Events 1925, 1006, 1645, 1055, 40961 on a Windows Server 2008-based domain controller or authentication errors

Symptoms

In Windows Vista or later, you receive the following error message when you try to use Remote Desktop Connection to connect to another Windows Vista-based or later computer. Or, on a computer that is running Windows Vista or later together with Hyper-V RSAT tools, you may receive the following error when you use VMConnect or Remote Desktop Connection to connect to a Hyper-V guest computer:
No authority could be contacted for authentication. For assistance, contact your system administrator or technical support.
And you receive the following error message when you use the System Center Virtual Machine Manager Admin Console to connect to a Hyper-V virtual machine:
An authentication error has occurred (Code: 0x80090303).
A similar class of problem can happen when you have an application communicating between Windows Vista or later computers using DCOM. The application may encounter an error like:

The file is not valid for the following reason: a security package specific error occurred (Code: 80070721).

These problems occur if the following conditions are true:
  • You try to connect by using a fully qualified domain name (FQDN) or a NetBIOS name.
  • Both computers are in a Windows Server 2003-based domain.
  • You have performed an authoritative restoration on the Users container in the Active Directory directory service.
If Windows Server 2008 domain controllers exist in the domain, Active Directory replication and Group Policy refresh may fail. Additionally, you may receive the following event log messages:

WMI: Namespaces from a remote computer cannot be listed. You may encounter this situation when you use wmimgmt.msc to "connect to remote computer" and you select Properties and then Security. "Root" will not expand to show available namespaces.

When you use Hyper-V Remote Management, the Hyper-V management console stops responding when you try to create a fixed-size virtual hard drive (VHD) on a remote Hyper-V server.

Note These problems do not occur if one of the following conditions is true:
  • You connect by using the IP address of the remote computer and by using a local user account on the remote computer.
  • You connect from a Windows XP-based computer to a Windows Vista-based computer.
  • You connect from a Windows Vista-based computer to a Windows XP-based computer.

Cause

These problems occur because the version number of the KRBTGT account increases when you perform an authoritative restoration. The KRBTGT account is a service account that is used by the Kerberos Key Distribution Center (KDC) service.

Resolution

To resolve this problem, apply this hotfix to all the Windows Server 2003-based domain controllers in the domain. This hotfix prevents the problem before you perform an authoritative restoration. This hotfix also fixes the problem when you have already performed an authoritative restoration.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:

Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have Windows Server 2003 Service Pack 2 installed.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Server 2003 with Service Pack 2, x86-based versions
File name    File version     File size    Date           Time     Platform
Samsrv.dll   5.2.3790.4250    454,656      11-Mar-2008    06:55    x86

Windows Server 2003 with Service Pack 2, x64-based versions
File name    File version     File size    Date           Time     Platform
Samsrv.dll   5.2.3790.4250    1,059,328    11-Mar-2008    09:39    x64

Windows Server 2003 with Service Pack 2, Itanium-based versions
File name    File version     File size    Date           Time     Platform
Samsrv.dll   5.2.3790.4250    1,140,224    11-Mar-2008    09:37    IA-64

Workaround

To work around this problem, disable the new Remote Desktop Protocol (RDP) authentication functionality that Windows Vista provides. To do this, follow these steps:
  1. Click Start, type mstsc.exe in the Start Search box, and then press ENTER.
  2. Click Options.
  3. On the General tab, click Save As.
  4. In the Save As dialog box, specify a location and a name for the file, and then click OK.

    Note The saved file will have the .rdp file name extension.
  5. Click Start, type notepad in the Start Search box, and then press ENTER.
  6. In Notepad, open the file that you saved in step 4.
  7. Locate the line that resembles the following:
    authentication level:i:x
    Note The x placeholder represents the current authentication level.
  8. Change the authentication level to 0 so that the line becomes the following:
    authentication level:i:0
    Note When you set the authentication level to 0, RDP 6.0 does not check for server authentication.
  9. Add the following line to the end of the file:
    enablecredsspsupport:i:0
    Note When this line is present, users do not have to enter credentials before they establish a remote desktop connection.
  10. Save the file.
  11. To connect by using Remote Desktop Connection, run the file that you saved in step 10.
Note After you follow these steps, RDP 6.0 becomes incompatible with Windows Vista-based computers that have the Allow connections only from computers running Remote Desktop with Network Level Authentication option enabled in the system properties.
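
The workaround leaves .rdp files on disk that skip server authentication and CredSSP, so they are worth finding and reverting once the hotfix is installed on every domain controller. The following PowerShell is an added example, not part of the Microsoft article; the function name Get-RdpWorkaroundSetting and the sample files are constructed for illustration.

```powershell
# Added example, not part of the KB article. Get-RdpWorkaroundSetting is a hypothetical name.
function Get-RdpWorkaroundSetting {
    param([Parameter(Mandatory = $true)][string]$Path)

    Get-ChildItem -Path $Path -Filter *.rdp -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $settings = @{}
            # Get-Content detects a UTF-16 byte-order mark, so Unicode-encoded .rdp files parse correctly
            foreach ($line in Get-Content -LiteralPath $file.FullName) {
                # Each setting is one line of the form name:type:value
                if ($line -match '^\s*([^:]+):([a-z]):(.*)$') {
                    $settings[$Matches[1].Trim()] = $Matches[3].Trim()
                }
            }
            # The two values that steps 8 and 9 of the workaround write
            $noServerAuth = $settings['authentication level'] -eq '0'
            $noCredSsp    = $settings['enablecredsspsupport'] -eq '0'
            if ($noServerAuth -or $noCredSsp) {
                [pscustomobject]@{
                    File               = $file.FullName
                    ServerAuthDisabled = $noServerAuth
                    CredSspDisabled    = $noCredSsp
                }
            }
        }
}

# Constructed sample data: one file edited as in the workaround, one that was not.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'rdp-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'workaround.rdp') -Encoding Unicode -Value @(
    'full address:s:server1.contoso.com'
    'authentication level:i:0'
    'enablecredsspsupport:i:0'
)
Set-Content -LiteralPath (Join-Path $demo 'unchanged.rdp') -Encoding Unicode -Value @(
    'full address:s:server1.contoso.com'
    'authentication level:i:2'
)

# Only workaround.rdp is reported; point -Path at a profile or share to audit real files.
Get-RdpWorkaroundSetting -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

For each reported file, restore the authentication level value noted in step 7 and delete the enablecredsspsupport line added in step 9.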

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

You need to deploy this hotfix to all Windows Server 2003 domain controllers in the domains where the Users container was restored.

This hotfix package also resolves the following issues:
  • Hyper-V VM connection issue as described in KB961723.
    For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    961723 Connection to a Virtual Machine running in Hyper-V fails

  • Hyper-V Remote Management: Hyper-V Manager UI hangs when it tries to create a fixed-size VHD on a remote Hyper-V Server.
  • The Root folder in the Security tab cannot be expanded to show available namespaces after you use the Wmimgmt.msc tool to connect to a remote computer.
  • Offer Remote Assistance fails between Windows 7 computers, and you receive the following error in System Log:
    DCOM got error "%2147746132" from the computer COMPUTERNAME when attempting to activate the server: {833E4010-AFF7-4AC3-AAC2-9F24C1457BCE}
  • When you use System Center Virtual Machine Manager 2012 Service Pack 1 or Virtual Machine Manager 2012 R2 in an environment that has domain controllers running Windows Server 2003, you may see the following error in Virtual Machine Manager when Hyper-V hosts are refreshed:
    cs(3148) 0x00000000 Retrieving underlying WMI error to throw. Got string "<f:WSManFault xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault" Code="1311" Machine="VMM.CONTOSO.COM"><f:Message>There are currently no logon servers available to service the logon request. </f:Message></f:WSManFault>" {00000000-0000-0000-0000-000000000000}
    66 02:49:53.843 08-27-2013 0x0950 0x115C WsmanAPIWrapper.cs(3148) 0x00000000 System.Runtime.InteropServices.COMException (0x8007051F): There are currently no logon servers available to service the logon request.
    ...
    67 02:49:53.846 08-27-2013 0x0950 0x115C VmRefresher.cs(200) 0x00000000 This is a transient wsman exception and we will ignore it. Host SERVER1.CONTOSO.COM {00000000-0000-0000-0000-000000000000}
    68 02:49:53.848 08-27-2013 0x0950 0x115C VmRefresher.cs(200) 0x00000000 Microsoft.Carmine.WSManWrappers.WSManProviderException: VMM is unable to complete the requested operation because there are no logon servers available.
    Ensure that the domain controller is up and running and that you have access to it. ---> System.Runtime.InteropServices.COMException: There are currently no logon servers available to service the logon request.
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Properties

Article ID: 939820 - Last Review: 11/02/2014 - Revision: 1
