Well, Event ID had this to say:

Toddler

Event ID: 40960
Source: LsaSrv
Type: Error
Description: The Security System detected an attempted downgrade attack for
server <server name>. The failure code from authentication protocol Kerberos
was "There are currently no logon servers available to service the logon
request. (0xc000005e)".
Comments:

Ionut Marin (Last update 8/20/2003):
This can also occur if the File Replication Service (Ntfrs.exe) tries to
authenticate before the directory service has started. See Q824217 to
troubleshoot this problem. Also seeing the Kerberos FAQ might be of some
help.

Adrian Grigorof (Last update 8/5/2003): 
From a newsgroup post: "An authenticated connection was requested but the
negotiation to find a mutually agreeable security provider (SPNEGO) failed."

As per Q823712, on a Windows 2003 server, this behavior occurs when you
restart the server that was promoted to a domain controller. In this
scenario, the Windows Time service (W32Time) tries to authenticate before
Directory Services has started. There are no adverse effects on computers
that experience the warning events that are described in the "Symptoms"
section.

Vazy Gee (Last update 8/5/2003): 
I had this event for users who were connecting to our RRAS service. The end user
could connect to RRAS and could ping hosts, nslookup hosts, tracert, etc...
However, when the user tried to access any network resources in our Windows
2003 Active Directory that actually required authentication, it would fail.
After a support call with Microsoft, it was determined that somewhere
between his home machine and our RRAS server, the Kerberos UDP packets were
being fragmented, hence any authentication was failing (recall he could
ping, nslookup, etc). We set the following reg key to a value of 1 to force
Kerberos authentication to use TCP instead of UDP and everything worked
perfectly.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize=1

Note: On his XP Professional w/SP1 client, I had to create the Parameters
subkey and MaxPacketSize DWORD value manually.

See Q244474.

Greg Martin 
Had this on a WinXP workstation which could no longer access domain
resources. The fix was changing the DNS settings to point to a Win2k DNS
which was tied into Active Directory. Apparently the workstation could no
longer locate SRV records for the Kerberos authentication server. These
records were not in our UNIX DNS but were in the Win2k DNS. Related
directly to Event 40961 - LsaSrv.

Anonymous 
In our case, one of our customers reports that they are periodically seeing
slow logon times (defined as the time between entering the password and
hitting enter on the "Log on to Windows" screen and the disappearing of
that screen), sometimes 1-3 minutes on Windows XP SP1. Windows 2000 Pro
computers are unaffected. The domain these computers are logging onto is a
Windows 2000 AD Native Mode Domain with AD Integrated DNS zones. Checking
the event log of a machine reveals these 40960 errors in the system log.

Solution: User Logon Failures must be enabled.
By looking at the logon failure audit event logged at the same time as the
SPNEGO event, more information about the logon failure can be obtained.
Windows XP performs a reverse lookup on the DNS Server it is configured for
as part of its own blackhole router detection. In the case where the DNS
Server used does not have the Reverse Lookup Zone and/or no PTR Record for
their DNS Server, the request gets forwarded out to the Internet. 

The response comes back with one of the following server names:
prisoner.iana.org
blackhole-1.iana.org
blackhole-2.iana.org

These servers own the public PTR records for the 192.168.x.x zones. Since
they have no record of your DNS Server, they reply with a "Server does not
exist" reply, which causes LSASRV to log the error.

Solution: On the local DNS Server, create a Reverse Lookup Zone, and enter a
record for your DNS Server.

Another case: The client was pointed to the ISP's DNS servers which contained
a zone for the customer's domain. We removed the External DNS server
addresses and ensured that DHCP was only assigning the Internal DNS server
address. For testing we manually configured the DNS server address on a
workstation which overrides the DHCP values. We can reference the following
Knowledge Base Articles - Q291382 Frequently Asked Questions About Windows
2000 DNS.

Another case: Check the time on the workstation. Ensure that the day, time,
time zone, AM/PM, and year are correct. In my case the year was incorrect;
everything else was correct.

Last case: In this situation they actually were not authenticating to the
DC. They were being logged in with cached credentials.

Links: Q291382, Q244474, Q823712, Q824217, Kerberos FAQ
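A diagnostic that checks the conditions the comments above tie to this event (added here; it is not from the thread or from EventID.net): the KDC SRV records, a PTR record for each configured DNS server and whether that reverse lookup leaks to the IANA blackhole servers, the MaxPacketSize registry value, and the clock offset against the domain. It assumes Windows 8/Server 2012 or later for Resolve-DnsName and Get-DnsClientServerAddress; the function name is my own.

```powershell
# Added diagnostic, not from the thread. Checks the conditions the comments
# above associate with Event 40960. Assumes Windows 8/2012+ (Resolve-DnsName,
# Get-DnsClientServerAddress); the function name Test-Event40960Prereqs is mine.
function Test-Event40960Prereqs {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string[]]$DnsServer = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Select-Object -ExpandProperty ServerAddresses | Sort-Object -Unique)
    )
    $findings = @()

    # 1. KDC locator: the client must find _kerberos._tcp.<domain> SRV records.
    $srv = Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SRV'
    if (-not $srv) { $findings += "No SRV records for _kerberos._tcp.$Domain" }

    # 2. Reverse lookup of each DNS server. With no local reverse zone the query is
    #    forwarded out and answered by prisoner/blackhole-*.iana.org, the symptom
    #    described above. Walk up in-addr.arpa to see which zone answered.
    foreach ($ip in $DnsServer) {
        if (Resolve-DnsName -Name $ip -Type PTR -DnsOnly -ErrorAction SilentlyContinue) { continue }
        $labels = $ip.Split('.'); [array]::Reverse($labels)
        $zone = ($labels[1..3] -join '.') + '.in-addr.arpa'      # /24 reverse zone
        $soa = $null
        while ($zone -ne 'in-addr.arpa' -and -not $soa) {
            $soa = Resolve-DnsName -Name $zone -Type SOA -DnsOnly -ErrorAction SilentlyContinue |
                Where-Object Type -eq 'SOA' | Select-Object -First 1
            if (-not $soa) { $zone = $zone.Substring($zone.IndexOf('.') + 1) }
        }
        if ($soa -and $soa.PrimaryServer -like '*.iana.org') {
            $findings += "No PTR for DNS server $ip; lookup left the network and $zone was answered by $($soa.PrimaryServer)"
        } elseif ($soa) {
            $findings += "No PTR for DNS server $ip in reverse zone $zone (SOA $($soa.PrimaryServer))"
        } else {
            $findings += "No PTR for DNS server $ip and no reverse zone found at all"
        }
    }

    # 3. UDP fragmentation fix from the thread: MaxPacketSize=1 forces Kerberos over TCP.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $mps = (Get-ItemProperty -Path $key -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
    if ($mps -ne 1) { $findings += "MaxPacketSize is not 1 (current value: '$mps'); the comment above sets it to 1 to force TCP" }

    # 4. Clock offset against the domain; Kerberos tolerates only minutes of skew.
    $offset = w32tm /stripchart /computer:$Domain /samples:1 /dataonly 2>$null | Select-Object -Last 1
    if ($offset) { $findings += "Time offset vs ${Domain}: $offset" }
    return $findings
}
Test-Event40960Prereqs
```

Run it on the affected workstation; an empty result means none of the conditions listed in the comments applies, and each finding names the comment whose fix to try.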

-----Original Message-----
From: Barber, Thomas [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 07, 2003 12:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Attempted downgrade attack


We have been experiencing some issues with several client computers.  Most
of the time the issues revolve around users not being able to log in, with
the message coming back as "Account has been disabled."  This seems to
happen more on Windows XP Pro than Windows 2000.
 
Our environment:
 
Native mode AD
Windows 2000 Servers, no windows 2003 servers.
 
When we take a client off of the domain, then add them back on they work for
a variable amount of time, then go right back to the same message.
 
I am getting System event messages as follows:
 
Category: SPNEGO (Negotiator)
Event ID: 40960
 
Description:
The Security System detected an attempted downgrade attack for server
DOMAIN\DC1$.  The failure code from authentication protocol Kerberos was
"The referenced account is currently disabled and may not be logged on to.
(0xc0000072)".
 
The accounts I am using to log in with are NOT disabled.  I have verified
this time and again.
 
After researching on the net, I have heard that some of the issue may be
FRS.  Also, I have not seen these machines pull down new group policy in the
last day or two.
 
Has anyone had this issue?  Any thoughts on how to resolve?  Not all client
machines have the problem...just some of them.
 
Also, the above messages are usually listed three to five in a row, with
each message going to a different domain controller.
 
Any help would be greatly appreciated.  Thanks.
 
-Tom
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
