環境:
AD:Windows Server 2003升級Windows Server 2008 R2
客戶端:Windows 7+XP mode
故障:
AD 2003升級到2008 R2(系統升級,其他沒變),導致客戶端Windows 7內的XP mode登陸域時間過長,在XP Mode重新配置用戶配置文件,登陸正常。
在AD上看到日誌有Event 40960和40961的警告:
Event ID: 40960
Source: LsaSrv
Type: Warning
Category: SPNEGO (Negotiator)
Description: The Security System detected an attempted downgrade attack for server <server name>. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
Event ID: 40691
Type: Warning
Source: LSASRV
Category: SPNEGO (Negotiator)
Description:
The Security System could not establish a secured connection with the server ldap/xxxx.com. No authentication protocol was available.
解決方法:
在XP mode用本地管理員登陸,打開註冊表,在[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
添加DWORD,DWORD名字爲MaxPacketSize,值爲1