Re: Does IPsec only work within domain with Kerberos? -- SOLVED

From: Charles Kerekes (ckerekes.nospam@att.net)
Date: 03/31/03


"Charles Kerekes" <ckerekes.nospam@att.net> wrote in message news:<04cd01c2e73f$1c4ba2b0$3401280a@phx.gbl>...
> Hello,
>
> I have been testing with the Secure Server policy in a
> lab where I have three domains within a single AD forest.
> I tweaked the Secure Server policy to allow DNS and WINS
> packets through without encryption - this works fine.
>
> I applied the Secure Server policy to one DC/GC within a
> site. To all other DC/GC's within the forest I applied
> the Client IPsec policy. The server that has the Secure
> Server policy applied to it has two AD replication
> connections, one to a DC in its own domain and another to a
> DC in another domain in the forest. When the policy is
> applied, it is no longer able to replicate to the DC in
> the other domain. Replmon gives the following reason:
>
> Replication Failure: The reason is: The RPC server is
> unavailable.
>
>
> I would have expected all servers in the forest (where
> there are transitive trusts to all domains) to work
> seamlessly. I even tried to add a manual trust between
> these two domains with the same results.
>
> Am I missing something, or is IPsec with Kerberos limited
> to a single domain?
>
> Charlie

With the help of Microsoft Support, we determined that for IPsec to
work across the forest with Kerberos authentication, a filter needs to
be created to NOT encrypt (Permit) LDAP queries on port 389.

Charlie
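As an added illustration (not from the thread, and not the Windows 2000 policy tooling the poster used), here is the resulting policy expressed with the PowerShell NetSecurity cmdlets on a current Windows Server: DNS and WINS exempted as in the original policy, LDAP 389 exempted as Microsoft Support advised, and IPsec with Kerberos machine authentication required for everything else. Rule names, the placeholder host name, and the assumption that Kerberos port 88 is not implicitly exempt on the target version are mine.

```powershell
# Added example, not the poster's configuration. Run elevated on the DC/GC that gets
# the "Secure Server" role. Traffic that must flow in the clear before any IPsec SA
# can be negotiated with a Kerberos-authenticated peer:
#   DNS and WINS   - the poster's original permit filters
#   LDAP 389       - the cross-domain fix from the thread (TCP), plus CLDAP on UDP 389,
#                    which the DC locator uses to ping candidate DCs
#   Kerberos 88    - assumed here not to be exempt by default on this Windows version
$Exempt = @(
    @{ Name = 'DNS TCP';          Protocol = 'TCP'; Port = 53  },
    @{ Name = 'DNS UDP';          Protocol = 'UDP'; Port = 53  },
    @{ Name = 'WINS replication'; Protocol = 'TCP'; Port = 42  },
    @{ Name = 'NetBIOS name';     Protocol = 'UDP'; Port = 137 },
    @{ Name = 'Kerberos TCP';     Protocol = 'TCP'; Port = 88  },
    @{ Name = 'Kerberos UDP';     Protocol = 'UDP'; Port = 88  },
    @{ Name = 'LDAP TCP';         Protocol = 'TCP'; Port = 389 },
    @{ Name = 'CLDAP UDP';        Protocol = 'UDP'; Port = 389 }
)

foreach ($e in $Exempt) {
    # A DC/GC is both client and server for these services, so exempt each port in
    # both roles: traffic we send to that port, and traffic arriving at our own port.
    foreach ($side in 'RemotePort', 'LocalPort') {
        $p = @{
            DisplayName      = "Exempt $($e.Name) ($side)"
            Protocol         = $e.Protocol
            InboundSecurity  = 'None'
            OutboundSecurity = 'None'
        }
        $p[$side] = "$($e.Port)"
        New-NetIPsecRule @p | Out-Null
    }
}

# Everything else: require IPsec, authenticated with the computer's Kerberos identity.
$kerb   = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Kerberos machine auth' -Proposal $kerb
New-NetIPsecRule -DisplayName 'Secure Server: require IPsec' `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name | Out-Null

# Checks: the exemptions exist, LDAP to the DC in the other domain answers, and the
# remaining traffic negotiates main mode SAs instead of failing with
# "The RPC server is unavailable".
Get-NetIPsecRule | Format-Table DisplayName, InboundSecurity, OutboundSecurity
Test-NetConnection -ComputerName 'dc1.otherdomain.example' -Port 389   # placeholder host
Get-NetIPsecMainModeSA | Format-List
```

If replication still fails after this, compare the main mode SA list against the replication partner's address: a partner with no SA and no matching exemption is the one whose traffic is being dropped.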
