No authority could be contacted for authentication

RRAS, VPN, TS/RDP, Routing and remote Access.

Postby guest » Sun Jul 12, 2009 8:11 pm

Situation:

1. You try to connect by using a fully qualified domain name (FQDN) or a NetBIOS name.
2. Both computers are in a Windows Server domain.
3. You have performed an authoritative restoration on the Users container in the Active Directory directory service or changed the username.
4. Active Directory replication and Group Policy refresh may fail.
5. You receive Event ID 40961

Log Name: System
Source: LsaSrv
Date: Date
Event ID: 40961
Task Category: (3)
Level: Warning
Computer: ComputerName
Description: The Security System could not establish a secured connection with the server ServerName. No authentication protocol was available.

6. You receive Event ID 1006

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: Date
Event ID: 1006
Level: Error
User: SYSTEM
Description: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed).

7. You may receive Event ID 1055

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: Date
Event ID: 1055
Task Category: None
Level: Error
User: SYSTEM
Description: The processing of Group Policy failed. Windows could not resolve the computer name.

8. You may receive Event ID 1925

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: Date
Event ID: 1925
Task Category: Knowledge Consistency Checker
Level: Warning
User: ANONYMOUS LOGON
Computer: ComputerName
Description:
The attempt to establish a replication link for the following writable directory partition failed.

Directory partition:
CN=Schema,CN=Configuration,DC=Namespace,DC=Namespace
Source directory service:
CN=NTDS Settings,CN=DomainController,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=Namespace,DC=Namespace
Source directory service address:
Address

This directory service will be unable to replicate with the source directory service until this problem is corrected.
Error value:
1396 Logon Failure: The target account name is incorrect.

9. You may receive Event ID 1645

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: Date
Event ID: 1645
Task Category: DS RPC Client
Level: Error
User: ANONYMOUS LOGON
Computer: ComputerName
Description: Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.

WMI: Namespaces from a remote computer cannot be listed. You may encounter this situation when you use wmimgmt.msc to "connect to remote computer" and you select Properties and then Security. "Root" will not expand to show available namespaces.

When you use Hyper-V Remote Management, the Hyper-V management console stops responding when you try to create a fixed-size virtual hard drive (VHD) on a remote Hyper-V server.

Note: These problems do not occur if one of the following conditions is true:

* You connect by using the IP address of the remote computer and by using a local user account on the remote computer.
* You connect from a Windows XP-based computer to a Windows Vista-based computer.
* You connect from a Windows Vista-based computer to a Windows XP-based computer.

Resolutions: These problems occur because the version number of the KRBTGT account increases when you perform an authoritative restoration. The KRBTGT account is a service account that is used by the Kerberos Key Distribution Center (KDC) service.

To work around this problem, disable the new Remote Desktop Protocol (RDP) authentication functionality that Windows Vista provides by following this link: Disable RDP authentication functionality that Windows Vista - http://www.chicagotech.net/netforums/vi ... f=2&t=6860

To work around the Windows Server 2008 Domain Controller problem temporarily, follow these steps:

1. Click Start, type services.msc in the Start Search box, and then press ENTER.
2. In the list of services, double-click Kerberos Key Distribution Center.
3. In the Startup type list, click Disabled, click Stop, click Apply, and then click OK.
4. Close the Services MMC snap-in, and then restart the domain controller.

Note: This workaround prevents the Windows Server 2008 domain controller from acting as a Kerberos KDC. Use this workaround only until the hotfix can be applied to all Windows Server 2003 domain controllers.

Or download the hotfix from Microsoft: http://support.microsoft.com/kb/939820/en-us?sd=gn
guest
 
Posts: 9578
Joined: Mon Nov 27, 2006 1:10 pm
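
The event signatures listed in the post above can be collected in one pass. This is an added example, not part of the original post: the function name `Get-AuthFailureEvents` is hypothetical, and it assumes an elevated PowerShell session on the affected machine and that each event's ProviderName contains the Source string quoted in the post.

```powershell
# Added example. The (log, source, event ID) triples are the ones quoted in the post.
$signatures = @(
    @{ Log = 'System';            Source = 'LsaSrv';                                         Id = 40961 }
    @{ Log = 'System';            Source = 'Microsoft-Windows-GroupPolicy';                  Id = 1006  }
    @{ Log = 'System';            Source = 'Microsoft-Windows-GroupPolicy';                  Id = 1055  }
    @{ Log = 'Directory Service'; Source = 'Microsoft-Windows-ActiveDirectory_DomainService'; Id = 1925  }
    @{ Log = 'Directory Service'; Source = 'Microsoft-Windows-ActiveDirectory_DomainService'; Id = 1645  }
)

function Get-AuthFailureEvents {
    param([int]$Hours = 24)

    $since = (Get-Date).AddHours(-$Hours)

    # One query per log. The Directory Service log exists only on domain
    # controllers, and Get-WinEvent raises an error when nothing matches,
    # so both cases are silenced and simply yield no rows.
    foreach ($group in ($signatures | Group-Object { $_.Log })) {
        $ids = $group.Group | ForEach-Object { $_.Id }
        Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = $group.Name
            Id        = $ids
            StartTime = $since
        } | Where-Object {
            # Event IDs are reused across providers, so keep only events
            # whose provider matches the source named for that ID.
            $evt = $_
            $group.Group | Where-Object {
                $_.Id -eq $evt.Id -and $evt.ProviderName -like "*$($_.Source)*"
            }
        }
    }
}

# Summarise: how many of each signature, and when it was last seen.
Get-AuthFailureEvents -Hours 48 |
    Group-Object Id, ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } }
```

An empty result means none of the listed signatures were logged in the window; on a member server only the three System-log signatures can appear.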

Re: No authority could be contacted for authentication

Postby blin » Fri Nov 11, 2011 12:04 pm

In our case, the problem is that the DC doesn't have sysvol and netlogon shared out. These links may help too:

Event ID 40961 - The Security System could not establish a secured connection with the server ldap/Computername.domain.com. No authentication protocol was available - http://www.chicagotech.net/troubleshoot ... 040961.htm
blin
Site Admin
 
Posts: 2790
Joined: Wed Dec 31, 1969 7:00 pm
Location: Chicago, USA

Re: No authority could be contacted for authentication

Postby blin » Fri Nov 11, 2011 12:06 pm

The cause of the error was simply that there was no reverse lookup zone configured on their internal DNS server.

Remember, a quick check from a client by running "nslookup" from a command prompt and seeing a timeout error will also point immediately to a missing reverse DNS lookup zone.

Once the zone has been created, it may be worth doing the following on your DCs (if you can't afford a reboot and have a small environment):
- ipconfig /registerdns
- net stop netlogon followed immediately by net start netlogon
blin
Site Admin
 
Posts: 2790
Joined: Wed Dec 31, 1969 7:00 pm
Location: Chicago, USA
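
The two causes reported in the replies above (SYSVOL/NETLOGON not shared, and no reverse lookup zone) can be checked together on a domain controller. This is an added example, not part of the original posts: the function names are hypothetical, and it assumes Windows Server 2012 or later (for `Get-CimInstance` and `Resolve-DnsName`) and IPv4 addressing.

```powershell
# Added example; run in an elevated PowerShell session on the domain controller.

function Test-DcShares {
    # A healthy DC shares both SYSVOL and NETLOGON.
    $shared = (Get-CimInstance -ClassName Win32_Share).Name
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        [pscustomobject]@{
            Check  = "Share $name"
            Ok     = $shared -contains $name
            Detail = ''
        }
    }
}

function Test-ReverseLookup {
    param([string[]]$IPv4Address)

    foreach ($ip in $IPv4Address) {
        # Build the PTR owner name by hand: 10.1.2.3 -> 3.2.1.10.in-addr.arpa
        $octets = $ip.Split('.')
        [array]::Reverse($octets)
        $ptrName = ($octets -join '.') + '.in-addr.arpa'

        # -DnsOnly keeps LLMNR/NetBIOS from masking a missing reverse zone.
        $answer = Resolve-DnsName -Name $ptrName -Type PTR -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'PTR' }

        [pscustomobject]@{
            Check  = "PTR for $ip"
            Ok     = [bool]$answer
            Detail = ($answer.NameHost -join ', ')
        }
    }
}

# Check every IPv4 address this DC resolves to.
$ips = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString }

@(Test-DcShares) + @(Test-ReverseLookup -IPv4Address $ips) | Format-Table -AutoSize
```

A `False` on a PTR row after the reverse zone has been created is the case where `ipconfig /registerdns` and the netlogon restart from the post apply.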
