulletin MS04-011or Windows XP SP2 so that the domain member computers are more secure because the new authentication protocols (Kerberos) are more secure. For example, Kerberos offers mutual authentication.
For more information about DFS, click the following article number to view the article in the Microsoft Knowledge Base: