Windows XP tries to sign or seal the secure channel between the workstation and the domain controller. This causes the following error:

Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found.

The domain controller may record:

Event ID: 5723

The session setup from the computer <Computername> failed to authenticate. The name of the account referenced in the security database is <Computername>. The following error occurred: Access is denied.

The client may record:

Event Source: NETLOGON Event ID: 3227 Description: The session setup to the Windows NT or Windows 2000 domain controller \\<!ServerName?> for the domain <!DomainName> failed because \\<!ServerName?> does not support signing or sealing the Netlogon session. Either upgrade the domain controller or set the !RequireSignOrSeal registry entry on this machine to 0.

Option 1: Manual registry editing

Start Regedit, navigate to

and change




Option 2: The only way Microsoft advocates changing this setting

  1. Use Control Panel to open Local Security Policy in the Administrative Tools.
  2. Navigate to Local Policies / Security Options.
  3. Double-click Domain Member:Digitally encrypt or sign secure channel data (always).
  4. Press Disabled.
  5. Press Apply and OK.

Option #3: registry file

Save the followig text to requiresignorseal.reg and then right click->Merge


[HKEY_LOCAL_MACHINE\SYSTEM\!CurrentControlSet\Services\Netlogon\Parameters? "requiresignorseal"=dword:00000000

This file can be found in the docs/Registry directory of the Samba 2.2.2 source distribution as WinXP_!SignOrSeal?.reg.