Lsass insufficient system resources

Lsass insufficient system resources

- June 24, 2014

most of users log on domain without problem, of them can’t. receive lsass “insufficient system resources” error message. problem not client specific; affected users cannot log on of clients.

the environment: windows 2003 domain controller, xp sp3 clients.

i turned on kerberos debug logging setting kerbdebuglevel , logtofile registry values.

please me understand log got:

1224.1356> kerb-spn: found in spn cache 000cbd10 1224.1356> kerb-trace: delegationtgt endtime: 1-17-2010 18:34:38

1224.1356> kerb-trace: serviceticket endtime: 1-17-2010 18:34:38

1224.1356> kerb-spn: found in spn cache 000cbd10 1224.3396> kerb-(null): kerbinsertbinding binding cache disabled

1224.3396> kerb-trace: calling kdc 172.16.19.1 realm mydomain

1224.3396> ksupp-trace: calling kdc: 172.16.19.1

testuser

1224.3396> kerb-trace: mydomain

1224.3396> kerb-trace: flags: raw

1224.3396> kerb-(null): kerbinsertbinding binding cache disabled

1224.3396> kerb-trace: calling kdc 172.16.19.1 realm mydomain.local

1224.3396> ksupp-trace: calling kdc: 172.16.19.1

1224.3396> kerb-(null): kerbinsertbinding binding cache disabled

1224.3396> kerb-trace: calling kdc 172.16.19.1 realm mydomain.local

1224.3396> ksupp-trace: calling kdc: 172.16.19.1

1224.3396> kerb-error: failed make call kdc 172.16.19.1: 0xc000009a. d:\nt\ds\security\protocols\kerberos\client2\kerbtick.cxx, line 1832

1224.3396> kerb-(null): kerbinsertbinding binding cache disabled

1224.3396> kerb-trace: calling kdc 172.16.19.1 realm mydomain.local

1224.3396> ksupp-trace: calling kdc: 172.16.19.1

1224.3396> kerb-error: failed make call kdc 172.16.19.1: 0xc000009a. d:\nt\ds\security\protocols\kerberos\client2\kerbtick.cxx, line 1832

1224.3396> kerb-(null): kerbinsertbinding binding cache disabled

1224.3396> kerb-trace: calling kdc 172.16.19.1 realm mydomain.local

1224.3396> ksupp-trace: calling kdc: 172.16.19.1

1224.3396> kerb-error: failed make call kdc 172.16.19.1: 0xc000009a. d:\nt\ds\security\protocols\kerberos\client2\kerbtick.cxx, line 1832

1224.3396> kerb-error: failed call kdc tgs request: 0xc000009a. d:\nt\ds\security\protocols\kerberos\client2\kerbtick.cxx, line 2535

1224.3396> kerb-warn: failed tgs ticket service 0xc000009a :

host gepeszek.mydomain.local

1224.3396> kerb-warn: d:\nt\ds\security\protocols\kerberos\client2\kerbtick.cxx, line 3574

1224.3396> kerb-error: logonuser: failed workstation ticket mydomain\testuser: 0xc000009a. d:\nt\ds\security\protocols\kerberos\client2\logonapi.cxx, line 5096

1224.1356> kerb-trace: spacceptlsamodecontext called kerbmapcontext contextattributes 0x5, 0

1224.1356> kerb-trace: spacceptlsamodecontext called kerbmapcontext contextattributes 0x5, 0

1224.1356> kerb-trace: spacceptlsamodecontext called kerbmapcontext contextattributes 0x5, 0

1224.1356> kerb-trace: spacceptlsamodecontext called kerbmapcontext contextattributes 0x5, 0

here answer:

isa 2004 installed on domain controller (sbs), , new outgoing rule had been set recently, http on port 88 web proxy filter. outgoing rule; internal external.
if user member of more 10 groups, can’t log on, otherwise log on without issue.

Windows Server > Directory Services

Comments