
Windows XP tries to sign or seal the secure channel between the workstation and the domain controller. When the domain controller does not support this, the workstation reports the following error:

Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable or because your computer account was not found.

The domain controller may record:

Event ID: 5723

The session setup from the computer <Computername> failed to authenticate. The name of the account referenced in the security database is <Computername>. The following error occurred: Access is denied.

The client may record:

Event Source: NETLOGON

Event ID: 3227

Description: The session setup to the Windows NT or Windows 2000 domain controller \\<ServerName> for the domain <DomainName> failed because \\<ServerName> does not support signing or sealing the Netlogon session. Either upgrade the domain controller or set the RequireSignOrSeal registry entry on this machine to 0.

Option 1: Manual registry editing

Start Regedit, navigate to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetLogon\Parameters

and change

"RequireSignOrSeal"=dword:00000001

to

"RequireSignOrSeal"=dword:00000000

Option 2: The only way Microsoft advocates changing this setting

  1. Use Control Panel to open Local Security Policy in the Administrative Tools.
  2. Navigate to Local Policies / Security Options.
  3. Double-click Domain member: Digitally encrypt or sign secure channel data (always).
  4. Press Disabled.
  5. Press Apply and OK.

Option 3: Registry file

Save the following text to requiresignorseal.reg, then right-click the file and choose Merge.

REGEDIT4

; 0 = the workstation no longer requires a signed or sealed Netlogon secure channel
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000

This file can be found in the docs/Registry directory of the Samba 2.2.2 source distribution as WinXP_SignOrSeal.reg.
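All three options write the same registry value, so a workstation can be checked afterwards by reading that key. The script below is an added example, not part of the original page or the Samba distribution. It assumes Windows PowerShell 2.0 or later and an elevated session; the function names are hypothetical, and SealSecureChannel and SignSecureChannel are the related Netlogon values in the same key, reported for context.

```powershell
# Added example: report the Netlogon secure channel values on this workstation
# and restore RequireSignOrSeal to 1 once the domain controller supports
# signing or sealing. Function names are illustrative.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonChannelSetting {
    param([string]$KeyPath = $NetlogonKey)

    # Registry value names are case-insensitive, so this also matches the
    # lower-case "requiresignorseal" written by the .reg file in Option 3.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop

    foreach ($name in 'RequireSignOrSeal', 'SealSecureChannel', 'SignSecureChannel') {
        $value = $props.$name
        if ($null -eq $value)  { $state = 'not set (OS default applies)' }
        elseif ($value -eq 0)  { $state = 'disabled' }
        else                   { $state = 'enabled' }

        # New-Object is used instead of [pscustomobject] so the script also
        # runs on PowerShell 2.0.
        New-Object PSObject -Property @{ Name = $name; Value = $value; State = $state } |
            Select-Object Name, Value, State
    }
}

function Restore-RequireSignOrSeal {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$KeyPath = $NetlogonKey)

    # ShouldProcess lets the caller preview the change with -WhatIf.
    if ($PSCmdlet.ShouldProcess($KeyPath, 'Set RequireSignOrSeal to 1')) {
        Set-ItemProperty -Path $KeyPath -Name 'RequireSignOrSeal' -Value 1 -Type DWord
    }
}

# Show the current state of the three values.
Get-NetlogonChannelSetting | Format-Table -AutoSize

# Preview the revert without writing to the registry.
Restore-RequireSignOrSeal -WhatIf
```

Run `Restore-RequireSignOrSeal` without `-WhatIf` to write the value back.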