You cannot access resources after you install Security Bulletin MS04-011 or Windows XP Service Pack 2 (891559)


The information in this article applies to:

  • Microsoft Windows XP Service Pack 2

SYMPTOMS

After you install Microsoft Security Bulletin MS04-011 or Microsoft Windows XP Service Pack 2 (SP2) on your computer, you experience problems accessing resources in a domain when no domain controller is available. This issue occurs when you try to access a Distributed File System (DFS) share in an untrusted domain. In a Network Monitor trace, you will see the error STATUS_DOWNGRADE_DETECTED. When you try to connect to resources, you cannot gain access, and the System event log contains the following events:
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
User: N/A
Computer: <computer>
Description: The Security System could not establish a secured connection with the server <service>/<server name>. No authentication protocol was available.

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
User: N/A
Computer: <computer>
Description: The Security System detected an authentication error for the server <service>/<server name>. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e).

CAUSE

In Microsoft Security Bulletin MS04-011, which is also included in Windows XP SP2, there is a change in the Kerberos authentication. It no longer allows for a fallback to NTLM when a domain controller cannot be accessed. If you cannot contact a Key Distribution Center (KDC), you cannot connect to resources.

WORKAROUND

To access a DFS share resource, you can use either of the following methods:
  • You can log on to the system with a local account.
  • You can make a domain controller available to the computer.

Note You install Security Bulletin MS04-011or Windows XP SP2 so that the domain member computers are more secure because the new authentication protocols (Kerberos) are more secure. For example, Kerberos offers mutual authentication.

MORE INFORMATION

For more information about DFS, click the following article number to view the article in the Microsoft Knowledge Base:

812487 Overview of DFS in Windows 2000



For additional information about Network Monitor, visit the following Microsoft Web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmon/netmon/using_network_monitor_2_0.asp



For additional information about Security Bulletin MS04-011, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Modification Type:MinorLast Reviewed:7/8/2005
Keywords:kbSecurity kbprb KB891559 kbAudEndUser
©2004 Microsoft Corporation. All rights reserved.