Eventid 40960 : The failure code from authentication protocol Kerberos was "No authority could be contacted for authentication from Workstation

Ranjith Dass 36 Reputation points
2020-12-16T02:15:09.623+00:00

Hi All,

We are experiencing event ID 40960 on half of our Windows 10 workstations (these workstations are spread across different sites). Though each of the sites had a local domain controller before, due to some issues these local DCs were removed, and now the workstations from these sites are connected to the main domain controller.

"The Security System detected an authentication error for the server cifs/dc04. The failure code from authentication protocol Kerberos was "No authority could be contacted for authentication. (0x80090311)".

The user can log on to the workstation, but cannot get the mapped drives working, GPOs are not getting applied, etc.

Even if we browse from these workstations to the "netlogon" folder of any of the DCs, it prompts for the user name and password.

Have tried the following and still could not get the issue resolved:

DCDIAG - no error reported from the DCs (two DCs are at the main site) - Windows 2016 DCs & DNS

nltest - no error

dns - no error

etc

From the client, I am getting the following error for nltest /dclist:

nltest /dclist:MYDC.LAZ

Get list of DCs in domain 'MYDC.LAZ' from '\LES-EXC02.MYDC.LAZ'.

Cannot DsBind to mydc.laz (\LAZ-EXC02.MYDC.LAZ).Status = 2148074320 0x80090350 SEC_E_DOWNGRADE_DETECTED.

Removed the WS from the domain and added it back

Checked the MTU size; no fragmentation at all

Checked the Tech forum and could not find a resolution relating to the fault I am facing.

Please help


Accepted answer
  1. Hannah Xiong 6,231 Reputation points
    2020-12-17T02:27:31.167+00:00

    Hello,

Thank you so much for your kind reply.

    Thanks a lot for the detailed information. As mentioned, the affected workstations are spread across different sites and now there is no DC in the sites. These workstations are connected to the main domain controller.

    So we are wondering whether the workstations in the main site have the same issue. We would like to know whether only the workstations in other different sites where there is no DC have this issue.

Actually the issue is a little special, and I have researched it but failed to find the proper solution currently. Below are cases with the same error; we could kindly check whether they help.

    https://social.technet.microsoft.com/Forums/lync/en-US/4d3c11e4-7b41-4fed-8ee2-4cfe402b424a/slow-network-logon-at-remote-site?forum=winserverDS

    https://learn.microsoft.com/en-us/answers/questions/34899/cannot-access-on-prem-file-shares-from-azure-vm.html

    https://social.technet.microsoft.com/Forums/en-US/ce977f14-3bba-48e1-8a14-2a9499efa4f6/pcs-in-branch-site-intermmitently-switch-to-public-network?forum=winserver8gen

    https://forums.overclockers.com.au/threads/windows-authentication-issue-over-cisco-vpn.952235/

The cases are a little different from ours. We could kindly check them and hope they give us some inspiration.

    Thank you so much for your understanding and support.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


2 additional answers

  1. Hannah Xiong 6,231 Reputation points
    2020-12-16T07:36:18.167+00:00

    Hello,

    Thank you so much for posting here.

    To further troubleshoot, we would like to collect more information from you:

    1, How many Sites and Domain Controllers?
    2, "DCDIAG - no error reported from the DC's ( two DC's are at the main site) - Windows 2016 DC's & DNS"

    Have we checked the dcdiag report of all the DCs? We could run the command below to check all the DCs.
    dcdiag /v /e>c:\dcdiag.txt

    3, Please also run the command below to check AD replication.
    Repadmin /showrepl * /csv >c:\showrepl.csv

    4, When we run "nltest /dclist:domain.com", there is an error. Please run the command below on the client and then tell us the output:
    nltest /sc_verify:domain.com


    5, As mentioned, "The user can log on to the workstation , but unable to get the mapped drives workings , GPO not getting applied etc."

    If we run "gpupdate /force" on the client, are there any error messages?

    6, Have we tried disjoining and then re-joining the domain? If so, did it solve this issue?

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong



  2. Hannah Xiong 6,231 Reputation points
    2020-12-16T09:44:49.443+00:00

    Hello,

    Thank you so much for your kind reply.

    Make sure the client machines point ONLY to your internal DNS servers.

    Run nslookup <domain name> to check whether the domain can be resolved.
    Run ping <IP address of DNS server> and ping <FQDN> to check whether the client can reach DNS.
    Run ping <domain name> to check whether the client can reach the domain.


    It seems that the client could not access the shared folder. We are wondering whether the users log on to the Windows domain using cached account information. Logon information for domain accounts can be cached locally so that, if a domain controller cannot be contacted on subsequent logons, a user can still log on. So were the clients connected to the domain network when the users logged on to the workstations?

    Did we access the Netlogon shared folder via \\hostname\Netlogon, \\domain name\Netlogon or \\IP address of the DC\Netlogon? Normally it can be accessed via \\hostname\Netlogon and \\domain name\Netlogon, as shown below. If accessing via IP address, it will prompt for a user name and password. Even though we enter the credentials, it still cannot be accessed.

    [screenshot of the Netlogon share opening via hostname and domain name; image not reproduced]

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

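The DNS, DC locator, secure-channel and event-log checks requested in the two replies above, gathered into one client-side triage script. This is an added example, not code from the thread; $Domain is a placeholder for the AD DNS domain, and the System-log provider name LsaSrv for Event ID 40960 is taken from standard Windows logging.

```powershell
# Added client-side triage for Event ID 40960 / "No authority could be contacted".
# Run in an elevated PowerShell on an affected Windows 10 workstation.
# $Domain is a placeholder; replace it with your AD DNS domain name.
param([string]$Domain = 'corp.example')

# 1. DNS client settings: every adapter should point ONLY at internal DNS/DCs.
Write-Host "== DNS servers configured on this client ==" -ForegroundColor Cyan
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. DC locator records: the Kerberos client finds a KDC via these SRV records.
#    If this lookup fails, the client cannot locate any DC and 0x80090311 follows.
Write-Host "== DC SRV records for $Domain ==" -ForegroundColor Cyan
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV'
if ($srv) { $srv | Format-Table NameTarget, Port, Priority, Weight -AutoSize }
else      { Write-Warning "No DC SRV records resolved; check the DNS servers listed above." }

# 3. Secure channel between this workstation and a DC (same check as nltest /sc_verify).
Write-Host "== Secure channel ==" -ForegroundColor Cyan
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning "Secure channel is broken. Repair with:"
    Write-Warning "  Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
}
nltest "/sc_verify:$Domain"
nltest "/dclist:$Domain"

# 4. Recent Kerberos/LSA authentication failures (Event ID 40960, System log, source LsaSrv).
Write-Host "== Event ID 40960 in the last 24 h ==" -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'LsaSrv'; Id = 40960
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

A client whose adapters list a public or ISP resolver in step 1, or that returns no SRV records in step 2, cannot find a KDC, which matches the "No authority could be contacted" text in the event.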