authentication problem
From: kjelle (kjell.ritter_at_kemi.se)
Date: 03/16/04
- Next message: Olof Lagerkvist: "Re: Local Password lost, not member of domain"
- Previous message: madferret: "Local Password lost, not member of domain"
- Next in thread: Steven L Umbach: "Re: authentication problem"
- Reply: Steven L Umbach: "Re: authentication problem"
- Reply: William Wang[MSFT]: "RE: authentication problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 16 Mar 2004 07:44:38 -0800
Scenario:
Mixed environment with Windows 2000 and 2003 servers and
clients.
IPsec policies are distributed to clients and servers on
the network through group policies to protect
the "IPSEC_Users" OU's communication on all IP traffic.
Secured users and clients using IPsec are placed in an OU
called "IPSEC_users".
Domain controllers are placed in the default OU "Domain
Controllers".
Secured servers are placed in an OU called "IPSEC_servers".
Using the default IPsec policy filters in Windows, the
computers in the "IPSEC_users" OU are assigned the "Request
security" filter with certificate authentication on all
IP traffic.
The "Domain Controllers" OU is assigned the "Respond only"
filter with certificate authentication on all IP traffic.
The "IPSEC_servers" OU is assigned the "Require security"
filter with certificate authentication on all IP traffic.
Problem:
The problem arises when the clients and domain
controllers are using these settings. The IPsec
communication works after a cached login, but the big
thing is that the client cannot locate the domain
controller in the domain for authentication at logon,
which results in group policy not being assigned. The
error message in Event Viewer is:
Event ID 1054: Can't read the domain controller name on
the network. The specified domain is not available or
could not be contacted.............
AND
Event ID 5719: This computer could not establish a secure
session with a domain controller in this domain LABB
because of the following error:
There are no logon servers available to handle the login
request.........
It doesn't matter what kind of authentication method is
used: Kerberos, pre-shared key or certificate
authentication.
I have been running a packet capture program on the
domain controller and analyzed what kind of traffic is
sent when the client is trying to log in. I can clearly
see that the client is trying to do a DNS lookup of the
SRV record for the domain controller, although there is no
reply sent from the server.
Even though I manually add a filter action to send DNS
traffic in clear text between client and server, the
server doesn't reply. I think this is the reason why
the client can't log in correctly and maintain the policy
settings.
The question is: why does this occur?
Best regards
Kjelle
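The DC locator lookup Kjelle sees in the capture, as an added example that is not code from the original post: it builds the SRV query for _ldap._tcp.dc._msdcs.<DnsDomainName> exactly as the client puts it on the wire, parses a constructed reply of the kind a working DNS server would return, and shows what the client is left with when no reply comes back (the no-reply case from the capture is modelled by passing None). The DNS domain name "labb" and the host names "dc1.labb" / "dc2.labb" are assumptions; the reply bytes are constructed in the script, nothing is sent on the network.

```python
"""DC locator SRV lookup: build the query, parse a reply, pick a DC.

Added example, not part of the original post. A Windows client locates a
domain controller through the DNS SRV record
_ldap._tcp.dc._msdcs.<DnsDomainName> (RFC 2782 wire format); if that lookup
gets no usable answer the client has "no logon servers". The domain name
"labb" and the DC host names are assumed.
"""
import struct

SRV_TYPE = 33          # DNS RR type SRV
IN_CLASS = 1
DC_SRV_NAME = "_ldap._tcp.dc._msdcs.labb"   # assumed DNS name for domain LABB


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_srv_query(name, txid=0x1234):
    """Standard recursive query for one SRV record, as the client sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, IN_CLASS)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_srv_response(msg):
    """Return the rcode and the SRV answers (priority, weight, port, target)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4                                     # qtype + qclass
    records = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)
            records.append({"priority": prio, "weight": weight,
                            "port": port, "target": target})
        off += rdlen
    return {"rcode": flags & 0xF, "records": records}


def build_srv_response(query, records, rcode=0):
    """Constructed reply a healthy DNS server would send (test data only)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1,
                                     len(records), 0, 0)
    answers = b""
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        answers += (b"\xC0\x0C"                      # pointer to question name
                    + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, len(rdata))
                    + rdata)
    return header + query[12:] + answers


def pick_dc(response):
    """Choose (target, port) the way the locator would. None means the
    client has no logon server: no packet at all, an error rcode, or a
    reply without SRV records."""
    if response is None:
        return None
    parsed = parse_srv_response(response)
    if parsed["rcode"] != 0 or not parsed["records"]:
        return None
    best = min(parsed["records"],
               key=lambda r: (r["priority"], -r["weight"]))
    return best["target"], best["port"]


if __name__ == "__main__":
    query = build_srv_query(DC_SRV_NAME)
    reply = build_srv_response(query, [(0, 100, 389, "dc1.labb")])
    print("DNS server answers:  ", pick_dc(reply))
    print("no reply (capture):  ", pick_dc(None))
```

On the client the same query can be sent by hand with "nslookup -type=SRV _ldap._tcp.dc._msdcs.<DnsDomainName>" and the locator result checked with "nltest /dsgetdc:<domain>"; a packet capture taken while running those shows whether the DNS reply is leaving the server at all, which separates a DNS problem from an IPsec filter that drops it.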