Welcome to ISAserver.org


Strange Event ID 40968

Strange Event ID 40968 - 31.Jan.2006 7:03:09 PM   
fsantos

 

Posts: 23
Joined: 15.May2003
Status: offline
I believe that since I installed ISA 2004, my primary DC shows the following event ID in the System event log (once a day):

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40968
Date:  31-01-2006
Time:  6:39:10
User:  N/A
Computer: xxxxxxx
Description:
The Security System has received an authentication request that could not be  decoded.  The request has failed.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00               ....   


Looking for info on the internet (even on places like www.eventid.net) results in no info that clarifies this.

It does look like something related to ISA because before installing ISA 2004 (on another machine) this was not showing up.

Any ISA gurus that know what the event means?

Thanks and regards

Fernando
Post #: 1
RE: Strange Event ID 40968 - 2.Feb.2006 3:18:22 PM   
fsantos

 

Posts: 23
Joined: 15.May2003
Status: offline
I believe this is related to the following event:

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 6004
Date:  02-02-2006
Time:  6:37:45
User:  N/A
Computer: FIREWALL
Description:
The DNS server received a zone transfer request from xxx.xxx.xxx.xxx for a non-existent or non-authoritative zone host.domain.com..
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

My external IP on the ISA Server machine is given by DHCP by our ISP. It is a reserve, so we always get the same IP but in fact it is DHCP. Apparently our ISP is trying a zone transfer from our DNS Server and it is failing the authentication on our domain controller.

What would be the best way to block the zone transfer? Shall I create a DNS Server deny rule with the specific IP address trying to do the zone transfer? Shall I block TCP or UDP on port 53?

fsantos

(in reply to fsantos)
Post #: 2
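
Added example, not part of the original posts: one way to test the hunch in post #2 that the LSASRV 40968 warnings on the DC coincide with the DNS 6004 zone transfer warnings on the ISA machine, by pairing exported event records by timestamp. The sample records, the host name DC01, the five-minute window and the function names are assumptions, and the comparison only means something if both machines' clocks are in sync.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout used in the posts, trimmed to the fields the code reads.
SAMPLE = """\
Event Source: DNS
Event ID: 6004
Date:  02-02-2006
Time:  6:37:45
Computer: FIREWALL

Event Source: LSASRV
Event ID: 40968
Date:  02-02-2006
Time:  6:39:10
Computer: DC01

Event Source: LSASRV
Event ID: 40968
Date:  03-02-2006
Time:  14:02:00
Computer: DC01
"""

FIELD = re.compile(r"^(Event Source|Event ID|Date|Time|Computer):[ \t]*(.+?)[ \t]*$", re.M)

def parse_events(text):
    """Split on blank lines; return one dict per record with a parsed 'when' datetime."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(FIELD.findall(block))
        if {"Event Source", "Event ID", "Date", "Time"} <= f.keys():
            f["when"] = datetime.strptime(f["Date"] + " " + f["Time"], "%d-%m-%Y %H:%M:%S")
            events.append(f)
    return events

def correlate(events, window=timedelta(minutes=5)):
    """Pair each LSASRV 40968 with the DNS 6004 events logged within `window` of it."""
    dns = [e for e in events if (e["Event Source"], e["Event ID"]) == ("DNS", "6004")]
    pairs, unmatched = [], []
    for e in events:
        if (e["Event Source"], e["Event ID"]) != ("LSASRV", "40968"):
            continue
        near = [d for d in dns if abs(d["when"] - e["when"]) <= window]
        (pairs if near else unmatched).append((e, near))
    return pairs, unmatched
```

If most 40968 records end up in `unmatched`, the zone transfer requests are probably not what triggers them and the two warnings should be investigated separately.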
