Microsoft KB Archive/891559

= You cannot access resources after you install Security Bulletin MS04-011 or Windows XP Service Pack 2 =

Article ID: 891559

Article Last Modified on 2/8/2007

-

APPLIES TO


 * Microsoft Windows XP Service Pack 2

-





SYMPTOMS
After you install Microsoft Security Bulletin MS04-011 or Microsoft Windows XP Service Pack 2 (SP2) on your computer, you experience problems accessing resources in a domain when no domain controller is available. This issue occurs when you try to access a Distributed File System (DFS) share in an untrusted domain. In a Network Monitor trace, you will see the error STATUS_DOWNGRADE_DETECTED. When you try to connect to resources, you cannot gain access, and the System event log contains the following events:

Event Source: LSASRV

Event Category: SPNEGO (Negotiator)

Event ID: 40961

User: N/A

Computer:

Description: The Security System could not establish a secured connection with the server /. No authentication protocol was available.

Event Type: Warning

Event Source: LSASRV

Event Category: SPNEGO (Negotiator)

Event ID: 40960

User: N/A

Computer:

Description: The Security System detected an authentication error for the server /. The failure code from authentication protocol Kerberos was &quot;There are currently no logon servers available to service the logon request. (0xc000005e).



CAUSE
In Microsoft Security Bulletin MS04-011, which is also included in Windows XP SP2, there is a change in the Kerberos authentication. It no longer allows for a fallback to NTLM when a domain controller cannot be accessed. If you cannot contact a Key Distribution Center (KDC), you cannot connect to resources.



WORKAROUND
To access a DFS share resource, you can use either of the following methods:
 * You can log on to the system with a local account.
 * You can make a domain controller available to the computer.

Note You install Security Bulletin MS04-011or Windows XP SP2 so that the domain member computers are more secure because the new authentication protocols (Kerberos) are more secure. For example, Kerberos offers mutual authentication.



MORE INFORMATION
For more information about DFS, click the following article number to view the article in the Microsoft Knowledge Base:

812487 Overview of DFS in Windows 2000

For additional information about Network Monitor, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms709669.aspx

For additional information about Security Bulletin MS04-011, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Additional query words: MS04-011

Keywords: kbsecurity kbprb KB891559

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.