Re: Does IPsec only work within domain with Kerberos?
From: David Beder (dbeder@online.microsoft.com)
Date: 03/11/03
- Next message: Vladimir Katalov: "Re: Encryption"
- Previous message: David Beder: "Re: IPSec"
- In reply to: Steven L Umbach: "Re: Does IPsec only work within domain with Kerberos?"
- Next in thread: Charles Kerekes: "Re: Does IPsec only work within domain with Kerberos?"
- Reply: Charles Kerekes: "Re: Does IPsec only work within domain with Kerberos?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "David Beder" <dbeder@online.microsoft.com> Date: Mon, 10 Mar 2003 23:08:03 -0800
Also, it's not advised to use both the Secure Server and the Client policies
at opposite ends in their unmodified forms.
The Client policy uses only the default response rule. By its nature, it
does not distinguish between protocols; any request for IPsec that comes in
will create a blanket all-protocol-all-port filter with the other computer.
The Secure Server policy, however, includes an exemption for ICMP. Conflicts
can arise when the Client starts requiring security for protocols that the
other peer has exempted. Many management systems use ICMP to validate the
peer is alive before sending more heavy data payloads. When such a conflict
has occurred, ICMP fails so the data payloads never get sent.
I'm not sure that this conflict is the root of your problem, but it's
something to further investigate once any kerb issues are resolved.
-- David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.

"Steven L Umbach" <n9rou@attbi.com> wrote in message news:Sccba.33686$L1.7136@sccrnsc02...
Hi Charles. Kerberos authentication is forest wide. Try using the request policy to see if that works and tweak from there, using ipsecmon to see what is happening. This link may be of some help.
--- Steve
http://support.microsoft.com/?kbid=254949

"Charles Kerekes" <ckerekes.nospam@att.net> wrote in message news:04cd01c2e73f$1c4ba2b0$3401280a@phx.gbl...
> Hello,
>
> I have been testing with the Secure Server policy in a lab where I have three domains within a single AD forest. I tweaked the Secure Server policy to allow DNS and WINS packets through without encryption - this works fine.
>
> I applied the Secure Server policy to one DC/GC within a site. To all other DC/GCs within the forest I applied the Client IPsec policy. The server that has the Secure Server policy applied has two AD replication connections, one to a DC in its own domain and another to a DC in another domain in the forest. When the policy is applied, it is no longer able to replicate to the DC in the other domain. Replmon gives the following reason:
>
> Replication Failure: The reason is: The RPC server is unavailable.
>
> I would have expected all servers in the forest (where there are transitive trusts to all domains) to work seamlessly. I even tried to add a manual trust between these two domains with the same results.
>
> Am I missing something, or is IPsec with Kerberos limited to a single domain?
>
> Charlie
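To make the filter mismatch David describes concrete, the following is an added example, not code from the thread or from Microsoft: it models the two default policies as filter lists and reports the traffic types on which the peers disagree about whether a packet must be IPsec-protected. The rule contents, the most-specific-filter-wins ordering and the sample traffic list are assumptions constructed for this illustration.

```python
"""Simplified model of Windows 2000/2003 IPsec policy matching, used to
show the Client vs Secure Server mismatch described in the post."""
from dataclasses import dataclass
from typing import Optional
ANY = "any"

@dataclass(frozen=True)
class Rule:
    protocol: str             # "any", "icmp", "tcp", "udp"
    action: str               # "require" = must be IPsec-protected, "permit" = clear text allowed
    port: Optional[int] = None

    def matches(self, protocol: str, port: Optional[int]) -> bool:
        return (self.protocol in (ANY, protocol)
                and (self.port is None or self.port == port))

    def specificity(self) -> int:
        # Assumed most-specific-filter-wins ordering: an exact protocol
        # beats "any", and a port filter beats a protocol-only filter.
        return (self.protocol != ANY) + (self.port is not None)

@dataclass
class Policy:
    name: str
    rules: list

    def decision(self, protocol: str, port: Optional[int] = None) -> str:
        hits = [r for r in self.rules if r.matches(protocol, port)]
        if not hits:
            return "permit"  # no filter at all: traffic passes unprotected
        return max(hits, key=Rule.specificity).action

def find_conflicts(a: Policy, b: Policy, traffic) -> list:
    """Traffic types on which the peers disagree about protection: one
    side sends or expects clear text while the other requires ESP/AH."""
    return [label for label, proto, port in traffic
            if a.decision(proto, port) != b.decision(proto, port)]

# Constructed policies. Unmodified Secure Server: require security for all IP, exempt ICMP.
SECURE_SERVER = Policy("Secure Server", [Rule(ANY, "require"), Rule("icmp", "permit")])
# Client after answering the server's request: the default response rule
# left one blanket all-protocol, all-port filter for that peer.
CLIENT_RESPONDED = Policy("Client (Respond Only)", [Rule(ANY, "require")])
# Client given the same ICMP exemption as the server (the tweak to make).
CLIENT_FIXED = Policy("Client + ICMP exempt", CLIENT_RESPONDED.rules + [Rule("icmp", "permit")])
TRAFFIC = [("ping", "icmp", None), ("dns", "udp", 53), ("rpc endpoint mapper", "tcp", 135)]

if __name__ == "__main__":
    print(find_conflicts(SECURE_SERVER, CLIENT_RESPONDED, TRAFFIC))  # ['ping']
    print(find_conflicts(SECURE_SERVER, CLIENT_FIXED, TRAFFIC))      # []
```

The first call shows the liveness ping being the only traffic the peers handle differently, which is exactly the symptom David describes; giving the Client side the same ICMP exemption removes the disagreement.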