John Howard - Senior Program Manager in the Hyper-V team at Microsoft

Senior Program Manager, Hyper-V team, Windows Core Operating System Division.


Resolving Event ID 40961 LSASRV - DNS/prisoner.iana.org


This was an interesting problem I was discussing with a customer today. The customer had a concerning looking error appearing periodically in the event log:

Event ID: 40961
Source: LSASRV
Version: 5.2
Symbolic Name: NEGOTIATE_INVALID_SERVER
Message: The Security System could not establish a secured connection with the server DNS/prisoner.iana.org.  No authentication protocol was available

The concerning part of this is the word "prisoner", which may initially set alarm bells ringing in some people's minds. As it happens, this is perfectly legitimate: it is just the name of a DNS server run by iana.org.

After some diagnosis and research, I found a few articles on the Internet which relate to this problem, and found the root cause. prisoner.iana.org has a 192.x.x.x IP address. This is a big clue, as it's one of the non-routable reserved address spaces commonly used in smaller organisations. The customer's internal address space turned out to be 192.168.x.x. The cause of the error was simply that there was no reverse lookup zone configured on their internal DNS server.

Remember, a quick check from a client (running "nslookup" from a command prompt and seeing a timeout error) will also point immediately to a missing reverse DNS lookup zone.

Once the zone has been created, it may be worth doing the following on your DCs (if you can't afford a reboot and have a small environment):
- ipconfig /registerdns
- net stop netlogon followed immediately by net start netlogon
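The check and the fix described above, as an added PowerShell example that is not part of the original post. It assumes it is run elevated on a DC that also holds the DNS role, with the DnsServer and DnsClient modules available (Windows Server 2012 or later, which postdates this post), and an internal address space of 192.168.0.0/16 as in the customer's case; adjust `$InternalNetwork` and `$ReverseZone` to your own range.

```powershell
# Added example, not from the original post. Assumptions: elevated session on a
# DC/DNS server with the DnsServer and DnsClient modules; internal subnet 192.168.0.0/16.
$InternalNetwork = '192.168.0.0/16'        # assumption: the customer's address space
$ReverseZone     = '168.192.in-addr.arpa'  # reverse zone name that covers 192.168.0.0/16

# 1. Confirm the symptom: recent LSASRV 40961 events and which server names they cite
#    (for the case in the post this lists DNS/prisoner.iana.org).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'LSASRV'; Id = 40961 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object { [regex]::Match($_.Message, 'with the server (\S+?)\.?\s').Groups[1].Value } |
    Sort-Object -Unique

# 2. Reproduce the client-side check from the post: a PTR lookup for this host's own
#    internal address. A timeout or NXDOMAIN here points at the missing reverse zone.
$MyIp = (Get-NetIPAddress -AddressFamily IPv4 |
         Where-Object { $_.IPAddress -like '192.168.*' } |
         Select-Object -First 1).IPAddress
try {
    Resolve-DnsName -Name $MyIp -Type PTR -DnsOnly -ErrorAction Stop |
        Select-Object Name, NameHost
} catch {
    Write-Warning "PTR lookup for $MyIp failed ($($_.Exception.Message)); reverse zone probably missing."
}

# 3. Create the reverse lookup zone only if it does not already exist. AD-integrated,
#    replicated to all DCs in the domain, secure dynamic updates only.
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $InternalNetwork -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# 4. Same effect as the post's "ipconfig /registerdns" followed by
#    "net stop netlogon" / "net start netlogon": re-register this DC's records
#    (including its new PTR) and restart Netlogon so it re-registers SRV records.
Register-DnsClient
Restart-Service -Name Netlogon
```

Run step 2 again afterwards (and from a client) to confirm the PTR now resolves, then watch the System log for the 40961 events to stop.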

Comments
  • Just a quick note: 192.0.0.0/8 is not reserved for private networks. 192.168.0.0/16 is. This is sometimes mistakenly misconfigured by network administrators, either by using other subblocks of the 192/8 network for private addresses, or by blocking the whole of 192/8 at the router.

    The three blocks of private addresses are defined in RFC 1918 - Address Allocation for Private Internets at ftp://ftp.rfc-editor.org/in-notes/rfc1918.txt.

    The 192.1.0.0/24 network is already allocated to BBN, as you can see with a whois query (e.g. at www.dnsstuff.com).

  • Thank you very much for this!  Having installed many, many SBS servers and having DNS all set up automatically for me (flippin' lazy man's server) I didn't realise you had to set up reverse lookup manually.  We have been having computer browser problems for a while now and this seems to have sorted it.

    Thank you.

    Ben

  • Just disable reverse lookups, as MS recommends it:

    http://support.microsoft.com/kb/259922

  • Hi, we have the same problem

  • We have the same problem.
    Sometimes, once a day, several users cannot use Outlook. We have contacted Microsoft, but they have changed a lot on the Exchange server. But nothing helps.

  • After following the mentioned steps the issue is still not resolved; if possible please provide the other troubleshooting steps and screenshots.
