Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

ADFS Authentication Failure During Domain Controller Reboot; Failure Audit 500 and LSASRV 40960 logged


Symptoms

Consider the following scenario:

  • Authentication that relies on Active Directory Federation Services (ADFS) is failing.

  • You notice that one or more domain controllers are being rebooted at the time of the ADFS authentication failures.

  • The following event is logged in the System log:

    Event Type: Warning
    Event Source: LSASRV
    Event Category: SPNEGO (Negotiator)
    Event ID: 40960
    Date: 8/25/2009
    Time: 10:05:40 PM
    User: N/A
    Computer: ADFSACCOUNT
    Description:
    The Security System detected an authentication error for the server ldap/adatumdc.adatum.com/adatum.com@adatum.com.  The failure code from authentication protocol Kerberos was "The specified user does not exist. (0xc0000064)".

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 64 00 00 c0               d..À

  • When ADFS auditing is enabled, the following event will be logged in the Security log:

    Event Type:  Failure Audit
    Event Source:  ADFS Federation Service Auditor
    Event Category:  Object Access
    Event ID:  500
    User:  adatum\adfsaccount
    Computer:  ADFS1
    Description:
    Transaction ID: {03838d48-ed18-4c12-bb25-d6461ffe2736}

    A token request was received directly by the Federation Service. The request for target 'urn:federation:adatum.com' was denied, and no tokens were issued.  The request was denied because the inbound evidence could not be verified.
    Target URI: urn:federation:adatum.com 

    No resource token was issued. 

    No logon accelerator token was issued. 

    The client did not present a logon accelerator token as evidence. 

    The client credentials could not be verified because of a Lightweight Directory Access Protocol (LDAP) error.
    Account store URI: urn:federation:activedirectory
    Error code: 0xFFFFFFFF8007203A
    LDAP Server: 
    Authentication method: Windows integrated authentication
    Username: adatum\0057401 

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

For more information about configuring ADFS servers for troubleshooting, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc738766(WS.10).aspx
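The two events above are easiest to act on when they are correlated rather than read one at a time: an LSASRV 40960 carrying the Kerberos status 0xc0000064 on the ADFS server, followed within a short window by an ADFS auditor Failure Audit 500 whose LDAP error code wraps a Win32 "server is not operational" result. The following script is an added example, not part of this article or of any Microsoft tooling. It assumes the events were exported from Event Viewer as plain text in the field layout shown above, and the three sample records embedded in it are constructed (the timestamps on the 500 events are invented, since the article's sample does not show them). The constant value 8250 (0x203A, ERROR_DS_SERVER_DOWN) is taken from winerror.h.

```python
"""Correlate LSASRV 40960 with ADFS Failure Audit 500 from a text event export.

Added example for this KB article; not Microsoft code. The sample export below
is constructed so the script runs offline.
"""
import re
from datetime import datetime, timedelta

# Constructed sample export in the classic Event Viewer text layout. The Date/Time
# on the ADFS 500 records are invented for the example.
SAMPLE_EXPORT = """\
Event Type: Warning
Event Source: LSASRV
Event ID: 40960
Date: 8/25/2009
Time: 10:05:40 PM
Computer: ADFSACCOUNT
Description:
The Security System detected an authentication error for the server ldap/adatumdc.adatum.com/adatum.com@adatum.com.  The failure code from authentication protocol Kerberos was "The specified user does not exist. (0xc0000064)".

Event Type: Failure Audit
Event Source: ADFS Federation Service Auditor
Event ID: 500
Date: 8/25/2009
Time: 10:05:42 PM
Computer: ADFS1
Description:
The client credentials could not be verified because of a Lightweight Directory Access Protocol (LDAP) error.
Error code: 0xFFFFFFFF8007203A
LDAP Server:

Event Type: Failure Audit
Event Source: ADFS Federation Service Auditor
Event ID: 500
Date: 8/25/2009
Time: 11:40:00 PM
Computer: ADFS1
Description:
The client credentials could not be verified because of a Lightweight Directory Access Protocol (LDAP) error.
Error code: 0xFFFFFFFF8007203A
LDAP Server:
"""

ERROR_DS_SERVER_DOWN = 8250  # winerror.h 0x203A: "The server is not operational."
FACILITY_WIN32 = 7           # HRESULT facility used by HRESULT_FROM_WIN32()

HEADER_RE = re.compile(r"^(Event Type|Event Source|Event ID|Date|Time|Computer):\s*(.*)$")


def parse_events(text):
    """Split a text export into records; header lines become keys, the rest is description."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        ev, desc, in_desc = {}, [], False
        for line in chunk.splitlines():
            if in_desc:
                desc.append(line)
            elif line.strip() == "Description:":
                in_desc = True
            else:
                m = HEADER_RE.match(line)
                if m:
                    ev[m.group(1)] = m.group(2).strip()
        ev["description"] = "\n".join(desc)
        ev["timestamp"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events


def decode_error_code(code_text):
    """Reduce the sign-extended value ADFS logs (0xFFFFFFFF8007203A) to a 32-bit HRESULT
    and, when it wraps a Win32 error, return that Win32 code as well."""
    hresult = int(code_text, 16) & 0xFFFFFFFF
    facility = (hresult >> 16) & 0x1FFF
    win32 = hresult & 0xFFFF if facility == FACILITY_WIN32 else None
    return hresult, win32


def classify(events, window=timedelta(minutes=5)):
    """Pair each ADFS Failure Audit 500 with a preceding LSASRV 40960 (STATUS_NO_SUCH_USER)."""
    lsasrv = [e for e in events
              if e.get("Event Source") == "LSASRV" and e.get("Event ID") == "40960"
              and "0xc0000064" in e["description"].lower()]
    findings = []
    for e in events:
        if e.get("Event Source") != "ADFS Federation Service Auditor" or e.get("Event ID") != "500":
            continue
        m = re.search(r"Error code:\s*(0x[0-9A-Fa-f]+)", e["description"])
        if not m:
            continue
        _, win32 = decode_error_code(m.group(1))
        prior = [l for l in lsasrv if timedelta(0) <= e["timestamp"] - l["timestamp"] <= window]
        matches_kb = bool(prior) and win32 == ERROR_DS_SERVER_DOWN
        findings.append({
            "time": e["timestamp"],
            "win32": win32,
            "paired_with_40960": bool(prior),
            "verdict": ("stale secure channel to a rebooting DC (pattern in this article)"
                        if matches_kb else "LDAP failure, cause undetermined"),
        })
    return findings


if __name__ == "__main__":
    for f in classify(parse_events(SAMPLE_EXPORT)):
        print(f["time"], "win32=%s" % f["win32"], f["verdict"])
```

The second 500 record in the sample deliberately has no 40960 within the five-minute window, so it is reported as undetermined rather than attributed to a domain controller reboot; widen `window` if the two servers' clocks are not tightly synchronised.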



Cause

The ADFS authentication failure occurs because the Netlogon service on the ADFS server holds a secure channel with a domain controller that is being rebooted. When the ADFS authentication request is made, that domain controller cannot satisfy the request and responds with the misleading error "The specified user does not exist. (0xc0000064)". Because the secure channel does not fail over to another domain controller in a timely manner, the ADFS authentication request fails.



Resolution

Install the following hotfix on all domain controllers and member servers that may be involved in the ADFS authentication process.

942636 Windows Server 2003-based domain controllers may incorrectly return the "NO_SUCH_USER (0xc0000064)" status code in response to logon requests



Keywords: vkball, kb


Article Info
Article ID : 2002203
Revision : 1
Created on : 1/8/2017
Published on : 9/21/2009
Exists online : False